Section 1033 of the Consumer Financial Protection Act of 2010 (CFPA) provides that, subject to rules prescribed by the CFPB, a covered person must make information in their control or possession concerning consumer financial products or services to that consumer upon request. Although Section 1033 was enacted over thirteen 13 years ago, it had no effect until such time that the CFPB issued a final rule or regulation implementing the statutory requirements.
On October 19, 2023, the CFPB issued a proposed rule to implement Section 1033 (Proposed Rule). Under the Proposed Rule, the CFPB introduced a number of new regulatory requirements for persons acting as either: (i) “data providers” (which encompass financial institutions that hold consumer financial data); and (ii) “authorized third parties” (which means persons or entities that have obtained the consumer’s authorization to receive data from a data provider).
On October 22, 2024, the CFPB published the final rule to implement Section 1033 (Final Rule). At a high level, the Final Rule imposes an obligation on banks and credit unions that offer consumer purpose deposit accounts (subject to Regulation E) and consumer purpose credit cards (subject to Regulation Z) to provide the data associated with those products available to the consumer or authorized third parties upon request.
The Final Rule incorporates many of the same requirements set forth in the Proposed Rule, with some notable differences. For instance, the Final Rule excludes from coverage depository institutions that hold less than $850 million in total assets.
The Final Rule introduces a new, and potentially unfamiliar, set of compliance obligations for many financial institutions. Please join us at the November BCG Monthly Telephone Briefing where we will provide a detailed discussion of the Final Rule and its various requirements, such as the types of financial institutions and data that would be covered by the rule.
Download Handout Here!
