The Consumer Financial Protection Bureau (CFPB) proposed a rule in October that requires non-depository and depository entities to release certain types of data related to customer accounts and transactions to consumers and third parties.
As a result, larger financial institutions will need to adhere to the compliance regulations earlier than their smaller counterparts. Initially, community banks and credit unions lacking digital interfaces will be exempted. Advocates of this regulation argue that it will provide consumers with more control over their financial information, enabling them to make more informed financial decisions. Overall, this initiative is expected to foster competition within the financial services sector.
Kevin Hughes, Director of Aggregation Solutions at Fiserv, and Matthew Gaughan, Analyst of Emerging Payments at Javelin Strategy & Research, delved into this proposed rule during a recent PaymentsJournal podcast. They discussed some of the highlights of the CFPB proposed 1033 update and its impact on banks and credit unions.
Highlights of the CFPB Proposed 1033 Update
Known as the Required Rulemaking on Personal Financial Data Rights, the CFPB proposed 1033 update enables consumers to access and download their financial transaction data and other information from credit unions and banks.
With their consent, consumers can share their data with authorized third-party apps and services. In this data exchange, organizations are required to disclose the methods by which they collect, use, and share consumer data. The most important elements of this suggested rule revolve around ensuring security and establishing standardization.
“A part of this proposed rule is that banks and credit unions will have more visibility into what their customers are doing and who they’re sharing data with,” Hughes said. “It’s about being able to control the scope of data for aggregators in this community.”
According to Gaughan, the CFPB is providing standardization, which is needed. “These rule changes will bring consistency to the industry and make it easier for banks across the board to utilize some of these different data solutions and not rely on some of those less secure options like screen scraping,” he said.
How the Rule Could Affect Banks and Credit Unions
Consumers today have distinct preferences for payment and financial applications, favoring those that offer convenience and ease of use. Consumers are also increasingly gravitating toward financial institutions that align with their preferences.
Banks face a new challenge as customers reach out to customer service centers seeking to link their bank accounts with specific applications. Unfortunately, many banks lack the necessary partnerships to facilitate such integrations. Consequently, consumers may switch from smaller banks to larger ones capable of accommodating their preferences. The proposed rule aims to address this issue and maintain these crucial consumer relationships.
“The new regulation is going to give banks and credit unions more tools to get insight on servicing their customers better while they can comply,” Hughes said. “The original 1033 update, which talked about data availability and that the data belongs to the consumer, that needs to be made available for sharing. Some banks have historically really balked at that because of the security issues.”
The update, Hughes said, eliminates any security issues and gives banks and credit unions a nice runway to be able to provide that flexibility to consumers.
“One big impact is adopting some of these financial data exchange (FDX)-compliant API technology standards, which allows for an interoperable framework upon which a growing universe of different products and services can exist,” Gaughan said.
“This is especially important for some of the smaller banks, which have less resources available to them to provide some of these emerging products and services. What this allows them to do is to provide those open-banking APIs that are more common at the larger banks.”
Assessing the Opportunities
As larger financial institutions prepare for the proposed update, some have opted to build their own proprietary infrastructure to accommodate the new requirements. This includes building secure APIs to enable customers and third-party apps to access financial data in a standardized manner. It can also involve implementing privacy frameworks to ensure data privacy regulations are met, or the financial institution (FI) could upgrade its current data management systems to integrate with the new API structure.
But these options may not be viable for most institutions, as they would require a massive overhaul of current legacy systems and involve a substantial investment of time and money.
“We’ve seen a lot of the larger institutions develop their own infrastructure that’s not typically scalable to smaller institutions,” Hughes said. “They obviously have the option if they want to develop and maintain a direct data access agreement with a third party.
“Most organizations of various sizes would put that option aside just because of the cost that it involves. But where we’re seeing the market emerging, and we’re seeing this at Fiserv, we’re seeing it through other providers, is the ability to offer a platform within the banking system that gives the banks the ability to adopt and plug into a framework rather than developing their own framework.”
Data aggregators will also play a key role, serving as trustworthy middlemen and providing a secure way for consumers to authorize the release of their financial data to third-party apps. The aggregators and financial services providers can then use this consumer data to develop financial tools and services that can be customized to customers’ needs.
Smaller banks will be able to benefit from this data to solidify their customer relationships and boost their competitiveness.
“Smaller banks are going to be able to benefit from some of those different value-added services that these financial data aggregators are building out,” Gaughan said. “Things like loan decisioning or fraud mitigation tools that could be crucial to helping them provide good services to their customers. It also helps ensure the acceptance of some more of their traditional products as well.”
Compliance Deadlines and Setting Expectations
The CFPB has suggested a four-year period for full compliance. This timeline is structured on a tiered system, taking into account the size of financial institutions and their asset sizes.
“The challenge with those four years for the smallest of institutions is that it isn’t that long of a time period because of the planning that needs to be involved,” Hughes said. “One year certainly is a very short time frame for a lot of institutions. What’s really going to be important here is that organizations not necessarily wait until their tier is up in terms of a deadline but that they start the planning process now.”
That’s happening. Regulators are sending inquiries to financial institutions to request compliance plans.
The first step, according to Gaughan, is that FIs take stock of what they currently have and put forth a plan of action to determine how the implementation will look.
“Banks across the board must unpack what resources they have available to them, both technological expertise and financial—and understand how they would go about implementing some of these changes,” he said. “For community banks and credit unions, if they don’t have a digital interface, they might be exempt from the rule. Once that’s finalized, we will know more about that.
“What’s most important is just understanding what it is that your bank needs.”