No Open And Shut Path For Open Banking As CFPB Mulls Rules
If data is the oil that brings change to financial services, the pipelines are increasingly under scrutiny.
Late last week, the Consumer Financial Protection Bureau (CFPB) said it will look to issue advance notice of proposed rulemaking on “open banking” by the end of this year.
In other words, there may be a range of potential new rules coming into play in the U.S. And that means the path toward open banking, where, in Europe for example, banks share account data with authorized parties in standardized formats, may be anything but smooth.
In terms of the mechanics of process, the advance notice requests information from stakeholders about how to access financial data — and what data should be accessed.
The document released by the CFPB specifically targets the implementation of Section 1033 of the Dodd-Frank Act. That section, among other things, provides direction for information (and authorization) that a consumer financial services provider must make available to consumers about the data accessed, maintained and used about those consumers.
“This type of consumer-authorized data access and use holds the promise of improved and innovative consumer financial products and services, enhanced control for consumers over their financial lives, and increased competition in the provision of financial services to consumers,” said the CFPB.
And in an ecosystem that now has expanded well beyond banks and traditional financial institutions (FIs), the CFPB has recognized that “although data users may access consumer data from data holders without the use of any intermediaries, the Bureau understands that currently most authorized data access is effected via data aggregators.”
And as to what specifically — in terms of areas — the CFPB is seeking commentary on, the document noted that it seeks insight into cost/benefits of consumer data access; the scope of access; and security.
“The Bureau is also interested in comment on whether and how issues of potential regulatory uncertainty with respect to section 1033 and its interaction with other statutes within the Bureau’s jurisdiction, such as the Fair Credit Reporting Act, may be impacting this market to the potential detriment of consumers and seeks information that may help resolve such uncertainty,” the CFPB said.
Beyond the Comment Period
Comments are due 90 days after the publication of the advance notice.
There are already signs the data aggregators will draw new levels of scrutiny from watchdogs. The CFPB said in its advance notice document that in recent years, the number and usage of products and services that use or rely upon consumers’ ability to authorize third-party access to consumer data have grown substantially and quickly. To date, most consumer-authorized third parties have accessed consumer data through data holders’ digital banking portal using digital banking credentials the consumer shared with third parties.
“More recently, however, the authorized data access ecosystem has seen the emergence of formal, bilateral access agreements between large aggregators and large data holders, which seek generally to move authorized access away from credential-based access and screen scraping towards tokenized access, commonly through application programming interfaces, or APIs,” the CFPB stated.
That’s a direct nod to the aggregators.
As PYMNTS reported late last month, Visa’s proposed acquisition of FinTech Plaid is being examined by the Department of Justice (DOJ), and antitrust concerns may trigger litigation (although the deal got the go-ahead in the U.K. via the Competition and Markets Authority).
Bloomberg reported that the DOJ may be eyeing the push by payment networks such as Visa and Mastercard (which struck a deal to buy aggregator Finicity) to gain access to consumer bank account data and the scores of apps that could use that data.
The path ahead for open banking, at least here in the U.S., might have gotten a bit murkier.