
Advanced CIAM Is Key to US CFPB Section 1033 Compliance
The United States Consumer Financial Protection Bureau (CFPB) has rolled out a new rule that will significantly impact how financial institutions handle data. Section 1033 of the Consumer Financial Protection Act (CFPA), or the Dodd-Frank Act, aims to give US consumers more rights and greater security over their personal financial data. It requires US financial businesses to provide consumers with full access to their data and, if the customer requests it, transfer their information to a third party for free. It also prohibits third parties from screen scraping, a practice that introduces security risks by using customer login credentials to collect data.
The mandate is a move toward a secure US open banking system in which financial service providers share data through APIs. This enables existing financial businesses to add new services and products to their customer offerings. It also presents opportunities for financial service and fintech start-ups, like payment apps or mobile lending and digital banking. Open banking fuels innovation in the finance industry and encourages consumer choice by making it easier for individuals to switch providers and take advantage of better services and rates.
Key takeaways
Section 1033 of CFPA/Dodd-Frank mandates open banking through APIs
Financial institutions must strengthen security, access control, and consent management
Advanced CIAM platforms provide the tools to achieve compliance efficiently
More Consumer Control and Improved Security
CFPA section 1033 will require financial institutions in the US to give their customers more control over their data and how it is shared. Through the rule, finance businesses will also be required to implement strong security measures. Specifically, financial service providers will need to:
Provide consumers access to data that:
Is delivered through a consumer interface
Enables third-party access authorization, data sharing revocation, or data deletion
Includes control over what data can be shared
Allows unlimited data sharing requests
Enable third-party data access that:
Is delivered through a developer interface
Is provided in a standardized, machine-readable format
Prohibits screen scraping (implying the use of APIs instead)
Is available after third-party and customer identities have been authenticated and the scope of the data request is confirmed
Expires 12 months after the consumer provides consent unless authorization is renewed
Meets a minimum required response rate and doesn’t exceed downtime limits
Secure data access by adhering to Gramm-Leach-Bliley Act mandates, including:
Limiting data access and authorization to only approved users and only context-relevant data
Using encryption methods and multi-factor authentication to protect consumer information
Third parties requesting access to data will also need to meet the criteria specified in CFPB Dodd-Frank section 1033. They can only collect, use, and retain data for purposes necessary to provide the consumer’s requested service. They must also certify that customers have a simple way to revoke data access and that they will comply with data security obligations.
Now Is the Time for Advanced CIAM and API Security
To accommodate the varying resources across different financial business types and sizes, CFPB has outlined a phased schedule for compliance based on asset value tiers. The compliance deadline for financial organizations with the highest asset values is April 1, 2026. The next tiers must comply by April 1 of each subsequent year, with the smallest businesses required to comply by April 1, 2030.
With only a few years to establish compliance, US financial service providers cannot afford delays. They must ensure their data and access management technologies can handle the demands of CFPA section 1033. While many larger businesses already have IAM solutions in place, most will need to conduct an audit to identify gaps and demonstrate compliance.
Organizations with limited or ad hoc identity management may find it’s time to add a modern identity and access management platform to their infrastructure.
Key CIAM Features for CFPA Section 1033 Compliance
Compliance doesn’t have to involve implementing multiple tools or replacing existing infrastructure. A robust customer identity and access management (CIAM) platform that integrates with existing systems can be a key tool for achieving compliance.
However, not all CIAM solutions include the advanced, financial-grade features financial service providers need.
When evaluating options, make sure the CIAM solution includes:
Strengthen API Access Security
A core component of Dodd-Frank section 1033 is data sharing using APIs. With APIs increasingly under attack by cyber threat actors, securing identity authentication and the flow of data through these connection points is central to maintaining strong security. Look for a CIAM solution that supports API security best practices, such as token-based authorization, and that is based on industry security standards like OAuth and OpenID Connect.
Leverage Consentors
The ability to collect consumer consent for data sharing is an important part of CFPA section 1033. Providing customers control over how their data is shared and used requires a simple-to-use customer interface with sophisticated capabilities. Make sure the Customer IAM solution you are considering is configured to support the use of consentors: mechanisms that dynamically manage user consent and provide digitally verifiable proof of consent. With them, you can enable customers to authorize and revoke data sharing and delete data according to Dodd-Frank section 1033 rules.
Adopt Standards-based Technology
The advantages of a solution built to industry standards, like OAuth and OpenID Connect, can’t be overstated. One benefit is a developer-friendly interface that reduces development effort and time. Plus, businesses gain peace of mind knowing their infrastructures align with the most up-to-date security practices vetted by security experts.
Look for FAPI Certification
Implement a Customer Identity and Access Management system that is specifically designed for the rigorous security challenges facing financial businesses. A platform that is certified to OpenID Financial-grade API (FAPI) security profiles incorporates the features and developer tools needed to build strong defenses against common financial cyber threats, including credential theft, session interception, and account takeovers.
Use Centralized Management
To ensure CFPA section 1033-compliant practices are implemented across all regions and locations subject to the new rule, use a centralized CIAM solution. In addition to supporting the developer interface requirement, it allows internal developers to uniformly apply and enforce the required security measures, authentication methods, API access controls, and data-sharing features in one place. It also makes performing audits and demonstrating compliance easier.
Utilize MFA and Adaptive Authentication
A CIAM platform that supports multi-factor authentication is an important piece of satisfying the requirement to adhere to the Gramm-Leach-Bliley Act’s security mandates. A solution with customized authentication flows and ready-made authentication methods and actions will allow you to create seamless, secure, user-controlled experiences. Additionally, context-aware, adaptive authentication will help you limit data access to only authorized users, as the law dictates.
Support Scalability
Implementing a solution that is highly scalable helps meet the CFPA section 1033 criteria to provide unlimited data access requests per consumer. It also helps support open banking’s growing number of API connections, with the bonus of enabling future business growth. Plus, it makes it possible to adhere to the rule’s response time and uptime requirements.
Ensure Extensibility and Future-proof Flexibility
Dodd-Frank section 1033 is the beginning of CFPB’s efforts to facilitate the adoption of open banking in the US. Additional regulations are expected in the future as technology, cyber threats, and the finance marketplace evolve. A CIAM platform with built-in extensibility gives businesses a way to keep pace with these changes. Look for a solution that can be deployed in your existing infrastructure now without requiring unnecessary replacements or migrations, and make sure the platform is flexible enough to adapt to future requirements.
CIAM Benefits Go Beyond Compliance
Complying with regulatory mandates, like CFPB Dodd-Frank section 1033, can seem like a cost and resource burden, but it can also be an opportunity to reduce costs and support revenue growth. According to a Liminal Link™ Index report, by implementing a leading CIAM platform, financial services organizations can potentially save $500 million per year by reducing security risks, service center costs, and customer churn.
A solution with the right features can give finance businesses a competitive edge by paving the way for innovative new offerings and market leadership in customer experience, data privacy and security.