The status of the Section 1033 rule is currently in flux. Plaid will enforce any 1033 related requirements as necessary when the rule becomes effective, but at this time is not proactively enforcing 1033-related requirements. As clarity develops on the future of Section 1033, Plaid will provide more information on 1033-related requirements.
\nThe CFPB has released the final Section 1033 rule for the U.S., which establishes stronger financial data rights for consumers. Section 1033 also introduces new compliance requirements for authorized third parties who access consumer data (i.e. data recipients), such as capturing authorization from the consumer to share their data.
\nWhat are the regulatory requirements from Section 1033 that Plaid can help my business with?
\nYou may also have obligations as a data provider if you offer covered financial accounts. Learn more.
\nHow can Plaid help my business comply with Section 1033?
\nPlaid’s solutions can simplify compliance so you can focus on growing your business. Please review our readiness guide for a summary of all the solutions available now to help you easily comply with the new regulation.
\nIf my customers are businesses (B2B), is my business expected to comply with Section 1033?
\nSection 1033 compliance applies to the data that you may be accessing from personal consumer accounts. While your products and services are for businesses, we often find that businesses like sole proprietors may be connecting their personal accounts to share data with you. In this example, you would be subject to the requirements from Section 1033.
\nWhat is Data Transparency Messaging and how do I configure it?
\nData Transparency Messaging (DTM) is a feature of Link that can help manage authorization capture on your behalf to help comply with Section 1033. To learn how to configure Data Transparency Messaging, please review our API docs.
\nWhen DTM is enabled for your traffic, Plaid will show in Link the data scopes and use cases for a consumer to review and authorize. To review and update your use cases, go to the Plaid Dashboard - navigate to Link Customization and then Data Transparency. You can select up to 3 use cases from the provided list for each Link customization. Data scopes are based on the products you initialize Link with.
\nWhich countries are available for testing Data Transparency Messaging?
\nData Transparency Messaging is available in both Sandbox and Production for the United States and Canada.
\nAre there minimum SDK / client library versions in order to enable Data Transparency Messaging?
\nTo use the additional_consented_products configuration field, the following minimum client library versions are required:
Will my conversion rate be impacted by Data Transparency Messaging?
\nPlaid has been testing Data Transparency Messaging for two years to ensure a seamless user experience while making it easier for consumers to understand their data sharing. Conversion will vary by customer, but we don’t anticipate significant impact to your conversion. You can test Data Transparency Messaging now to monitor for any impact to conversion before DTM is enabled for your business to assist with the regulatory requirements.
\nMy business offers multiple products and services: which use cases should I choose for Data Transparency Messaging?
\nPlaid has preselected default use cases for customers based on both billable and enabled products. You can view and make changes to your use cases at any time from the Plaid Dashboard. In general, you should configure DTM to show the use case(s) that the consumer is requesting and the data scopes needed to provide that use case (product/service). If your users are requesting multiple use cases then you can show up to 3 use cases for each Link customization. Please note that more use cases and data scopes will result in a longer disclosure for consumers to review in Link. You can also create separate Link customizations for each use case if you prefer requesting consent separately.
\nHow will a customer know if an Item requires additional data authorization?
\nIf a customer wants to pull data from an existing Item that they did not yet obtain consent for, we will return additional_consent_required. The customer should put the user through update mode to consent to additional data scopes.
What happens if we add a new Plaid product to access additional data?
\nIf a consumer has already connected their account and you require additional authorization for other data scopes and/or use cases, you can use update mode to obtain and capture authorization.
\nTo see the currently authorized and consented products on an Item, first use the /item/get endpoint. If the Item does not have consent for the desired product, create a Link token for update mode with the link_customization_name field set to a customization with Data Transparency Messaging enabled.
What Plaid products are covered and which are not covered by Data Transparency Messaging?
\nSection 1033 requirements apply to all Plaid products that require Plaid to access data from a Regulation E account, Regulation Z credit card, or an account that facilitates payments from a Regulation E account or Regulation Z credit card. This includes Auth, Balance, Identity, Transactions, Assets, and more. The following Plaid products are excluded from the 1033 requirements:
\nAm I able to manage Data Transparency Messaging myself after it has been enabled by Plaid?
\nOnce Data Transparency Messaging is enabled for your business to assist with the regulatory requirements, you will not be able to disable it from the Plaid Dashboard. However, you can update your use cases at any time.
\nIs it required to use update mode for capturing reauthorization every 12 months?
\nUsing update mode is not required, but we recommend integrating with it to provide a seamless experience for reauthorization. Update mode can be used to add permissions to Items, or to resolve ITEM_LOGIN_REQUIRED status. For reauthorization, Plaid will consolidate all of the elements of authorization into one screen for the consumer to review and reauthorize. Some institutions will require consumers to reconnect their accounts using OAuth for reauthorization.
Note that 12-month reauthorization is not a blanket Plaid behavior today. Specific US institutions (American Express, Bank of America, Capital One, Citibank, and others) enforce 12-month consent windows on their own data-sharing requirements; the 1033 rule, once enforced, would extend this as a regulatory baseline.
\nTo track Items approaching disconnection, integrate the PENDING_DISCONNECT webhook, which fires when an Item is expected to be disconnected (roughly 7 days before disconnection for US Items). For European institutions on PSD2 consent windows, listen for PENDING_EXPIRATION instead.
Will there be a way to track when consent is scheduled to expire for an Item?
\nThe consent_expiration_time field will track when consent is scheduled to expire. Currently, this field is only populated for institutions in Europe and a small number of US institutions; for all others, it returns null.
If a consumer revokes access to their data or their consent expires after 12 months, do I have to delete their data from my systems?
\nThere is a general obligation to not retain the data, but there are some exceptions. We recommend consulting with your legal team to determine when you are required to delete data and when any of the exceptions apply to you.
\nIf I have a consumer’s account and routing number to use for facilitating payments, will reauthorization apply to my business and my use case?
\n1033 says that after consent expiration, unless reauthorization is obtained, authorized parties may no longer use or retain covered data that was previously collected pursuant to the most recent authorization, unless use or retention of that covered data remains reasonably necessary to provide the consumer's requested product or service.
\nHow can I obtain a record of my customers’ authorizations?
\nWith Plaid’s consent logs, you can retrieve a history of the authorizations for your customers which can be used for audit purposes. See our API docs to learn more.
\nHow do I review if I have any missing business information that is required under Section 1033?
\nPlaid’s Compliance Center in the Dashboard allows you to review and fill in any missing business information that is required under 1033, such as legal entity name, contact information (email), website URL, and your Legal Entity Identifier (LEI). Once the information is complete, Plaid will share it on the behalf of our customers with data providers as needed to enable data access.
\nWhat is a Legal Entity Identifier (LEI) and do all businesses need to obtain one?
\nLegal Entity Identifier (LEI) is a 20-digit alphanumeric code that is used across markets and jurisdictions to uniquely identify a legally distinct entity. The 1033 rule, once enforced, would require third parties to register for and provide an LEI, with data providers able to deny access to those that don't. As of today, given the uncertain status of 1033 enforcement (see top of this article), there is no active LEI requirement. Businesses that want to register proactively can follow the steps below.
\nHow do I register for a Legal Entity Identifier (LEI)?
\nFollow these steps to obtain your LEI:
\nOnce you have your LEI, please provide it to Plaid in the Compliance Center of the Dashboard (under the Company Profile tab).
","user_segment_ids":[]}}