Sharing Financial Data Securely: What Compliance with CFPB’s Personal Financial Data Rights Rule Means for Financial Institutions

The impending Consumer Finance Protection Bureau (CFPB) Personal Financial Data Rights rule, also referred to as Dodd-Frank Act 1033 Implementation, are set to reshape the financial market in the United States by giving consumers greater control over their financial data. CFPB’s upcoming requirements boil down to one goal — making financial institutions securely share their customer data with authorized third-party applications, fostering a more equitable, interoperable, and competitive financial ecosystem for everyone involved.

To create a data access framework that fosters some of the most beneficial financial use cases for consumers, CFPB aims to leverage the financial institutions’ (data providers’) existing capabilities, ensuring consumers have open access to financial data of all kinds:

  • Historical transactional data for the past 24 months
  • Current account balances
  • Payment initiation details
  • Terms and conditions of financial products
  • And more…

To promote a safe, reliable, and competitive environment for data sharing — an open banking ecosystem — CFPB aims to establish basic standards for data access, transition the market from screen scraping practices to more secure alternatives, and ensure that the full range of technical issues in the open banking system are addressed using fair, open, and adoptable industry standards.

 

Personal Financial Data Rights Rule Technical Impact on Financial Institutions

As the CFPB’s Personal Financial Data Rights Rule looms on the horizon, financial institutions (FIs) are under increasing pressure to adapt and comply with the impending regulations set to revolutionize consumer data management. With deadlines approaching — ranging from three months for large institutions to up to four years for smaller ones — there is a critical need for swift and effective solutions.

For financial institutions of all sizes, the Personal Financial Data Rights Rules mean the institutions will need to open financial data to authorized fintech applications servicing a myriad of use cases like personal finances management, accounting reconciliation, payments, tax preparation, and wealth management. To do so, FIs will need to create developer interfaces — APIs — according to the set standard ensuring interoperability of their system and making the integration much easier for third-party providers (TPPs). CFPB proposes that the FIs should also disclose its developer interface — publicly and in a readily identifiable manner — along with the documentation sufficient for TPPs to access and use the interface.

In a bid to move away from screen scraping and risks from relying on credential-based access, the CFPB emphasizes the importance of maintaining standardized, machine-readable data access and requires FIs to enable TPPs acting on behalf of a consumer to access covered data. And as CFPB proposed, FIs will be required to confirm the consumer’s identity in the data-sharing process. Although the CFPB proposed rules require capturing consumer consent from TPP applications, it mandates financial institutions to confirm whether the TPP is acting on behalf of the consumer and to ensure that the consumer understands the key terms of access and can make an informed decision about whether to grant third-party access to the consumer’s financial data.

Once the authorization takes place, financial institutions will have to authenticate the third party’s identity and make sure the requested data is consistent with the scope of a consumer’s request and does not present unreasonable risks to the security, confidentiality, and integrity of covered data.

Having an open banking API, however, is not enough. CFPB mandates that the exposed interfaces must perform at a commercially reasonable level — not yet defined, but subject to further specification even for different API endpoints.

The comprehensive requirements, ranging from opening financial data to third-party applications to the establishment of standardized APIs, present a substantial burden for FIs. This regulatory overhaul introduces significant operational complexities, heightened overheads, and the imperative need for robust, cost-effective solutions. Navigating through these intricacies while adhering to deadlines requires a strategic and efficient approach to ensure compliance without unduly straining resources.

 

Solving Dodd-Frank 1033: Ninth Wave Open Finance Solutions for Financial Institutions

The rise of fintech has created a world that demands interoperability, security, and simplicity in financial management. Financial institutions must take an active role in supporting their customers’ demands within the broad and complex ecosystem of apps and software requiring financial data to function. Ninth Wave’s platform is an enterprise solution for FIs that enables consumers and business customers to share financial data securely and reliably with third parties, making it a comprehensive solution to all Personal Financial Data Rights rules proposed by CFPB.

DF 1033 Requirement

Ninth Wave’s Answer

Developer interface (API) for financial data sharing

Ninth Wave open finance APIs are a set of interfaces enabling consumers to access their accounts, transactions, and other kinds of financial information.

Our APIs enable data access for TPPs servicing a multitude of use cases including personal finances management, accounting reconciliation, payments, tax preparation, and wealth management. The open finance APIs are built according to Financial Data Exchange (FDX) standards ensuring their implementation follows a commonly adopted standard.

APIs are available publicly and well documented

TPPs and/or FI developers can utilize Ninth Wave's developer portal as well as a sandbox environment for testing.

Fintech application developers can be onboarded and supported using the Ninth Wave APIs.

Data must be in a standardized, machine-readable format

Our open finance APIs are designed to be interoperable — our platform is protocol- agnostic, combining open standards support and custom APIs to meet FIs needs.

Third-party access to financial data is possible on behalf of the consumer

In addition to having the APIs, the platform enables fintech applications to dynamically register their client applications (using OAuth DCR) as well as the application users.

TPP authorization can be confirmed and consumers can make an informed decision on whether to grant the TPP access to their data

The platform ensures robust fine-grained customer authorization through three-legged OAuth protocols. It makes it possible, for example, to authorize access only to a particular account.

With Ninth Wave, the user's consent is verifiable at an app/account level.

Data-sharing consent can be revoked at any time

The Ninth Wave platform enables customer-level revocation of data-sharing permissions and has the consent administration portal built in.

FI is able to confirm customer identity

Ninth Wave is able to utilize the three legged OAuth model with integration to the financial insitution's identity management solution and and/or authentication server.

FI is able to confirm the TPPs identity

Ninth Wave uses OAuth standards in order to enable TPPs to register their client applications, authenticate them, get access tokens, and access the APIs.

In addition to supporting the requirements coming from the CFPB’s Personal Financial Data Rights rules out-of-the-box, Ninth Wave comes with a number of different benefits for FIs:

  • Single integration point: Our single-platform approach allows larger clients to benefit from one vendor across all divisions, rather than managing multiple solutions and relationships, while clients of all sizes can benefit from our ecosystem.
  • New apps onboarded to our platform can easily be added to any client’s Ninth Wave solution. We handle the maintenance and upkeep of integration connectors, adaptors, and exchange formats. You focus on the core functionalities of your business.
  • Configurable terms and conditions.
  • Migration from industry-wide screen scraping DAPs: Migrate easily from legacy solutions that put your customers’ data at risk to a secure screen scraping alternative.
  • Portal access for application management, user provisioning, and reporting.

Instant Financial Data Exchange (FDX) Compliance

Although CFPB did not officially embrace any standard-setting organization yet, it is very likely it will at some point strive to unify the financial services ecosystem around a common, interoperable standard for user-permissioned financial data sharing. Financial Data Exchange (FDX) requirements emerge as a strong contender to be the one officially chosen — already unifying hundreds of financial institutions in the United States.

FDX has established stringent standards and guidelines through its open finance API, ensuring a secure and standardized data-sharing environment. It defines data APIs and outlines user consent requirements for financial institutions, streamlining permissioning processes. FDX adheres to the financial-grade API (FAPI) profile globally, providing specific security guidelines derived from the OAuth standard. This aligns with CFPB’s standards, emphasizing robust security mechanisms. FDX promotes an open, collaborative, and secure framework, fostering innovation and empowering consumers.

Ninth Wave open finance APIs are built on top of the FDX API, ensuring that FIs of all sizes and types will be able to leverage them to their full potential and open their data for TPP access. Financial institutions engaging with FDX are poised for a smooth transition to comply with the CFPB’s Personal Financial Data Rights rule, benefiting from standardized data sets and enhanced API security. Institutions aligning with FDX requirements are well-placed to meet the CFPB’s deadlines, emphasizing the importance of prompt FDX implementation for compliance.

Summary

As the CFPB’s Personal Financial Data Rights rule looms, financial institutions face a complex landscape of regulatory demands. Navigating these challenges becomes streamlined with Ninth Wave’s open finance APIs. Offering standardized interfaces and transparent documentation, Ninth Wave facilitates seamless financial data integration for developers, ensuring compliance with CFPB’s data-sharing requirements. The platform’s fine-grained authorization and identity confirmation further enhance security, positioning financial institutions to not only meet but exceed the evolving regulatory standards.

Ninth Wave not only aligns with CFPB’s stringent requirements but also goes beyond, providing a secure, user-centric pathway for compliance. With Ninth Wave, financial institutions can confidently navigate the intricate landscape of data-sharing regulations, ensuring operational efficiency and a robust approach to consumer data protection.

Contact us to learn more.

About Ninth Wave

Ninth Wave delivers secure, seamless, and standardized data connectivity to fintechs and financial institutions of all sizes, through a single point of direct integration to a universal suite of open finance APIs. With configurable controls, visibility, and insights into all data sharing and data acquisition connections between aggregators, third-party apps, and internal applications, Ninth Wave empowers financial institutions and their customers with access and oversight to their connected apps, enabling secure data exchange in a holistic and scalable open finance ecosystem. Offering solutions for retail and commercial banks, wealth managers, credit card issuers, tax providers, and more, Ninth Wave provides unparalleled connectivity and universal compatibility to complex information systems, unlocking innovation, potential, and performance for your data. Contact us to learn more about Ninth Wave’s secure data connectivity features. Empowering open finance. At scale, at last.