Mark Taylor
Senior Editorial Manager
Open banking is finally moving forward in the US, following similar reforms in the UK and Australia that allow consumers’ financial data to be shared between organisations.
The Consumer Financial Protection Bureau (CFPB) is gearing up to formally introduce a rule on Personal Financial Data Rights that it first floated in October 2023, which would for the first time give Americans access to their data held at a bank or other provider at no charge.
Individuals would have the power to share data about their use of checking and prepaid accounts, credit cards, and digital wallets.
This allows for access to competing products and services, the CFPB said, without worrying that data might be collected, used, or retained to serve commercial interests over the individual’s own.
The changes would enable consumers to switch from banks that provide bad service and would forbid companies that receive data from misusing or wrongfully monetizing the sensitive personal financial data, the regulator said.
“With the right consumer protections in place, a shift towards open and decentralized banking can supercharge competition, improve financial products and services, and discourage junk fees,” said CFPB Director Rohit Chopra.
Experts believe US banks and financial services firms must consider the implications of this significant, “inevitable” shift and begin preparations immediately.
What is open banking?
Traditionally, only the consumer and their bank could access the individual’s financial data. Under open banking, that data can be shared with another financial service provider, which could be another bank or third party such as a fintech, currency exchange, merchant, or other similar platform.
Open banking began as a UK government initiative in 2018 to break the stranglehold a few big-name legacy banks had on personal finance.
Efforts at the wider European level soon followed, with regulatory frameworks that forced the largest banks to share their customers’ data with third parties for the first time, under the authorization of those customers.
Six years later, results have varied, and the European Union is revising its regulatory framework for payments to further stimulate open banking activity.
What is the CFPB’s proposed open banking rule?
The proposed rule implements Section 1033 of the Dodd-Frank Act. This requires a covered person to, upon request, provide a consumer with information concerning products or services obtained by the consumer.
This includes the consumer’s account or transactional data, in electronic form, subject to rules published by the CFPB.
The CFPB had taken several preliminary steps to implement Section 1033, such as issuing requests for information and an advance notice of proposed rulemaking. The new proposals are the first detailed explanation of how the CFPB envisions Section 1033 operating.
As for which entities are regulated under the rule, three primary personas are identified in the financial data ecosystem: data providers, authorized third parties, and data aggregators.
Data providers are banks, card issuers, or other financial entities that control or possess consumer information.
Authorized third parties are entities that have satisfied the authorisation requirements under the Proposed Rule and are therefore permitted to access covered data on behalf of a consumer.
Data aggregators are entities retained by authorized third parties as service providers to assist with accessing covered data on behalf of a consumer.
Screen scraping v open banking
Whilst open banking is not a well-known concept in the US, third parties currently can access consumer data under authorisation via the process of ‘screen scraping’.
Screen scraping involves accessing customer data from banks, usually via a bot that logs in with the customer’s own shared log-in details and copies the information.
However, this practice can be unreliable and carries risks, including the third party accessing more data than is necessary, since the shared log-in grants it everything the customer can see, and it will be outlawed under the CFPB rule.
Open banking, by comparison, requires banks to use application programming interfaces (APIs), which are safer and allow only the necessary data to be accessed.
The CFPB says its rule will “require data providers to establish and maintain a developer interface for third parties to access consumer-authorised data”.
Who pays for the APIs?
The issue of who pays caused controversy in the UK, where the banks had to fund the technological changes, rather than the fintechs and challenger firms who stood to gain from accessing the networks.
Some banks reportedly spent over half a billion dollars on the project, which caused conflict.
Wall Street titans are unlikely to have any problem covering the cost, but given there are thousands of small and medium-sized banks and credit unions across the US, not all will have the budget.
The CFPB said there are “more than 9,000 banks and credit unions across the country, most of which serve as data providers, as do numerous non-depository financial institutions”.
It will fall on the regulator to ensure every financial institution works together, and as the CFPB makes clear in the rule, banks will be forbidden from charging for API access.
How have US organisations reacted to the open banking proposals?
“This will be game-changing for financial providers and will spur a raft of consumer-oriented innovation as banks look to prevent attrition,” said Jacob Morgan, principal analyst at the consultancy Forrester.
He said despite initial reservations, there had been a “positive tone” from businesses “reflecting the CFPB’s broad, blended market and regulatory approach”.
The Consumer Bankers Association, which represents retail banks, welcomed the rule, as the proposals also aim to regulate fintech companies.
“Many of these entities that are collecting, storing and selling this consumer information are not subject to the same rigorous data security and privacy standards as well-regulated and supervised financial institutions,” it said.
Meanwhile, the Financial Technology Association, speaking on behalf of fintech firms, said the changes will bring consumers “one step closer to having a strong right to control their financial data”.
How should firms respond?
Europe and the UK lead the way for organizations seeking to understand the market for account-to-account (A2A) payments in North America, said McKinsey fintech partner Andy Dresner.
“In these markets, payment-initiation-service-provider (PISP) open banking enables third parties to move money from a consumer’s account to a merchant’s account, usually via a real-time rail. These account-to-account (A2A) payments are typically for bill paying or e-commerce but could migrate to the point of sale (POS) over time.”
Until now, A2A payments in the US have been slow to catch on, he said, noting that consumers are often unwilling to move away from credit cards due to loyalty points.
“One reason is that, in the absence of a regulatory framework, banks have been at a competitive disadvantage in staking out a strong presence in the payments marketplace,” he said.
Such portability of personal data would also allow consumers to pick and choose “different products that either their bank don’t offer or [does] offer but someone else offers a version that better matches your need”, added John Pitts, global head of policy for US fintech Plaid and a former CFPB official.
A customer would be able to use those more suitable products without leaving their main bank.
Whilst switching banks is common in the UK, it is more complicated to move banks in the US due to the lack of control individuals have over their own data.
“Account ownership is sticky in the US, where you are more likely to get divorced than to switch bank accounts,” Pitts said.
When would compliance with the CFPB open banking rule begin?
Once a final rule is published in the Federal Register, data providers are required to comply with its requirements on a staggered schedule based on asset and revenue thresholds.
Other factors that influence the timeline are whether the data provider is a depository institution or a non-depository institution.
Compliance would be required within:
- 6 months for depository institutions holding at least $500bn in assets or for non-depository institutions that generated at least $10bn in revenues in the prior calendar year, or are projected to generate $10bn in the current calendar year;
- 1 year, for depository institutions that hold between $50bn and $500bn in assets and for all other non-depository institutions;
- 2.5 years, for depository institutions that hold between $850m and $50bn in assets; and
- 4 years, for depository institutions that hold less than $850m in assets.
CUBE comment
The US is embarking on a journey toward open banking that would align standards with other financial markets, and there is no going back. Understanding and adhering to compliance requirements, especially in the face of rules like those governing Open Banking, is of paramount importance.
Financial institutions must be proactive in identifying and reacting to regulatory changes to ensure they remain compliant with the latest standards.
Open Banking, with its emphasis on data sharing and innovative financial services, requires a thorough understanding of the associated compliance frameworks to safeguard customer data and maintain the integrity of financial systems.
Failure to stay informed about these shifting regulations can expose institutions to legal risks, compromise data security, and hinder their ability to participate effectively in the dynamic landscape of modern finance.
CUBE’s industry-leading horizon-scanning solutions can proactively help your business adapt to regulatory changes and help your business thrive in the era of open banking.