U.S. banks have shared their customers' account data with fintechs, an activity some call "open banking," for more than a decade. But they haven't always done it knowingly or willingly, and it's been a source of tension among banks, data aggregators and fintechs. Could the data-sharing rules the Consumer Financial Protection Bureau
The
The proposal would limit the data that data aggregators like Plaid, Envestnet Yodlee, Finicity and MX gather and retain to only what's reasonably necessary to provide the consumer's requested product or service. They would not be able to sell that data to hedge funds, other Wall Street firms or anyone else, nor use it for targeted advertising or to cross-sell products.
"My read of the rule is that it very clearly says that the consumer gets to decide who they authorize to access the data," said Amias Gerety, partner at QED Investors and a former Treasury official. "It codifies access in a specific way that gives the consumer control."
The proposal would bring a lot more scrutiny of what data is being exchanged and how quickly consumers can revoke access to data, said Ameya Talwalkar, CEO of the application programming interface security company Cequence.
The proposal also would give consumers some control and protection over their data once it moves from a bank to a data aggregator or fintech. For instance, consumers would need to reauthorize this data access every year.
For fintechs, the proposal should make data access easier and more stable, Gerety said. Today, generally speaking, fintechs' access to bank account data is pretty good, he said.
"But the failure rate for Plaid, Yodlee and MX is still strikingly high," he said. "Ten to twenty percent of the time, the connections break. And that's partly because much of this access today is done through screen scraping rather than through these API interfaces." A spokeswoman for Plaid declined a request for comment, but pointed to blogs about the proposal posted by the
The CFPB's 1033 plan would also require banks and credit unions to provide fintechs — typically through data aggregators — data about the terms and conditions of products, including all rates and fees. This is not standard practice today, and it could let third parties like Credit Karma, NerdWallet, BankRate and LendingTree gather data directly and provide consumers with more accurate product-comparison information.
"Stable, machine-readable, legally guaranteed access to terms and conditions will make the financial services industry more competitive," Gerety said.
The proposal also would require banks to provide information to initiate payment to or from an account.
"That moves the ball forward," Gerety said. "I thought that was very interesting from a control element — that it's not just data, but also this idea that the consumer can take action."
This could be a windfall for Plaid, which has been trying to become a payments provider.
"Account funding is such an important part of how Plaid really delivers value in the fintech ecosystem," Gerety said. "This does look like a step in that direction to make it easier for [data aggregators] not just to get the data, but actually move customer funds."
Would screen scraping be banned?
Because the proposed rule would require banks and other data providers to offer developer interfaces, there should be less need for screen scraping — in other words, logging in with a user's online banking credentials and copying and pasting their transaction data into another app. The term "screen scraping" does not appear in the language of the rule, so it's not clear if there will be an explicit ban on the practice. The CFPB did not answer a question about this by deadline.
The requirement that data be shared through developer interfaces could be a mixed blessing for the data aggregators and other companies that provide such APIs. Logically it should bring them more business. But some of the data aggregators' value comes from their ability to manage the complexity of screen scraping, Gerety noted.
"In the extreme case, imagine that every single bank in the country adopts the exact same API," he said. "Then you just need to know the name of the bank and then your code would read exactly the same way no matter which bank you were pulling the data from. That would be a world in which Plaid's market power basically disappears." A Plaid spokeswoman said the company has thousands of customers and offers a wide range of products and services including anti-fraud, identity verification, lending and payments software.
Vendors including Akoya, Plaid and MX are trying to help banks manage and view their application programming interfaces through data portals as an alternative to scraping consumers’ login credentials.
The CFPB proposal calls for the creation of industry standard-setting bodies that would create such a standard.
Today, the Financial Data Exchange and OAuth groups set some voluntary technical standards for data sharing. But other organizations may be created for this purpose.
Another factor is that it will take some time for all banks to have APIs.
"An end to screen scraping will take a lot of time due to the varying degree of technological capacity of our nation's financial institutions," said Jim Perry, senior strategist at Market Insights. "Will these rules offer enough incentive for the smallest institutions to quickly transition to APIs? The end to screen scraping may be a long way off."
While big banks would have to start complying in 2025, small banks would get about four years to be ready.
The backstory
Over the past two decades, the way bank account data is shared with fintech app providers has evolved. Data aggregators like Plaid, Mint and Yodlee started out by siphoning data out of bank servers in stealth mode, by getting consumers to give up their online banking credentials, logging in using their identities and screen scraping their data, without asking or telling the banks.
Bank leaders vehemently objected to every aspect of this — the way the aggregators created fake pages that looked like the banks' mobile apps and websites (including use of banks' logos) to get people to enter their usernames and passwords; the way the screen-scraping activity became so voluminous it clogged banks' servers; the way it sometimes tripped up fraud filters; and the way data aggregators seemed to scrape and retain much more data than was called for.
Data aggregators and fintechs have over the years
In December 2019, PNC Financial Services Group
In October 2020,
Two months later,
The claims raised in the lawsuits "do not reflect our practices," the Plaid spokeswoman said Tuesday. Plaid settled the TD lawsuit shortly after it was filed in 2020 and the PNC lawsuit is ongoing. Plaid denies the allegations.
"We make our role and practices clear and provide services that give consumers control over how and where they share their data," the spokeswoman said.
Over time, the data aggregators acquired so many fintech customers that they had the leverage to induce banks to sign data-sharing agreements to move bank account data through mutually approved APIs. In 2018,
Not all banks have signed agreements with all data aggregators. And even where there are agreements in place, disputes persist. Fintechs say the API agreements are too stingy with data. Banks say data aggregators and fintechs gather far more data than they need for the actions the consumer wants to perform.
Some observers said data aggregators rarely stick with their API-based agreements with banks.
"Oftentimes they will actually be screen scraping and not using those APIs," Talwalkar said. This is because they can get much richer context through screen scraping.
"If I use my credit card to do certain shopping at certain times of the day, there is a lot more context that you can get by logging in as a consumer and scraping that data versus the API that the bank has for you to scrape that data," Talwalkar said.
The impact on community banks
CFPB Director Rohit Chopra recently said the new proposal would
"I think Director Chopra is overestimating the promise of an open banking ecosystem for small banks," said Perry. "This new rule may have the intent to level the playing field for small banks, but it could actually have the opposite effect. Greater ease in switching accounts is a sword that cuts both ways, and you cannot automatically assume that small banks will be the primary beneficiary."
The proposal could most benefit big banks that already have the technology in place and the fintechs and digital competitors that depend on access to consumers' financial data, he said. Some small banks would have to depend on their core-banking providers to meet the obligations of the rule. Fiserv and Plaid recently struck an agreement along these lines.
Community banks are likely to view this proposal as another compliance challenge, Perry noted. On the other hand, 75% of banks would have four years after the rule takes effect to actually comply, he said.
"They should use that time wisely," he said.