When the new CFPB rule - Section 1033 of the Dodd-Frank Act is passed, major banks will need to be ready in as early as 6 months.
The financial services industry has been transforming over the past decade, with the 2011 Dodd-Frank Act leading the way. The keyword has been choices - more ways to pay, more providers to choose from for various financial services, and more options to keep private data safe.
The new CFPB proposed rule Section 1033 on personal financial data rights combines many of these trends. At the recent Money20/20 conference in the US, one of the main topics discussed was the impact on financial institutions when this rule is passed. When active, this rule is set to transform how banks handle customer data.
What is the CFPB 1033 proposal?
Under the CFPB proposal, financial institutions and data providers must make a consumer's financial information available to the consumer or to an authorized third party. Checking and savings bank accounts, prepaid cards, credit cards, and digital wallets all fall under this umbrella.
Expanding on the trend of opening up access to financial information to create more financially savvy customers, this rule will make it easier for consumers to share financial information across their bank and authorized third parties with just an email address.
Consumers want to have the freedom to work with financial institutions that best serve their financial needs, offer competitive pricing, and protect their data. They also want to work more easily with third-party providers like credit reporting and mortgage services. Once implemented, this rule will enable consumers to easily and safely transfer their account history to a new institution or provider when they wish to switch. The CFPB wants to make it easy for consumers to choose products that best meet their personal criteria of rates and services while preventing vendor lock-in for consumer financial services.
What sensitive data will need to be shared?:
Under CFPB 1033, banks (called “Data Providers” in the proposal) will be required to furnish covered data related to a consumer's financial product or service in an electronic format that can be used by consumers and authorized third parties. They must provide the most recently updated covered data they have at the time of the request, including information about authorized but not yet settled debit card transactions.
The full list of data types to be shared includes payment initiation, account verification information, transaction history, account balances, and more.
- Payments initiation: Under CFPB 1033, Tokenized accounts and routing numbers are allowed. VGS supports this point since sensitive banking information would be far more secure when tokenized than in its raw form.
- Basic account verification information: Name, physical address, email, and phone number associated with the consumer's financial product or service.
- Upcoming bill information: Covering scheduled third-party bill payments and upcoming payments due from the consumer to the data provider.
- Transaction information for the past 12 months: Amount, date, payment type, pending or authorized status, payee or merchant name, plus rewards credits, and fees or finance charges.
- Account balances
- Terms and conditions of the financial product or service
What should a financial institution consider when sharing data?
When a financial institution needs to share data, they will want to do so in the most secure way possible to protect their customers from having their data compromised and their business from suffering a breach. This isn't just best practice but also good business sense at a time when the CFPB is leveling the playing field with rules like the 1033 proposal.
Financial institutions will want solutions that are:
- Safer than Raw Data - if a bank account number is stored in its full form in any platform or system, it can easily stolen or misused if the system is hacked. If banks need to share this information, they will want to prioritize eliminating this security risk.
- Control a Breach - if there is a breach, data providers will want to identify compromised points more easily to avoid the friction and time needed to close the old bank account and open a new one.
At the same time, these solutions should:
- Avoid Duplication - banks will want a solution that minimizes extra internal work due to data-sharing requirements and simultaneously works across large customer populations.
- Control Complexity - banks typically have an involved infrastructure across home-grown and vendor products. Any solution that needs to be implemented in a tight timeframe should have light implementation needs and not add to tech debt.
Tokenized Account Numbers (TAN) as a solution
Tokenized Account Numbers (or TANs) can meet regulatory changes and the increasing demand for data sharing. TANs enable banks to support the shift to Open Banking while complying with the changing landscape. While it isn't a requirement to use TANs (yet), they are the most secure and future-facing option available.
What are Tokenized Account Numbers (TANs)?
Tokenization will play a crucial role in complying with CFPB Section 1033. Payment tokens provide a secure method for sharing sensitive account information while minimizing the risk of exposing raw data.
Tokenized Account Numbers:
- Obfuscate Raw Data
Tokenized Account Numbers (TANs) replace raw debit and credit account data and routing numbers with a series of numbers without connection to the underlying account.
- Pinpoint a Breach
Since Tokenized Account Numbers (TANs) are merchant-specific, Banks (data providers) can identify compromised points more easily and revoke payment credentials on a targeted basis. If there is an issue with a particular merchant, the TAN associated with that merchant can be isolated and deactivated without affecting the entire account number. Plus, every transaction using TANs requires a cryptogram fetch, allowing transactions to be tracked to stay on top of what's happening with an account at all times.
- Promote Scalability
Tokenized Account Numbers (TANs) from VGS are interoperable across the payments ecosystem, facilitating seamless data sharing between banks, data providers, and third-party services. Banks adopt tokenization, and data aggregators pick up these tokens to pass them to third parties authorized by the consumer. All players benefit from secure data exchange enabled by an interoperable token.
- Offer Simple Implementation and Reliable Technology
VGS Tokenized Account Numbers (TANs) are used by customers today, with no new technology needed. As part of the move toward ensuring equal access across providers, the proposed CFPB Section 1033 states that financial firms (or data providers) must set up secure APIs with clear, standardized documentation and guarantee 99.5% uptime. Not only do VGS TANs meet these requirements and more, but you can also go live within days with our low code or no code integration paths.
When will the CFPB 1033 proposal become the new reality?
The proposal is open for comment until the end of next month - December 29, 2023. Once passed, the implementation timing differs by size of banks, with the largest banks asked to comply the soonest.
|Size of Institution||Timeline to Comply|
|More than $500bn in assets
(or more than $10bn in revenue)
|6 months from publication|
|$50bn to $500bn in assets||12 months from publication|
|$805m to $50bn in assets||30 months from publication|
VGS Tokenization Service for Banks
VGS offers a tokenization solution with Tokenized Account Numbers (TANs) at the center. Adopting this will ensure banks can meet the requirements for CFPB 1033. Even independently of a regulatory requirement, adopting the provider-neutral tokenization platform that VGS offers is the most secure choice.
Tokenized Account Numbers (TANs) are a smart choice for banks and fintech companies by being an all-in-one solution that offers security, flexibility, and control over data sharing. Our provider-agnostic TANs create process efficiencies and seamless interoperability by avoiding the duplication of working separately with each provider. Sensitive data is protected while still enabling open banking through seamless data sharing. Banks can have peace of mind knowing that their customers' data is safe, they comply with CFPB rules, they are on the edge of innovation, and their reputations are secure from the risk of a data breach.
As the CFPB 1033 proposal shows, consumers today want the freedom to choose their financial institutions and work effortlessly with third-party providers. Tokenization is the key to meeting their needs while keeping their data safe.