ICBA to CFPB: Section 1033 should not be mandated for community banks

ICBA told the Consumer Financial Protection Bureau that community banks already meet the requirements of Section 1033 of the Dodd-Frank Act by providing consumers with electronic access to their financial data through online banking portals and mobile apps—and the statute only mandates data access directly to consumers, not third parties.

Details: In a letter to CFPB Director Russell Vought following a meeting between ICBA and CFPB officials, ICBA said:

• Section 1033 does not require banks to share consumer data with third parties, especially those acting in their own commercial interest without fiduciary duty, and that the CFPB's 2024 rule mandating such sharing exceeds its statutory authority.

• It supports a consumer-demand-driven approach to open banking that allows banks to innovate and manage data sharing through contractual relationships rather than prescriptive regulations that mandate specific technologies like developer interfaces.

Recent Court Action: The CFPB earlier this month asked a federal court to vacate its 1033 rule on consumer data security and privacy, saying the rule is unlawful.

ICBA View: ICBA has long expressed concerns about the impact of the rule on consumer data security and privacy. While the rule included an ICBA-advocated provision exempting community banks under $850 million in assets from a provision requiring institutions to create and maintain a third-party developer interface, ICBA has repeatedly called on the CFPB to focus its implementation of Section 1033 on promoting data security at third-party entities.

Ongoing Advocacy: Addressing the 1033 rule is a key priority of ICBA’s “Repair, Reform, and Thrive” plan for the new Congress and Trump administration. ICBA’s Open Banking Guidebook details the rule as well as its advocacy efforts, including securing exemptions for community banks under $850 million in assets.