CFPB's open banking rule: Four things to watch on 1033


The Consumer Financial Protection Bureau's highly anticipated open banking rule is expected to radically reshape how consumers access their financial data. The final rule, which the CFPB is expected to release as early as Monday, will impact the entire banking ecosystem from Wall Street to Main Street.

Open banking is the practice of safely sharing financial data held at a bank with another bank or third-party company. The CFPB's proposal would require banks to share data on checking accounts, prepaid cards, credit cards, and digital wallets with the goal of fostering competition while protecting consumers' privacy.

Banks are concerned the rule will expose them to greater liability for potential data breaches and fraud, and also require costly oversight of third-party fintech companies. Under a proposal the CFPB released a year ago, banks will have no ability to recoup costs. Bank trade groups have asked the CFPB to let them charge fees, but CFPB Director Rohit Chopra is unlikely to do so given that he has sparked a storm with industry over so-called "junk fees."

"The CFPB is providing the rules of the road, and increasing the potential for consumer privacy and data security," said Corey Stone, senior advisor at the Financial Health Network and a former assistant director and senior advisor at the CFPB. "Everyone is going to have to adjust." 

The CFPB was given the authority by Congress in Section 1033 of the Dodd-Frank Act of 2010 to enact a rule for consumer data rights. The actual rule-writing did not begin in earnest until Chopra took over the agency in 2021. That late start has allowed far more data sharing and innovation in the U.S. compared with the U.K. and European Union, where data access rules have been more prescriptive, Stone said.

The final rule is expected to phase out the practice of screen-scraping, a common way in which consumers provide access to their data to a nonbank by sharing their banking login credentials. The CFPB's rule would further the adoption of secure APIs [application programming interfaces].

"The CFPB is trying to ensure uniformity and certainty of access on the one hand, and encourage innovation and discourage screen scraping on the other," he said. "They are looking at the biggest risks associated with the sharing of financial information and also the biggest benefits."

The CFPB plans to restrict the sale or misuse of data, barring companies from feeding consumer data into algorithms or artificial intelligence for activities not authorized by the consumer, such as targeted marketing. Thousands of companies will be impacted, including regional and community banks, credit card issuers, financial technology companies and data aggregators.

Here are some of the main issues banks are anticipating in the final 1033 open banking rule:

Protection from fraud

The CFPB's proposal last October did not address questions about liability, putting bankers on the hook if a consumer is harmed. The CFPB's proposal makes clear that banks are responsible for oversight of their fintech partners under interagency guidance on third-party risk.

Bankers had asked the CFPB to state explicitly that liability rests with the third party or data aggregator if a consumer's credentials are misused or stolen in a data breach and the consumer suffers harm. 

"Unfortunately it's going to be the bank that's expected to make those customers whole," said Mickey Marshall, assistant vice president and regulatory counsel at the Independent Community Bankers of America. "Even in the case where it's not a bad actor and a third party had a legitimate fraud or a data breach where information is compromised, the customer is going to say to the bank, 'Hey, my money was stolen,' and the bank makes the customer whole."

Banks also want the CFPB to mandate that third parties and data aggregators certify that they are adequately capitalized and carry sufficient indemnity insurance — and that they accept liability obligations. Banks also want the CFPB to publish model disclosures with specific language that states third parties certify their acceptance of liability in certain circumstances such as a data breach. 

Most experts think the CFPB will hew closely to its proposal and make no specific change to the liability provisions. 

Under the proposal, the CFPB has stated only that all companies are required to adhere to the Gramm-Leach-Bliley Act's data security requirements to safeguard sensitive information. Data providers that are not subject to Gramm-Leach-Bliley must comply with the Federal Trade Commission's standards for safeguarding customer information.

Marshall compared the lack of liability to how banks currently are dealing with the pervasive problem of check fraud.

"In check fraud, it's the bank whose customer the check was stolen from that makes the customer whole and then they have to go and seek money from the bank that accepted the fraudulent check," Marshall said. "It's the same here. The bank makes the customer whole and now it's waiting in line trying to recover from that fintech, which it may or may not ever be able to do."

Secondary uses of data

CFPB Director Rohit Chopra has said that companies should not be able to gain access to a consumer's data in order to cross-sell other products or services or to profit off the sale of data. Still, many experts recommended that the CFPB allow for some secondary uses of data primarily for research purposes and for limited use for product testing of underwriting models. 

"Models have to learn, and in order to learn, models have to get data," said Stone. "And that's where the secondary use comes in." 

Jason Rosen, founder and CEO at Prism Data, a New York-based cash flow underwriting firm, said the CFPB's proposal was restrictive of secondary uses but that many academics and consumer advocates, as well as industry players, are in favor of using data on a de-identified basis to develop new products and services or improve existing ones. 

"If you look at the bureau's stated goals for this rulemaking around greater competition, I think a more common sense standard on secondary use is really required for those objectives to be met," Rosen said. "That gives me a reason for optimism that the final rule will land in a slightly more permissive place than the initial draft rule."

Misha Esipov, co-founder and CEO at Nova Credit, a San Francisco-based cash flow underwriting firm, said credit risk officers want to see how data performs over time to fine-tune their credit models and policies.

"I think taken to the extreme, secondary use can quickly become a violation of privacy. Just because I linked my data once, doesn't mean that it can be used wherever, whenever," Esipov said. "But I think there are secondary use cases that are essential to the safety and soundness of our banking sector. If you can't reuse this information to understand how well it can separate risk and to develop analytical products, then your ability to convince risk officers to use it in the first place is significantly impaired and they will dramatically slow down the adoption by industry."

Ability to charge reasonable fees

Banks have asked the CFPB for the ability to charge third-party fintechs and data aggregators reasonable and proportional fees for accessing data. Banks say they need to offset the significant implementation costs of creating developer interfaces and of responding to a potential deluge of data requests. Banks also are expected to bear the cost of responding to customer service inquiries and litigation if a consumer sues a bank claiming the bank didn't protect their data from a third-party breach or theft.

Banks have told the CFPB they may have to pass costs on to consumers through higher account maintenance fees or even indirectly through a reduction in services. 

"Passing costs on to consumers or reducing services would be a perverse outcome that undercuts the purpose of the Section 1033 rulemaking in the first place," said Brian Fritzsche, vice president and associate general counsel at the Consumer Bankers Association. 

The justification for charging fees is to distribute market-based costs and risk allocation, and offset the operational costs of providing the data in the new data access ecosystem, bank trade groups say. They have estimated that data sharing will cost some banks tens of millions of dollars. 

Bank trade groups also have noted an imbalance in the CFPB's proposal on charging fees. 

The CFPB's proposal allows data aggregators to charge fees but banks would not be able to do so. In comment letters on the proposal, bank trade groups said that third parties are likely to pass fees charged by data aggregators on to consumers, which creates an anticompetitive windfall for data aggregators at the expense of a competitive market.

Responding to data requests

Banks also will be looking to see if the CFPB changes its requirement that a bank respond to requests within 3.5 seconds [technically, the CFPB's proposal says 3,500 milliseconds]. The bureau also is requiring a 99.5% accurate response rate. Sending a data package with two years' worth of bank transaction data is no easy feat to accomplish in that time frame and with that level of accuracy, bankers say.

Banks are required to authenticate and identify a consumer request but it is currently unclear whether that process will be easy for consumers or involve some level of friction. 

Still, banks can respond to data requests by sending a text, email or phone call to their customer to double-check that the customer did in fact authorize that their data be shared. 

"That's something that's good in the proposal, which is that banks can have a valid response to check with their customer," Marshall said. "There are pros and cons to that. On one hand, it does create more friction because it's another step of the process, but at least the bank can ensure that their customer did intend to share that information."

Under the proposal, a third-party fintech or bank will get authorization from the customer and provide a disclosure, and the customer responds by signing or verifying their consent, which gets sent by the third-party to the consumer's bank. 

"Banks certainly feel the need to have a step in the process that says, 'No,'" said Stone. "How that will happen is an open question."
