Section 1033 Establishes Important Rules for Financial Data Sharing & Consumer Privacy Protections.
Guest Contributor:
David Ritter, CEO of Privacy Lock
On October 22, 2024, the Consumer Financial Protection Bureau (CFPB) finalized Section 1033 of the Consumer Financial Protection Act, an important regulation that grants consumers new privacy rights and data protections over financial data. The rule moves the U.S. financial industry toward an open banking system, with the goal of creating greater competition and consumer choice for financial products and services.
Section 1033 is at once a framework establishing acceptable practices for data sharing between financial services companies and a data privacy regulation establishing rules for protecting the privacy rights of financial consumers. According to the CFPB, the final rule “establishes strong privacy protections, requiring that personal financial data can only be used for the purposes requested by the consumer. It ensures that third parties cannot use consumer data for other purposes that benefit the third party, but that consumers do not want.”1
Although many financial companies may not be excited about having to comply with new obligations imposed by Section 1033, increased data protections for financial consumers are long overdue and will ultimately bring much needed transparency and safeguards to the industry.
Who Is Covered by Section 1033?
The final rule imposes new compliance obligations on data providers – financial institutions, card issuers, fintech companies, data processors, and other entities that control covered consumer financial products or services. Data providers identified in the final rule include:
- Financial institutions, as defined in Regulation E
- Card issuers, as defined in Regulation Z
- Any other entity or person that controls covered financial products or services. (This would include data processors, digital wallets, fintechs, and other entities that process covered consumer financial data).
Providing Data Access
The final rule requires that data providers make covered data available to consumers and authorized third parties. Covered data includes the following:
- Transaction Information: Including at least 24 months of historical transaction information in the control or possession of the data provider
- Account Balance Information
- Payment Information to or from a Regulation E account directly or indirectly held by the data provider. This category includes an account and routing number that can be used to initiate an Automated Clearing House transaction.
- Terms and Conditions: Agreements showing the terms of the legal obligation between a data provider and a consumer for a covered consumer financial product or service.
- Bill Information: Includes information about third party bill payments scheduled through the data provider and any upcoming payments due from the consumer to the data provider.
- Basic Account Verification Information: Name, address, email, and phone number associated with the financial product or service.
Data providers will be required to provide consumer interfaces (such as online banking interfaces), as well as developer interfaces for data sharing. Covered data must be provided in a machine-readable format that consumers or authorized third parties can use to transfer it into other information systems. The final rule also makes clear that screen scraping will not be permitted as a mechanism for data sharing.
Exceptions: data providers are not required to provide access to confidential information, information collected for the purpose of preventing fraud or money laundering, or information that violates confidentiality under the provision of other laws. Confidential information under this exception may include algorithms used to derive credit scores or other risk scores or predictors.
Compliance Dates
The final rule made two significant changes from the original rule proposal. First, it pushed back compliance deadlines to give data providers more time to comply. Second, it established an exemption for financial institutions with fewer than $850M in total assets. Compliance dates in the final rule are provided below:
- April 1, 2026, for depository institutions that hold at least $250 billion in assets or for nondepository institutions that generated at least $10 billion in revenues in 2023 or 2024;
- April 1, 2027, for depository institutions that hold between $10 billion and $250 billion in assets and for all other nondepository institutions;
- April 1, 2028, for depository institutions that hold between $3 billion and $10 billion in assets;
- April 1, 2029, for depository institutions that hold between $1.5 billion and $3 billion in assets; and
- April 1, 2030, for depository institutions that hold between $850 million and $1.5 billion in assets.
Authorized Third-Party Obligations
An important section of the final rule addresses third-party data sharing. Remember that data providers are responsible for ensuring that consumer data is shared securely and in a way that protects the consumer’s privacy rights, which includes managing consumer consent requests. The final rule establishes the following obligations for authorized third parties:
- Authorization Disclosure: Must provide clear disclosure to consumers, including details about the data collected and the purpose of data collection and processing activities.
- Obtain Consumer Consent: Authorized third parties must obtain express informed consent by obtaining an authorization disclosure that is signed by the consumer electronically or in writing.
- Limitations on Data Use: Third parties must limit collection, use, and retention of covered data to what is reasonably necessary to provide the consumer’s requested product or service.
- Restrictions: Third parties may not collect or process data for targeted advertising, cross-selling, or sale of covered data.
- Reauthorization: Third parties may only collect covered data for a maximum duration of one year. After that, the third party must obtain new authorization from the consumer.
- Revocation Mechanism: Authorized third parties must provide a means for the consumer to easily revoke the third party’s access to covered data.
Prohibition Against Evasion
The final rule prohibits data providers from taking actions with the intent of rendering data unusable or to otherwise interfere with consumers’ ability to access data.
Key Takeaways
While the rule-making process for Section 1033 was a long time coming, it represents a clear trend at both the state and federal level towards greater data privacy protections for consumers. Similar to the more than twenty state privacy laws that have been enacted, Section 1033 asserts that consumers – not their financial providers – own their financial data, and can exercise various rights to access, control, and limit sharing of their data. This also includes the right to request that a financial institution provide the consumer with their financial data in a format that can be brought to another financial institution – in other words, to facilitate a consumer’s choice to shop with competing financial services providers.
Some trade groups have already filed lawsuits against the final rule, which may affect the ultimate rollout of CFPB enforcement. Even so, strong consumer demand for privacy protections is sure to pressure financial businesses to take consumer privacy rights seriously. In its research, the CFPB cited a 2015 Pew Research survey which found that 93 percent of Americans said it was very or somewhat important to have control over their information.2 This kind of demand driver will be hard for financial companies to ignore, even if they fall into the exemption category for depository institutions with less than $850M in assets.
Why Section 1033 Is a Win for Banks, Consumers, and the Financial Industry
Financial data processing capabilities have moved far beyond regulatory protections for consumer data that were written decades ago. Too many consumers are having their bank accounts and credit cards compromised, and their sensitive financial information shared or sold without consent. Especially now, as AI technologies are finding their way into financial software and banking technologies, new data protections are essential to ensure that the U.S. financial services industry is secure, reliable, and consent driven. The use of AI products in financial services will significantly increase the quantity of consumer data that is collected and processed. Seen through this lens, Section 1033 is a necessary step to prepare banks and financial companies for the next generation of financial products and services.
About the Author.
David Ritter is CEO of Privacy Lock, the first privacy compliance platform built for financial companies.
Privacy Lock is a privacy platform that helps banks and financial companies automate compliance with state and federal data privacy laws. Our mission is to help businesses transform the way they collect and manage data by embedding privacy protections. Privacy Lock is the only privacy solution that never collects customer data. Find out how Privacy Lock can be your partner in privacy. To learn more, please visit https://www.myprivacylock.io
SOURCES:
1 https://www.consumerfinance.gov/about-us/newsroom/cfpb-finalizes-personal-financial-data-rights-rule-to-boost-competition-protect-privacy-and-give-families-more-choice-in-financial-services/
2 Pew Research Center, Americans Hold Strong Views About Privacy in Everyday Life (May 19, 2015), https://www.pewresearch.org/internet/2015/05/20/americans-attitudes-about-privacy-security-and-surveillance/pi_15-05-20_privacysecurityattd00/