As third-party access to consumer financial data expands, regulators balance innovation, customer choice, and data protection.
By Brett Carr, Charles Weinstein, and Deric Behar
Consumers’ rights to access and use their personal financial information have been a key focus of innovators and regulators over the past decade.
The development of “open banking” fintech models has proliferated, as customers discover the value in allowing third-party financial service providers to access dispersed personal data through the use of either credential sharing and “screen scraping” or application programming interfaces (APIs), which allow systems and applications to communicate in a more prescribed way without credential sharing.
Historically, banks have monopolized access to customer account data. The bank-customer relationship has been a private one governed by one-sided terms and conditions, with the bank deciding how customer data is stored and accessed. Open banking seeks to democratize bank account data by putting the customer in charge.
The benefits of open banking to customers are manifold. Financial data at one institution can be accessed and juxtaposed with financial data from another institution, allowing a customer to get a better overall picture of their banking, investing, credit, and/or debt activity in aggregate. Open banking also allows for more targeted and bespoke marketing and commerce, and exposes customers to similar products with more favorable terms. While financial account aggregation is not necessarily new, the explosion of fintech firms trying to capture this market is.
While some may accuse regulators of fixating on risk at the expense of innovation, in the case of access to financial data, regulators in both the US and the UK appear to be embracing technology, albeit in different ways. In the US, the approach has been more hands-off (allowing for considerable and free innovation), whereas in the UK, the approach has been more prescriptive (providing innovators with better-defined data privacy and security guardrails, although with more limitations for consumers).
The Path to Open Banking in the US
In 2010, Congress authorized the Consumer Financial Protection Bureau (CFPB) under Section 1033 of the Dodd-Frank Act (Section 1033) to help ensure that consumers have access to the information in their financial accounts and the ability to leverage that data in their records. Financial institutions, data aggregators, and fintechs have since created new products and services to capitalize on these changes. But the CFPB has yet to issue any final rulemaking on the subject, apart from publishing non-prescriptive principles on consumer-authorized access and use of consumer financial account data that express the CFPB’s “vision for realizing a robust, safe, and workable data aggregation market.”
That reticence, however, may be changing. At a webcast symposium held on February 26, 2020 (the Symposium), the CFPB fielded opinions from consumer groups, fintechs, trade associations, financial institutions, and data aggregators on the state of the developing market for data access services based on consumer-authorized use of financial data. According to the CFPB, its approach to date has not been one of direct regulation but has instead focused on “identifying and promoting consumer interests — in access, control, security, privacy, and other areas — and allowing the market to develop without direct regulatory intervention.”
In a summary report of the Symposium proceedings issued on July 24, 2020, the CFPB highlighted stakeholders’ views on a variety of topics, including: (i) data access and scope; (ii) credential-based access and screen scraping; (iii) disclosure and informed consent; (iv) privacy; (v) transparency and control; (vi) security and data minimization; and (vii) accuracy, disputes, and accountability. According to the summary report, fintechs generally held that the CFPB, relying on the authority of Section 1033, should be more prescriptive in delineating a right for consumers and permissioned third parties to access their data. In the view of many fintechs, clearer rules would help “clarify some of the regulatory ambiguities” that stand at odds with innovation and consumer interests.
The CFPB appears to have heeded that call. On July 24, 2020, in tandem with its release of the summary report, the CFPB announced its intention to issue an advance notice of proposed rulemaking (ANPR) in 2020 on consumer-authorized third-party access to financial records. According to the CFPB, the ANPR will:
- Solicit stakeholder input on how to effectively and efficiently implement the financial-access rights described in Section 1033, as well as account for emerging market practices not contemplated by Section 1033
- Seek information regarding the scope of data that might be made subject to protected access and other issues related to data security, privacy, and accountability for data errors and unauthorized access
- Inquire into potential regulatory uncertainty with respect to Section 1033 and its interaction with other CFPB statutes (such as the Fair Credit Reporting Act), and assess any negative impact from such uncertainty on innovation and consumer benefit
The rulemaking will go a long way toward clarifying ambiguities and providing guardrails related to the interaction between fintechs and traditional financial institutions. It certainly stands to impact both traditional financial service institutions that are in possession of consumer data, as well as the fintechs and startups that seek to capitalize on open-banking models.
The Path to Open Banking in the UK
The UK’s path to open banking has been a rocky one. As a response to competition pressures, a desire to increase transparency in UK financial services, and to encourage bank account switching and better overdraft management for consumers, the UK developed an open banking legal framework (applicable only to the sharing of customers’ banking and payment account data) at the same time that Europe was seeking to implement a similar regime under the second payment services directive (PSD2).
Open banking regulation in the UK is delivered through the Open Banking Implementation Entity (OBIE), an independent body established by the Competition and Markets Authority (CMA), the UK’s competition regulator. It is funded by the nine largest current account providers in the UK, commonly referred to as the CMA9. This legislation, which is applicable only to the CMA9, established the OBIE as a central standards body and mandated the use of specified APIs to facilitate the required access to account data.
PSD2 requires all UK and EU online payment account providers to permit, on the instruction of underlying customers, open banking–style open access to payment accounts to appropriately regulated and authorized third parties. It does not specify the means of access or prescribe the scope of access in any great detail. These third parties can operate as account information service providers (AISPs) and/or payment initiation service providers (PISPs). AISPs aggregate account data and present it to the customer. PISPs utilize the customer’s account functionality to initiate credit transfers for the customer, enabling customers and merchants to cut out card schemes from online transactions.
Reconciling the requirements of these two legal frameworks has been a significant hurdle in the path to open banking in the UK. But industry uptake of technology is constantly improving, and successful open banking API calls are in the hundreds of millions and increasing. In the UK, more than 240 of these regulated third parties are currently operating in the open banking ecosystem.
Open Finance in the UK
Open finance refers to the extension of open banking–like data sharing and third-party access to a wider range of financial sectors and products. Under this model, consumers and businesses could more easily compare price and product features, as well as switch products or providers. Open finance could, for example, be beneficial in the general insurance, pensions, cash savings, and mortgage markets; in widening access to advice and support; and in boosting efficiencies for businesses and access to credit.
On December 17, 2019, the Financial Conduct Authority (FCA) published a call for input on how open finance could transform financial services. The call for input is not driven by particular competition concerns or the need to remedy structural issues; rather its aim is to stoke discussion on the post-Brexit vision for digital financial services in the UK.
The FCA’s vision for open finance includes:
- Digital and standardized data
- The right of customers to authorize a third party to access their data
- Secure and authenticated communication between the parties in accordance with interoperable market-wide standards
- Regulation to ensure customer protection, the ethical use of data, and the apportionment of liability between the parties
In the call for input, market participants are asked to consider:
- Incentives — Will open finance develop without intervention? Crucially, do the incentives exist for established firms to provide access?
- Feasibility and cost — Can all firms develop and offer the access needed to support open finance? What are the costs and barriers involved?
- Interoperability and cohesion — What common standards are required for open finance to develop?
- Clear data rights — Is an adequate framework of data rights in place? If not, what would the framework look like, and how would it be provided?
Annex 1 to the call for input also sets out various use cases for open finance across different financial services sectors. The call for input is open for comment until October 1, 2020.
On March 13, 2020, the Bank of England (BoE) published a paper explaining its proposal for open data for small and medium-sized enterprise (SME) financing.
The BoE has identified, as a priority area, the development of an open platform to boost access to finance for small businesses. It proposes a vision for how open data across the whole economy could ease frictions in the financial system and close a funding gap for SMEs across the UK.
The BoE envisions a decentralized network of data providers, using APIs to move data around the financial system instantly, at the request of the SME. As with open banking, no data would move without the customer’s (SME’s) permission, there would be no central data repository or physical credit file, and no central infrastructure would need to be built. The BoE says that, like the internet, the protocols and standards would enable interoperability and provide a platform for firms to innovate upon. The SME would permission an API call to data providers with whom it already has a relationship (such as its bank or insurance company) to instantly share specified data fields with a third party (such as a non-bank business lender) to help that third party reach quicker and better-informed decisions. The data transfer would be encrypted end-to-end and would provide access for a specified (minimal) period of time.
Conclusion
Open banking in the UK is now at an advanced stage, and the OBIE framework has set a standard to be considered for other regulatory efforts around the world. In contrast, in the US, the CFPB is only now initiating direct regulatory action, with the goal of clarifying regulatory ambiguity.
The unexpected shift driven by COVID-19 to widespread remote working and decentralized business operations indicates that financial services has room to evolve. Open finance initiatives are therefore likely to shape the policy approach of regulators for the foreseeable future. Ideally, regulatory efforts to balance customer choice with safety will promote — rather than stifle — technology and innovation.