What banks need to know about the CFPB's open banking rule

Photo: Rohit Chopra, director of the Consumer Financial Protection Bureau. Samuel Corum/Bloomberg

The Consumer Financial Protection Bureau is expected to release its open banking rule in a few weeks giving consumers control over their own financial data. But not all banks are prepared.

The highly anticipated final rule establishes the federal consumer-privacy protections by prohibiting the sale and misuse of data by companies.

It's the culmination of years of political wrangling over how banks share the consumer data they collect. Open banking — the practice of a bank ensuring that a customer has access to their data and can share it with another bank or company — is also called 1033 for the section in the Dodd-Frank Act made into law 14 years ago. The section states consumers have a legal right to grant third parties access to their financial information.

The CFPB's proposal, released last October, would require financial institutions that offer checking accounts, prepaid cards, credit cards, digital wallets and potentially government benefit cards to share their data and transfer the information safely to another provider. Other products such as mortgages, auto loans and student loans will be added in later rulemakings, the CFPB has said.

The rule will be the major legacy of CFPB Director Rohit Chopra, who has championed consumer data privacy rights and has long sought to increase competition with big banks and rein in Big Tech companies.

Yet some bankers say they don't know exactly how data portability will work or what they should do to prepare. 

Christopher Williston, president and CEO of the Independent Bankers Association of Texas, said he's been "beating the drum on 1033," but many community bankers are still in the dark. 

"I'm telling you, hardly any community bankers are aware of 1033 and those that are 'in the know' have no concept of how it will work operationally," Williston said. "The typical community banker's perspective is: I don't know what I have to do to get ready."

Most community banks will rely on their core data processors or data aggregators to comply with the rule's requirements. The Independent Community Bankers of America has asked the CFPB to permit all banks to charge a reasonable fee for third-party access to data, but many experts say the bureau is unlikely to do so.

Under the CFPB's proposal, institutions must meet technical criteria including satisfying 99.5% of data requests within just 3.5 seconds — a timeframe that many hope gets extended. 

"Banks need to be thinking about all the places that their data is held because the CFPB put this 3.5-second timeframe in the proposal for when the data is retrievable through a developer interface," said Kim Ford, senior vice president of government relations at Fiserv, in Milwaukee.
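The performance criterion quoted above is something a bank can measure before the rule takes effect. The following script is an added example, not code from the article or from Fiserv: it reads developer-interface access-log lines, counts each request as satisfied only if it succeeded and returned within 3.5 seconds, compares the share against the 99.5% figure from the proposal, and attributes the misses to the backend that served each request, since the point above is that a bank's data may sit in several systems. The log format, the field names and the sample lines are assumptions constructed for this example.

```python
"""Added example (not from the article): check a developer interface's
response-time log against the 99.5%-within-3.5-seconds criterion the
article attributes to the CFPB proposal, and break misses down by the
backend that served each request. Log format, field names and the
sample lines are assumptions constructed for this example."""
import math
from collections import defaultdict

MAX_SECONDS = 3.5          # response-time threshold from the proposal
REQUIRED_SHARE = 0.995     # share of requests that must meet it

# Constructed sample of access-log lines for the developer interface
# (assumed format: timestamp, request id, serving backend, seconds, HTTP status)
SAMPLE_LOG = """\
2024-10-01T09:00:01Z req-0001 core-ledger    0.42 200
2024-10-01T09:00:02Z req-0002 card-processor 1.10 200
2024-10-01T09:00:02Z req-0003 core-ledger    0.38 200
2024-10-01T09:00:03Z req-0004 archive-store  5.80 200
2024-10-01T09:00:04Z req-0005 core-ledger    0.51 200
2024-10-01T09:00:05Z req-0006 card-processor 3.49 200
2024-10-01T09:00:05Z req-0007 core-ledger    0.44 200
2024-10-01T09:00:06Z req-0008 archive-store  4.02 504
"""


def parse_log(text):
    """Parse whitespace-separated log lines into (request_id, backend, seconds, status)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, req_id, backend, seconds, status = line.split()
        records.append((req_id, backend, float(seconds), int(status)))
    return records


def sla_report(records, max_seconds=MAX_SECONDS, required_share=REQUIRED_SHARE):
    """Share of requests satisfied, pass/fail against the requirement, misses per backend.

    A request counts as satisfied only if it succeeded (2xx) and came back
    within the threshold; a gateway timeout returned after 4 s is still a miss.
    """
    satisfied = 0
    misses_by_backend = defaultdict(int)
    for _req_id, backend, seconds, status in records:
        if 200 <= status < 300 and seconds <= max_seconds:
            satisfied += 1
        else:
            misses_by_backend[backend] += 1
    total = len(records)
    share = satisfied / total if total else 0.0
    return {
        "total": total,
        "satisfied": satisfied,
        "share": share,
        "meets_requirement": share >= required_share,
        "misses_by_backend": dict(misses_by_backend),
    }


def requests_needed_to_recover(misses, required_share=REQUIRED_SHARE):
    """Smallest request count at which `misses` slow answers still leave the share
    at or above the requirement. Integer arithmetic in tenths of a percent avoids
    float error: at 99.5%, every miss must be offset by 199 fast answers."""
    allowed_per_thousand = 1000 - round(required_share * 1000)
    return math.ceil(misses * 1000 / allowed_per_thousand)


if __name__ == "__main__":
    report = sla_report(parse_log(SAMPLE_LOG))
    print(report)
    print("requests needed to absorb 1 miss:", requests_needed_to_recover(1))
```

On the constructed sample the interface fails the check: six of eight requests are satisfied, and both misses come from the archive backend, which is the kind of breakdown that tells a bank where the slow "place that their data is held" actually is. The last helper makes the headroom concrete: at 99.5%, a single slow answer needs 199 fast ones to offset it.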

Bankers also are concerned that fintechs will use venture capital funding to subsidize lower rates on loans and other products while sending marketing blitzes to steal customers from big banks. Fintechs promise a wide range of financial benefits to low- and moderate-income consumers that bankers say may or may not be real. 

"The [open banking] movement seems to be driven by profit-making businesses that want to use consumers' data to sell their products and services," said David G. Schroeder, senior vice president of federal government relations at the Community Bankers Association of Illinois.

Community bankers "have noticed there is a conspicuous lack of demand for data sharing among their customers," Schroeder said.

The rule will initially impact the largest banks that for now have just six months to comply. The timeline of staggered four-year compliance dates depending on a bank's size could change in the final rule, some experts say. The American Bankers Association wants an additional year added to current timelines.

Much of the preparation leading up to the final rule has been around connectivity and the requirements to create both consumer and developer interfaces to enable the transmission of data. Banks have focused more on the rule's technical requirements, and some experts think less attention has been paid to providing the best experience to customers.

Creating a customer experience

John Pitts, head of policy at San Francisco-based data aggregator Plaid, said he sees a gap between banks that are focused on minimal compliance requirements and those that are already providing what he calls "a superior customer experience." Many small credit unions, particularly those near universities like Michigan State University Federal Credit Union in East Lansing, were prodded early on by tech-savvy students to create a smooth data access process.

"The banks that are on a really successful trajectory right now are thinking about how do we give our customers the best experience," Pitts said. "That's strategically important to success in open banking." 

When a consumer has multiple bank accounts, whichever bank account has the best experience linking to financial management and other apps "starts becoming the consumer's primary bank account," he said. 

Close to 100 million consumers will be impacted by open banking, which is now at a critical mass, according to the nonprofit Financial Data Exchange, which has filed an application with the CFPB to become a standard-setting body.

"That customer experience is a real competitive advantage and there's something to be said for meeting a customer's expectations," said Jane Barratt, chief advocacy officer at MX, a Utah-based fintech provider of data aggregation and analytics. "If you're thinking of [open banking] only from a regulatory compliance perspective, you're missing the bigger picture. This is the right thing to do for your customer and the right thing to do for competition."

Data is a two-way street

Open banking isn't just about data leaving banks; it's also about data coming into banks from certain fintechs that hold consumers' payment data. The CFPB is requiring that neobanks — digital-only banks that offer financial services through a mobile app or online platform — and companies offering digital wallets share data with banks as well if the customer agrees.

The CFPB's short timeline for compliance has caused a bit of panic among banks that primarily think about how to comply with the rule rather than about data coming in from other providers.

"If you have a 'data-out' plan, but no 'data-in' plan, you have completely failed to understand why this rule matters," Pitts said.

Consumers are more likely to share data with a bank or fintech if they are given what Barratt calls "actionable advice." MX found that consumers increased the amount of time spent on a mobile app by 10% to 15% when a so-called "insights widget" was added to the front page of a mobile app suggesting the consumer could benefit from moving $500 to a savings account from a checking account.  

"When you add these sorts of data-driven insight tools, you increase the amount of time people spend engaging with their money and if they're engaging their time with you, they're not over with your competitor," Barratt said. 

Fraud, liability concerns

A point of contention is that the rule requires that banks create both consumer and developer interfaces but provides little opportunity to conduct due diligence, said Kim Phan, a partner at Troutman Pepper. 

"The rule lays out no liability protection, banks have to respond to all of these requests and if you give the data to the wrong person, the liability rests entirely with the bank," Phan said.

She described a worst-case scenario in which a fraudster could generate millions of consumer consent requests for data, send them to a bank and, because of the 3.5-second timeframe to respond, the data could be stolen by criminals with no liability protection for the institution. If a bank denies a request for data, it must have a reason, report it to the CFPB and post its data request response rate on its website.

Williston, with the Texas bankers group, said fraud and liability are huge issues.

"I don't think that anybody can promise that the data is protected in 2024," he said. "From government hacks to private corporations, nobody can promise the data is safe."

In comment letters to the CFPB, banks have repeatedly asked for a release from liability for data breaches and misuse of the data, but it is unclear if the CFPB would carve out a "safe harbor" for those issues in the final rule.

"An unanswered question is what happens once that customer data is out of the secure and careful control of highly regulated community banks and gets into the hands of businesses that are anxious to use that data?" asked Schroeder at the Illinois bankers trade group. "Many of these businesses are unlikely to secure that data to the very high standards that community banks are held to by their regulators."

The CFPB's proposal requires that all entities adhere to the Gramm-Leach-Bliley Act data security requirements to safeguard sensitive information. But risk-averse banks are not happy to be stuck with the liability once the data moves to a third party.

"If a business did not secure the data properly, even if they are found to be liable, will those companies be able to fully compensate for the harm they will cause consumers and their community banks?" Schroeder asked.

Working with core providers

Most banks depend on the Big Three core providers — Fiserv, FIS and Jack Henry — that have invested heavily in APIs to ensure data access. Core providers offer authentication, identity management, security standards and controls that meet regulatory and compliance standards. The difficult work for banks comes from managing the consumer's preferences, such as when a customer revokes consent, which they can do at any time.

"Banks are thinking about how to manage this whole consent process and how do they keep up with all the desires of their customers," said Danny Baker, vice president of market strategy at Fiserv. "A lot of that permission will happen through online banking. The more difficult work will be in that middle-layer of managing all the decisioning aspects."

Providers must ensure that the data shared through APIs is accurate, consistent, and up-to-date, and as the volume of API traffic increases, banks need to make sure their systems can handle the load and deliver a seamless user experience, said Hashim Toussaint, general manager of digital and open banking at FIS, a Jacksonville, Fla., core processor.

"Compliance is an ongoing process," he said. "Banks need to establish mechanisms for monitoring regulatory changes and updating their systems and processes."

Banks must maintain a detailed record of all entities receiving consumer data, including third-party vendors, data aggregators, and other financial institutions. They also must ensure that the recipients of data are authorized and comply with relevant regulations to prevent data breaches and misuse, he said.
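The consent-management work described in the previous section and the record-keeping and authorization obligations described here can be shown together in one small piece of code. The following is an added example, not the article's code and not any core provider's product: an in-memory consent ledger for a 1033-style developer interface in which consent is scoped and time-limited, the consumer can revoke it at any time so that later requests are refused, only registered recipients that passed vetting are served, and every request decision is recorded so the bank has a record of which entities received data, a stated reason for each denial, and a response rate it can publish. The scope names, recipient ids and sample scenario are assumptions constructed for this example.

```python
"""Added example (not the article's code and not any core provider's product):
a minimal consent ledger for a 1033-style developer interface. Scope names,
recipient ids and the in-memory storage are assumptions made for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Consent:
    consent_id: str
    consumer_id: str
    recipient_id: str
    scopes: frozenset                 # assumed scope names, e.g. {"balances", "transactions"}
    expires_at: datetime
    revoked_at: Optional[datetime] = None

    def is_active(self, now):
        return self.revoked_at is None and now < self.expires_at


class ConsentLedger:
    def __init__(self):
        self.recipients = {}   # recipient_id -> {"name": str, "authorized": bool}
        self.consents = {}     # consent_id -> Consent
        self.decisions = []    # append-only record of every request decision

    def register_recipient(self, recipient_id, name, authorized=True):
        """Record a third party (aggregator, fintech, other bank) and whether it passed vetting."""
        self.recipients[recipient_id] = {"name": name, "authorized": authorized}

    def grant(self, consent_id, consumer_id, recipient_id, scopes, now, ttl_days=365):
        """Consumer grants a scoped, time-limited consent to one registered recipient."""
        if recipient_id not in self.recipients:
            raise ValueError("unknown recipient %s" % recipient_id)
        consent = Consent(consent_id, consumer_id, recipient_id, frozenset(scopes),
                          now + timedelta(days=ttl_days))
        self.consents[consent_id] = consent
        return consent

    def revoke(self, consent_id, now):
        """Consumer withdraws consent; every later request under it is refused."""
        self.consents[consent_id].revoked_at = now

    def authorize_request(self, consent_id, recipient_id, scope, now):
        """Decide one data request. Returns (allowed, reason) and records the decision."""
        consent = self.consents.get(consent_id)
        if consent is None:
            decision = (False, "no such consent")
        elif consent.recipient_id != recipient_id:
            decision = (False, "consent belongs to a different recipient")
        elif not self.recipients[recipient_id]["authorized"]:
            decision = (False, "recipient not authorized")
        elif not consent.is_active(now):
            decision = (False, "consent revoked or expired")
        elif scope not in consent.scopes:
            decision = (False, "scope not consented")
        else:
            decision = (True, "ok")
        self.decisions.append({
            "at": now,
            "consumer_id": consent.consumer_id if consent else None,
            "recipient_id": recipient_id,
            "scope": scope,
            "allowed": decision[0],
            "reason": decision[1],
        })
        return decision

    def recipients_of(self, consumer_id):
        """Entities that actually received this consumer's data."""
        return sorted({d["recipient_id"] for d in self.decisions
                       if d["consumer_id"] == consumer_id and d["allowed"]})

    def response_rate(self):
        """Share of requests answered with data, the figure the article says must be published."""
        if not self.decisions:
            return 0.0
        return sum(1 for d in self.decisions if d["allowed"]) / len(self.decisions)


def demo():
    """Walk through grant, use, misuse and revocation on constructed data; returns the outcomes."""
    now = datetime(2024, 10, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.register_recipient("agg-1", "Example Aggregator")                   # constructed
    ledger.register_recipient("fin-2", "Unvetted Fintech", authorized=False)   # constructed
    ledger.grant("c-1", "cust-42", "agg-1", {"balances", "transactions"}, now)
    ledger.grant("c-2", "cust-42", "fin-2", {"balances"}, now)
    results = {
        "in_scope": ledger.authorize_request("c-1", "agg-1", "balances", now),
        "out_of_scope": ledger.authorize_request("c-1", "agg-1", "identity", now),
        "unauthorized_recipient": ledger.authorize_request("c-2", "fin-2", "balances", now),
        "wrong_recipient": ledger.authorize_request("c-1", "fin-2", "balances", now),
    }
    ledger.revoke("c-1", now + timedelta(hours=1))
    results["after_revocation"] = ledger.authorize_request(
        "c-1", "agg-1", "balances", now + timedelta(hours=2))
    results["recipients_of_cust_42"] = ledger.recipients_of("cust-42")
    results["response_rate"] = ledger.response_rate()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The design choice worth noting is that the ledger records denials as well as releases: the recipient list a bank must maintain is derived from the allowed decisions, while the reasons attached to refused ones are what the article says a bank needs when it reports a denial to the CFPB. Checks are ordered so that a request presenting another recipient's consent, or coming from an unvetted recipient, is refused before scope or expiry are even considered.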

Compliance is a significant hurdle for banks given that customer data has always been closely held by financial institutions.

"Consumer data feels like this Holy Grail and now that has to be spread around and accessed in a free way," said Ford at Fiserv. "It's going to be a shift in mindset for a lot of these financial institutions. It's a cause for some nervousness."
