Ten Take-Aways on 1033 for Community Bankers


The Consumer Financial Protection Bureau’s (CFPB) Rule 1033 is poised to reshape the way banks and third parties manage consumer financial data. The rule is designed to enhance consumer control over their own financial information while ensuring safe, secure data sharing with authorized third parties. Understanding Rule 1033 is crucial for community bankers to ensure compliance while maintaining competitive advantages. Here are the top ten things every community banker should know about Rule 1033.

1. Consumer Empowerment Through Data Access

Rule 1033 grants consumers the right to access their personal financial data and share it with third-party services, like budgeting apps or payment platforms. This access includes account information such as balances, transactions, and fees. Banks, including community banks, must ensure that consumers can request their data easily and securely. The new rule only covers consumer Reg E (deposit) and Reg Z (credit) accounts. Other consumer products like loans, investment, and insurance accounts will likely be added over the next decade, but they are currently de-scoped. The “C” in CFPB is of course for “Consumer” and thus commercial accounts are not in scope at all.

2. Staggered Compliance Deadlines Based on Asset Size

The CFPB has created staggered compliance deadlines based on the size of an institution's assets, giving smaller community banks more time to comply. Here are the exact deadlines by asset size:

  • April 1, 2026: Banks with assets of $250 billion or more.
  • April 1, 2027: Banks with assets between $10 billion and $250 billion.
  • April 1, 2028: Banks with assets between $3 billion and $10 billion.
  • April 1, 2029: Banks with assets between $1.5 billion and $3 billion.
  • April 1, 2030: Banks with assets between $850 million and $1.5 billion.

If your bank is under $850mm, the CFPB is punting on applying these new rules to you for now, but they leave the door open to revisit in the future. I’ve shared before that smaller FIs that serve consumer customers have the MOST to gain by adopting modern open banking and knowing WHERE the data on their customers is being sent. 

Note: Your asset size is determined by the average of your quarterly reports from Q3 ‘23 to Q2 ‘24. 

3. Monitoring for Future Growth

If a community bank currently falls below the $850 million threshold but later grows to exceed that level, Rule 1033 allows a transition period. The bank will have up to five years to comply with the requirements after crossing the asset threshold. This means that banks experiencing rapid growth organically or via acquisition should begin preparing early for compliance with the rule.

4. Secure and Standardized Data Sharing

One of the main requirements of Rule 1033 is that consumer data must be shared in a secure, standardized format, typically through APIs (application programming interfaces). This ensures that consumers can share their data safely with authorized third parties. The rule requires replacing outdated practices like screen scraping, which is less secure, prone to breaches, and unreliable.

Your digital experience will likely require updates to support on-demand downloads of data from your institution by individual end-users. This mandate was among the most surprising sections included in the draft rules, and it has persisted to the final rule. The CFPB seems to be taking inspiration from broader privacy laws around the world that require that users can easily access and download the information you have about them (e.g. Here’s how to get all the data Amazon or Google or Meta knows about you). 

Your compliance and digital leaders from the bank should be in active conversations with your digital banking vendor and your core. If your existing partners don’t have a clear solution for 1033, that probably tells you everything you need to know about that vendor. The bigger ones will build a solution in house, the smaller ones will partner with third parties that already offer compliant data-out for FIs. 

5. Prohibition on Charging Fees for Data Access

Community banks cannot charge consumers or third-party apps for accessing consumer data under Rule 1033. This provision helps ensure that consumers can freely access and use their financial data without additional costs. Banks must provide this data as a service to consumers without seeking revenue from data sharing. HOWEVER, there is no prohibition on charging for access to additional data that is not in-scope for this rule. I anticipate that some of the folks building data-out solutions to help FIs comply with 1033 will include monetization tools for FIs to offer “premium” data to the aggregators (e.g. business accounts or loans).

6. Explicit Consent for Data Sharing

Data sharing under Rule 1033 requires clear and explicit consumer consent. Community banks must obtain consumer authorization before providing data to third-party services. Practical examples of obtaining consent include:

  • In-app notifications: When a customer logs into their mobile banking app, a prompt can ask for permission to share transaction data with a budgeting tool.
  • Online forms: A clear, simple consent form on the bank’s website can explain what data will be shared and request explicit approval from the customer.

7. Opportunities for Innovation

While Rule 1033 introduces new compliance obligations, it also offers community banks an opportunity to innovate. The default opportunity that everyone talks about is along the lines of: “By embracing open banking, banks can collaborate with fintech companies to offer personalized financial services such as automated savings plans, customized loans, or real-time financial insights. These innovations can attract younger, tech-savvy customers.”

While that’s all fine and good, I see several bigger opportunities for FIs:

A) Monetize Premium Data: You already have to deploy the infrastructure to comply with 1033, so you might as well use it for a new non-interest revenue stream. Many FIs currently pay way too much to have their OFX data made available to business customers using outside accounting systems. We are seeing a shift where the smart banks are flipping the script and are instead getting paid for sharing that data.

B) Follow the Data: Once your bank turns on modern open banking, you immediately get real-time visibility into WHERE any one of your customers is sharing the data from your bank. In the old world of screen-scraping, you are completely blind to that. If a prized commercial customer shares their data with the bank across town, don’t you want to know about it? Shouldn’t their banker get an alert to pick up the phone to check in with that customer?

C) Defense Against Embedded Finance: Every banker who is paying attention knows that they risk losing high value customers to embedded deposit, payment, and lending products that live inside of the non-bank applications your customers use every day. The harder your bank makes it for your accounts to link into other applications, the faster your customers will run to keep their payments inside of a Quickbooks deposit account…and take a loan out from Square or Toast instead of you. 

This integration is happening with merchants, law firms, oil and gas, agriculture, manufacturing and every other industry that your bank prides itself in serving. You might sponsor their kid’s little league team, but if your account is a pain to use in their day-to-day life, they are going to opt for an easier solution. Ask me about the accounts I closed because they didn’t work with my accounting software. That bank is missing out on a ton of deposits and payment revenue from me now.

D) Anything They Can Do, You Can Do Better: I’ve heard many bankers and community banking advocates who have lobbied against open banking for smaller FIs, because they see it as i) an additional cost; and ii) a way for bigger competitors to gain data on their customers. On point i, I always remind folks that the alternative is screen-scraping. The aggregation horse is out of the barn–the question is whether you prefer the risks and costs of screen-scraping vs. the opportunities presented from modern, safe open banking. 

On point ii, I believe these folks aren’t giving bankers enough credit. Smart bankers, at even the smallest institutions, are already stepping up to invite their customers to link external accounts INTO their bank. Again, this flips the script by putting the community bank on the receiving end of data from their bigger competitors. Any modern solution for lending, deposit capture, business banking, payments and more includes options for account aggregation–and they are not price prohibitive. 

8. Consumer Privacy Protections

Rule 1033 mandates that banks protect consumer data and ensure it is used only for the purposes authorized by the consumer. Unauthorized use of data for activities like targeted advertising or cross-selling is prohibited without separate, explicit consent. This ensures that consumer privacy is prioritized.

In my role as CEO at FinGoal, this is absolutely the topic I get asked about the most. “Hey, David. Does 1033 make it harder for FinGoal to derive next best actions from transactional data?” The answer, for FinGoal, is “Nope.” We’ve always taken a transparency-first and consumer-friendly approach. If your bank is one of the dozens of banks using FinGoal to analyze and determine where you can offer the customer a better product (like a better loan rate), you should PROMOTE that your bank is proactive about offering smarter options for your customers. 

Yes, we increase wallet-share and the dirty word of “cross-sell” conversions. But our foundation is always, “What is good for the customer?” So yes, you should continue to get consent as we’ve always preached. But that shouldn’t scare anyone. Your customers want their bank to let them know how the bank can help them better. 

9. Recordkeeping and Audits

Community banks must maintain detailed records of consumer data requests, authorizations, and how data is shared with third parties. These records must be kept for at least three years to comply with the CFPB’s audit and record retention requirements. Proper recordkeeping will ensure that banks can demonstrate compliance during regulatory reviews. As you evaluate options, you should ask your potential data-out vendors how they make the record keeping easy for you. 

10. Long-Term Compliance and Minimal Costs

Once a community bank has established compliance with Rule 1033, the ongoing costs of maintaining secure data access systems should be minimal. The market is still in a bit of price discovery right now as FIs evaluate their ongoing options for 1033 compliance as data providers (and as third-party recipients). I expect there to be some near-term investments required by FIs, but the technology needed to support 1033 on an ongoing basis shouldn’t be a massive ongoing expense. It will quickly become table stakes for all of the major players in digital banking.

Conclusion

Rule 1033 marks a significant step forward in empowering consumers with control over their financial data. For community banks, complying with Rule 1033 involves ensuring that data sharing is done securely and transparently, while also embracing opportunities for innovation. Understanding the compliance timelines and focusing on secure, consumer-friendly data sharing will allow community bankers to gain a competitive advantage while adhering to the CFPB’s regulations.