In a rare acknowledgement of its missteps, the Consumer Financial Protection Bureau (CFPB) is planning on unwinding its finalized rule on section 1033 of the Dodd-Frank Act. The move is ultimately a win for consumer data privacy and will prevent data-sharing risks from endangering consumers and placing undue liability on banks.
The CFPB’s change comes in the wake of its litigation with the Bank Policy Institute and the Kentucky Banker’s Association, in which the two parties sought injunctive relief, arguing the bureau had exceeded the bounds of its statutory authority. The CFPB filed to vacate the rule in May, making a complete 180 and acknowledging that the rule exceeds the original intent of the statute. The original intention of the rule was to ensure consumers have access to information about banking services. Section 1033 was never meant to mandate data sharing for third parties on behalf of bank customers.
The finalized rule would have pushed to establish open banking. The 1033 rule, if implemented, would have given consumers the right to freely share their account information with authorized third parties such as fintech companies and other financial institutions.
The type of data could range from account balances to transaction records and fee schedules. The CFPB intended to use the rule to stimulate competition and allow consumers to compare banks and switch financial service providers. However, the rule contained several unaddressed oversights posing risks to consumers and banks alike.
The rule would have required data providers (a term covering depository institutions, card issuers, and other financial institutions) to offer free access to consumer data at the customer’s request to an authorized third party. Banks would be responsible for the establishment and maintenance of a developer interface such as an API to facilitate data access.
The CFPB’s prohibition on fee collection to offset compliance costs associated with the rule became a focal point of scrutiny. The CFPB argued in its memorandum of support that the silence on fees within the statute does not confer a reasonable justification for a blanket fee prohibition within the rule.
Another concern emerged regarding the ability of third parties to engage in screen-scraping. The final rule lets customers authorize third parties to use their login credentials and directly access data through the customer’s user interface. The rule would even classify account and routing numbers as data that must be shared by banks with third parties.
In other jurisdictions where comparable measures have already been implemented, such as the U.K. and the EU, rules are in place allocating liability among the relevant parties when a third party suffers a data breach. The CFPB’s rule offered no equivalent protection. This meant that banks could be held liable if a third-party data recipient suffered a data breach, even if the customer had authorized the data sharing.
The current system for third-party data sharing by financial institutions involves individual bilateral agreements on how data is shared and what that data can be used for. Government agencies should not attempt to involve themselves in upending private contracts and set data-sharing agreements.
Section 1033 was never intended to establish an open banking regime. The CFPB’s reversal on 1033 demonstrates the agency’s acknowledgement that its interpretation of the statute was far too overreaching. Federal agencies must respect consumer data privacy and avoid intervening to open a Pandora’s box of safety issues financial institutions already keep well contained.
Author: Andrew Gins
This content is courtesy of, and owned and copyrighted by, https://www.atr.org and its author.