When the Dodd-Frank Act was passed in 2010, it included Section 1033. This section required the Consumer Financial Protection Bureau (CFPB) to create rules and standards requiring institutions to make information regarding financial accounts available to consumers. By the time the Bureau published draft rules and standards in 2020, ten years had passed. The final rule was released in October 2024, and it appears that the CFPB needed more time to get it right.
The most common criticism has to do with third-party oversight. The original text of the Dodd-Frank Act required that consumers be given access to their data and does not mention giving third parties access at all. But the final rule is all about third-party access. It requires that institutions provide account and transaction data, at no charge, to any third party the customer chooses. The third party must provide documentation to the customer stating that it will secure the data, but the rule does not provide for oversight of the third party by any regulatory body to ensure that it actually does so. The rule also does not place responsibility for ensuring the third party is secure on the customer. Instead, the rule makes the financial institution providing the data responsible for ensuring the third party has proper security controls in place. The rule also contains language requiring that access to the data not be denied unless the institution can clearly justify the denial.
The one glimmer of hope is that the CFPB rule provides for “standard-setting bodies” to sort out the details of how the actual implementation of the rule will be accomplished. These bodies, once established, could potentially create some sort of third-party accreditation process that would need to be followed before a third party could be granted access by an institution.
Besides the issue of third-party oversight being ignored by the rule, another aspect of the rule that will give institutions heartburn is the type and amount of data that must be shared. It is apparent that whoever drafted the rule did not understand how decentralized data is in most institutions. The rule requires institutions to share not just 24 months of balance and historical transaction data, but also data on upcoming bill payments, EFTs, gift cards, prepaid accounts, fees, APYs, credit limits, and information regarding rewards programs. In many institutions, the data required by the rule is housed at multiple third parties and does not contain enough history, so the institution will need to build an internal data warehouse to consolidate the data and then build APIs on top of that warehouse for customers and third parties to access it. It will be a long, tedious project with no payback except being “in compliance”.
The final major problem with the rule is the timeline. The largest institutions have under 14 months left to implement the rule, but no standard-setting bodies have been approved by the CFPB yet. If it takes the Bureau 6 months to approve the standard-setting bodies (a miracle based on their historical efficiency), the bodies can then start to create the standards. If it takes 6 months to create the standards (another miracle!), the institutions can start building the infrastructure based on those standards to deliver the necessary data, which will easily take a year to complete. In summary, I think the earliest anyone could be ready to deliver data would be 2 years from now, and even that date is extremely optimistic. Rushing to move any faster will inevitably lead to security lapses and data breaches, which will then be blamed on the institutions instead of on overenthusiastic regulatory bodies.
Many in the industry are waiting to see what happens as the political landscape changes in early 2025. Remember that the squeaky wheel always gets the grease, so it is up to us to be squeaky. Make sure you are working with your banking associations to make it clear that this rule needs more work; otherwise, other causes will take priority.
Bedel Security is the leader in providing Virtual Chief Information Security Officer (vCISO) services to financial institutions nationwide. Our service is based on quality staff trained to understand the needs of an institution and processes that have been honed through years of experience. If you are in need of cybersecurity governance in a financial institution, please contact us for more information!