The Future of Open Banking and CFPB Rule 1033
On October 22, 2024, the CFPB released its final Rule 1033 (the Rule), mandating that banks and financial service firms enable consumers to access and share their financial data “concerning the consumer financial product or service that the consumer obtained” (12 U.S.C. § 5533(a)). The Rule promotes consumer choice and competition in the financial services industry and aligns with the principles of open banking, data portability, and improved consumer data rights.
The Rule intends to support transparent, fair competition by allowing customers greater control over their data and preventing unauthorized or deceptive use by third parties.
The Rule applies to organizations known as covered data providers and covers:
Regulation E Financial Institutions
Regulation Z Card Issuers
Payment Facilitators
Digital Wallet Providers
Generally, any entity that possesses information about a covered financial product or service
As we move into 2025, an increasingly competitive environment for financial services is highly likely. Key drivers will be consumer pressure for products providing better returns, data portability to move to those products, new market entrants, the expansion of digital assets, and a changing regulatory posture. While the future of Open Banking Rule 1033 seems uncertain, companies should continue to focus on the key requirements of the Rule to remain competitive, innovate, and build consumer trust. The areas to focus on are:
Technology Considerations
Open Banking requires significant technology investments for banks to integrate and share data with each other in a standardized fashion. According to data from Forbes Insights and Thought Machine, “59% of surveyed bankers consider legacy infrastructure a major business challenge”. Financial institutions will need to assess their technology architecture and either build, or partner with technology providers or data aggregators, to upgrade their legacy architecture. Either path (make or buy) will require strategic investments as consumer expectations for data portability and competition increase. To remain competitive, banks should continue the journey if they have already started, or assess the implications of not moving to open banking given consumer expectations.
API Integration and Infrastructure
Open banking relies on secure, consent-driven data sharing to enable consumers to improve their use of financial products and services. Companies need to assess their existing infrastructures and implement secure, scalable APIs that are compatible with open banking standards (e.g., OAuth 2.0, FAPI) to allow seamless and secure data access and consumer consent management.
Requirements: Rule 1033 mandates secure, scalable API infrastructure to enable data portability, ensure data integrity, and enforce customer consent. APIs must comply with industry standards for secure data sharing, including encrypted connections and strong access controls.
Controls:
Standardized API Protocols: Implement APIs behind standard authentication and authorization protocols (such as the OAuth 2.0 and FAPI profiles noted above) to verify user identity and manage access permissions.
API Documentation and Testing: Maintain comprehensive documentation of API functionalities and regularly test them for security vulnerabilities, performance, and interoperability as part of good risk management practices.
Sandbox Environments: Set up sandbox environments for third-party developers to test integrations without risking live consumer data.
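The OAuth 2.0 access-token check that a data provider's API would run before releasing account data, as an added example that is not part of the original article or Clarendon Partners' material. It assumes a hypothetical authorization server (`ISSUER`) and resource server (`EXPECTED_AUDIENCE`), and signs tokens with a constructed HMAC secret purely to stay self-contained; a FAPI-conformant deployment would use asymmetric signatures published via JWKS. The token carries the third party's `client_id`, the granted `scope`, and a `consent_id` that ties it back to the consumer's consent record.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key shared between a hypothetical authorization server and
# the data provider's API gateway. It keeps the example self-contained; a
# FAPI-conformant deployment signs tokens with an asymmetric key (PS256/ES256).
SIGNING_KEY = b"example-shared-secret-not-for-production"
ISSUER = "https://auth.example-bank.test"             # hypothetical
EXPECTED_AUDIENCE = "https://api.example-bank.test"   # hypothetical resource server


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id, subject, scope, consent_id, lifetime_s=300, now=None):
    """Mint a short-lived JWT-style access token bound to a consent record."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "sub": subject,            # the consumer who granted access
        "aud": EXPECTED_AUDIENCE,  # the API this token may be presented to
        "client_id": client_id,    # the authorized third party
        "scope": scope,            # space-separated data categories
        "consent_id": consent_id,  # links the token to the consent record
        "iat": now,
        "exp": now + lifetime_s,   # short lifetime limits replay exposure
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    signature = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def validate_token(token, required_scope, now=None):
    """Return (ok, reason, claims). Every check must pass before data is released."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    signing_input = parts[0] + "." + parts[1]
    expected = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    try:
        provided = _b64url_decode(parts[2])
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error and JSON/Unicode decode errors
        return False, "malformed", None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed", None
    # The verifier fixes the algorithm itself rather than trusting the "alg" header,
    # and compares signatures in constant time.
    if header.get("alg") != "HS256" or not hmac.compare_digest(expected, provided):
        return False, "bad_signature", None
    if claims.get("iss") != ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        return False, "wrong_issuer_or_audience", None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired", None
    if required_scope not in set(claims.get("scope", "").split()):
        return False, "insufficient_scope", claims
    if not claims.get("consent_id"):
        return False, "no_consent_reference", claims
    return True, "ok", claims
```

The order of checks matters: signature and issuer/audience are verified before any claim is trusted, expiry is enforced with a short lifetime, and a token without a `consent_id` is rejected even if its scope is sufficient, so the API can always trace a data release back to a specific consent.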
Data Security and Encryption
Comprehensive security frameworks are essential, given the sensitivity of shared financial data. End-to-end encryption, strong identity verification, and secure data storage are critical to compliance and consumer confidence. Strong encryption for data in transit and at rest is essential. Security protocols like TLS are required to protect data across different touchpoints, ensuring privacy and regulatory compliance.
Requirements: Data protection standards under Rule 1033 require end-to-end encryption for both in-transit and at-rest data, as well as measures to prevent unauthorized access to consumer financial data.
Controls:
Encryption Protocols: Use industry-standard encryption (e.g., AES-256) for data both in transit and at rest to safeguard consumer information.
Multi-Factor Authentication (MFA): Implement MFA and other identity verification controls for users and third parties accessing consumer data to enhance security.
Identity and Access Management (IAM): IAM frameworks that support multi-factor authentication (MFA) and role-based access control (RBAC) are critical for managing access to sensitive data. Evolve your Know-Your-Customer (KYC) and Third-Party Risk Management (TPRM) practices and applications. Restrict access based on role and conduct regular access reviews to ensure only authorized personnel and applications can access sensitive data.
Real-Time Monitoring and Logging Systems: Institutions need real-time monitoring and automated logging to track all data access events, monitor API usage, and detect suspicious activities. Logs shall be accessible for audit trails and regulatory reviews.
Scalability and Interoperability
Technology systems must be scalable and interoperable across platforms to allow seamless data sharing and accommodate future updates or regulatory changes. Cloud-based solutions or other scalable infrastructure are recommended to handle high transaction volumes, maintain consistent performance, and allow for rapid scaling to meet regulatory demands.
Requirements: Rule 1033 compliance requires systems that are scalable to handle fluctuating data-sharing demands and interoperable with various financial platforms to facilitate data portability.
Controls:
Modular Architecture: Adopt a modular IT infrastructure, allowing components to be scaled or modified independently as data-sharing demands evolve.
Interoperability Testing: Regularly test API integrations across various platforms to ensure data-sharing consistency and compatibility with other institutions.
Load Balancing and Redundancy: Use load balancing and redundancy mechanisms to handle peak usage and ensure uptime during high traffic for API services.
Monitoring and Auditing Systems
Continuous monitoring of data transfers and automated auditing tools help detect unauthorized access or suspicious activities, ensuring compliance and safeguarding against potential data breaches.
Requirements: Under Rule 1033, institutions are required to monitor data-sharing activities continuously and conduct audits to ensure compliance with regulatory requirements and prevent unauthorized access.
Controls:
Real-Time Monitoring Tools: Deploy monitoring tools that detect suspicious or unauthorized access attempts and alert the security team for immediate response.
Automated Audit Logs: Implement automated logging of all data access, transfer, and deletion events to maintain an audit trail for regulatory review.
Regular Security Audits: Conduct periodic internal and external security audits to identify and resolve potential vulnerabilities and ensure continuous compliance with data-sharing protocols.
Operational Considerations
The operational considerations required under CFPB Rule 1033 encompass consumer data access rights and consent, consumer education, third-party management, and data governance. Companies should review their operations and controls to ensure appropriate operational capacity and data security measures for consumers and authorized third parties to access financial data in a secure and reliable manner. By addressing the below outlined considerations, institutions can not only meet regulatory expectations, but also foster greater trust and satisfaction among their customers.
Data Access and Consumer Consent
To comply, covered institutions need to establish protocols for secure, consent-based data transfers. Ensuring that customers understand how their data will be shared is essential, requiring a clear consent management system and transparency around data usage.
Requirements: Under Rule 1033, financial institutions must enable consumers to provide explicit, informed consent before sharing their financial data with third parties. This includes informing consumers of the data being shared, the purpose, and with whom.
Controls:
Consent Management Systems: Implement systems that record and manage consumer consent in real-time, ensuring that consent is explicit, documented, and easily revocable.
Transparency Policies: Develop and communicate clear data-sharing policies that outline the scope of data access, ensuring alignment with regulatory requirements.
Ongoing Monitoring: Conduct ongoing monitoring through the 1st and 2nd lines of defense to ensure consent is obtained before data is accessed or shared.
Consumer Education and Communication
Institutions should educate customers about their data rights and choices under Rule 1033. Transparent communication about data portability, withdrawal of consent, and deletion protocols is important for maintaining customer trust and meeting regulatory expectations.
Requirements: Financial institutions are required to inform consumers about their data rights, including data portability, revocation rights, and the security measures in place. This involves proactive communication around the benefits and risks of data sharing.
Controls:
Educational Resources: Provide resources (e.g., FAQs, interactive tutorials) on data rights and open banking to help consumers make informed choices.
Consumer Alerts and Notifications: Use alerts to keep consumers updated on data-sharing activities, potential risks, and their rights to opt-out.
Data Governance
Establish systems that enable consumers to easily give, revoke, or modify consent for data sharing. These systems should record consent in real-time, ensuring the institution can respond to compliance requests promptly. Operational changes are needed to support data revocation requests, including system designs for the prompt deletion of data across both internal and third-party systems.
Requirements: Consumers must have the right to revoke their consent and request the deletion of their data. Institutions must provide mechanisms for quick response to such requests and ensure that revoked data is no longer accessible.
Controls:
Automated Revocation Mechanisms: Build or integrate tools that allow customers to easily revoke data access and initiate data deletion.
Audit Trails: Maintain records of all revocation and deletion requests, with timestamps and logs that ensure compliance and accountability.
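A consent registry that covers both the consent-management controls under Data Access and Consumer Consent and the revocation, deletion and audit-trail controls in this section, as an added example that is not part of the original article. Consent ids, party names and the 90-day validity default are constructed for the example (the Rule's own re-authorization period is not modelled). Every access decision, revocation and deletion request is appended to an audit log with a timestamp, and a deletion request returns the propagation tasks for internal stores and for the third party that received the data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


def at(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp with offset into an aware datetime."""
    return datetime.fromisoformat(iso)


@dataclass
class Consent:
    consent_id: str
    consumer_id: str
    third_party: str
    categories: frozenset
    granted_at: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None


class ConsentRegistry:
    """Records grants, evaluates access requests, and keeps an append-only audit trail."""

    def __init__(self):
        self._consents = {}
        self.audit_log = []  # list of dicts; only ever appended to

    def _record(self, now, event, consent_id, **details):
        self.audit_log.append({"ts": now.isoformat(), "event": event,
                               "consent_id": consent_id, **details})

    def grant(self, consent_id, consumer_id, third_party, categories, now, valid_days=90):
        # valid_days is a constructed default, not a figure taken from the Rule.
        consent = Consent(consent_id, consumer_id, third_party, frozenset(categories),
                          now, now + timedelta(days=valid_days))
        self._consents[consent_id] = consent
        self._record(now, "granted", consent_id, consumer=consumer_id, third_party=third_party,
                     categories=sorted(categories), expires_at=consent.expires_at.isoformat())
        return consent

    def is_authorized(self, consent_id, third_party, category, now):
        """Return (allowed, reason); the decision is logged whichever way it goes."""
        consent = self._consents.get(consent_id)
        if consent is None:
            reason = "unknown_consent"
        elif consent.third_party != third_party:
            reason = "wrong_party"
        elif consent.revoked_at is not None:
            reason = "revoked"
        elif now >= consent.expires_at:
            reason = "expired"
        elif category not in consent.categories:
            reason = "out_of_scope"
        else:
            reason = "ok"
        self._record(now, "access_check", consent_id, third_party=third_party,
                     category=category, decision=reason)
        return reason == "ok", reason

    def revoke(self, consent_id, now, requested_by="consumer"):
        consent = self._consents.get(consent_id)
        if consent is None or consent.revoked_at is not None:
            return False
        consent.revoked_at = now
        self._record(now, "revoked", consent_id, requested_by=requested_by)
        return True

    def request_deletion(self, consent_id, now):
        """Revoke if still active and return the deletion tasks to propagate."""
        consent = self._consents.get(consent_id)
        if consent is None:
            return []
        self.revoke(consent_id, now)
        tasks = [
            {"target": "internal", "action": "purge_shared_copies", "consumer": consent.consumer_id},
            {"target": consent.third_party, "action": "delete_consumer_data",
             "consumer": consent.consumer_id},
        ]
        self._record(now, "deletion_requested", consent_id, tasks=[t["target"] for t in tasks])
        return tasks


def demo_lifecycle():
    """Walk one constructed consent through grant, use, revocation and deletion."""
    reg = ConsentRegistry()
    t0 = at("2025-03-01T00:00:00+00:00")
    reg.grant("cs-1", "c-42", "agg-7", {"accounts", "transactions"}, t0, valid_days=90)
    day = timedelta(days=1)
    results = {
        "in_scope": reg.is_authorized("cs-1", "agg-7", "accounts", t0 + day),
        "out_of_scope": reg.is_authorized("cs-1", "agg-7", "payments", t0 + day),
        "wrong_party": reg.is_authorized("cs-1", "agg-9", "accounts", t0 + day),
        # Evaluated before the revocation below, so expiry is the deciding reason.
        "expired": reg.is_authorized("cs-1", "agg-7", "accounts", t0 + 91 * day),
    }
    reg.revoke("cs-1", t0 + 2 * day)
    results["after_revoke"] = reg.is_authorized("cs-1", "agg-7", "accounts", t0 + 3 * day)
    results["deletion_tasks"] = reg.request_deletion("cs-1", t0 + 3 * day)
    results["audit_events"] = [e["event"] for e in reg.audit_log]
    return results
```

Revocation is checked before expiry and before scope, so a revoked consent is refused regardless of any other attribute, and a deletion request on an already-revoked consent does not write a second revocation event; the audit log therefore reads as a faithful sequence of what happened and when.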
Inter-Institutional Agreements
Establishing data-sharing agreements with other financial institutions or third-party data aggregators can ensure clarity in responsibilities, security standards, and data protection.
Requirements: When partnering with third-party data aggregators, firms must establish agreements that clearly define each party's role in data security, consent management, and compliance.
Controls:
Formal Data-Sharing Contracts: Create legally binding agreements with third parties outlining data security, regulatory compliance, and mutual responsibilities.
Third-Party Due Diligence: Conduct thorough risk assessments of third-party partners, evaluating their security practices, data governance, and adherence to Rule 1033.
Staff Training and GRC Updates
Compliance with Rule 1033 requires GRC adjustments based on the above technology and operational considerations. Companies should train employees on data privacy best practices and the specifics of customer data rights under Rule 1033 and Open Banking as a whole.
Data Governance Policies: Develop policies defining data-sharing protocols, consumer consent requirements, and data revocation rights.
Action: Define roles, responsibilities, and approved processes for data sharing with third parties. Include accountability for data security and consumer education.
Risk Assessment and Management: Regularly assess risks associated with data sharing, third-party partnerships, and data security.
Action: Identify and mitigate high-risk areas like unauthorized access or data leakage. Perform third-party risk assessments for compliance and security assurance.
Compliance Monitoring and Reporting: Implement real-time monitoring for API transactions, data sharing, and consent management.
Action: Establish automated compliance alerts for unauthorized data access or expired consumer consents, ensuring timely response and corrective measures.
Employee Training Programs: Train employees on data privacy, consent protocols, and security best practices.
Action: Develop comprehensive training on Rule 1033 compliance, emphasizing customer rights, data protection, and monitoring requirements.
Continuous Improvement Cycle: Set up feedback loops for ongoing evaluation of compliance processes and necessary technology upgrades.
Action: Use audit results and monitoring data to adjust GRC practices and enhance API functionality, scalability, and security.
Rule 1033 Milestones
Per the CFPB release of Rule 1033, the following timeline has been established. Firms need to identify their specific compliance deadlines and design a roadmap to address the Rule's requirements, which depend on their size, by:
Contact Us
Regardless of the fate of CFPB Rule 1033, it is crucial for financial services firms to focus on the key areas outlined above to remain competitive and build consumer trust. Clarendon Partners is here to help you navigate these critical actions and ensure your organization is fully prepared for the new era of Open Banking. Contact us at evolve@clarendonptrs.com and leverage our expertise to stay ahead of the curve in this evolving market. Let's work together to turn these requirements into opportunities for innovation and growth.