By: Ben Soccorsy, Tom Carpenter and Urooj Burney
Published: August 02, 2024 | Updated: August 08, 2024
This is part of Mastercard’s “CFPB Section 1033 Preparedness” series, which is designed to help Financial Institutions understand and prepare for the pending CFPB 1033 regulation. The series will include insightful articles and webinars featuring industry leaders discussing the implications of the regulation and how financial institutions and other market participants can best set themselves up for success as the rules are finalized.
What impact will the proposed Consumer Financial Protection Bureau (CFPB) rulemaking to implement section 1033 of the Dodd-Frank Act have on consumers and small businesses? What are the opportunities and challenges for financial institutions and other market participants?
To answer these questions, we hosted a panel of four experts: Ben Soccorsy, executive vice president of open banking at Mastercard; Anthony Burton, senior vice president of open banking at Truist; Urooj Burney, senior principal for cyber & enterprise risk at Mastercard; and Tom Carpenter, senior vice president for open banking industry & policy engagement at Mastercard.
The top takeaways from the conversation included:
1. Consumer empowerment is at the heart of CFPB Section 1033 rulemaking
Section 1033 gives consumers and their representatives the right to access and securely share their financial data with third parties via APIs that follow soon-to-be CFPB-recognized industry standards.
The financial data in focus in the proposed rule includes account details, transaction information (amounts, dates, payees, historical data and fees), account balances, terms and conditions, upcoming bill information and account and routing numbers.
What does this mean for consumers? For one, they will be able to more easily manage accounts from multiple providers and switch providers if they discover a product or service that more clearly fits their needs. Additionally, it creates more opportunities for financial institutions to offer services like cash flow-based underwriting, which can improve pricing and access across credit markets.
“Consumers have a right to their financial data, and they have a right to maximize the value of it to their benefit. Empowering consumers and small businesses is at the heart of what open banking is all about,” said Soccorsy.
2. There is a wide range of considerations to prepare for the rulemaking
By thinking strategically about how to plan for the CFPB 1033 regulations, financial institutions can better prepare to drive more value for consumers in an increasingly competitive environment. Key questions for institutions to address include:
- API enablement: Do you have APIs already enabled? How will you monitor and report the performance and reliability of your APIs to ensure seamless and secure data sharing with third parties?
- Third-party risk management: What criteria will you use to evaluate and onboard third-party data recipients to ensure they meet security and compliance standards? How will you continuously monitor and manage the risks associated with third-party data liability?
- Operations and processes: What changes will you need to make to your current operational processes to align with the regulation requirements? How will you train and support your staff to ensure they understand and effectively implement the new processes and procedures?
- Information security: What security measures will you put in place to protect the data shared via APIs from unauthorized access, breaches and other cyber threats? How will you regularly test and update your information security protocols to stay ahead of evolving threats?
- Data-in opportunities: How can you leverage data to create more value for your consumers and your business? How can you ensure that third-party data is accurate, relevant and integrated securely into your systems and data analytics?
3. Financial institutions should explore the benefits of being a data recipient
The proposed CFPB 1033 rule creates an important moment for traditional banks, who are often data providers, to also become data recipients. With more data, financial institutions can unlock a more holistic picture of their customers—and can design experiences, products and advice that better fit customer needs.
Soccorsy noted, “Those that lean in and double down in their organizations to say, ‘Okay, how can we think holistically about leveraging this data to drive more value back to consumers’ ... are going to be at an advantage.”
4. Data security is more important than ever
It goes without saying that financial data is personal, which is why security must be front and center when designing a game plan to become CFPB 1033 compliant. Financial institutions should be evaluating how they are going to assess potential risks posed by third parties, understanding different avenues to authenticate consumers and implementing appropriate data governance and data protection controls.
There is a need for the “proper setup of controls that enable data protection” and for a “trusted ecosystem in which these transactions can take place,” stressed Burney. This involves determining what data is being shared, where it is from, how it is being used and who is using it and why. A trusted ecosystem is critical to accelerate adoption by data providers and acceptance by consumers.
For Burney, three key areas should be considered from a security and business process perspective:
- Third-party risk management when exposing APIs to third parties and when using third-party-provided APIs
- Internal risk controls and proper API configuration around authentication, authorization, encryption, rate limiting and monitoring
- Data governance and protection to ensure responsible practices around data access and use
5. Industry standards provide the structure to transition to APIs
While a significant amount of consumer data is still accessed through screen scraping, the proposed rulemaking seeks to move away from those practices for covered data. “The whole ecosystem is moving to APIs,” noted Carpenter.
However, the proposed CFPB 1033 regulation does not define specific technical API standards like some other markets. Rather, CFPB is asking qualified standard setting organizations to seek formal recognition to set technical standards and enable scalable, safe and secure data transfers. Standards bodies like the Financial Data Exchange (FDX) are likely to play such a role.
- Learn more about industry standards
Hear FDX co-chairs, Franklin Garrigues from TD Bank and Steven Smith from Mastercard, discuss the open banking industry’s leading technical standards body and areas of consideration for the ecosystem within CFPB’s 1033 rulemaking in our latest webinar with American Banker.
Conclusion
As the technical standards and a trusted open banking ecosystem continue to evolve, platforms become more scalable, secure and safe, powering the use cases that will benefit consumers and businesses well into the future.
To see the full conversation and hear more insights, watch the ‘Navigating CFPB’s 1033 open banking regulation’ webinar on-demand.