Open Banking, Data Sharing, and the CFPB’s 1033 Rulemaking




INSIGHTi
Open Banking, Data Sharing, and the CFPB’s
1033 Rulemaking

September 9, 2021
New technologies that use digitized consumer financial data have led to the development of new financial
products and services for consumers in recent years. Open banking refers to the practice of giving
financial services firms access to customer banking and other financial data to facilitate the development
of new types of products and services for consumers. Innovation in financial technology—commonly
referred to as fintech—is a subject of great interest for the public and policymakers. While new
innovations, such as data sharing, can benefit consumers through new and affordable financial products
and services, increasing access to consumer data can also pose data security and privacy risks to
consumers.
This Insight discusses data sharing market and technological developments. Then, it discusses the status
of the Consumer Financial Protection Bureau (CFPB) Section 1033 rulemaking about consumer-
authorized access to financial data, which wil impact financial data sharing developments in the future.
Data Sharing Market and Technology Developments
Financial products and services that rely on consumer data can provide improved and innovative offerings
to consumers, enabling them to manage personal finances, automate or set goals for saving, receive
personalized product recommendations, apply for loans, and perform other tasks. For example, some
companies provide data aggregation services, a type of data sharing service wherein consumers give the
aggregator permission to access information across their financial accounts and put it into a standardized
summarized form to help make it easier for consumers to manage their money (e.g., Mint, Yodlee). In
addition, some payment processor companies enable other application services to connect to consumers’
financial accounts in order to provide new services, such as peer-to-peer transfers and other payment
services (e.g., Plaid).
One technology commonly used to collect financial account data is web scraping, a technique that scans
websites and extracts data from them. In general, web scraping can be performed without a direct
relationship with the website or financial firm maintaining the data. As an alternative, the financial
institution managing the account may provide customer account information to another financial firm
through a structured data feed or application program interface (API). Advantages and disadvantages exist
Congressional Research Service
https://crsreports.congress.gov
IN11745
CRS INSIGHT
Prepared for Members and
Committees of Congress




Congressional Research Service
2
when accessing consumer data by API rather than web scraping. For example, in certain circumstances
web scraping may be an easier way for companies to gather data immediately because it does not require
negotiating company agreements like APIs do. However, according to a Treasury Department report,
some industry observers assert that APIs are more secure in terms of cybersecurity and fraud risks.
CFPB’s Section 1033 Rulemaking
Section 1033 of the Dodd-Frank Wal Street Reform and Consumer Protection Act (P.L. 111-203)
provides consumers with a right of access to their financial information. This type of financial
information on a consumer could include, for example, information relating to consumer transactions or
account usage. If requested, this information should general y be made available electronical y to
consumers in a usable format. Under this law, confidential commercial information, such as proprietary
algorithms, are not included in this consumer right of access, and businesses are not required to maintain
information on a consumer beyond what they currently do for business purposes.
Rulemaking Developments
To implement this section of the law, the CFPB is currently working on a new regulation to clarify
standards around consumer-authorized access to financial data. In November 2020, the CFPB published
an advanced notice of proposed rulemaking to solicit information from the public to inform this
rulemaking.
Previously, the CFPB had been engaged in stakeholder outreach on this topic. In 2016, the CFPB issued a
request for information regarding consumer access to financial records. Using feedback from this request
for information,
in October 2017, the CFPB outlined principles for consumer-authorized financial data
sharing and aggregation. These nine principles included, among other things, consumer access and
usability, consumer control and informed consent, and data security and accuracy. The CFPB also
convened a symposium on the topic in February 2020.
Rulemaking Goals
In addition to achieving its statutory purpose, the Section 1033 rulemaking also has the potential to
facilitate consumer-friendly innovation in financial services markets, but it could also introduce new
consumer risks.
Data access could facilitate competition and innovation in consumer financial services, depending on how
data sharing practices develop and how the regulatory framework is structured. In July 2021, the Biden
Administration put out an executive order on promoting competition in the American economy. Among
its provisions, the order encouraged the CFPB director to consider “commencing or continuing a
rulemaking under section 1033 of the Dodd-Frank Act to facilitate the portability of consumer financial
transaction data so consumers can more easily switch financial institutions and use new, innovative
financial products.”
Questions exist about the extent that the CFPB should be determining API or other data standards to
facilitate data sharing between financial firms. These types of standards might affect market competition
in different ways. For example, standardized formats for consumer-accessed data could potential y make
it easier to create new products and services for consumers. While this could benefit consumers, the
process of changing financial institutions’ data formats to standardize them could create a burden on
industry or limit future innovation.
The development of consumer-authorized data systems raises a number of consumer protection concerns,
including the security of consumer data, unauthorized access liability, and how to ensure that consumers


Congressional Research Service
3
are informed of their access rights and potential risks. Questions exist about the extent that the CFPB
should be facilitating certain cybersecurity or unauthorized access standards to protect consumers from
fraud or il egal conduct. In addition, some have concerns that consumers may authorize the use of their
data for purposes beyond what is understood by the consumer, such as for marketing purposes.

Author Information

Cheryl R. Cooper

Analyst in Financial Economics




Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff
to congressional committees and Members of Congress. It operates solely at the behest of and under the direction of
Congress. Information in a CRS Report should not be relied upon for purposes other than public understanding of
information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role.
CRS Reports, as a work of the United States Government, are not subject to copyright protection in the United
States. Any CRS Report may be reproduced and distributed in its entirety without permission from CRS. However,
as a CRS Report may include copyrighted images or material from a third party, you may need to obtain the
permission of the copyright holder if you wish to copy or otherwise use copyrighted material.

IN11745 · VERSION 1 · NEW