U.S. open banking regulation (known as Section 1033) is expected in October 2024, which will establish stronger financial data rights for consumers. Section 1033 will also introduce new compliance requirements for authorized third parties who access consumer data (i.e. data recipients), such as capturing authorization from the consumer to share their data. Plaid is ready to support our customers and partners with solutions available today to simplify compliance. To learn more about Section 1033 and how to comply with the new regulation, read our resource article and readiness guide.
FAQs
For third parties, what is the compliance timeline for Section 1033?
As currently proposed, the rule will become effective 60 days after it is issued. We expect the rule to be issued in October, which could mean that compliance could begin as early as December 2024. This may change in the final rule. More information will be shared once the final rule is issued.
What are the regulatory requirements from Section 1033 that Plaid can help my business with?
- Authorization management: This requirement governs how consent should be captured, and how often, to maintain access to consumer data. It can be broken down into three parts: initial authorization capture, revocation and reauthorization.
- Record retention: Authorized third parties will need to be able to prove that they’re compliant. This includes providing evidence that you are following the authorization management requirements outlined above. Also, you’ll need to show that your data usage is limited only to what Section 1033 permits and that you received consent from the consumer during authorization.
- Onboarding: Under the proposed rule, third parties accessing consumer data will need to provide certain company details to data providers to help verify that you are a legitimate entity. This includes fields such as legal entity name, legal entity identifier, contact information, and website URL. Third parties will also need to provide evidence of adequate security practices.
You may also have obligations as a data provider if you offer covered financial accounts.
How can Plaid help my business comply with Section 1033?
Plaid’s solutions can simplify compliance so you can focus on growing your business. Please review our readiness guide for a summary of all the solutions available now to help you easily comply with the new regulation.
- Data Transparency Messaging (DTM): Plaid can manage authorization capture on your behalf by showing the 1033-required information such as use cases and data scopes in Link for a consumer to review and authorize.
- Compliance Center: Review and input all your required business details in the Compliance Center of the Dashboard. Plaid will provide the information on your behalf to data providers as needed to verify that you’re a legitimate entity.
- Consent Logs: This is a new API that enables you to access the authorization records for each Item, which can be used to show compliance with 1033’s authorization capture requirements if you were to be audited.
If my customers are businesses (B2B), is my business expected to comply with Section 1033?
Section 1033 compliance applies to the data that you may be accessing from personal consumer accounts. While your products and services are for businesses, we often find that businesses such as sole proprietors connect their personal accounts to share data with you. In that case, you would be subject to the requirements of Section 1033.
Authorization Management
What is Data Transparency Messaging and how do I configure it?
Data Transparency Messaging (DTM) is a feature of Link that can help manage authorization capture on your behalf to help comply with Section 1033. To learn how to configure Data Transparency Messaging, please review our API docs.
When DTM is enabled for your traffic, Plaid will show in Link the data scopes and use cases for a consumer to review and authorize. To review and update your use cases, go to the Plaid Dashboard, navigate to Link Customization and then Data Transparency. You can select up to 3 use cases from the provided list for each Link customization. Data scopes are determined by the products with which you initialize Link.
Which countries are available for testing Data Transparency Messaging?
Data Transparency Messaging is available in Sandbox mode for both the United States and Canada.
Are there minimum SDK / client library versions in order to enable Data Transparency Messaging?
DTM is compatible with legacy public key integrations, but the additional_consented_products configuration field will not be usable; all products will have to be passed in through the standard products field. Minimum client library version for using additional_consented_products:
- Python: 9.3.0
- Node: 10.4.0
- Ruby: 15.5.0
- Java: 11.3.0
- Go: 3.4.0
There are no minimum SDK versions to use additional_consented_products.
Will my conversion rate be impacted by Data Transparency Messaging?
Plaid has been testing Data Transparency Messaging for two years to ensure a seamless user experience while making it easier for consumers to understand their data sharing. Conversion will vary by customer, but we don’t anticipate significant impact to your conversion. You can test Data Transparency Messaging now to monitor for any impact to conversion before DTM is enabled for your business to assist with the regulatory requirements.
My business offers multiple products and services: which use cases should I choose for Data Transparency Messaging?
Plaid has preselected default use cases for customers based on both billable and enabled products. You can view and make changes to your use cases at any time from the Plaid Dashboard. In general, you should configure DTM to show the use case(s) that the consumer is requesting and the data scopes needed to provide that use case (product/service). If your users are requesting multiple use cases, you can show up to 3 use cases for each Link customization. Please note that more use cases and data scopes will result in a longer disclosure for consumers to review in Link. You can also create separate Link customizations for each use case if you prefer to request consent separately.
How will a customer know if an item requires additional data authorization?
If you attempt to pull data from an existing Item for a product that the consumer has not yet consented to, we will return additional_consent_required. You should then put the user through Update Mode to consent to the additional data scopes.
What happens if we add a new Plaid product to access additional data?
If a consumer has already connected their account and you require additional authorization for other data scopes and/or use cases, you can use Update Mode to obtain and capture authorization.
To see the currently authorized and consented products on an Item, first use the /item/get endpoint. If the Item does not have consent for the desired product, create a Link token for Update Mode with the link_customization_name field set to a customization that has Data Transparency Messaging enabled.
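The consent check described in the two answers above (inspect /item/get, handle additional_consent_required, and open Update Mode only when a product is missing), as an added example that is not Plaid's own code. The field names it relies on, item.consented_products in the /item/get response and additional_consented_products and link_customization_name in the /link/token/create body, are assumptions modelled on the names this FAQ uses; confirm them against the API docs before depending on this shape. The sample response and identifiers are constructed.

```python
"""Consent gate for an existing Item before a new Plaid product is used.

Added example, not Plaid's own code. Field names (item.consented_products,
additional_consented_products, link_customization_name, the
additional_consent_required error code) are assumptions based on the FAQ text."""
from __future__ import annotations

# Constructed sample of an /item/get response (not captured from a live Item).
SAMPLE_ITEM_GET = {
    "item": {
        "item_id": "item-sandbox-EXAMPLE",
        "products": ["auth", "transactions"],
        "consented_products": ["auth", "transactions"],
        "consent_expiration_time": None,
    },
    "request_id": "req-EXAMPLE",
}


def missing_consent(item_get_response: dict, required_products: list[str]) -> list[str]:
    """Products in required_products that the consumer has not yet authorized for this Item."""
    item = item_get_response.get("item") or {}
    consented = {p.lower() for p in (item.get("consented_products") or [])}
    return sorted(p for p in set(required_products) if p.lower() not in consented)


def needs_additional_consent(error_body: dict) -> bool:
    """True when a Plaid error response reports that the Item lacks consent for the request.
    Compared case-insensitively because the FAQ names the code in lowercase."""
    return str(error_body.get("error_code", "")).lower() == "additional_consent_required"


def build_update_mode_request(
    access_token: str, missing: list[str], link_customization_name: str, client_user_id: str
) -> dict | None:
    """Body for /link/token/create that opens Link in Update Mode to collect the missing consent.
    Returns None when nothing is missing, so the caller never shows Link unnecessarily."""
    if not missing:
        return None
    return {
        "client_name": "Example App",  # constructed
        "language": "en",
        "country_codes": ["US"],
        "user": {"client_user_id": client_user_id},
        "access_token": access_token,  # ties the Link session to the existing Item
        "additional_consented_products": list(missing),  # assumed request field
        "link_customization_name": link_customization_name,  # must have DTM enabled
    }


def gate(item_get_response: dict, required_products: list[str], access_token: str,
         link_customization_name: str, client_user_id: str) -> dict | None:
    """Single call a backend makes before requesting new data scopes on an Item."""
    return build_update_mode_request(
        access_token,
        missing_consent(item_get_response, required_products),
        link_customization_name,
        client_user_id,
    )
```

Keeping the decision in one function means the backend only ever requests the scopes it is about to use, which is also the behaviour an auditor reading your consent logs will expect to see.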
What Plaid products are covered and which are not covered by Data Transparency Messaging?
Section 1033 requirements apply to all Plaid products that require Plaid to access data from a Regulation E account, Regulation Z credit card, or an account that facilitates payments from a Regulation E account or Regulation Z credit card. This includes Auth, Balance, Identity, Transactions, Assets, and more. The following Plaid products are excluded from the 1033 requirements:
- Identity Verification
- Monitor
- Payroll Income
- Document Income
- Enrich
- Payment Initiation (EU only)
- Variable Recurring Payments (EU only)
Am I able to manage Data Transparency Messaging myself after it has been enabled by Plaid?
Once Data Transparency Messaging is enabled for your business to assist with the regulatory requirements, you will not be able to disable it from the Plaid Dashboard. However, you can update your use cases at any time.
Is it required to use Update Mode for capturing reauthorization every 12 months?
Update Mode is not required, but we recommend integrating with it to provide a seamless experience for reauthorization. Update Mode can be used to add permissions to Items or to resolve ITEM_LOGIN_REQUIRED status. For reauthorization, Plaid will consolidate all of the elements of authorization into one screen for the consumer to review and reauthorize. Some institutions will require consumers to reconnect their accounts using OAuth for reauthorization. Additionally, we recommend integrating with the PENDING_DISCONNECT webhook to be notified when a consumer's consent is expiring soon.
Will there be a way to track when consent is scheduled to expire for an item?
The consent_expiration_time field will track when consent is scheduled to expire. After the final 1033 rule is issued, new DTM-enabled Items will be scheduled to expire 12 months after consent is granted, and consent_expiration_time will be populated with this date. Items created in the US and Canada prior to DTM enablement will be scheduled to expire 12 months from the effective date of the final 1033 rule. However, until the final 1033 rule is released, consent_expiration_time will return null.
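How a backend can act on the two signals from the answers above, consent_expiration_time on /item/get and the PENDING_DISCONNECT webhook, as an added example that is not Plaid's own code. It assumes consent_expiration_time is an RFC 3339 timestamp string or null, that an Item webhook body carries webhook_type, webhook_code and item_id, and it picks a 30-day reminder window; the sample Items and webhook are constructed. The null case is handled explicitly because, as the answer says, the field returns null until the final rule is released.

```python
"""Consent-expiry tracking for DTM-enabled Items and PENDING_DISCONNECT handling.

Added example, not Plaid's own code. Assumes consent_expiration_time is an RFC 3339
string or null and that Item webhooks carry webhook_type, webhook_code and item_id."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from enum import Enum

REAUTH_WINDOW = timedelta(days=30)  # assumption: start prompting a month before expiry


class ConsentState(Enum):
    UNKNOWN = "unknown"              # consent_expiration_time is null (before the final rule)
    ACTIVE = "active"
    EXPIRING_SOON = "expiring_soon"  # inside REAUTH_WINDOW: route the user to Update Mode
    EXPIRED = "expired"              # Plaid stops serving data for the Item


def parse_plaid_time(value: str | None) -> datetime | None:
    """Parse an RFC 3339 timestamp with a trailing 'Z'; null stays None."""
    if value is None:
        return None
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def consent_state(consent_expiration_time: str | None, now: datetime) -> ConsentState:
    expires = parse_plaid_time(consent_expiration_time)
    if expires is None:
        return ConsentState.UNKNOWN
    if now >= expires:
        return ConsentState.EXPIRED
    if expires - now <= REAUTH_WINDOW:
        return ConsentState.EXPIRING_SOON
    return ConsentState.ACTIVE


def items_needing_reauth(item_responses: list[dict], now: datetime) -> list[str]:
    """Item IDs a scheduled job should route into Update Mode (expiring soon or expired)."""
    out = []
    for resp in item_responses:
        item = resp.get("item") or {}
        state = consent_state(item.get("consent_expiration_time"), now)
        if state in (ConsentState.EXPIRING_SOON, ConsentState.EXPIRED):
            out.append(item["item_id"])
    return out


def handle_item_webhook(payload: dict) -> str | None:
    """Map a PENDING_DISCONNECT webhook to an action; every other webhook is ignored here."""
    if payload.get("webhook_type") != "ITEM" or payload.get("webhook_code") != "PENDING_DISCONNECT":
        return None
    return f"prompt_update_mode:{payload['item_id']}"


# Constructed sample inputs (not captured from Plaid).
SAMPLE_NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE_ITEMS = [
    {"item": {"item_id": "item-A", "consent_expiration_time": "2025-02-01T00:00:00Z"}},  # 17 days left
    {"item": {"item_id": "item-B", "consent_expiration_time": "2025-12-01T00:00:00Z"}},  # healthy
    {"item": {"item_id": "item-C", "consent_expiration_time": "2024-12-31T00:00:00Z"}},  # expired
    {"item": {"item_id": "item-D", "consent_expiration_time": None}},                     # pre-rule
]
SAMPLE_WEBHOOK = {"webhook_type": "ITEM", "webhook_code": "PENDING_DISCONNECT", "item_id": "item-A"}
```

A production webhook endpoint should verify the Plaid-Verification signature on the request before calling handle_item_webhook, so that an unauthenticated POST cannot trigger reauthorization prompts; the scheduled job based on consent_expiration_time is the fallback for any webhook that is missed.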
If a consumer revokes access to their data or their consent expires after 12 months, do I have to delete their data from my systems?
Under the proposed rule, there is a general obligation to not retain the data, but there are some exceptions. We recommend consulting with your legal team to determine when you are required to delete data and when any of the exceptions apply to you.
If I have a consumer’s account and routing number to use for facilitating payments, will reauthorization apply to my business and my use case?
The proposed rule says that after consent expiration, unless reauthorization is obtained, authorized parties can "no longer use or retain covered data that was previously collected pursuant to the most recent authorization unless use or retention of that covered data remains reasonably necessary to provide the consumer's requested product or service."
This suggests that after 12 months, generally you must obtain reauthorization for the covered data, otherwise you should delete this data. Plaid will delete this data and will no longer make new or previously extracted data available to you, and will notify you of an item’s expiration.
We recommend you consult with your legal team on whether your anticipated use of retained data "remains reasonably necessary to provide the consumer's requested product or service"; an example of this may be if the consumer has shared payments data (such as account and routing numbers) for a recurring payment or autopayments. However, if the data was only needed for a one-time payment prior to the 12-month expiration, this data may need to be deleted.
Record Retention
How can I obtain a record of my customers’ authorizations?
With Plaid’s consent logs, you can retrieve a history of the authorizations for your customers which can be used for audit purposes. See our API docs to learn more.
Onboarding
How do I review if I have any missing business information that is required under Section 1033?
Plaid's Compliance Center in the Dashboard allows you to review and fill in any missing business information that is required under 1033, such as legal entity name, contact information (email), website URL, and your Legal Entity Identifier (LEI). Once the information is complete, Plaid will share it on behalf of our customers with data providers as needed to enable data access.
What is a Legal Entity Identifier (LEI) and do all businesses need to obtain one?
A Legal Entity Identifier (LEI) is a 20-character alphanumeric code that is used across markets and jurisdictions to uniquely identify a legally distinct entity. The proposed rule requires that third parties register for and provide an LEI. Data providers can deny access to third parties that do not provide this information.
The scope of who is required to have an LEI is being expanded by 1033 and applies to all authorized third parties seeking access to consumer-permissioned data, regardless of whether they enable trading or financial transactions.
How do I register for a Legal Entity Identifier (LEI)?
Follow these steps to obtain your LEI:
- Visit www.gleif.org and scroll to the bottom of the page.
- Look up your country (USA) and select an LOU/Registration Agent. For example, choose Bloomberg Finance L.P.
- Sign up for a Bloomberg account by completing all required fields.
- Sign in to your Bloomberg account with your credentials.
- Complete 2FA via email.
- Once logged in, choose to complete via web form or Excel workbook.
- If using the web form, complete the required fields and submit the application.
- Pay $60 for registration ($40 annual renewal).
Once you have your LEI, please provide it to Plaid in the Compliance Center of the Dashboard (under the Company Profile tab).