What is Section 1033?
Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act provides that consumers have the right to access information held by financial institutions in electronic form. The CFPB's final rule, published October 22, 2024, operationalizes this right by requiring covered financial institutions to make consumer financial data available through secure, standardized interfaces. This creates a framework for open banking in the United States similar to regulations in Europe, Australia, and the UK.
Who is Covered by Section 1033?
Section 1033 applies to depository institutions (banks, credit unions, savings associations), credit card issuers, and other entities offering consumer financial products or services. The rule establishes tiered implementation timelines based on institution size, with the largest institutions (assets over $500 billion) required to comply first. Third-party data providers and authorized parties accessing consumer data must also comply with specific requirements regarding data security, privacy, and consumer revocation rights.
Consumer Data Access Rights
Covered institutions must provide consumers with access to transaction data, account terms and conditions, upcoming payment information, and basic account information. Data must be made available through developer interfaces (APIs) in machine-readable formats at no charge to consumers. Access must be provided in near real-time or with minimal delay. Consumers can authorize third parties to access this data on their behalf for authorized purposes.
Covered Data Types
Section 1033 covers transaction history, account balance information, account terms and conditions, information about upcoming payments, product features and fees, basic account information (account numbers, routing information), and information necessary to initiate payments. The CFPB may designate additional data types for coverage in future rulemakings.
Data Portability Requirements
Data must be provided in formats that enable portability and interoperability. While the CFPB doesn't mandate specific technical standards, data formats must be structured, machine-readable, and sufficient to enable third parties to provide financial products and services to consumers.
Third-Party Access and Authorization
Third parties accessing consumer data under Section 1033 must be authorized by the consumer and must use the data only for purposes authorized by the consumer. Authorization must be specific, informed, and time-limited. Third parties cannot require consumers to authorize broader access than necessary for the requested service. Screen scraping (using consumer credentials to log in) will be phased out in favor of secure API access.
Consumer Privacy and Security Requirements
Institutions and third parties must implement reasonable data security measures protecting consumer information. This includes encryption in transit and at rest, access controls, audit logging, and incident response procedures. The rule incorporates principles from the Gramm-Leach-Bliley Act (GLBA) and requires compliance with existing information security standards for financial institutions.
Implementation Timeline
Section 1033 compliance requirements phase in based on institution asset size:
April 2026 - Depository institutions with assets over $500 billion.
April 2027 - Depository institutions with assets over $50 billion.
April 2028 - Depository institutions with assets over $850 million.
April 2029 - All other covered institutions.
Third-party compliance requirements apply concurrently with data provider obligations.
Screen Scraping Phase-Out
The rule establishes a transition away from credential-based screen scraping toward secure API-based access. Institutions must provide API access meeting specific performance and security standards. Once APIs are available, third parties must migrate from screen scraping within specified transition periods. Screen scraping is permitted during the transition but subject to stricter security and liability requirements.