§ 1033.401 - Third party authorization; general.
To become an authorized third party, the third party must seek access to covered data from a data provider on behalf of a consumer to provide a product or service the consumer requested and:
(a) Provide the consumer with an authorization disclosure as described in § 1033.411;
(b) Provide a statement to the consumer in the authorization disclosure, as provided in § 1033.411(b)(5), certifying that the third party agrees to the obligations described in § 1033.421; and
(c) Obtain the consumer's express informed consent to access covered data on behalf of the consumer by obtaining an authorization disclosure that is signed by the consumer electronically or in writing.
§ 1033.411 - Authorization disclosure.
(a) In general. To comply with § 1033.401(a), a third party must provide the consumer with an authorization disclosure electronically or in writing. The authorization disclosure must be clear, conspicuous, and segregated from other material. The names included in the authorization disclosure as required by paragraphs (b)(1) and (2) of this section and by § 1033.431(b) must be readily understandable to the consumer.
(b) Content. The authorization disclosure must include:
(1) The name of the third party that will be authorized to access covered data pursuant to the third party authorization procedures in § 1033.401.
(2) The name of the data provider that controls or possesses the covered data that the third party identified in paragraph (b)(1) of this section seeks to access on the consumer's behalf.
(3) A brief description of the product or service the consumer has requested from the third party identified in paragraph (b)(1) of this section and a statement that the third party will collect, use, and retain the consumer's data only as reasonably necessary to provide that product or service to the consumer.
(4) The categories of data that will be accessed. Categories must have a substantially similar level of specificity as the categories in § 1033.211.
(5) The certification statement described in § 1033.401(b).
(6) A brief description of the expected duration of data collection and a statement that collection will not last longer than one year after the consumer's most recent reauthorization.
(7) A description of the revocation method described in § 1033.421(h)(1).
(c) Language access—(1) In general. The authorization disclosure must be in the same language as the communication in which the authorization disclosure is conveyed to the consumer. Any translation of the authorization disclosure provided to the consumer must be complete and accurate.
(2) Additional languages. If the authorization disclosure is in a language other than English, it must include a link to an English-language translation, and it is permitted to include links to translations in other languages. If the authorization disclosure is in English, it is permitted to include links to translations in other languages.
§ 1033.421 - Third party obligations.
(a) General limitation on collection, use, and retention of consumer data—(1) In general. The third party will limit its collection, use, and retention of covered data to what is reasonably necessary to provide the consumer's requested product or service.
(2) Specific purposes. For purposes of paragraph (a)(1) of this section, the following are not part of, or reasonably necessary to provide, any other product or service:
(i) Targeted advertising;
(ii) Cross-selling of other products or services; or
(iii) The sale of covered data.
(b) Collection of covered data—(1) In general. Collection of covered data for purposes of paragraph (a) of this section includes the scope of covered data requested and the duration and frequency of collection of covered data.
(2) Maximum duration. In addition to the limitation described in paragraph (a) of this section, the third party will limit the duration of collection of covered data to a maximum period of one year after the consumer's most recent authorization.
(3) Reauthorization after maximum duration. To collect covered data beyond the one-year maximum period described in paragraph (b)(2) of this section, the third party will obtain a new authorization from the consumer pursuant to § 1033.401 no later than the anniversary of the most recent authorization from the consumer. The third party is permitted to ask the consumer for a new authorization pursuant to § 1033.401 in a reasonable manner. Indicia that a new authorization request is reasonable include its conformance to a consensus standard.
(c) Use of covered data. Use of covered data for purposes of paragraph (a) of this section includes both the third party's own use of covered data and provision of covered data by that third party to other third parties. Examples of uses of covered data that are permitted under paragraph (a) of this section include:
(1) Uses that are specifically required under other provisions of law, including to comply with a properly authorized subpoena or summons or to respond to a judicial process or government regulatory authority;
(2) Uses that are reasonably necessary to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability;
(3) Servicing or processing the product or service the consumer requested; and
(4) Uses that are reasonably necessary to improve the product or service the consumer requested.
(d) Accuracy. A third party will establish and maintain written policies and procedures that are reasonably designed to ensure that covered data are accurately received from a data provider and accurately provided to another third party, if applicable.
(1) Flexibility. A third party has flexibility to determine its policies and procedures in light of the size, nature, and complexity of its activities.
(2) Periodic review. A third party will periodically review its policies and procedures and update them as appropriate to ensure their continued effectiveness.
(3) Elements. In developing its policies and procedures regarding accuracy, a third party must consider, for example:
(i) Accepting covered data in a format required by § 1033.311(b); and
(ii) Addressing information provided by a consumer, data provider, or another third party regarding inaccuracies in the covered data.
(4) Indicia of compliance. Indicia that a third party's policies and procedures are reasonable include whether the policies and procedures conform to a consensus standard regarding accuracy.
(e) Data security. (1) A third party will apply to its systems for the collection, use, and retention of covered data an information security program that satisfies the applicable rules issued pursuant to section 501 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801); or
(2) If the third party is not subject to section 501 of the Gramm-Leach-Bliley Act, the third party will apply to its systems for the collection, use, and retention of covered data the information security program required by the Federal Trade Commission's Standards for Safeguarding Customer Information, 16 CFR part 314.
(f) Provision of covered data to other third parties. Before providing covered data to another third party, subject to the limitation described in paragraphs (a) and (c) of this section, the third party will require the other third party by contract to comply with the third party obligations in paragraphs (a) through (f) of this section and the condition in paragraph (i) of this section upon receipt of the notice described in paragraph (h)(2) of this section.
(g) Ensuring consumers are informed. (1) Upon obtaining authorization to access covered data on the consumer's behalf, the third party will provide the consumer with a copy of the authorization disclosure that the consumer has signed electronically or in writing and that reflects the date of the consumer's electronic or written signature. The third party will deliver that copy of the authorization disclosure to the consumer or make it available in a location that is readily accessible to the consumer, such as the third party's interface. If the third party makes the authorization disclosure available in such a location, the third party will ensure it is accessible to the consumer until the third party's access to the consumer's covered data terminates.
(2) The third party will provide contact information that enables a consumer to receive answers to questions about the third party's access to the consumer's covered data. The contact information must be readily identifiable to the consumer.
(3) The third party will establish and maintain reasonable written policies and procedures designed to ensure that the third party provides to the consumer, upon request, the information listed in this paragraph (g)(3) about the third party's access to the consumer's covered data. The third party has flexibility to determine its policies and procedures in light of the size, nature, and complexity of its activities, and the third party will periodically review its policies and procedures and update them as appropriate to ensure their continued effectiveness. The policies and procedures must be designed to ensure that the third party provides the following to the consumer, upon request:
(i) Categories of covered data collected;
(ii) Reasons for collecting the covered data;
(iii) Names of parties with which the covered data was shared. The names must be readily understandable to the consumer;
(iv) Reasons for sharing the covered data;
(v) Status of the third party's authorization;
(vi) How the consumer can revoke the third party's authorization to access the consumer's covered data and verification the third party has adhered to requests for revocation; and
(vii) A copy of any data aggregator certification statement that was provided to the consumer pursuant to § 1033.431(c)(2).
(h) Revocation of third party authorization—(1) Provision of revocation method. The third party will provide the consumer with a method to revoke the third party's authorization to access the consumer's covered data that is as easy to access and operate as the initial authorization. The third party will also ensure the consumer is not subject to costs or penalties for revoking the third party's authorization.
(2) Notice of revocation. The third party will notify the data provider, any data aggregator, and other third parties to whom it has provided the consumer's covered data when the third party receives a revocation request from the consumer.
(i) Effect of maximum duration and revocation on collection, use, and retention. If a consumer does not provide a new authorization as described in paragraph (b)(3) of this section, or if a third party receives a revocation request as described in paragraph (h)(1) of this section or notice of a consumer's revocation request as described in § 1033.331(e), a third party will:
(1) No longer collect covered data pursuant to the most recent authorization; and
(2) No longer use or retain covered data that was previously collected pursuant to the most recent authorization unless use or retention of that covered data remains reasonably necessary to provide the consumer's requested product or service under paragraph (a) of this section.
§ 1033.431 - Use of data aggregator.
(a) Responsibility for authorization procedures when the third party will use a data aggregator. A data aggregator is permitted to perform the authorization procedures described in § 1033.401 on behalf of the third party seeking authorization under § 1033.401 to access covered data. However, the third party seeking authorization remains responsible for compliance with the authorization procedures described in § 1033.401, and the data aggregator must comply with paragraph (c) of this section.
(b) Disclosure of the name of the data aggregator. The authorization disclosure must include the name of any data aggregator that will assist the third party seeking authorization under § 1033.401 with accessing covered data and a brief description of the services the data aggregator will provide.
(c) Data aggregator certification. When the third party seeking authorization under § 1033.401 will use a data aggregator to assist with accessing covered data on behalf of a consumer, the data aggregator must certify to the consumer that it agrees to the conditions on accessing the consumer's data in § 1033.421(a) through (f) and the condition in § 1033.421(i) upon receipt of the notice described in § 1033.421(h)(2) before accessing the consumer's data. For this requirement to be satisfied:
(1) The third party seeking authorization under § 1033.401 must include the data aggregator's certification in the authorization disclosure described in § 1033.411; or
(2) The data aggregator must provide its certification to the consumer, electronically or in writing, separate from the authorization disclosure. The certification must be in the same language as the authorization disclosure and must be clear, conspicuous, and segregated from other material. The name of any data aggregator in the certification must be readily understandable to the consumer. If, after the consumer has completed the authorization procedures, the authorized third party retains a data aggregator to assist with accessing covered data on behalf of the consumer, this data aggregator must provide its certification in accordance with this paragraph (c)(2).
§ 1033.441 - Policies and procedures for third party record retention.
(a) General requirement. A third party that is a covered person or service provider, as defined in 12 U.S.C. 5481(6) and (26), must establish and maintain written policies and procedures that are reasonably designed to ensure retention of records that are evidence of compliance with the requirements of subpart D of this part.
(b) Retention period. Records required under paragraph (a) of this section must be retained for a reasonable period of time, not less than three years after a third party obtains the consumer's most recent authorization under § 1033.401(a).
(c) Flexibility. A third party covered under paragraph (a) of this section has flexibility to determine its policies and procedures in light of the size, nature, and complexity of its activities.
(d) Periodic review. A third party covered under paragraph (a) of this section must periodically review its policies and procedures and update them as appropriate to ensure their continued effectiveness to evidence compliance with the requirements of subpart D of this part.
(e) Certain records retained pursuant to policies and procedures. Records retained pursuant to policies and procedures required under this section must include, without limitation:
(1) A copy of the authorization disclosure that is signed by the consumer electronically or in writing and reflects the date of the consumer's signature and a record of actions taken by the consumer, including actions taken through a data provider or another third party, to revoke the third party's authorization; and
(2) With respect to a data aggregator covered under paragraph (a) of this section, a copy of any data aggregator certification statement that was provided to the consumer pursuant to § 1033.431(c)(2).
Appendix A to Part 1033—Personal Financial Data Rights Rule: How to Apply for Recognition as a Standard Setter
If you want the CFPB to designate your organization as a recognized standard setter, you should follow the steps described below.
We may amend this process from time to time.
Step One: Requesting Recognition
Submit a written request for recognition.[1] This should include key contact information, evidence of your organization's policies and practices,[2]
[1] Sensitive personal information should not be provided.
[2] Evidence may include (but is not limited to) charters, bylaws, policies, procedures, fee schedules, meeting minutes, membership lists, financial statements/disclosures, publicly available materials, and issued standards.
[3] Relevant legal requirements are described at 12 CFR 1033.141. When explaining how your organization meets these requirements, you should reference relevant elements of the evidence you submit in support of your application.
In advance of filing your request, you can seek a pre-filing meeting with us. We can walk you through the application process and help you make a complete submission.
Send formal submissions, as well as requests for pre-filing meetings, to: [email protected].
Step Two: Additional Information and Public Comment
After reviewing your submission, we may request additional information to ensure that your application is complete.
We may publish your application.
We may also seek public input on your application and invite your responses to any information we receive on that basis.
Step Three: Our Review
When reviewing your application, we consider whether your policies and practices meet all the requirements for recognition. We also evaluate whether your application is accurate and complete.
We prioritize and review applications based on the extent to which recognizing your organization helps us to implement open banking.[4]
[4] Section 1033 of the Consumer Financial Protection Act, 12 U.S.C. 5533, describes the CFPB's role in implementing open banking.
Step Four: Application Decision
CFPB recognition will be publicly disclosed on our website, along with the applicable terms and conditions of such recognition, such as its duration.
If the CFPB declines to recognize your organization, we will notify you.
You may withdraw your application at any time or for any reason.
If we determine that your organization is close to meeting, but does not yet meet, the requirements for CFPB recognition, we may ask you to provide a written plan specifying how and when you will take the steps required for full recognition. If that plan is satisfactory, we may state on our website that your organization has received contingent recognition. Once you provide us with evidence that you have successfully executed on that plan (or otherwise addressed the relevant contingencies), the CFPB may extend full recognition.
Step Five: Recognition
There are several points to keep in mind about recognition.
As a recognized standard setter, you agree that the CFPB may monitor your organization and that you will provide information that we request.
You must also provide us, within 10 days, written explanation of any material change to information that was submitted with your application or during recognition, as well as any reason your organization may no longer meet underlying requirements for recognition.
In addition, you must meet any other specified terms and conditions of your recognition, which may include our reserving the right to observe or participate in standard setting.
If your recognition is set to expire, you can apply for re-recognition by re-starting at Step One at least 180 days before expiration. We may temporarily extend your recognition while we consider your request for re-recognition.
We may modify or revoke your recognition. The CFPB expects to notify you of the reasons it intends to revoke or modify recognition, and to provide your organization with an opportunity to address the CFPB's concerns.