The financial services and banking industry landscape continues to evolve in the face of new and emerging technologies. This phenomenon is especially prevalent in the sharing of consumer data between financial institutions and third parties. Consumers expect their banks, credit card companies, and other financial institutions to be able to share a consumer’s data for the consumer’s benefit in a secure and accurate manner. Third parties, including fintechs, other creditors, and consumer reporting agencies, seek to access consumer data to provide new products and services, which may include underwriting using nontraditional data, credit counseling, financial management tools, and even the ability to port one’s account from one financial institution to another.
To date, the data sharing regime in the United States has developed with little oversight from federal regulators. That is likely to change when the Consumer Financial Protection Bureau (CFPB) finalizes the proposed open banking rule that it recently issued. In general, the rule would establish that consumers are the owners of their financial data and would require “data providers,” initially institutions subject to Reg E and Reg Z, to establish electronic facilities for the secure and accurate transfer of consumer data at the consumer’s request and only for the purpose authorized by the consumer. To facilitate the development of new protocols for secure and accurate data sharing, the rule directs industry participants, including data providers and fintechs, to cooperate in the establishment of consensus-based industry standards.
The CFPB has stated that the proposed rule is meant to foster competition and innovation, while reducing the cost of financial services to consumers. Whether the rule can achieve these goals in a manner that is feasible for businesses remains to be seen. In this article, we provide an overview of the proposed rule and discuss some of the challenges that it may pose to entities subject to the rule.
HOW DID WE GET HERE?
With the rise of mobile and online banking, consumers have come to expect greater access to digital banking services. Financial institutions can collect and share digital financial information more easily and use that information in offering new products. The CFPB has noted that open banking can provide benefits to consumers when, for example, financial institutions share consumer data to enable consumers to seamlessly switch between financial services providers and take their account histories with them. Yet, according to the CFPB, current data sharing arrangements between financial institutions, third parties, and consumers may result in the overcollection of consumer financial data, often lack a means for verifying consumer consent and thus may be vulnerable to fraudulent activity, may result in the transmission of inaccurate data, and may not provide a secure environment for storing data.
The CFPB has also observed that banks and third-party open banking providers may develop an adversarial relationship because of the lack of standards governing data sharing practices. Additionally, the CFPB has noted that as banks face increased competition from third-party open banking companies, they may begin to limit access to data. Such disruptions may interfere with third parties’ businesses and with consumers’ directives.
Furthermore, the CFPB has taken issue with a common form of data sharing known as “screen scraping,” in which a third party gains access to consumer financial data through use of a consumer’s log-in credentials. The CFPB has expressed concern that screen scraping may expose financial institutions and consumers to the risk of fraud or of data collection for purposes beyond the scope of the consumer’s consent.
HOW DOES THE NEW RULE IMPACT OPEN BANKING?
Although styled as a rule concerning “personal financial data rights,” the CFPB’s proposed rule reflects an idea generally referred to as “open banking” because it provides more open access to customers’ banking data. The rule would implement, for the first time, Section 1033 of the Consumer Financial Protection Act. As proposed, the rule would place significant burdens on “data providers” to create application programming interfaces, also known as developer interfaces, for consumers and third parties to access consumers’ data. The proposed rule defines data providers as financial institutions holding Reg E accounts, credit card issuers governed by Reg Z, and other institutions that may hold data relating to payments to and from such accounts. Data providers would not be able to charge a fee for the design or implementation of developer interfaces but rather would have to internalize those costs. Interfaces would also have to allow access through a standardized protocol and provide third parties with the ability to obtain data in a machine-readable format with a 99.5% accuracy rate. The types of data that data providers would have to make available include, for example, consumers’ transaction history, reward credits, fees and finance charges, fee schedules, and upcoming bills.
Furthermore, the rule seeks to eliminate screen scraping. A developer interface would have to be capable of limiting the collection of data, and the rule would limit the use of the information to that which a consumer had authorized. Third parties would only be able to use the data for a one-year period without obtaining consumer reauthorization, and would no longer be able to sell consumer data, or to use it for targeted advertising or cross-selling of other products or services. Finally, third parties would have to provide secure storage of consumers’ data.
Depending on the size of the institution, the proposed rule would give data providers from six months to four years to establish a developer interface and otherwise comply with the rule.
WHAT ARE SOME OF THE POTENTIAL CHALLENGES TO IMPLEMENTATION OF THE OPEN BANKING RULE?
The proposed rule elicited numerous comments from many different types of industry participants expressing a great variety of viewpoints. Data providers in particular identified a number of concerns that they urged the CFPB to resolve in the final rule, including the following:
- Numerous commentators expressed concern with what they understand to be the burden that the proposed rule would place on data providers both in terms of the cost and the ongoing obligations of complying with the rule.
- In its current form, the proposed rule forbids data providers from charging a fee for the establishment and maintenance of a developer interface. Several commentators noted that the restriction may impact the CFPB’s goal of promoting innovation and competition.
- Some commentators noted that the proposed 99.5% accuracy rate for data transmissions is very rigorous and would require frequent and costly testing to ensure compliance.
- Some commentators took issue with the rule’s requirements concerning steps to be taken to ensure that a third party has adequate safeguards for securing consumer data and the applicable standard for determining compliance with this provision.
- Several commentators pointed to the rollout of the European Union’s open banking directive, and the follow-on directive concerning open finance, as suggesting the need for a longer timeline for compliance with the CFPB proposed open banking rule, particularly with respect to the timing for establishing and testing a developer interface.
- Several commentators discussed the proposed rule’s potential conflict with other state and federal laws concerning data privacy, data security, and management of risk with respect to third-party relationships.
- Several commentators have sought clarification regarding the potential interplay between data sharing through a developer interface and the Fair Credit Reporting Act.
It remains to be seen whether, and if so how, the CFPB addresses these comments in the final rule. Industry participants who may be impacted by the open banking rule may want to consider these issues as well as any changes that the CFPB makes to the final rule.
WHAT DOES THE INDUSTRY STANDARD SETTING RULE ACCOMPLISH?
While the CFPB has yet to fully finalize the proposed rule, on 5 June 2024, it finalized the aspect of the rule governing the establishment of industry standard setting bodies. These provisions, which will become part of the larger final rule, set forth the qualifications necessary to become a standard setting body authorized by the CFPB. Under the rule, standard setting bodies must adhere to a process that:
- Develops standards in a transparent manner;
- Demonstrates openness to competing views and seeks consensus in the development of those standards without favoring one industry sector over another;
- Balances the needs of consumers along with those of industry participants; and
- Provides due process and appeals for contesting the establishment of a standard.
Under the final rule, standard setting bodies will obtain accreditation for three years, after which they would need to seek renewal of their accreditation from the CFPB.1
CONCLUSION
While the CFPB has indicated a desire to foster innovation and competition with its open banking rule, it is unclear whether the CFPB can realize its goals in the face of the many challenges that the rule presents. Nonetheless, industry participants will need to consider the rule’s requirements and plan for its implementation. Our lawyers are available to answer any questions and provide guidance on the rule and its implications.
FOOTNOTES
1 Other jurisdictions, such as the United Kingdom, the European Union, and Australia have already developed and implemented open banking and open finance standards: