Section 1033 Final Rule: Quick Takes on Key Changes — Deadlines, Scope, and Secondary Use

Yesterday, the Consumer Financial Protection Bureau published the final Section 1033 rule that will give consumers greater control and rights over their personal financial data. While we are still reviewing closely, the 594-page final rule seems to be largely the same as the proposed rule with a few key changes and clarifications. 

At MX, our mission is to empower the world to be financially strong. And, at the core of delivering on that mission is the ability for consumers and the financial providers who serve them to connect, understand, and act on their permissioned financial data. This final rule is a huge milestone in making sure consumers have the right to access and control that financial information. Here’s our summary of a few key aspects of the final rule as we continue our review:

Extending Compliance Deadlines

Compliance deadlines have been extended to allow for more time for data providers and third parties to meet these new expectations. And, the smallest institutions (banks and credit unions with less than $850 million in assets), will not be required to provide data under the rule.

New compliance deadlines for institutions with more than $850M in assets are: 

Continuing to Start Small on Scope of Data

The scope of data remains largely the same from the draft rule, and we should continue to expect additional rules over time to address other products and services. 

Covered data includes Reg E accounts, Reg Z credit cards, digital wallets, and payment facilitation products. The only difference here from the draft rule is excluding first-party payments as part of those payment facilitation products. According to the final rule, “first-party payments are distinct from payment facilitation products. Accordingly, the CFPB is … explicitly excluding products or services that merely facilitate first-party payments. For purposes of this definition, a first-party payment is a transfer initiated by the payee or an agent on behalf of the underlying payee. First-party payments include payments initiated by a loan servicer.”

Again, this is just the first wave of covered data. Chopra said in remarks at the Federal Reserve Bank of Philadelphia yesterday that “the CFPB will be developing a roadmap for the next set of rules to advance open banking. … We are considering a number of other use cases, such as how to reduce costs and complexity in the mortgage market. During the rulemaking process, there were a number of important issues raised, such as coverage of accounts used for government benefits and the ability for nonprofit researchers to use consumer-permissioned data.”

Using Data for Consumer Benefit — A Word on Secondary Use Cases 

The final rule provides expanded guidance and clarity on the reasonable use of consumer-permissioned data by authorized third parties. The language now calls out “purposes” rather than “activities” when it comes to secondary use cases. We think this is important as it’s the intent rather than a list of actions that matters. We strongly believe consumer financial data should only be used to ultimately benefit the consumer — and not used in ways that are purely value extraction or advantages to an organization to the detriment of the consumer.

At the Federal Reserve Bank of Philadelphia, Chopra said, “it’s pretty simple. A company that ingests consumer’s data can use the data to provide the product or service the consumer asked for, but not for unrelated purposes the consumer doesn’t want.” 

The CFPB states that consumer-permissioned data can be used to improve the product or service that the consumer requested without separate authorizations. For instance, this could include data enhancement to translate raw transaction data into understandable and actionable information for consumers. But, the final rule doesn’t allow for things like targeted advertising, cross-selling of other products or services, or the sale of covered data by a third party. 

Chopra further stated that “the rule is designed to ensure that open banking does not become a new data pipeline that fuels surveillance pricing or other manipulative mischief.”  If a consumer chooses to share their financial data in order to gain a better experience, we have a responsibility to use that data to drive the best results possible for them and not cause harm. 

What’s Next

With the first compliance deadline now set, it’s time to dive into the technical details and performance requirements in depth to ensure APIs, processes, and interfaces meet the final rule. 

In addition, the CFPB published the first application seeking recognition as an open banking standard-setter from the Financial Data Exchange (FDX) in September. While the final rule mostly adjusts any standards language to call out a “consensus standard” to meet requirements, a recognized standard-setting organization will go a long way in helping create that consensus. 

We’re excited about this next step in the U.S. towards a more open, competitive, and innovative ecosystem for the benefit of consumers. We look forward to continuing to lead with privacy-first principles and ensuring our clients can meet these new compliance obligations and leverage consumer-permissioned data effectively and ethically.