
CFPB Open Banking Rules are Coming Soon: Four Actions to Take Now


The CFPB’s section 1033 rule is nearing finalization; what can financial institutions do to prepare?


Open banking has been top of mind for many financial services companies since October 19, 2023. That’s the day the Consumer Financial Protection Bureau (CFPB) released a notice of proposed rulemaking to implement section 1033 of the 2010 Dodd-Frank Consumer Protection and Wall Street Reform Act, which aims to enshrine personal financial data rights.

The proposed rule is intended to establish a regulatory framework to govern the sharing of certain types of financial data housed at financial institutions. Also known as open banking, the practice of data sharing has been happening for some time in the U.S., but this will be the first time that federal financial protections would apply to it.

For consumers, this means easy access and sharing of their financial data for just about any purpose imaginable. For financial institutions, much of the discussion has been focused on additional regulatory burdens and the level of investment required for compliance. 

However, in the 10 months since the rule was proposed, I’ve spoken extensively with industry participants and Fiserv clients about how they’ve been thinking through potential impacts to the market, both positive and negative. Over time, I’ve noticed a distinct shift in the thinking from financial institutions, particularly from regional and community institutions.

Financial institutions still have concerns, but many are starting to see that this regulatory framework can create opportunities for product efficiency and consumer ease of access. After all, open banking makes it possible for financial institutions to offer the kinds of new and improved products and services that customers want, including faster onboarding experiences; better and faster loan origination decisioning; easier mortgage applications; and robust in-house personal financial management dashboards. 

Where we sit today

The bureau is aiming for an October 2024 release of the final rule. If the final rule is unchanged from the proposal released in October 2023, then it will impose a tiered implementation based on the size of the organization.

So, what can financial institutions do to get ready for section 1033 in the remaining time before the issuance of a final rule? Entities covered as a “data provider” under the proposed rule have several intermediate steps that can be done now to hit the ground running when a final rule is ultimately released. (The CFPB defines a data provider in section 1033.111 of the proposed rule.)

1. Map the data elements

The proposed rule requires data providers, which are financial institutions, to make certain information available for consumer-permissioned data transfers. "Covered data" in the proposed rule ranges from a Regulation E or Regulation Z account and routing number to the rewards benefits associated with these account types. (A full listing of covered data can be found in section 1033.211 of the proposed rule.)

Understanding where all this data resides within a financial institution’s architecture today as well as how that data can be retrieved is a foundational step to ultimately making these data elements readily available for permissioned data transfers.

Most financial institutions use more than one service provider to support their operations. A financial institution’s core provider may be different than its digital platform service provider, which may be different than the providers for data warehousing, loan origination software, rewards and benefits or other services. As a result, the data that needs to be made available under the proposed rule might be housed in a range of disparate systems.

Taking the time now to identify where all proposed covered data resides today, even if the final rule slightly alters the definition, can provide financial institutions with a solid baseline of how this information will need to be communicated between service providers, and with the financial institution’s developer interface.

2. Begin thinking about how data elements will be consolidated

The proposed rule requires data providers to create “developer interfaces” to make data available when a consumer gives permission for its transfer. Data elements coming from multiple locations will need to be quickly accessible to comply with the data transmission requirements in the proposed rule. Identifying one centralized location or service provider to be responsible for this internal aggregation of eligible data will assist in meeting the standards contemplated in the proposed rule for developer interfaces.

Financial institutions should ask themselves: Where will that data consolidation happen when a data-request call comes in? This leads to the next question: Is it beneficial for my financial institution to build its own developer interface, or is it more beneficial to contract with a service provider to build the developer interface and run it on my institution’s behalf? 

Now is a good time to begin asking your vendors what kinds of solutions they have to support your developer interface needs. 

3. Understand your accountholders’ current data-transfer uses

To answer the questions regarding a developer interface, it is beneficial for a financial institution to understand how its accountholders are using data transfers today and with what level of regularity. These transfers could encompass anything from transferring money to an external investment account or online gambling site, to recurring monthly transfers to an external savings account, to the curation of financial management dashboards, or a pass-through transfer that facilitates the use of a peer-to-peer digital payments wallet. 

The usage and monthly volume of data will provide meaningful information that financial institutions can use to assess the potential cost of either building a developer interface or partnering with a service provider to offer one. While the cost structure for API portals is not uniform across the industry, several different models offer a fee structure based on the usage of the system, both in number of registered tokens and volume of traffic. When a financial institution knows how much activity it currently has, it will have a better idea of what future usage might look like and be able to better assess the most cost-effective way to offer a developer interface. 

Beyond using this data for a technology acquisition assessment, financial institutions will gain valuable insight about the services their accountholders are engaging in, which could result in new, more tailored product offerings to the customer base. 

4. Embrace the possibilities

While the CFPB’s rulemaking will impose new regulatory requirements on nearly all financial institutions in the United States, it also creates possibilities that go far beyond mere compliance. The ability to quickly and efficiently aggregate critical accountholder data from multiple sources will enable financial institutions to evolve their product experience, create new services and solutions, and improve their ability to serve their accountholders.

SIDEBAR

Embrace open banking with Fiserv

Open banking solutions from Fiserv empower mutually beneficial collaboration with a robust ecosystem that expands your options and enhances the consumer experience.

  • Next-generation financial services platform: Finxact sets the stage for enhanced efficiency, accelerated growth and satisfied consumers.
  • Collaborative online marketplace: AppMarket helps financial institutions add new capabilities quickly.
  • Innovate with consumer-permissioned data: Comprehensive Data Aggregation provides the actionable insights needed to develop targeted solutions. 
  • Build on Fiserv platforms: Developer Studio combines the tools and documents developers need to build revolutionary fintech products.  
  • Simplified, once-and-done integration: Communicator Open greatly simplifies third-party fintech access. 
  • Cloud-based data management: Data Compass ensures your financial institution leverages the data it collects.

For example, think of the improvements to the mortgage application or loan origination process that could be made with more uniform banking options. Accountholders may no longer need to upload PDFs or other documentation into a secure portal, instead providing the lender with the ability to access the information through a consumer-permissioned data transfer. Financial institutions can also gain the ability to curate financial well-being dashboards that keep accountholders more engaged with them as their primary financial institution. 

At Fiserv, we believe the open banking framework creates real possibility to expand service offerings and make it easier to engage with potential and existing customers or members. 

Open banking is coming

There have been plenty of articles (like this one from American Banker’s Ryan Miller) about how open banking can be a net positive for financial institutions of all sizes. Like it or not, the CFPB’s section 1033 rulemaking will likely become a regulatory requirement. Now is the time to start preparing, and if you take the four actions outlined above, your financial institution will likely be better positioned to enact a plan to both achieve compliance with section 1033 and realize the potential benefits.
