We pine for the days when banking was boring. It is not now. Right on target, the Consumer Financial Protection Bureau (CFPB) released the final version (HERE) of the much-anticipated Section 1033 rule on consumer financial data rights this week. This rule ushers in a significant change, the ramifications of which need to be considered by every bank approaching $850 million in total asset size. This article details some strategic considerations that will set us up for a more technical discussion soon.

The Background on Section 1033

CFPB’s final rule implements Section 1033 of the Dodd-Frank Act, which has existed since 2010 but has never been fully articulated. The Rule now gives consumers greater control over their financial data and the ability to share it securely with third-party service providers. Under the new rule, banks, credit unions, and other financial institutions must make consumers’ financial data available upon request from consumers and authorized third parties. These authorized third parties could be banks, credit unions, fintech companies, or data aggregators.

In a late add and surprising twist, the CFPB included payment apps and digital wallet providers as data providers. The rule also establishes strict guidelines for third parties accessing consumer data. Among other requirements, these entities must obtain and store explicit consumer consent and provide proof of it to the bank from which they are requesting data. Banks must ensure that they provide data only to the extent necessary and that proper security measures are in place to safeguard the data.

Section 1033 Requirements

The Data

Without charge, banks will need to provide customer data defined by Reg E and Reg Z. This includes customer account and contact information plus two years of information about transactions, costs, charges, and usage related to consumer deposit accounts, credit cards, and payment services. This data set includes account numbers, routing numbers, fees, rates, yields, and balance information. Banks will also have to provide the terms and conditions of the products.

Section 1033 now allows a “standard-setting body” recognized by the CFPB that may adopt and maintain “consensus standards” defined in the final rule. Some details to be clarified from this to-be-named body concern how this data will be transferred. To transfer the data, the Rule requires banks to develop standardized APIs or other secure methods for data sharing and not utilize the less accurate and less secure practice of screen scraping. The data is to be transferred in a “machine-readable format,” but it is widely assumed that it should follow the FDX protocols.

Banks must achieve a 99.5% monthly accuracy rate on data transfer. Other technical parameters must be equivalent to those of other commercially available data transfer portals. It is also important to note that a third party can connect frequently or continuously until the customer revokes their consent. To continue beyond a year, a third party must get the consumer to renew their consent annually.

Record Keeping

Banks must keep records of all requests and fulfillments for three years, including what data was transferred, when it was transferred, and when the appropriate authorization was given. Any denials must also be recorded with the reason and the related communication.
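The consent-lifecycle and record-keeping obligations above (consent must exist, must not be revoked, must be renewed annually, requests must stay within what the consumer authorized, and every fulfillment or denial must be logged with its reason and kept for three years) can be modeled as a small access gateway. The following Python is an added illustration, not code from this article, the CFPB, or any vendor; the consent fields, the data-category names, the 365-day and three-year windows as day counts, the denial reason strings, and the sample consents are all constructed assumptions for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed parameters for this example (day-count approximations of the
# rule's "annual" renewal and "three years" of record keeping).
CONSENT_MAX_AGE = timedelta(days=365)
RECORD_RETENTION = timedelta(days=3 * 365)


@dataclass(frozen=True)
class Consent:
    """A consumer's authorization for one third party (hypothetical shape)."""
    consumer_id: str
    third_party: str
    granted_on: date
    scope: frozenset          # data categories the consumer authorized
    revoked_on: date | None = None


@dataclass(frozen=True)
class AccessRecord:
    """One logged request: who asked, for what, what happened, and why."""
    requested_on: date
    consumer_id: str
    third_party: str
    requested_scope: frozenset
    outcome: str              # "fulfilled" or "denied"
    reason: str               # "ok" or the denial reason
    consent_granted_on: date | None


class DataProvider:
    """Toy model of a bank's data-sharing gateway: fail closed, log everything."""

    def __init__(self, consents):
        self._consents = {(c.consumer_id, c.third_party): c for c in consents}
        self.records = []

    def _check(self, consumer_id, third_party, requested_scope, today):
        consent = self._consents.get((consumer_id, third_party))
        if consent is None:
            return None, "no consent on file for this third party"
        if consent.granted_on > today:
            return consent, "consent not yet effective"
        if consent.revoked_on is not None and consent.revoked_on <= today:
            return consent, "consent revoked by consumer"
        if today - consent.granted_on > CONSENT_MAX_AGE:
            return consent, "consent older than one year; renewal required"
        if not requested_scope <= consent.scope:
            # Least privilege: a request outside the authorized scope is refused
            # outright rather than silently trimmed.
            return consent, "request exceeds consented scope"
        return consent, "ok"

    def evaluate(self, consumer_id, third_party, requested_scope, today):
        """Decide a request and append the record; returns the AccessRecord."""
        requested_scope = frozenset(requested_scope)
        consent, reason = self._check(consumer_id, third_party, requested_scope, today)
        record = AccessRecord(
            requested_on=today,
            consumer_id=consumer_id,
            third_party=third_party,
            requested_scope=requested_scope,
            outcome="fulfilled" if reason == "ok" else "denied",
            reason=reason,
            consent_granted_on=consent.granted_on if consent else None,
        )
        self.records.append(record)
        return record

    def purge_expired_records(self, today):
        """Drop records past the retention window; returns how many were removed."""
        keep = [r for r in self.records if today - r.requested_on <= RECORD_RETENTION]
        removed = len(self.records) - len(keep)
        self.records = keep
        return removed


def sample_run(today=date(2025, 6, 1)):
    """Constructed sample: two consents, one of them revoked."""
    bank = DataProvider([
        Consent("C-001", "AGG-A", date(2025, 1, 15), frozenset({"balances", "transactions"})),
        Consent("C-002", "AGG-B", date(2024, 3, 1), frozenset({"balances"}),
                revoked_on=date(2024, 9, 1)),
    ])
    bank.evaluate("C-001", "AGG-A", {"balances"}, today)            # fulfilled
    bank.evaluate("C-001", "AGG-A", {"balances", "fees"}, today)    # denied: scope
    bank.evaluate("C-002", "AGG-B", {"balances"}, today)            # denied: revoked
    bank.evaluate("C-001", "AGG-A", {"balances"}, date(2026, 2, 1)) # denied: stale
    return bank


if __name__ == "__main__":
    for r in sample_run().records:
        print(r.requested_on, r.third_party, r.outcome, r.reason)
```

The gateway denies whenever any check fails and records the denial with its reason, which is the posture the record-keeping requirement implies; whether to trim an over-broad request to the consented scope instead of refusing it is a policy choice a bank would make with counsel.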

When Banks Must Comply

The final rule of Section 1033 will be implemented in phases. The first focus will be deposit accounts, credit cards, and payment services, with other products likely to follow. Below is the phase-in timetable.

Section 1033 Deadline

What Banks Should Strategically Consider for Section 1033

Open Banking Strategy: If your bank is over $850mm in assets and you were not in the open banking game, you are now. If you must incur the expense, risk, and commitment to satisfy Section 1033, then you should consider what else you might do with your API capabilities.

Step one in this process is to figure out what you want your end game to be. Do you want to just comply with these requirements, do you want to utilize Section 1033 to acquire customers of your own from banks and financial applications, or do you want to go all in and build these capabilities for your small business and commercial customers? Since more and more customers are looking for embedded solutions such as payments and account information for their accounting or enterprise resource planning (ERP) systems, you may want a more robust developer portal and API solution.

The rise of intelligent agents (HERE) must also be considered. Already, “agentic AI” can be tasked with automatically finding and opening a specific type of account. These intelligent agents can already store the customer’s account opening data and then read websites to handle the account opening process automatically. It will be a few short years before banks build out APIs to optimize account opening for these intelligent bots. As you look ahead, the world will be demanding more API access to banks, not less. As such, the future of your institution is worth serious consideration, given the cost of this effort.

Answer these questions, and your path forward will become more apparent.

How Will You Comply: There is a rash of IT architectural and operational problems embedded in Section 1033 that most banks have never thought about. For example, if you had to provide two years of terms and conditions on an account, do you have this information digitally? Is your data clean enough and in a servable format where you can provide it to the accuracy level required, or is a data cleaning initiative required? This Rule ushers in even more of a need for a data lake and associated data tools in addition to the APIs required to be an open bank. Figuring out how you might architect a solution is your next step to solving the Section 1033 challenge.

Buy vs. Build Decision: Once you have a strategic path, the next question is how you plan to get there. If you just want to comply, then you might want to utilize an existing data aggregator such as Plaid, MX, Visa, Finicity, Akoya, Fiserv, Jack Henry, Experian, TransUnion, Morningstar, Blend, or the hundreds of others that will soon pop up to take advantage of this data aggregator gold rush. Most of these solutions will be six to seven figures for the average bank, which will make financial institutions consider building the solution themselves or at least outsourcing the building of the platform.

Choose Your Data Aggregator Carefully: If you do use a data aggregator, then it is worth trying to figure out what else you might want to do with your partner. For efficiency, banks should give special consideration to data aggregators that can also help with retail and commercial account opening, onboarding, and maintenance, as well as with compliance and know-your-customer requirements. The future of banking is composable, so data sharing should be one microservice that you consider using throughout the bank.

A word of warning is that banks need to be careful when getting attracted to an easy, unidirectional solution that just allows them to comply with Section 1033. If the solution is cheap, it might be because you have chosen a solution where you can only lose customers but never gain. Many solutions are only architected to pull account data and accounts away from community banks for the benefit of large banks and fintechs. Don’t let your customers be the product that gets monetized. Choose your partner wisely and consider multiple applications that allow for the bidirectional transfer of data and accounts.

Protecting Your Customer: The rule prohibits the use of consumer data for targeted advertising or sales to other parties, but these third parties can use the data to form a profile that can then result in what is essentially marketing. For example, a third-party data aggregator may seek consent in order to find the consumer a cheaper checking account and, in doing so, suggest several banks where it can then seek authorization from the customer to facilitate the opening of an account. Banks will be utilizing Section 1033 to assist in a seamless account switch. Venmo, Walmart, Amazon, Robinhood, and other non-banks may use Section 1033 to consolidate financial products.

One considerable aspect of Section 1033 is bill pay. Banks give away bill pay because that product aids in account retention. As anyone who has ever tried switching bill pay knows, it is a hassle. Now, Section 1033 makes it easy, as most bill pay information must now transfer over, including payee information and scheduled future payments. This part dramatically alters the value of bill pay and puts many customer relationships at risk.

In general, banks need to start thinking about other products, such as credit, that are outside of the scope of 1033 that will make customers more “sticky” to the primary financial institution. In addition, banks need to consider building out their current product functionality to provide a superior experience.

Going on the Offensive: As such, we recommend an offensive approach. Banks may want to move early to take advantage of Section 1033 to acquire their own customers from large banks and fintechs. Early adopters will catch large banks off guard. We have written about how to gather deposits from digital wallets (HERE); this now makes it immensely more accessible. Before, you had to pay for this data on potential customers; now, you can get it incrementally for free. Banks need to think about the three places where they will acquire customers: expanding relationships with their own customers, acquiring new customers through the bank's own marketing, and acquiring new customers on third-party sites.

Since 1033 covers a whole new array of data, banks now need to think about how they will port over items like transaction history, rate information, terms and conditions, and bill pay data. Banks will also need to think about how to automate the closing of accounts, both their own and at other banks. Will your bank want to allow the automated closing of accounts at your bank, or will this be a manual process? Conversely, it will be interesting to see which large banks expose their account closing workflow through their APIs.

Third-party Due Diligence Criteria: One of the trickier aspects of the Rule is that banks need to make a reasonable judgment about whether the third party has adequate safeguards in place to manage customer data. This places banks in a precarious position. If the bank denies the requesting third party, it risks a lawsuit or complaint about non-compliance. If it does release the information and the third party proves untrustworthy with the data, then the bank could be held liable. Banks were hoping that the final rule would include some blanket liability protection, but no such luck. Banks must be thorough enough to make sure the requesting third parties comply with the data security requirements under the Gramm-Leach-Bliley Act. This is no easy feat. This risk is further compounded by the confusion around whether it is permissible for a bank to rely on a third party, such as a consulting firm or data aggregator, to handle this due diligence. Expending precious due diligence resources on various third parties requesting free data is not something banks were planning for.

Fraud: The customer data that banks are so careful to protect will now be more in the wild. This means that bad actors will have more vectors to gather customer data and use it to impersonate customers or create synthetic identities. Should this occur, banks will need to increase their ability to identify their customers and link them to the appropriate account. The use and quality of third-party data for verification will likely be degraded.

Bank Performance: Consumer accounts will become much more portable, impacting deposit duration, profitability, and the customer experience. Banks will be more apt to market around rate to lure customers over, and defensive banks will have to follow suit. This will further pressure margins. Pausing to understand how you will react to some of these changes will help inform your decision on which path to take and at what speed.

Putting This Into Action

The time to fight this rule has largely passed. While there is an array of lawsuits that have already been filed trying to stop this Rule from going into effect, we are not optimistic, save for a new Republican Administration in the White House.

Europe has lived under open banking for some time and long ago adopted a similar approach to Section 1033 in its PSD2 standard. In future articles, we will look at the lessons learned in Europe about how to combat the portability of accounts, and we will take another dive into the technical architecture required to comply with this new Rule.

While Section 1033 seems daunting and overwhelming, Europe has proven that it doesn’t have to be the end of banking as we know it. The U.S. has many more banks and even more fintechs, so the defense will be more challenging than it is in Europe.

Every bank approaching $850mm in assets should be thinking about how it will protect its consumer customers and how it will use 1033 to acquire new customers. How you market, how you handle your account opening workflow, how you handle your APIs, how you educate your bankers, and how you handle your third-party due diligence of data aggregators will now all have to change at your bank to remain competitive.

Sometimes, we wish we could return to the boring banking days when accounts and rates were regulated, and all you had to do was provide quality service to win an account. Now, it will take a leap forward in technology architecture, process, and data to just keep accounts. Many banks will not be up for the challenge. Section 1033 may inadvertently be one of the most significant catalysts for bank M&A, which is ironic as this rule will likely result in fewer banking choices over time, not more.

Banks that have thought this problem through and execute appropriately will find Section 1033 more of an opportunity than a liability. The road ahead will be difficult, but it won’t be boring.

Published: 10/25/24 by Chris Nichols