Your guide to CFPB Section 1033: Understanding CFPB rulemaking

Editor’s Note: The final 1033 rule was released on October 22, 2024. This article reflects Mastercard’s understanding of the proposed rule as released in October 2023. We are reviewing the rule in its entirety. Our goal is to advance open banking in a way that responsibly supports all players in the ecosystem. We will continue to support you as we all navigate this regulation.

An explosion in new financial services experiences, powered by fintech apps for consumers and small businesses, has propelled the rise of open banking technology in the U.S. and around the world. Every player in the consumer finance arena must now rethink what is possible when consumers and small businesses have full control of their financial lives. 

The Consumer Financial Protection Bureau (CFPB) is embracing this moment of innovation with the long-awaited Dodd-Frank Section 1033 open banking rule, which will accelerate the adoption of open banking technologies and protect consumer interests as we move further into the digital future. This proposed rule is set to be finalized in the second half of 2024. With decades of leadership in data responsibility, Mastercard’s principles align with the tenets of CFPB rulemaking and our role is to protect this data.

Mastercard has created this primer to outline the provisions of CFPB Section 1033 and explain how banks, fintechs and other holders of consumer financial data will be affected by the proposed rule. Read on to discover what CFPB 1033 rulemaking means for you — and how Mastercard equips customers to thrive in this new landscape. 

Index

1. What is the CFPB?
2. What does the Dodd-Frank Act Section 1033 say about consumers’ rights to access financial data?
3. What is the CFPB’s role in Section 1033 rulemaking?
4. What parties are impacted by the CFPB Section 1033?
5. How does the proposed rulemaking impact personal financial data rights?
6. What types of data are covered by the CFPB open banking rule? 
7. When does the open banking regulation take effect? 
8. How can Mastercard help? 
9. Where can I learn more?

The Consumer Financial Protection Bureau is an independent agency of the United States federal government, established in the wake of the 2007-2008 financial crisis to protect consumers’ interests in financial markets and promote long-term stability in the broader economy.  

The CFPB was created under the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, better known as Dodd-Frank, to provide a single point of accountability for protecting consumers from unfair, deceptive or abusive financial practices and to taking action against companies that break the law.

Section 1033 of the Dodd-Frank Act establishes consumers’ right to access financial data associated with the financial products and services they use, such as credit cards, deposits and savings accounts.  This data includes account details, transactions, balances and more, and is subject to rules put forward by the CFPB.

Section 1033 gives the CFPB authority to issue rules governing personal financial data rights.  The CFPB has been working toward implementing this rulemaking since 2016.  

Some key milestones include:

• publishing a set of consumer protection principles (2017) 
• holding a symposium on consumer access to financial records (2020) 
• releasing detailed documentation of rulemaking proposals and alternatives under consideration (2022) 
• convening a Small Business Review Panel and issuing a report of its findings (2023)

In October 2023, the bureau released its proposed rule and opened a period of public comment through December 29, 2023. Since then, the CFPB has been working to finalize the written regulations. Once it takes effect, the proposed rule will serve as implementation of Dodd-Frank Section 1033.

• Data providers – financial institutions and some payment facilitators
• Third-party data recipients – fintechs and financial institutions acting on consumers’ behalf as data recipients and data aggregators acting on their behalf
• Qualified industry standard-setting bodies – CFPB-recognized issuers of fair, open, and inclusive industry standards

Broadly speaking, the CFPB open banking rule is a framework of regulations and industry standards that provides consumers with ownership and rights to control their financial data; enhanced consumer protections; and consistency in how data can be accessed and used.  

The CFPB proposal will require financial institutions and some payment facilitators to make financial data available to consumers and authorized third-party data recipients.  

The proposed rule also:

• outlines obligations and limitations for how companies must collect, use and store consumer data  
• requires banks to share data in a standardized format via safe and secure application programming interfaces (APIs) 
• seeks to empower consumers with their financial data 
• enables better access to financial products 
• and jump-starts competition between banks of all sizes, fintechs and other digital players

• Transaction information, including amounts, dates, payees, historical data, and fees. 
• Account balances 
• Account and routing numbers, both tokenized and non-tokenized 
• Terms and conditions, including fee schedules, rates, rewards terms and overdraft coverage 
• Information on upcoming bills, such as minimum payment amounts
• Basic account verification information, including names, mailing addresses, email addresses, and phone numbers.

While the CFPB hasn’t given an exact date, it has indicated that it will finalize the proposed rule toward the end of 2024, with a tiered compliance timeline to follow, which makes it even more important that financial service providers are prepared for the change.

• First, the CFPB must finalize the rulemaking. 
  • While the bureau hasn’t given an exact date, CFPB Section 1033 is expected to be finalized in the second half of 2024, most likely in the fall. 
• Third parties must comply within 60 days.  
• For consumer-authorized third parties, the CFPB proposed rule becomes effective 60 days from the date of the final rulemaking.  
  • The proposed timeline for complying with the CFPB rule varies based on the size of the financial institution. Banks and other institutions that hold deposits will have between six months and four years to comply, based on their assets. Non-deposit institutions will have six or 12 months, depending on annual revenue. The CFPB has detailed this tiered approach as follows: 

At Mastercard, we believe that consumers own their financial data; they should be in control of how and by whom it is used and should benefit from its use. Mastercard’s role is to protect this data and help data providers do the same.  

The CFPB proposed rule calls for secure permissioned data-sharing across developer interfaces, or APIs. Navigating this compliance is going to be complex, as financial institutions must decide to build APIs on their legacy infrastructure or outsource, as well as addressing other areas, including but not limited to consent management, info security, and third-party risk management.  

As trusted leaders with over 55 years of experience in helping partners navigate regulations and meet compliance, we’re here to guide you in meeting CFPB Section 1033 compliance — and in exceeding your customers’ expectations through new and improved financial experiences — as we shape the future of finance, side by side.

Catch up with all of our CFPB content, including webinars, white papers and guides with these:

Orchestrating Open Banking in the US white paper

Understanding and prepping for the pending regulations

Navigating CFPB 1033 open banking regulation – on-demand webinar

Preparing for the future of open banking API standards and the upcoming CFPB 1033 regulation – on-demand webinar

FDX Developer Hub – documentation for FDX-compliant APIs