CFPB's Final 1033 Rule A Missed Opportunity For Some, Despite Progress

December 16, 2024
The final version of the rule on data sharing was welcomed by much of the industry, but some in the sector consider it a missed opportunity to advance safer open banking in the US.


In late October, as covered by Vixio, the US Consumer Financial Protection Bureau (CFPB) issued a final rule to implement the personal financial data rights established by Section 1033 of the Consumer Financial Protection Act of 2010. 

The CFPB’s final 1033 rule requires banks, credit unions and financial service providers to open consumer data upon request to consumers and authorised third parties.

It also sets obligations for third parties accessing consumers’ data and privacy, and paves the way for fair, open and inclusive industry standards.

Although many see it as a step forward for open banking, some sources suggest the final rule could have gone further than it did, and say issues of funding, liability and enforcement remain prominent. 

“It is finally here, we've been waiting for a long time,” said Natalie Talpas, head of retail digital and emerging payments at PNC Bank.

“The exciting part is that it lays the groundwork and foundation for everybody else to get on board in terms of data providers, like digital wallets.” 

However, she added that the rule was not comprehensive, saying that, for example, the lack of finality on screen scraping — the process of a third party collecting display information to use elsewhere — was a letdown.

“The industry is aligned on the harms and security risks to consumers to engage in screen scraping, so it was surprising to see that there wasn't a specific date to end it within the rule itself,” she said. “So that was a miss, as were the lack of details on liability and responsibility.”

The rule’s mixed success

The final 1033 rule was an attempt by the CFPB to take the open banking that is already prevalent across the US and de-risk the process for users. 

It mandates increased security and privacy protections for consumers, improving reliability and moving to secure the use of application programming interfaces (APIs). 

APIs prevent the need for screen scraping, which is risky for users who must share security credentials with third parties.

Speaking at the Clearing House annual meeting, Ashwin Vasan, a partner at FS Vector and former senior advisor to the director at the CFPB, said with rulemaking you cannot make everyone happy.

“The statute is pretty clear, consumers have a right to access their data. How you actually do that is quite complicated. A good rule has a north star to consumer control, and yet makes everyone a little unhappy in some ways.” 

He acknowledged that several stakeholders had issues with the CFPB’s rule, but said that everyone was generally taken care of, to an extent. 

For example, he said, third-party data users are not happy about the restrictions on the data they can use in terms of secondary user price, and although aggregators had hoped for a special role in the ecosystem, they were instead put on a level playing field with other third parties. 

In addition, banks did not get the cost recovery funding model they desired, which would make open banking self-sustainable, but did get implementation deadlines, and the smallest banks (under $850m) were exempt from implementation altogether. 

Vasan added that although there were no provisions for liability sharing, other solutions such as tokenised account numbers will prove useful in other circumstances.  

“There's a balance here, and by and large all the stakeholders and bipartisan consumer groups, everyone, is pretty positive and recognises that there are tradeoffs,” he said. 

The objective of 1033

Part of the Dodd-Frank Act of 2010, the US response to the global financial crisis, Section 1033 mandated the facilitation of open banking by obligating data providers to give access to covered data to consumers and to authorised third parties. 

Although the CFPB’s final rule is a step towards finally achieving this goal, it faces challenges such as the mounting cost of open banking for banks and other data providers.

By using APIs, the rule aims to standardise access to data, which the CFPB hopes will improve transparency and access. 

It also aims to improve financial control, increase transparency and enhance competition, which would allow consumers to make informed decisions about their financial health. 

Data providers are required to allow customers to give third parties permission to access their data, and must pay for updates to infrastructure and environment, and for creating and organising data in a way that aligns with the expected standard for financial data exchange.

Providers also need to maintain a data portal so that entities that wish to receive data can interact and enable the authentication flow, so that the consumer can benefit from being able to access tools that might require direct feeds of data or information. 

Fintech applications, banks and other entities should benefit from receiving data in an organised, standard format that they can use and leverage and build into their processes — but must pay the cost.  

However, the inability of banks to charge fees to open this data will be restrictive and impose a financial burden on data providers, which must absorb the full cost of compliance, including technology, security and portal development. 

This will be particularly burdensome for smaller and mid-sized banks — larger banks have already largely made technological investments and will be better equipped. 

Vasan suggested that although the cost of this implementation falls on data holders, it may not only be consumers that take value from open banking. 

“Competitors might see this as an opportunity to learn more about their customers and to get better offers to them, clearing their consent,” he said. 

What else is missing? 

Alongside the lack of a definitive end to screen scraping, another potential issue with the CFPB’s new rule is that it is unclear exactly who is responsible in the instance of data mismanagement or leaks. 

This means there is room for legal disputes between data providers and third parties, which could lead to reputational risk that would discourage the sort of collaboration that open banking requires. 

The rule promotes certain data industry standard providers, such as the Financial Data Exchange, which seeks to unify the financial services ecosystem around one interoperable technical standard that can be used for data sharing, known as FDX API. 

It suggests that industry standards bodies have an important role to play in supporting compliance, but does not go as far as to imply any sort of liability provision.

Kevin Feltes, CEO at FDX, suggested that once developer interfaces are in use and covered data is available, there will no longer be any point in screen scraping for that data.

However, he did suggest that “the rule could have been a little bit more explicit”, and that “there was silence on liability, some things have to be worked out in the ecosystem”.

“We were hoping that a standard setting body would actually be being recognised,” he added. “We think we're making progress there, but actually calling it out would be helpful.”

Data and account providers need to think about how they protect customer data when it is shared with third parties, while also collaborating with them.

“It's a many-to-many ecosystem — you cannot enable safe consumer permission, data sharing for your customers in a vacuum,” said Feltes. 

“It requires working with other participants in the ecosystem to build end-to-end journeys, so people are going to continue to need to collaborate. They're going to continue to need to invest in safe data sharing portals. They're going to continue to have a demand for standards and standardised methods to cut down on costs and build good experiences for consumers. 

“But I do think there is a good bit of uncertainty how the next few months play out, and those details will matter for everybody.”

As covered by Vixio, the incoming Trump administration has signalled a distaste for consumer protection and for the CFPB more generally.

However, the final 1033 rule attracted bipartisan support and is not considered a likely target for rollback, with consumer data protection and rights popular on both sides of the aisle. 

Nevertheless, the issues with cost, liability, enforcement, screen scraping and scope must be addressed in the near term if Section 1033 is to be truly effective. 
