Feature: Open Banking in the US – a new era of consumer-centric innovations?
Ellie Duncan | Features, News, Women In Open Banking
04 Dec 2024
The Consumer Financial Protection Bureau (CFPB) published the final version of its Personal Financial Data Rights rule on October 22, which, in its own words, moves the US closer to “having a competitive, safe, secure, and reliable ‘open banking’ system”.
Up until now, the US has been one of very few countries to put Open Banking in the hands of market forces.
A study by Konsentus in October 2023 found that 64% of Open Banking initiatives are mandatory via legislation, while only four countries have pursued a market-led approach, with a preference for a hybrid approach beginning to emerge.
All eyes are now on the world’s largest economy, as its banks and other financial institutions prepare to comply with the CFPB’s new rule. The Personal Financial Data Rights rule is part of the CFPB’s efforts to “finally activate” Section 1033 of the Consumer Financial Protection Act, which is a “dormant legal authority enacted by Congress in 2010”.
Taking back control
The CFPB’s rulemaking is designed to shake up the financial services industry in a way that puts consumers in the driving seat when it comes to their finances.
CFPB director Rohit Chopra has said that “too many Americans are stuck in financial products with lousy rates and service”, adding that the rule means they will now have “more power to get better rates and service on bank accounts, credit cards, and more”.
To get a sense of the size of the opportunity, consider how many Americans already use Open Banking in some form or another. The CFPB estimates that at least 100 million consumers have authorised a third party to access their account data.
It states that, in 2022, the number of individual instances in which third parties “accessed or attempted to access consumer financial accounts exceeded 50 billion and may have been as high as 100 billion”.
John Pitts, global head of policy at Plaid, explains that since Dodd-Frank was passed 14 years ago, financial services have moved online for the vast majority of Americans.
“Today, an estimated 80% of people in the United States use at least one fintech tool, and over one in three people in the US with a bank account have used Plaid to connect an account to an online app or service,” says Pitts.
“This shift has propelled consensus in the industry for stronger data rights and protections on behalf of millions of consumers as they continue to lean on digital finance to manage all aspects of their financial lives.”
“Consumers should own, have access to, and have the ability to control all their financial data — it’s their data,” says Jane Barratt, chief advocacy officer and head of global public policy at MX Technologies.
“Section 1033 of the Dodd-Frank Act is intended to ensure consumers have that right. Access to data is at the core of a consumer’s financial life — the ability to choose the right products and providers, the ability to grant and revoke access, and the assurance that their data isn’t being used for purposes other than what they permissioned.”
When the CFPB proposed the rule back in October 2023, it clearly stated that this would help clamp down on “risky data collection practices”, such as screen scraping, and that it would ensure consumers can get their data “free of junk fees”.
Kat Cloud, compliance principal director, Open Banking at Envestnet|Yodlee, says: “The key thing I noticed when I was reading the rule – and it summarises the whole spirit of the rule – is that it’s putting consumers back in control of their data.
“And it marries with all the other Open Banking regimes that we’ve seen across the globe – they’re all coalescing around the idea of putting consumers back in control of their data.”
Steve Boms, executive director at FDATA North America, says the new rule provides “uniformity”, so that, regardless of who an individual banks with and the third-party tool they choose to use, they “have certain rights”.
“And that’s been missing from the market for a really long time, since its inception,” he adds.
Time to market
In the near-term, US consumers are not likely to notice much of a difference in their daily lives, according to Eyal Sivan, general manager, North America at Ozone API.
That’s because compliance with the rule is being implemented in phases, with the country’s largest financial institutions required to comply by April 1, 2026, while the smallest covered institutions have until April 1, 2030.
“If we think about the longer term, the prospects are there for more consumer-centric innovations, products and services coming to market,” Sivan says, adding that these could take the form of KYC, digital identity and fraud detection mechanisms, as well as new types of insurance products.
“To date, financial data has been used more for segmentation and cross-selling,” says MX’s Barratt. “We expect more financial providers to focus on delivering a more personalised customer experience across use cases including advice, fraud prevention, and access to credit.”
Phased implementation
While financial institutions have compliance deadlines to meet, they are not approaching Open Banking from a standing start.
“The larger banks and fintechs that already have APIs in place are ahead of the curve, and those that are relying on older methods, like screen-scraping, will need to catch up on implementation,” Barratt adds.
“This includes building out APIs and platforms to manage both business and consumer access, consent, and disclosures, as well as developing bilateral agreements with intermediaries, like MX, to ensure coverage across the complex US market.”
FDATA’s Boms says: “Remember, this rule only applies to checking and savings, credit card and digital wallet accounts – that’s it. So, the overwhelming number of these banks are already making that data available through APIs.
“Will they have to make changes to the deployment of those APIs based on the specific standards the CFPB put out? Absolutely, there is a technology lift. But it’s not a mandate to make all of the data they hold available.”
In July this year, The Bank Policy Institute, The Clearing House Association, the Consumer Bankers Association, and the American Bankers Association wrote to CFPB director Chopra asking for a compliance date of “at least” two years from the issuance of a final rule.
Boms says: “From my perspective, the harder lift is for the small FIs in the US. Unlike Canada or the UK, we have thousands and thousands of financial institutions in the US. The overwhelming majority of them are incredibly small, so they are entirely dependent on their core provider for all their technology solutions.
“To tell them that they have to build an API and be able to do authentication management and authorisation management, that’s a big lift for them.”
Whether the 2030 deadline is enough time “really depends on the sophistication of the institution, how much resources it has and what its relationship is with its core”, he adds.
Cloud does not believe the small banks and credit unions will get left behind.
“Where they can find the easy fixes or the easy innovations that they can quickly implement that aren’t going to break the bank, they will look to introduce those.
“I do think they are not going to be as innovative as the largest financial institutions. But they are going to try and accept this challenge in their own way and they’ll start to push out things for consumers,” she says.
Plaid’s Pitts adds that consumers increasingly expect secure, flexible access to their financial data, regardless of where they bank and that, by embracing Open Banking, even exempt institutions can leverage data-sharing tools that improve customer experiences.
He says: “Open Banking offers these smaller institutions the opportunity to stay competitive by enabling them to provide modern, customer-centric services.”
Data sharing wishlist
With the CFPB’s Personal Financial Data Rights rule under 1033 published last month, the ecosystem has had a few weeks to digest the rule and consider what might be missing or need addressing in the future.
Ozone API’s Sivan says: “First, I want to applaud the CFPB’s efforts. I think what they’re doing is the right thing for the United States. It’s the right thing for the world, with them being the leading economy.
“Their rhetoric and approach to this in terms of couching it as a data rights rule is very forward thinking. And their stress on levelling the playing field and making sure that there is no manipulation of the market by large players is commendable. It’s very much in the spirit of Open Banking.”
However, Sivan says that given the CFPB has “doubled down on their rhetoric around payments being non-competitive and… it should be easier to initiate payments”, there is no requirement for a standards-based payment initiation API in the rule. He believes the inclusion of standardised APIs for payment initiation will help the CFPB achieve its goals.
Elsewhere, he points to liability as one of the “gaps” in the rule, “specifically the liability associated with third party risk management”.
“The final rule talks about liability extensively, but it’s rather vague on enforcement mechanisms and accreditation mechanisms,” he explains.
Barratt also believes that third-party risk management “could be more prescribed from an interagency perspective” and that, combined with a lack of guidance on liability sharing, this “puts significant strain on ecosystem players to resolve”.
Barratt, along with Envestnet|Yodlee’s Cloud and Boms of FDATA North America, would like to have seen more account coverage in this first iteration of the rule.
“We’d like to see the CFPB include brokerage accounts, retirement accounts, mortgage, auto, student loans in the future, and we’re still hopeful they will,” says Boms.
Cloud adds that the CFPB has been “very clear they want to expand the scope of 1033”.
Much of the ecosystem has also voiced concerns about the restrictions on secondary data use. These restrictions had previously been flagged by members of the House Financial Services Committee, who wrote to the CFPB requesting some revisions to the secondary data use restrictions in its proposed Personal Financial Data Rights rule earlier in the year.
“While on the one hand, we totally agree consumers shouldn’t have their data used for something they don’t need it to be used for, unlike GDPR and unlike the California Consumer Protection Law, there is no distinction in this rule between actual consumer identifiable data and anonymised data,” explains Boms.
“As a result, you can’t use data for academic research or policymaking analysis, even when it’s anonymised or de-identified. There are going to be implications there that we have some concerns about.”
Sivan suggests that the CFPB could have drawn “a harder line between secondary use for the purpose of marketing, and secondary use for the purpose of product development”.
In October, Rob Nichols, president and chief executive officer of the American Bankers Association (ABA), issued a statement in which he noted some of its “concerns” remain “unaddressed”.
“Privacy and security around consumers’ personal financial information are core bank values, and ABA and America’s banks share the CFPB’s goal of bringing consistency to the consumer-permissioned data sharing ecosystem,” he states.
“ABA has been deeply engaged in a 10-year conversation with the Bureau and other stakeholders to ensure customers have access to their financial data in a safe and secure way.”
Nichols continues: “While we are still evaluating the details of the final rule, it is clear that our longstanding concerns about scope, liability, and cost remain largely unaddressed. This is disappointing after so many years of good-faith efforts by parties on all sides to improve consumer outcomes.”
Lawsuit
On the same day that the CFPB issued its final Open Banking rule, the Bank Policy Institute and Kentucky Bankers Association filed a lawsuit “challenging aspects of the agency’s rulemaking under Section 1033 of the Dodd-Frank Act”.
The lawsuit, which was filed in Kentucky, asserts that the CFPB “overstepped its statutory authority and finalized a rule that jeopardises consumers’ privacy, financial data and account security”.
Boms says: “Any litigation that argues that a regulator has exceeded its congressional mandate is meritorious.
“I can only share my view, which is, the CFPB followed both the intent and letter of the law in putting this rule out. My own view is that it will hold up.”
What’s next?
MX’s Barratt concludes: “Institutions of any size that think of Section 1033 as a regulatory stick instead of a competitive carrot are at risk of being left behind.
“The institutions that adopt Open Banking and compete to deliver the best experience will be more likely to earn consumer loyalty and engagement for the long term.”