A 1033 Implementation Breakdown (Part 1)
Deep diving into the CFPB's massive open banking vision
After putting it off for a few weeks and attending a conference where this was the topic on everyone’s mind, we’re finally jumping into the lake of 1033 - beginning what is going to require a couple of editions of analysis around the recently proposed rulemaking by the CFPB to finally implement Section 1033 of the Dodd-Frank Act of 2010. In other words, the CFPB’s attempt to bring “open banking” to life here in the USA.
Since not everyone who reads this is a massive fintech expert, let me come down to ground level for a second - what is open banking? In a nutshell, it's a mechanism by which consumers can not only access their financial data (e.g. bank balances, transactions, etc.) but also make that data available to third parties through a standardized mechanism, one that provides uniform treatment of privacy, security, and portability and opens up numerous opportunities for innovative fintechs to provide insights, capabilities, and more to consumers.
This is already happening in the EU and UK, which have open banking baked into their regulations. The wild thing is that the US could have been first to the party as Dodd-Frank was passed in 2010 and it said that rules would be “prescribed by the Bureau,” but it’s taken 13 years for us to finally get to this point where they will now be proposed and implemented.
Just to put it out there, here’s what Section 1033 says:
(a) IN GENERAL.—Subject to rules prescribed by the Bureau, a covered person shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data. The information shall be made available in an electronic form usable by consumers.
(b) EXCEPTIONS.—A covered person may not be required by this section to make available to the consumer—
(1) any confidential commercial information, including an algorithm used to derive credit scores or other risk scores or predictors;
(2) any information collected by the covered person for the purpose of preventing fraud or money laundering, or detecting, or making any report regarding other unlawful or potentially unlawful conduct;
(3) any information required to be kept confidential by any other provision of law; or
(4) any information that the covered person cannot retrieve in the ordinary course of its business with respect to that information.
(c) NO DUTY TO MAINTAIN RECORDS.—Nothing in this section shall be construed to impose any duty on a covered person to maintain or keep any information about a consumer.
(d) STANDARDIZED FORMATS FOR DATA.—The Bureau, by rule, shall prescribe standards applicable to covered persons to promote the development and use of standardized formats for information, including through the use of machine readable files, to be made available to consumers under this section.
(e) CONSULTATION.—The Bureau shall, when prescribing any rule under this section, consult with the Federal banking agencies and the Federal Trade Commission to ensure, to the extent appropriate, that the rules—
(1) impose substantively similar requirements on covered persons;
(2) take into account conditions under which covered persons do business both in the United States and in other countries; and
(3) do not require or promote the use of any particular technology in order to develop systems for compliance.
So in other words, the “subject to rules prescribed” is happening now. What you see above is an overview of a future state, and in this 299-page proposed rulemaking document, the CFPB outlines their future vision. Let’s dig into this a little bit at a time, because it is massive and it will probably take us 3, if not 4, editions to work through all of this!
The rulemaking document starts off by using a few use cases (i.e. having more success in obtaining credit and having better customer service experiences) as the potential positive outcomes of what a future with more financial data rights for consumers could mean. The CFPB then affirmatively states its intent to fulfill the “subject to rules prescribed” component of Dodd-Frank.
We then dive into statistics about financial services consumers, and also get some history about the kinds of attempts that have been made (in fragmented form) over the years to serve the same sort of purpose as a true open banking framework would. Screen scraping is noted as the first real attempt to provide consumers with more control and visibility over their data across numerous companies/institutions (think Mint - RIP soon). It also talks about the evolution to APIs, and how banks' concerns about the potential security risks of scraping are making it less viable. The move of Europe and the UK to open banking is also mentioned, as well as the development of local initiatives (when I hear this I think of FIS' Open Banking initiative).
Some of the challenges of the current open banking environment are discussed, namely:
- Dependency on intermediaries who then use the data for their own purposes
- Data limitations and privacy/security issues with screen scraping
- No mandate for every provider to offer APIs, forcing reliance on screen scraping
- Forcing standard setters to navigate an inconsistent landscape and rely on a handful of aggregators (e.g. FIS)
The CFPB also takes time to explain why they feel implementing this rule is a priority for them now:
- They believe that with the proliferation of consumer data to a degree significantly beyond where it was in 2010, it is high time they define the scope of what information third parties can access (some parties will like this, others may not)
- Although they don't say it explicitly, they will try to make life easier for legal departments across the industry by adopting a more standard set of terms and disclosures across the board
- They believe it's important to come up with a consistent view on the technical mechanics of data access - and frankly, this is going to be the hardest part to nail down
In terms of scope of coverage, it should be noted that this is not an infinite applicability. There is a specific range of products to which this rule will apply:
- Any asset accounts subject to EFTA/Reg E (i.e. bank accounts), and accounts subject to Reg Z (i.e. credit cards).
- Does not appear to include mortgages, auto loans, personal loans, or student loans - which, ironically, are the biggest pains in the rear for consumers, especially from a data accessibility and data sharing perspective. My guess is that the fact that these loans are sold and serviced is what kept them out of the books.
The CFPB also talks about some of its goals from a technical and security perspective:
- It references (repeatedly) its desire to create a specific requirement for institutions to have developer interfaces
- They talk about the need for written policies and procedures around these interfaces
- It also repeatedly mentions the current dangers of screen scraping; however, while encouraging institutions to move away from it, it adds the caveat that if an institution bans screen scraping by third parties but doesn't provide an alternative mechanism for them to access the data, the CFPB will come after them
- They do account for some restrictions in the context of increasing data portability, but they state that institutions will have to have a "valid risk management reason" for imposing them (e.g. a fraud-related or security-related concern)
In terms of its philosophy on data life:
- The CFPB believes in limited authorization of usage of consumer data, which should expire after a set period of time
- The CFPB mentions its expectation of data deletion once the customer closes their account
They also touch on their view on standards and standard-setting bodies:
- They note that highly technical standards can go out of date quickly
- By creating a framework under which standards can be developed, they hope to ensure the evolution of standards (and avoid veering toward a consortium made up of a few key players, as is the case with a lot of bodies in payments, e.g. PCI, EMVCo)
Then the bad news (which, incidentally, they close with) - notes on how this rule interacts with other laws:
- There should be no changes to institutions' EFTA obligations for error resolution
- A brief reference to the September 2023 CRA proposal - many reactions to this proposal have cited confusion about how that rulemaking and this rulemaking are going to mesh
Join us next time, where we’ll dig into the actual details of the proposal, which is the meat of the 299-page document.