The CFPB’s 1033 Open Banking Final Rule expands the scope to include payment apps

The Consumer Financial Protection Bureau added payment apps and other financial products to its final open banking rule and provided for some secondary uses of data in line with its focus on innovation.

The CFPB is expected to publish the final rule on Tuesday, but materials describing the final rule were provided to American Banker in advance of its publication.

The final rule borrows heavily from the CFPB’s proposal from a year ago, but appears to include some significant changes to the rule’s scope, secondary uses, and compliance deadline, which has been extended by 10 months for the largest banks. The Open Banking Rule is referred to by the industry as “1033” for the section of the 2010 Dodd-Frank Act that gave the CFPB the authority to implement how consumers control their own financial data.

The CFPB rule, named after Section 1033 of the Dodd-Frank Act, requires banks to securely share financial information about checking accounts, prepaid cards, credit cards, mobile wallets, payment apps and other financial products. The final rule added payment apps and other financial products, bringing Apple Pay, Google Pay, PayPal, Zelle and Venmo, as well as other apps, into the scope of the rule. The change is further proof that third-party apps are the dominant forces in banking and payments. Many expect Electronic Benefit Transfer (EBT) accounts and Supplemental Nutrition Assistance Program benefits, known as SNAP, to also be included.

For banks, the biggest change could be liability for fraud and data breaches by third-party fintechs. Banks are worried the regulation exposes them to greater liability and also requires costly oversight of third-party fintech companies, a tall order in an ecosystem full of data and an abundance of fintech newbies. As the main data providers, banks certainly have the ability to deny third parties access to consumer data if a company poses risks to the financial system.

CFPB Director Rohit Chopra signaled in prepared remarks that the bureau is in constant communication with other financial regulators to advance open banking.

“The final rule clarifies that if consumers authorize companies to obtain their personal financial information on their behalf, those companies will do so not as a service provider to the financial institutions that hold the consumer’s data – these companies act on behalf of the consumer,” Chopra said in his prepared remarks. The comments mean that banks may not be able to rely on third-party risk management considerations to deny access to third parties.

The CFPB has not issued a broader participant rule for data aggregators, as some had hoped. Rather, all companies involved in data access – not just banks – must comply with the data security requirements of the Gramm-Leach-Bliley Act.

In another change from the proposal presented last October, the final rule would permit secondary use of consumer-authorized information by third parties to improve the product or service requested by the consumer without obtaining separate authorization. Fintech providers and some consumer advocates called on the CFPB to provide for secondary use of the data for training underwriting models and anti-fraud tools, as well as research and product development.

“The rule is intended to ensure that open banking does not become a new data pipeline that fuels surveillance pricing or other manipulative mischief,” Chopra said in prepared remarks for a speech to be delivered at a Fintech Week conference hosted by the Federal Reserve Bank of Philadelphia.

The final rule also makes some adjustments to the performance requirements that banks and other data providers must meet for data access. Under last year’s proposal, institutions would have been required to fulfill 99.5% of data requests in just 3.5 seconds – goals that some CFPB experts said would be too difficult to achieve. Exactly what those adjustments are was not explained.

The final rule also clarifies that tokenized account numbers—randomly generated numbers that replace a customer’s actual account number, thereby reducing the risk of financial fraud—are permitted as long as they are not used in an anticompetitive manner.

Chopra said the rule aims to address market concentration that limits consumer choice and allow consumers to access their own bank account transaction information – or allow a third party to access it – without charging fees.

“Personal financial information is sensitive and there are fundamental protections and rights that should accompany access to this type of information,” he said in prepared remarks.

Specifically, the rule is intended to ensure that data is collected and “used minimally, stored securely, transferred correctly, and deleted when no longer needed or when access is revoked by the consumer,” Chopra said.

Chopra said the suggestion would increase competition by helping consumers switch banks more easily. The rule creates strict data security and privacy standards and Chopra reiterated that consumer financial data must only be used for a specific purpose.

National Economic Adviser Lael Brainard echoed those views in a prepared statement, saying the rule “will make it easier for consumers to switch banks and use financial services that better meet their needs, provide more opportunities for innovative new businesses to compete, and reduce costs for consumers.”

The rule imposes strict privacy protections and requires that personal financial data that is collected be used only for the purposes authorized by the consumer. The final rule prohibits data collection and prohibits third parties from collecting, using, or retaining consumer information for targeted advertising, cross-selling products, or other business purposes. The rule does not prohibit any particular use of data, but rather requires that any use be guided by what is necessary to provide the product desired by the consumer.

The CFPB said it will develop additional rules to address other products, services and use cases that many believe affect mortgage and auto loans.

The CFPB gave the largest banks until April 1, 2026 to comply, while the smallest banks have until April 1, 2030. Only banks and credit unions with assets of more than $850 million and non-custodial businesses of any size are required to provide data under the rule. Certain small banks and credit unions are not subject to this regulation.

Consumers have been sharing their banking transaction data for years using the common but risky practice of “screen scraping” – sharing usernames and passwords with third parties. The CFPB said screen scraping carries inherent risks, such as excessive data collection, inaccurate data sharing, and credential dissemination.

The rule would further promote the adoption of secure application programming interfaces (APIs) by allowing data exchange in a standardized format. The CFPB has already received a request for recognition from the Financial Data Exchange, an industry body that sets data formatting standards.

Under the final rule, consumers have the legal right to know what data is collected, where the data is stored, with whom the data is shared – and to revoke access at any time. If an individual revokes access, the rule requires that data access be immediately terminated and the data deleted. Data access may be maintained for one year unless the consumer agrees to further extended access.

Some experts think that Rule 1033 will strengthen community banks and fintechs to better compete with big banks and reshape the way consumers use their personal financial data. Open banking is also expected to accelerate the replacement of paper statements – and potentially eliminate the need for checks. Providing a digital data stream has the potential to significantly reduce fraud, say experts who have been working on the rule for years.

The ban on bank fees is in line with other countries. No other country with an open banking system – this list includes the United Kingdom, the European Union, Australia, India and Singapore – allows banks to charge fees.