
Authorization or Annoyance: Will 1033 Reauthorization Requirements Create a Ticking Time Bomb?

Written by Jane Barratt

Jane Barratt is Chief Advocacy Officer and Head of Global Public Policy at MX. Jane serves as FDX Board Co-Chair and has been a member of the FDX Board of Directors since 2021. She is a personal finance expert and champion of financial strength. In her role, Jane collaborates with financial institutions, regulatory bodies, policymakers and the financial ecosystem to ensure people have better financial outcomes through permissioned and secure data-driven innovation. She is a financial educator through LinkedIn Learning. Prior to MX, Jane was CEO of GoldBean, an education first investment advisory platform; and spent two decades driving growth for Fortune 500 companies.

The final rule under Section 1033 of the Dodd-Frank Act from the Consumer Financial Protection Bureau (CFPB) is here. And while we’re excited about how it will give consumers greater control and rights over their personal financial data, including a new era of permissioned data sharing and standards, Open Banking itself is not a new concept. It’s been here for years, and that means there are many lessons learned by the companies that have been making it work for decades.

The 594-page rule is a lot to unpack – and I won’t do it here – but one key question is what the CFPB learned from a relatively mature market when it wrote the rule. The good news is that they clearly paid attention to some things. Take, for example, the transition from older methods of data sharing, like screen scraping, to modern methods, like APIs, that the industry has driven over the past 5 years. Do consumers who use Open Banking know about this transition? No, but they do have significantly improved user experiences, completion rates, security, and privacy. And, they have rapidly gotten used to this new world of fast, secure, permissioned (and revocable) access. 

The CFPB’s tailored, stepped approach to transitioning more banks to APIs shows that they understand that the best technology transition is one that is invisible to consumers yet benefits them, and that this is best achieved when it is flexible and industry-led. 

But the final rule has another requirement that isn’t being talked about yet: the new reauthorization requirements outlined in Section 1033 and what they will mean for consumers and financial providers. The rule limits the duration of third-party collection of covered data to no more than one year after a consumer’s most recent authorization. Here, unfortunately, it seems that the CFPB may have missed some key evidence from consumers and the market.

This is where adding new regulatory parameters can get challenging. The clock is now ticking for financial institutions and fintechs to reach compliance. And, once those compliance deadlines arrive, the reauthorization clock begins, and with it the risk that consumers have an unexpectedly bad experience with Open Banking.  

The reauthorization requirements are intended to act as “added protections against potential harms related to third parties accessing covered data based on long-term authorizations.” The intent is good but the final rule takes a blunt approach of expiring all connections rather than evaluating approaches that enable companies to drive a better customer experience without compromising consumer control. 

Consumers increasingly demand and expect frictionless experiences when connecting, aggregating, and analyzing their financial data. These same consumers are increasingly conscious and wary of online privacy issues. Companies need to meet both expectations, and this rule may limit our ability to do so.

So, how do we avoid creating a ticking time bomb that leads to broken connections, lost insights, and customer frustration? And, how do we balance reducing friction with increasing security and privacy? 

Balancing Control and Convenience

The smartphone industry is one of the best examples of granular control today. Instead of granting full access to your location, microphone, and camera roll just so you can create a profile picture, you can share just one picture with an app. And, you can change those permissions at any time. You’re in control. 

Now think about your financial data. Section 1033 brings us closer to that same level of granular control. However, the reauthorization requirement could break down some of the convenience that consumers have come to expect and demand in their digital experiences. Words with Friends doesn’t ask you to reauthorize your profile picture every year. So why should the budget tool you use every day to make ends meet be required to do so?

People don’t like when things break and, in financial services, that frustration is even more apparent. It is your money and your data. From being annoyed that transferring money from Venmo requires reconnecting your bank account to being infuriated that historical data goes missing in your budgeting app, Open Banking can be a bad experience if you have to constantly repair it. In fact, Visa’s 2024 report on Open Banking, Open Possibilities calls out that the top 3 most common frustrations consumers face include: 

  • Connection to account lost (25%)
  • Failure to find or link an account (24%)
  • Refresh required too often (24%)

Regardless of reauthorization processes, it has to be easy to avoid this spectrum of frustration and risk. In MX’s research, 43% of U.S. consumers say the most important factor in bringing together all their financial accounts in a single app is being able to do so easily. Knowing their financial data is safe and secure (31%) and the ability to control and manage who has access to their financial data (14%) are secondary factors. 

In the final rule, the CFPB acknowledged that the 12-month reauthorization requirement “may result in some increased friction for consumers, but it will also allow consumers to periodically confirm their previous choices, including that they continue to want the third party to access their data for the requested product or service.”

I believe there is a time and place for reauthorization requests that should work with the consumer instead of disrupting them. As financial services providers, we need to find a balance between giving consumers full control over their financial data and creating an easy and seamless process. 

If something is too complex or annoying, will consumers stop doing it? Or, on the flip side, will consumers just default to always granting access, in the same way that many click “I Agree” on the Terms and Conditions rather than reading them?

Creating Helpful Insights, Not Hindering Financial Wellness  

One of the most impactful use cases behind Open Banking is enabling consumers to more easily create a 360-view of their finances and leverage personalized digital money management tools to better understand, track, and manage their finances — saving them time, empowering them to make better financial decisions, and, ultimately, improving their financial strength. 

With better insights and personalized recommendations based on their permissioned financial data, consumers can better understand and take control of their finances to reach their goals. Personal financial management tools and insights can be a significant differentiator for the average consumer. Our research shows more than half of consumers agree they want their financial provider to help them better manage their finances (57%). 

But delivering on what consumers want doesn’t work if the slate is wiped clean. In order to deliver on the insights that consumers want, expect, and need, it requires context and history. If a consumer misses that reauthorization ping or fails to take immediate action at the 12-month mark, they may lose that historical context. 

Perhaps the path forward follows a similar path that we’ve seen in the telecommunications industry. Instead of a blanket approach that treats all use cases and instances the same, there is more nuance involved. 

A Nuanced Approach to Reauthorizations

A 12-month reauthorization requirement is a blunt force instrument that doesn’t take the consumer or innovation into account. Managing consumer-permissioned data sharing shouldn’t be a black and white scenario. There are gray scenarios in the mix that require a more nuanced approach to de-risking the ecosystem.

For instance, not every mobile application follows the same approach to consumer consent and authorization. Think about the times when you receive a pop-up notification on your mobile device asking if you still want to continue sharing your location with that Jimmy John’s app. 

A similar approach could become the next evolution of Open Banking in the United States — testing and learning how to approach reauthorization based on the unique scenarios involved in financial data sharing. For example, consumers may benefit from persistent authorization for budgeting and personal financial management tools where historical context is key to delivering value. Consumers are actively engaged in use cases like this and shouldn’t pay the price of a blunt instrument that breaks experiences where they engage on a consistent, meaningful basis. 

On the other hand, authorization to access data to process a loan or make a one-time payment doesn’t need the same kind of ongoing permission. Looking at consumer engagement should be an important part of defining the consensus standards related to reauthorization.

It’s about enabling the consumer to reap the benefits of Open Banking while leading with a privacy-first approach. 

According to a Pew Research Center study conducted in 2023, 72% of Americans thought that more online privacy regulation is needed, with only 7% saying they think less regulation is required. Notably, there is strong bipartisan support for enhanced government regulation of how companies across industries manage consumers' personal information. 

In the long term, the wind is blowing in the direction of more consumer privacy protections. Privacy protective approaches to data sharing, including Open Banking, will eventually become a consumer expectation — and likely the law. 

To account for this, and balance it with functionality and value for consumers, reauthorization practices should focus on risk-based approaches that take into consideration the sensitivity of data and services being provided. 

Getting the balance right between a frictionless experience and data protection hygiene sounds great in theory, but is admittedly hard in practice to design well. And, it’s critical to continue to drive pro-consumer innovation forward to deliver on the promise of Open Banking and the goal of Section 1033. 

The financial services industry, fueled especially by the Financial Data Exchange (FDX), has already enabled widespread adoption of Open Banking ahead of any regulation. Looking ahead to the Section 1033 compliance deadlines, and the reauthorization clock that starts with them, the industry should take a test-and-learn approach to calibrating reauthorization that balances the underlying risks and preferences of consumers.

We need to invest not just in compliance, but in innovations (like modern reauthorization practices) that protect the consumer and the businesses that serve them. These learnings along the way will be invaluable in the inevitable refinements of the 1033 rule and Open Banking in the United States.

The opinions shared in this article are the author’s own and do not reflect the views of any organization they are affiliated with.
