Across the globe, the financial information of individual consumers is assembled, maintained, and preserved by financial companies subject to regulatory oversight as to its accuracy and completeness.
Consumers, financial institutions, fintech companies, and financial regulators have increasingly recognized consumer financial data’s importance and intrinsic value. The explosive rise of innovative financial technologies is focusing growing attention on how to enable consumers to use and benefit from new financial products and services. At the same time, these developments pose new issues around how to better understand and manage the risks involved in sharing and controlling consumer financial data.
Consumers increasingly seek access to these new financial technologies, often through fintech companies that depend on data aggregators to obtain the information needed to facilitate such products and services. The growing commoditization of financial data access can be beneficial in the long term. As standards for financial data exchange are now being established, the emphasis is shifting from data access issues to the need for effective third-party risk management for data recipients.
Data Recipient Risk Management has become more urgent as consumer demand expands and consumer expectations become better established and more sophisticated. With the continued evolution of consumer experience, the tenets of open banking are being refined to shape and respond to what customers are demanding to meet their broader financial needs, including traditional banking products and investment, insurance, and retirement services. Any prior notions of “status quo” banking are now clearly outmoded, as the playing field has become deeply dynamic.

Open Banking in the United States: The Essential Role of the 1033 Rule
As the global open banking market is growing exponentially, Canada and the United States are seeing open banking adoption, regulation, and standardization mature rapidly. In 2010, in the Dodd-Frank Act that created the U.S. Consumer Financial Protection Bureau (CFPB), Congress mandated that the new agency adopt a specific regulation governing consumer financial data access. In particular, Congress stated that any person who offers or provides consumer financial products or services shall make available to a consumer, upon request, the information it has concerning the products or services that the consumer obtained from it, including information relating to any transaction or account, including costs, charges, and usage data. At the time, Congress’s decision to impose this regulation – known as the 1033 Rule for the authorizing section in the Dodd-Frank Act – reflected the need for greater clarity in addressing the realities of a market that had already begun moving rapidly on its own to address the challenges of consumer access to financial data for third-party uses.
Over the past decade, the CFPB engaged in extensive data gathering and supervision of consumer financial products and services to help evaluate the issues implicated by the 1033 Rule. It then embarked on the lengthy formal rulemaking processes that Congress required in the Dodd-Frank Act. On November 9, 2024, the CFPB issued its final rule to carry out the personal financial data rights established by the law. The final rule requires banks, credit unions, and other financial services providers to make consumer data securely and reliably available, upon request, to consumers and their authorized third parties. It defines the obligations for third parties that access such consumer data, including essential privacy protections. It also promotes fair, open, and inclusive industry standards for data access and data sharing.
It is generally recognized that financial institutions face conflicting incentives in meeting their obligations under Section 1033, which mandates data access for consumers and their authorized third parties, and under the safety and soundness regulations outlined by the Gramm-Leach-Bliley Act (GLBA) for entities with a banking charter. While Section 1033 promotes openness in sharing information, the GLBA emphasizes the need for appropriate controls and sensible risk management. These two imperatives need to be reconciled as a practical matter, which presents some difficult challenges for those involved in assuring compliance with these provisions.

Risks Posed to a Stable Consumer Data Ecosystem
The 1033 Rule addresses some of the ambiguities within the realm of open banking in the United States. It facilitates consumer data portability, competition and innovation in financial services, and a more interoperable financial ecosystem. Yet it does not resolve all the issues implicated by this approach. Like those in the United States, open banking ecosystems worldwide face foundational challenges related to trust and risk. As the adoption of open banking expands, data providers encounter increasing liability risk. Current third-party risk management solutions are fragmented and do not adequately address modern data-sharing needs or align risk with data usage and access volume. A typical bank focuses on managing conventional vendor risk, which presents a very different risk profile from that of Data Recipients; the risks that Data Recipients bring therefore require a different approach, especially given the scale of activities involved. While a bank may be accustomed to managing a few dozen vendors, it now must contend with the burden of dealing with thousands of open banking businesses.
This disparity has led to several gaps in the market as it stands today, including:

- Traditional third-party vetting processes that are inadequate for the realities of an open banking ecosystem with thousands of third and fourth parties in the transaction chains.
- A lack of a standardized accreditation process.
- No real-time monitoring for ongoing risk management.
- Inadequate liability solutions that transfer risk to the aggregator, who may be unable to cover significant losses.

At the same time, as described more fully below, the CFPB may not now be in a position to supervise the market effectively, due to staff layoffs, budget cuts, and restrictions on its activities imposed by the new Administration. To help implement the 1033 Rule, regulatory guidance would normally be formulated to provide greater clarity on issues that the financial industry will inevitably surface as it works through the details of applying the new provisions. The data-sharing practices between data providers and data recipients are particularly relevant for new and improved financial experiences like budgeting tools, access to lending, and payment apps. Nonetheless, it seems doubtful that the agency will be inclined to produce, or even capable of producing, such guidance in the current unsettled environment, which is also jeopardizing the future of the 1033 Rule itself.

Timeline and Recent Developments
The environment surrounding the adoption of the 1033 Rule has become chaotic after the change of Administrations, which has created great uncertainty around the future direction of leadership at the CFPB. The agency’s priorities and its level of administrative capability for now are highly unpredictable. Listed below are some of the recent developments that are pertinent to the implementation of the 1033 Rule:

- On October 22, 2024, the CFPB issued its Final Rule to carry out the personal financial data rights established by the law.
- On October 23, 2024, a group of Kentucky bankers filed a lawsuit challenging the validity of the 1033 Rule. The case is on a “medium” fast track, with briefings set for May and June 2025. It is unclear how the disposition of the lawsuit may affect the rule, which again is mandated by an act of Congress. The CFPB has begun engaging with the industry to implement the rule, but the ongoing disruptions at the agency have slowed further work. Unless the rule is enjoined or withdrawn, the first compliance deadlines it imposes for the largest financial institutions (those with more than $250 billion in total assets) are set for April 1, 2026, with staggered annual deadlines set thereafter for progressively smaller institutions.
- On January 8, 2025, the CFPB officially recognized the Financial Data Exchange (FDX) as an industry standard-setting body for the U.S. open banking ecosystem. FDX plays a crucial role in setting and maintaining industry standards for data sharing and security, thereby promoting a fair, open, and inclusive open banking ecosystem.
- On February 1, 2025, President Trump fired CFPB Director Rohit Chopra and initiated a series of interim leaders at the agency. Russell Vought, the OMB Director, is currently the acting CFPB Director. Jonathan McKernan was nominated as the CFPB Director, and his nomination was pending before the Senate but has recently been withdrawn.
- In May 2025, Bloomberg reported that the CFPB is likely to revisit the 1033 Rule based on requests from banks about potential liability for data breaches and the ability to charge for access to customer data, and that banks are also seeking the ability to block companies that misuse their access to customer data from the open banking system. Acting CFPB Director Vought has already set aside numerous regulatory, supervisory, and enforcement actions by the agency in a clear effort to reduce its footprint in the financial sector. He also dismissed most agency employees responsible for the 1033 Rule as part of an April reduction-in-force (RIF) plan that would have cut the agency’s workforce from about 1,700 members to about 200 members. The National Treasury Employees Union and other plaintiffs sued to block the RIF plan, which is on temporary hold while the litigation proceeds and is currently pending on appeal to the D.C. Circuit.

Although the CFPB appears to have followed all the required legal processes to produce the 1033 Rule, the current legal challenges and the unprecedented disruptions to the agency’s ongoing work environment will at least undermine the rule’s effectiveness and perhaps lead to its no longer being legally binding at all. Yet even in the face of these uncertainties about the rule, many larger banks are already committed to making the intended changes and are likely to press on with the current deadlines pending more definitive guidance. Further pressure from state regulators may spur many smaller banks to lead their own compliance efforts.
The turmoil unfolding at the CFPB still leaves other financial regulators (including state regulators) in place to carry out their standard responsibilities to ensure safety and soundness at the financial institutions they oversee. There is consensus among those engaged with open banking about the need to enhance secure access to financial data while ensuring this access is not unfairly restricted for the many fintech companies already innovating in the financial services sector on behalf of consumers who have expressly authorized their efforts. Despite the overhang of regulatory uncertainty, the marketplace requires a cohesive solution that effectively vets and monitors third parties, manages risks, delivers actionable insights, and addresses challenges related to fraud and liability.
Transform your approach to Data Recipient Risk Management with the Invela Network. Partnering with leading industry experts, we empower Financial Institutions to scale effectively and navigate uncertainty with confidence. Ensure you’re prepared for today and future-proof your success. Let’s connect and secure your risk management strategy now!