Back to Blog

How the CFPB’s 1033 Final Rule Differs from the Initial Proposal

How the CFPB’s 1033 Final Rule Differs from the Initial Proposal

Today is a day the U.S. financial services community has been waiting for for at least a year– the Consumer Financial Protection Bureau (CFPB) issued its final 1033 rule making. The new rule, issued in the form of a 594-page document, aims to enhance consumers’ rights, privacy, and security over their own personal financial data.

In order to accomplish this, the CFPB is requiring financial institutions, credit card issuers, and third-party fintech providers to make consumers’ personal financial data available to transfer to another provider for free. As a result, consumers will be able to add or switch providers in order to access better rates, receive better terms, and find services that best suit their needs. The CFPB states that the rule promotes competition and consumer choice, and will ultimately help improve customer service.

“Too many Americans are stuck in financial products with lousy rates and service,” said CFPB Director Rohit Chopra. “Today’s action will give people more power to get better rates and service on bank accounts, credit cards, and more.”

Today’s rule comes about a year after the CFPB issued a much shorter, 29-page document that proposed the change. So, aside from the document length, how does last year’s proposal differ from this year’s official ruling? Here are a aspects to note.

As you may expect the final ruling provides a much more comprehensive and detailed explanation of the CFPB’s approach to regulating consumer access to financial data. The new document offers the rationale behind the rule, defines key terms, specifies requirements for data providers and third parties, and analyzes the rule’s potential impact on the market. Here are some specific differences between the proposed rule-making and today’s official rule.

Transitioning away from screen scraping

The final rule-making discusses the issues of screen scraping and emphasizes the aim to promote safer and more standardized methods to access data via developer interfaces.

Liability considerations

Today’s rule touches on the liability that stems from data sharing and explains the CFPB’s approach to addressing the liability with regulations and industry standards.

Interaction with other laws

The final rule includes a discussion on how it interacts with other existing laws, such as the Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLBA).

CFPB oversight and enforcement

The rule released today includes the CFPB’s plans for overseeing and enforcing the rule’s requirements, including details on supervising third parties and addressing consumer complaints.

Scope of data coverage

The final rule offers a detailed look at the types of data covered by the rule, including discussions about specific data fields and potential exclusions.

Definition of consumer

Today’s rule specifically defines what constitutes a consumer for the purposes of the rule. It also offers explanations about why it includes trusts established for tax or estate planning purposes in its definition of consumers.

Requirements for developer interfaces

The final rule lays out specific requirements that data providers must adhere to when it comes to the performance, security, and functionality of their developer interfaces.

Prohibition on fees

Today’s rule offers an explanation on why it is prohibited to charge fees to access data.

Authorization and revocation procedures

The final rule details how consumers can authorize and revoke third-party access. It also discusses what organizations must put into their authorization disclosures, and details the consumer notification process.

Third-party obligations

Today’s final rule details obligations for third parties that access consumer data, including limitations on data collection, use, and retention, as well as requirements for data accuracy and security.

Impact analysis

The final rule analyzes the potential benefits and costs of the rule for various stakeholders, including data providers, third parties, and consumers.


Photo by Gratisography