What CFPB Section 1033 Means for LOS Buyers in 2026

Section 1033 matters to lenders because it changes how consumer-permissioned account data is shared, governed, and audited. For most loan origination system buyers in 2026, this is an API, consent, and vendor-management problem first, not a stand-alone reason to replace the LOS.

Updated May 2026 · 12 min read

The short answer

CFPB Section 1033 is the open-banking rule that tells covered providers to make certain consumer financial data available to consumers and authorized third parties on request. The current rule focuses on deposit-account, credit-card, and certain payment data, not mortgage or commercial lending workflows directly.

That still matters to LOS buyers. If your consumer lending stack, or your small-business workflow, relies on consumer-permissioned personal account data, cash-flow verification, or third-party account-linking tools, Section 1033 hits your architecture, consent flow, audit trail, and vendor contracts even when the LOS is not the regulated front line.

What the rule actually does

The CFPB finalized its Personal Financial Data Rights rule in October 2024. The rule requires covered providers to make consumer data available in electronic form and sets obligations for authorized third parties that access that data. In the current version of 12 CFR Part 1033, the covered products are Regulation E accounts, Regulation Z credit cards, and certain payment-facilitation products. That is the first important filter for lenders: this is not yet a direct mortgage-LOS or commercial-LOS mandate.

The second filter is timing. The rule originally set phased compliance dates beginning April 1, 2026 for the largest covered providers, then April 1 of each year through 2030 for smaller tiers. But the CFPB's own compliance page now says those compliance dates were stayed by the court in Forcht Bank v. CFPB, and the Bureau opened a reconsideration process in August 2025 while signaling plans to extend the dates. So the right mental model in 2026 is simple: the rule exists, the direction of travel is real, and the first deadline is not functioning as a live enforcement trigger today.

| Rule element | What the current rule says | What an LOS buyer should hear |
| --- | --- | --- |
| Scope | Reg E accounts, Reg Z credit cards, and certain payment-facilitation products. | Do not treat this as a direct mortgage or commercial LOS feature checklist. |
| Third-party access | Authorized third parties need disclosure, certification, and express informed consent. | Your vendors need clean consent language and named accountability. |
| Use limits | Data use must be reasonably necessary for the consumer-requested service. | Broad reuse rights in vendor paper are a problem, not a footnote. |
| Timing | Original phased dates start in 2026, but the CFPB says the compliance dates were stayed and are under reconsideration. | Use the pause to fix controls. Do not spend it pretending the issue disappeared. |

Why LOS buyers still need to care

The mistake here is thinking, "we are a lender, not an open-banking app, so this is somebody else's problem." That misses the operational point. If your LOS or adjacent tools use borrower-permissioned account data for income verification, cash-flow analysis, fraud checks, account ownership verification, or prefill, you have a real architecture question even if the legal obligation lands first on the data provider or aggregator.

In practice, that means four buyer-side questions matter more than the legal headlines: Who is the named third party in the consent flow? Which system stores the authorization and revocation record? Which vendor controls reauthorization when one year passes? Who can prove, on demand, what data categories were pulled and why? Those are software and process questions. They land squarely in an LOS evaluation, especially when the LOS vendor resells or embeds third-party data services.

This is the same reason core integration and contract language matter more than demo polish. The risk does not show up in a screenshot. It shows up when a borrower revokes access, when a compliance officer asks for the consent record, or when a vendor contract quietly grants itself data reuse rights your team never meant to allow.

The controls that matter now

Section 1033 is still a useful vendor-diligence lens because the rule is unusually concrete about third-party obligations. An authorized third party must provide a clear authorization disclosure, name itself and the data provider, describe the requested service, disclose the categories of data accessed, describe duration, and tell the consumer how revocation works. It also must limit collection, use, and retention to what is reasonably necessary for the requested service.

That last phrase does real work. The rule specifically says targeted advertising, cross-selling, and sale of covered data are not part of what is reasonably necessary. So if an LOS-adjacent vendor wants blanket rights to reuse consumer-permissioned data across marketing, product upsell, or resale programs, you do not have a minor drafting issue. You have a business-model mismatch.

The rule also forces discipline on time and evidence. Third parties have to limit collection duration to one year after the consumer's most recent authorization unless they obtain new authorization, and covered third parties have to keep compliance records for at least three years after the most recent authorization. That should immediately change how you evaluate LOS-connected data vendors. If a vendor cannot show where reauthorization lives, where revocation lives, and where records live, they are not ready enough for you to trust them in production.
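As an added illustration, not code from this guide or from any vendor, here is a minimal consent ledger that encodes the controls just described: a named third party, the disclosed data categories, purposes outside the reasonably-necessary standard, the one-year collection window, three-year evidence retention, revocation, and an append-only audit trail. The vendor and bank names, category labels, and dates are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
PROHIBITED_PURPOSES = {"targeted_advertising", "cross_selling", "data_sale"}  # outside "reasonably necessary"
COLLECTION_WINDOW = timedelta(days=365)     # one year after the latest authorization
RETENTION_PERIOD = timedelta(days=3 * 365)  # evidence kept at least three years after it

@dataclass
class Authorization:
    third_party: str          # named third party on the disclosure (hypothetical names below)
    categories: set[str]      # data categories disclosed to the consumer
    authorized_on: date       # most recent (re)authorization
    revoked_on: date | None = None
    events: list[tuple] = field(default_factory=list)  # append-only audit trail

    def reauthorize(self, on: date) -> None:
        self.authorized_on, self.revoked_on = on, None
        self.events.append(("reauthorized", on))
    def revoke(self, on: date) -> None:
        self.revoked_on = on
        self.events.append(("revoked", on))
    def retain_until(self) -> date:  # earliest date compliance evidence may be disposed of
        return self.authorized_on + RETENTION_PERIOD
    def check_pull(self, requested: set[str], purpose: str, today: date) -> tuple[bool, str]:
        # Gate one pull against the stored authorization and log the decision either way.
        if purpose in PROHIBITED_PURPOSES:
            verdict = (False, f"purpose {purpose!r} is outside reasonably-necessary use")
        elif self.revoked_on is not None and self.revoked_on <= today:
            verdict = (False, "authorization revoked by consumer")
        elif today > self.authorized_on + COLLECTION_WINDOW:
            verdict = (False, "collection window expired; new authorization required")
        elif not requested <= self.categories:
            verdict = (False, f"categories not in disclosure: {sorted(requested - self.categories)}")
        else:
            verdict = (True, "permitted")
        self.events.append(("pull", today, purpose, sorted(requested), verdict[1]))
        return verdict

def demo() -> list[bool]:
    # Constructed scenario: a verification vendor pulling account data for an income check.
    a = Authorization("ExampleVerify", {"balances", "transactions"}, date(2026, 5, 1))
    pull = lambda cats, purpose, day: a.check_pull(cats, purpose, day)[0]
    out = [pull({"transactions"}, "income_verification", date(2026, 6, 1)),  # within disclosure
           pull({"transactions", "account_number"}, "income_verification", date(2026, 6, 1)),
           pull({"transactions"}, "cross_selling", date(2026, 6, 1)),
           pull({"transactions"}, "income_verification", date(2027, 6, 1))]  # past one year
    a.reauthorize(date(2027, 5, 1))
    out.append(pull({"transactions"}, "income_verification", date(2027, 6, 1)))
    a.revoke(date(2027, 6, 2))
    out.append(pull({"transactions"}, "income_verification", date(2027, 6, 3)))
    return out  # [True, False, False, False, True, False]
```

Every decision, permitted or refused, lands in `events`, which is the record a compliance officer would ask for when a borrower revokes access.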

What to ask LOS and integration vendors

This is the buyer checklist I would use now. It is narrow on purpose. You are trying to expose control gaps, not host a seminar on open banking.

| Question | Why it matters | Evidence to demand |
| --- | --- | --- |
| Who is the named third party in the consumer authorization? | The rule requires the disclosure to identify the third party and the data provider. | A live consent screen, not a sales answer. |
| What data categories are pulled, exactly? | You need data minimization, not open-ended access. | Field-level or category-level mapping tied to the workflow. |
| Where do revocation and reauthorization happen? | The rule expects a revocation method and caps collection duration at one year without new authorization. | A tested user flow plus operational ownership. |
| What rights do you claim to the data after the underwriting task is done? | Targeted advertising, cross-selling, and sale of covered data are outside the rule's reasonably-necessary standard. | Contract language, product terms, and data-use exhibit. |
| How long do you keep compliance evidence, and where? | Covered third parties must retain records for at least three years after the most recent authorization. | Retention policy, sample audit record, and named system of record. |
| If your vendor changes, who updates the consent and control stack? | Embedded data services create handoff risk between LOS, aggregator, and lender. | RACI, implementation plan, and contract accountability. |

What not to do during the pause

First, do not rip out a working LOS because somebody said "open banking" in a board meeting. Section 1033 is not a stand-alone justification for an LOS replacement. If the real problem is an account-linking vendor, a cash-flow verification workflow, or weak contract paper, fix that layer first.

Second, do not let vendors dismiss the issue because loans are not directly covered in the current rule. That answer misses the operational point. The question is not whether your mortgage LOS is itself named in Part 1033. The question is whether your lending stack can prove consent, revocation, reauthorization, data-use limits, and record retention anywhere consumer-permissioned account data enters the flow.

Third, do not confuse regulatory uncertainty with strategic uncertainty. The court stay and CFPB reconsideration mean the exact dates and contours may move. They do not mean consumer-directed data sharing is going away. The work that survives almost any rewrite is boring and valuable: cleaner interfaces, clearer contracts, narrower data access, and named ownership across vendors.

My recommendation

  • If you are buying an LOS in 2026, add a short Section 1033 diligence block. Keep it focused on consent, account-data flows, vendor roles, and record retention.
  • If you already have an LOS, review the vendors around it. The highest-risk gap is often the embedded aggregator or verification tool, not the core LOS itself.
  • If a vendor cannot show the live flow, assume the control is immature. This is one of those areas where screenshots and roadmap promises do not count.

How this fits into a broader LOS evaluation

Section 1033 should not dominate your whole selection process. It belongs inside the same buyer-side framework as integration depth, compliance ownership, total cost, and vendor accountability. That is why the best follow-on reading is still how to choose the right LOS, not generic open-banking commentary.

If your shortlist includes consumer, small-business, or multi-product platforms with a lot of connected-data dependencies, pair this guide with the directory's LOS RFP template and contract negotiation guide. If your bigger concern is regulatory control inside business-lending workflows, the closest sibling topic is Section 1071 readiness. Different rule, same lesson: buyers win by forcing vendors to prove the operational details.

FAQ

Does Section 1033 directly cover mortgage and commercial lending today?

No. The current rule is built around deposit accounts, credit cards, and certain payment-facilitation products. The LOS impact is usually indirect, through connected account-data workflows and the vendors that power them.

Is the April 2026 deadline real anymore?

Not as a live enforcement trigger. The CFPB says the court stayed the compliance dates and the Bureau is reconsidering the rule. Buyers should treat this as a pause, not a cancellation.

What is the single most important vendor question?

Ask the vendor to show the exact consent, revocation, and reauthorization flow for any borrower-permissioned account data product in the stack. If they cannot show it, they probably do not control it well enough.

Can we just push this onto the aggregator?

You can contract work out. You cannot contract attention out. Someone on your side still needs to own the control map, the contract terms, and the audit trail.

Next steps

Use Section 1033 to tighten diligence, not to create theater

The smartest move right now is a tighter vendor proof process. Make every vendor show who owns consent, who stores the evidence, and who is accountable when the borrower revokes access.