Open Banking is open for business: CFPB's proposed Rule 1033

The Consumer Financial Protection Bureau (CFPB) is formally inviting financial institutions to open their minds to the concept of Open Banking.

Proposed in October 2023, CFPB’s Rule 1033 empowers consumers to be more involved in their financial transactions, and it also outlines new requirements for the financial organizations that process consumer financial data.

For companies operating in the financial sector, understanding Rule 1033’s applicability – as well as its potential opportunities and challenges – is critical.

Considering Consumer Rights

Primarily, the Proposed Rule aims to grant new rights and protections to financial consumers, and by doing so, give them greater control of their data:

Easy access:

Consumers would have the right to access their financial information without having to jump through a million hoops or incur fees for such requests. Information would have to be delivered upon request, in a user-friendly digital format, and it must include all the helpful elements, such as account balances, transaction details, and other data points relevant to a consumer’s financial picture. To put it simply, access needs to be made easy for the consumer and comprehensive in scope. Also, customers can restrict the processing of their data just as easily.

Simplified sharing:

Consumers are not the only recipients of data contemplated by the CFPB with their recently introduced Rule. Under the Rule, Consumers could also request that their data be shared with third parties, like other financial organizations or Fintech companies, and in a simplified format.

This sharing should only take place for the purposes intended by the consumer. In addition to giving consumers more say in how and why their data is flowing, this move also hopes to stoke innovation in the financial world. When consumers can more easily take advantage of cutting-edge companies and tech, firms will need to compete to earn and maintain trust, and the benefits to consumers will naturally follow.

Enhanced security:

Part of the Proposed Rule also aims to supercharge the security efforts of organizations that handle consumer financial data. Traditional practices like “screen scraping” (which requires consumers to share usernames and passwords to access third-party apps) is discouraged, and the CFPB has also made it clear that organizations must implement strong security safeguards and authentication procedures moving forward.

Consumers should have increased control over their data and increased confidence that it is being respected and protected by those processing it. Organizations that take a lackluster approach to security can expect to hear from the CFPB and remember – consumers who lose trust in a service provider’s safeguards can now easily move their business elsewhere under the Proposed Rule.

Common challenges that arise with open banking

Clearly, open banking will be more than just a small change for many organizations. Here are some of the challenges may be on the horizon for organizations preparing for this new frontier:

Timing

The deadline for being ready for CFPB’s new rules currently depends on your organization’s scope and practices:

• Depository institution data providers that hold at least $500 billion in total assets and nondepository institutions that generated at least $10 billion in revenue last year, or plan to this year, must comply within 6 months of the publication of the final rule.
• Depository institutions that hold between $50 billion and $500 billion in total assets and nondepository institutions that generated less than $10 billion in revenue last year, or plan to this year, must comply within 1 year of the publication of the final rule.
• Depository institutions that hold between $850 million and $50 billion in total assets must comply within 2.5 years of the publication of the final rule.
• Depository institutions that hold less than $850 million of total assets must comply within 4 years of the publication of the final rule.

It’s worth mentioning that while some smaller institutions that offer no digital products may be exempt from the provisions of the proposed rule, if customers have begun to expect a certain experience due to the rulemaking, compliance may still be a prudent business strategy.

Security and governance

As highlighted earlier, increased security and governance measures are a point of focus of the Proposed Rule, and organizations must capitalize on whatever time they have to ensure that they rise to the occasion.

As the transfer of sensitive consumer data is anticipated to increase due to the ease with which consumers can now request it, organizations must be even more prepared to safeguard this rapidly flowing data. Companies must ensure they are only accessing and sharing data for the purposes outlined by consumers, and as transfers increase, so also does the risk of potential breaches.

How strong are your organization’s Data Governance and Cybersecurity practices, and how strong are those of the vendors and third parties which help support your business? The answers could mean the difference between success and failure in the new world of open banking.

Innovation

An obvious goal of CFPB’s Propose Rule is to increase competition in the financial sector. Winning the customer’s initial trust will no longer be enough. True, it’s great they’ve chosen to do business with you at the outset – but can you keep them interested?

The increased agility the Proposed Rule provides consumers to move their business from one organization to another highlights the role that innovation will play in customer retention moving forward. Consumers that were once tethered to a financial partnership because of the difficulty of leaving can now quickly move on with ease.

Financial organizations will need to constantly innovate to keep consumers interested – fee structures, terms, and product offerings need to all be eligible for updates to stay competitive.

Getting started

So…what now? As with most large-scale industry changes, there will be many organizations that resist the coming changes, whether vocally or simply in practice. This, however, only increases the opportunities for organizations who are quick to wrap their arms around the changes early on.

For those organizations who want to quickly stand out and impress consumers, start with these questions:

How embedded is consumer trust in our organization?

The Proposed Rule’s emphasis on consumer control, openness, and education may require substantial changes for some organizations. Processes should be designed with consumer trust in mind, and consumers should have a good understanding of how and why your company uses their data.

How strong are our data safeguards?

Being a responsible data steward will be a must in the new world of open banking. Organizations must implement purpose limitations in their data processing practices, and the security of consumer data is more paramount than ever.

Do customers see us as a strong partner?

Consumers will be looking for partners, not just financial providers, moving forward. The need to consistently deliver innovative products, be more inclusive to consumer demographics, and continually win customer trust will be the new standard that sets organizations apart from each other.

It goes without saying, CFPB’s Proposed Rule 1033 is a strong move forward in favor of consumers, and it signals that the old ways of doing business are changing.

In many ways, open banking will be a true reset of the financial industry – one with new obligations, and huge opportunities, for financial organizations. Those that rise to the occasion of the former will be the ones to reap the benefits of the latter.