The Consumer Finance Protection Board (CFPB) is prodding banks and fintechs to move ahead toward open banking — a legal framework for individuals to let a third party have secure access to some of their bank records.
On Oct. 19 the CFPB proposed its Personal Financial Data Rights rule that it said would “jumpstart competition by forbidding financial institutions from hoarding a person’s data and by requiring companies to share data at the person’s direction with other companies offering better products.”
The rule would give people the power to share data about their use of checking and prepaid accounts, credit cards, and digital wallets. It invited comments and set a deadline of Dec. 29. The agency said it expected to have the rule adopted this year.
“That is a very tight timeline,” said Rodney Abele, Director of Regulatory and Legislative Affairs at The Clearing House (TCH). “What is different about this from other rule making by other agencies is that this is a soup-to-nuts regulatory regime. The bureau has proposed a full scope end-to-end covering every stage of the process.”
That would be an improvement, but a challenge to do correctly.
“There are no rules of the road, there is no one uniform oversight and no uniform consumer protections,” said Abele. “When you download an app and they say they want to connect to your bank account, there are no rules governing how you are supposed to give your consent to that app and what the app is supposed to do with your data, how they keep it, or any required data security standards,” he said.
Customer information security is a leading risk, according to two industry associations.
“It is critical that consumers’ personal and financial information remains secure when it is shared between financial institutions and third parties and when it is stored outside of the financial institution,” The Clearing House Association and Bank Policy Institute said in a statement to the CFPB.
Kieran Hines, the London-based senior analyst at Celent’s banking practice, said open banking needs an ecosystem approach, preferably with a single regulator in charge, as the UK has with the Financial Conduct Authority. A significant learning from early efforts is that open banking needs enforcement, he added. But the approach should be comprehensive and sustainable. If open banking becomes a top-down compliance directive, it can become just a box-ticking exercise.
CFPB in its October announcement said consumers would get access to their data “free of junk fees. Banks and other providers subject to the rule would have to make personal financial data available, at no charge to consumers or their agents, through dedicated digital interfaces that are safe, secure, and reliable.”
Hines and Costello, head of data aggregation strategy at Morningstar Wealth, think that approach is wrong. Open banking adoption has been hindered by the lack of revenue to back it up. Developing and maintaining APIs and secure connections costs money, and storage may be cheap but it isn’t free.
“CFPB need to think about building an ecosystem, not just open API access but how can you support it. You need incentive for all parts of the value chain,” said Hines.
“Revenue helps accelerate development. In Europe there is a big focus on how to involve the ecosystem so banks offer data and services beyond the regulatory minimum and charge for them,” he added. “That is getting a lot of traction.
“Experience shows it does require strong commitments to drive infrastructure growth and not just regulating. Regulation needs to be more active than passive and engaged in bringing together the banks, challengers and other stakeholders to commit to growing, adopting and solving roadblocks and other challenges on a collective basis,” said Hines. “You need to have a body driving standards — more than API standards, and data fields but also customer consent and harmonizing things like error messages.”
Abele said that the CFPB wants banks to certify the third party providers (TPP), which he thinks is a job for the bureau. Banks are subject to extensive regulation enforced through proactive supervision.
“It is harder to determine whether the thousands of apps that have access to your data with data aggregators are fully in compliance unless something goes wrong. But when it comes to data breaches and consumer protection, the important heavy lifting is all done on the front end. Offering credit monitoring after a breach is not enough — remediation is never as good as protecting it from happening. We think the CFPB needs to take a stronger role.”
The CFPB should expand the scope of its rule-making, he added.
“We think they need to make sure they have their eyes on everyone in this ecosystem that is important enough — both data aggregators and the largest third party recipients. The rule does not do that today and we think not extending authority over the third parties is a weakness.”
Instead, the rule imposes obligations on the financial institutions to be the eyes on the ground and look at third parties and make sure they have given the right disclosure to consumers.
“We think it is not appropriate and effective to attempt to deputize financial institutions to be the examiners of the tens of thousands of potential recipients. This is a job for the CFPB.”
The proposed rule says third parties “could not collect, use, or retain data to advance their own commercial interests through actions like targeted or behavioral advertising. Instead, third parties would be obligated to limit themselves to what is reasonably necessary to provide the individual’s requested product.”
The bureau should take the risk-based approach which it uses with banks — providing the heaviest supervision to the largest institutions — and apply the same approach to the largest recipients of bank data. It has rules for how aggregators can collect, use and store data. This rule-making will improve the safety of consumers’ financial information, Abele added.
“How many times have you linked your bank account to some entity that is not your bank? This rule will finally put in place some important consumer safeguards around that activity. Consumers will see the new disclosures and understand there is a process when deleting an app that your data actually gets wiped.”
Third party access to bank data through APIs will be an improvement over screen scraping, which ought to be banned once the APIs are in place, he said. Once an API connection is established and verified and the consumer account is permissioned, the aggregator can ask for defined data elements and just get back what the account owner has authorized.
“In screen scraping the consumer doesn’t have control. A payment app that does screen scraping can see your mortgage, your credit, etc. It is a pernicious practice. You have no idea what the aggregator is doing with that data and aggregators are not required to disclose how they are using it.”
Services from third party providers could include account aggregation and analysis, automatic saving, rounding up, investing, subscription management/cancellation, credit score management, payments, P2P, and FX.
Banks could offer much of this directly, and they got a start years ago with personal financial management apps, but then many dropped out, perhaps concerned about unclear regulation, suggested Morningstar’s Costello. It’s not too late to recover, he added, but fintechs have been faster to seize the opportunities.
Banks have a lot to lose, said Hines, starting with the value of deep relationships. Many years ago banking speakers warned that banks risked becoming dumb pipes while outside firms captured the greatest value, and perhaps eventually the deposits and investments, of their customers.