Since President Joe Biden’s July 9, 2021, executive order, “Promoting Competition in the American Economy,” there has been renewed focus and speculation surrounding the Consumer Financial Protection Bureau’s (CFPB) forthcoming rulemaking under the Dodd-Frank Act, Section 1033. Many industry leaders are optimistic President Biden’s order and the CFPB’s previous request for comments are a sign the U.S. is moving closer to open banking. Open banking refers to “the opening of internal bank customer data and processes to other parties through digital channels” called APIs.[1] Open banking promises to foster greater consumer choice, competition and innovation.[2]
Banking in the United States is a relatively closed ecosystem in which banks act as gatekeepers for customer data. Open banking refers to a different ecosystem in which a customer can transfer bank account information and other data to other banks, third-party application providers and the proliferating fintech company products that rely on consumers’ permission to access their bank accounts or other sensitive financial information. Section 1033 of the 2010 Dodd-Frank Act directed the CFPB to create a formalized framework for consumer data sharing through rulemaking. Eleven years later, the CFPB has made no visible progress toward proposed rules addressing these issues. The president’s executive order should make open banking a priority for the CFPB.
While other countries such as the U.K. and Australia have had open banking regulations in place for several years, the United States has lagged behind its global peers. U.S. industry leaders are eager for U.S. regulators to follow suit. Without well-established legal regulations, U.S. banks will continue to have little incentive to implement open banking.[3] Although the need for open banking regulations is well recognized, industry leaders still have concerns about what the regulations may entail. Many of these concerns are centered on privacy, data ownership rights, and consumer confidence. These concerns highlight the difficulty of balancing the competing goals of open banking and promoting access to data while continuing to safeguard consumer data. As the CFPB and federal regulators meet to establish new rules, they should learn lessons and find inspiration from the open banking programs implemented by their global peers.[4] A successful regulatory scheme must be able to balance security, a fair exchange of value, and transparency.[5]
Privacy Concerns
Historically, most of the laws in the U.S. “governing data collection and use focused almost exclusively on protecting consumers from harm arising from unauthorized access and inappropriate uses of their data.”[6] However, as other nations have moved towards open banking, “the regulatory emphasis has shifted to both give consumers a shield to protect their data and also hand them a sword.”[7] In other words, open banking regulations offer consumers a means to proactively use their data to further their financial goals.[8] As the threat of data breaches and cybersecurity risks continues to rise, one of the concerns with open banking is that it will only further magnify the impacts of breaches and cybersecurity incidents.[9] Moreover, increased interactions and reliance on third parties will require banks to continue to scrutinize third parties’ security capabilities and monitor their protocols.[10] Bank applications are often more secure than other external-facing applications that might be interfacing with the bank’s systems through APIs, making it all the more critical for banks to act quickly if there is a spike in suspicious activity.[11]
While many of the technologies underlying open banking are not necessarily new to U.S. banking, regulations requiring open banking will certainly increase the speed and volume at which organizations are sharing data.[12] With this increase in activity and volume, it will be imperative for organizations to have more controls in place to detect fraudulent activity.[13] Organizations implementing open banking will have to think deeply about privacy and embed it into their design from the outset.[14] This deep thinking requires resources and glosses over the fact that many banks, especially the smaller ones, are still using legacy systems that will require them to invest in brand new software architecture.[15] It is reasonable for banks to remain wary of the potential risks of opening up consumer data to third parties; however, if the CFPB successfully lays out a regulated approach to data sharing, the implementation of sound privacy policies for open banking in the U.S. will be much easier.[16]
Ownership Rights to Consumer Data
Beyond questions of who can access consumer data, open banking raises questions about who actually owns individuals’ financial data.[17] One of the biggest questions to hopefully be answered through the CFPB’s rulemaking is whether the financial institution is the “true keeper” of a customer’s shared information, or if the responsibility lies with third-party companies.[18] Whereas other nations have “concrete regulatory guidance on how to address fundamental issues such as informed consumer consent, the appropriate scope and duration of data access, and allocation of liability for data loss,” no such guidance exists for U.S. banks.[19] Beyond these ambiguities, there have historically been few incentives for banks to provide third parties with access to customer data.[20] This consumer data is one of the bank’s most valuable assets and provides the bank with a competitive advantage.[21]
As the CFPB looks to create its own guidelines, GDPR regulations have been praised for offering consumers transparency regarding the manner in which their data is being used, prohibiting data from being used outside the agreed-upon purpose, requiring consent requests to be in plain language, and requiring prompt notifications about breaches.[22] Open banking data regulations must go beyond merely regulating the use of data; they must also “take into account APIs, data repositories, and other infrastructure elements.”[23] The CFPB must lay the groundwork for a data stewardship model to provide “accountability for privacy across the ecosystem” and to make sure that the use of data is “legal, fair and ethical.”[24] Many are calling for the CFPB to institute clear rules clarifying some of the existing regulatory ambiguities and delineating a right for consumers and permissioned third parties to access their data.[25] Moreover, once customers select their consent preferences, banks and third parties must have a system for ensuring these preferences are enforced.[26] As it stands today, enforcement of preferences creates administrative burdens even internally within a single organization. As more parties become involved in sharing data, data stewardship will become increasingly important. A final CFPB rule on data access rights and liability for data loss will be critical to driving open banking efforts in the U.S.[27]
Consumer Confidence
While addressing privacy concerns and clearly defining ownership rights will help promote consumer confidence in open banking, promoting consumer confidence must be a priority in and of itself. In addition to rulemaking, banks and regulators must be prepared to commit time and resources to educating consumers. As experience with other products has demonstrated, customers will engage with open banking if they trust and understand it.[28] Critical to this understanding will be banks’ ability to be transparent in how they are using and sharing the consumer’s data while also underscoring the value open banking offers consumers who share their data.[29] The CFPB’s rulemaking will be instrumental in laying the foundation of these disclosures, but it will remain the bank’s responsibility to effectively distill the information to its customers. Ultimately, in order for U.S. regulators to deliver open banking’s promise of innovation and freedom of choice to consumers, they must achieve two seemingly contradictory goals: prioritizing transparency and ensuring privacy.
*Lindsey Adams is a summer associate and not licensed to practice.
FOOTNOTES
[1] PwC, Canadian Banks 2019: Open Banking is Coming (2019)
[2] Pascal Gautheron & Katrina Cuthell, Open Banking in Australia: An Opportunity to Regain Trust, Bain & Company (Sept. 18, 2019)
[3] Open Banking in the United States: Are You Ready to Catch Up?, Trustly [hereinafter Trustly].
[4] Terry Ray, BankThink Open Banking Can Be a Privacy Nightmare, PaymentsSource (June 2, 2020 12:01 AM)
[5] Deloitte, Open Banking: Privacy at the Epicentre (Jun. 2018)
[6] Eversheds Sutherland, A CFPB Data Access Rule Could Be a Win for Open Banking in the US (Sept. 8, 2020)
[7] Id.
[8] Id.
[9] Sajith Nair, Jordan Prokopy, & Naren Kalyanaraman, Putting Security and Privacy at the Heart of Open Banking, PwC (2019)
[10] Tarun Bhasin, Open Banking Could Transform the Industry – But Security is Key, Forbes (Apr. 21, 2021, 08:20 AM)
[11] Id.
[12] Nair et al., supra note 9.
[13] Id.
[14] Id.
[15] Trustly, supra note 3.
[16] Gregory Magana, The Consumer Financial Protection Bureau is Moving Toward Open Banking Regulation, Business Insider (Oct. 26, 2020, 09:43 AM)
[17] John Egan, What is Open Banking?, U.S. News (Jun. 2, 2021, 04:17 PM)
[18] Id.
[19] Eversheds Sutherland, supra note 6.
[20] Id.
[21] Id.
[22] Ray, supra note 4.
[23] Id.
[24] Nair et al., supra note 9.
[25] Brett Carr, Charles Weinstein, & Deric Behar, Divergent Paths to Open Banking in UK and US, Latham & Watkins (Nov. 6, 2020 05:39 PM)
[26] Nair et al., supra note 9.
[27] See Eversheds Sutherland, supra note 6.
[28] Deloitte, supra note 5.
[29] Id.