
The CFPB Wants Open Banking. But How?

By Paul Davis

The Consumer Financial Protection Bureau seems intent on promoting open banking in the U.S. at a time when most banks, and a large number of consumers, seem ill-prepared for it.

The CFPB in October released a proposal on Personal Financial Data Rights, seeking comments on regulations it asserts will make it easier for consumers to obtain and share financial data. A final rule is expected this fall.

The vast majority of the 100 comment letters submitted highlighted the need for an application programming interface (API) standard and measures for enhanced security.

The discussion among banks and nonbanks has revolved around what standard should be used and whether the CFPB should make it mandatory for all. Hashing out those issues and getting everyone on the same page is critical to making an interoperable open banking framework successful, industry observers said.

“I believe modern banking will be dependent on vast ecosystems that offer consumers more flexibility in managing their financial lives,” says Bryan Clagett at consulting firm Jamestown Associates.

“At this stage, I’m seeing bankers and fintechs become much more collaborative, and that’s certainly an imperative in maturity of open banking,” he adds. “At the same time, such collaboration is being reviewed by regulators, which by design should offer protection without slowing innovation.”

Setting the Stage
Many banks and consumers are still trying to understand the open banking concept, industry observers said.

“For bankers embracing open banking, there’s a need for consumer education regarding data and its security, and a clearer picture as to what benefits can be derived,” Clagett says. “Standardization and data protocols are going to be critical in gaining trust.”

Open banking involves banks providing access and control of consumer data to third-party service providers, which are often fintechs. Consumers are typically required to grant consent to allow for data sharing. Third parties’ APIs can then access the data.

The argument has been that open banking will push big, established banks to become more competitive with new entrants, which in theory would lower costs, improve customer service, and lead to technological advancements.

Slowly, more financial institutions are warming up to open banking, and having a set of standards should expedite the process, says Jason Henrichs, CEO of Alloy Labs, a banking consortium. 

“[Previously], I believed that open banking would become a reality by market forces because once a major player leans in to leverage the data, others will need to as well to compete,” he adds.

Setting a Standard
Many of the comment letters made it clear that establishing an API standard is critical for open banking to gain more traction in the U.S. because it would streamline the hodgepodge system that exists.

For now, banks and third parties utilize a patchwork of APIs with varying programming languages and formats, making it challenging to distribute data throughout the system.

Financial institutions have tried to address this through bilateral agreements and custom-built APIs, but they have proven “suboptimal, given the scale and range of data holders, intermediaries, and recipients/users,” wrote Melissa Koide, CEO of the financial services research organization FinRegLab, in her comment letter.

Meanwhile, Manning Field, former chief operating officer at the fintech Acorns, wrote that every institution’s data is different, both in structure and how it is labeled, creating challenges for sharing. 

“Standardization will provide customers peace of mind that their data is secure and … ease the burden of compliance for financial institutions – both traditional industry stakeholders and new entrants – by mapping out the ‘rules of the road’ so that all participants know what is required,” he added.

There has been discussion over what standard should be used, with many stakeholders promoting the Financial Data Exchange (FDX), a nonprofit industry standards body. FDX has more than 200 members, including top-10 banks and fintechs; the group claims that 76 million consumers are using its API for data sharing.

“I think FDX will be the standard because it has the major players that want to make it happen,” Henrichs says. He notes that those participants include Plaid and MX and, to a lesser degree, Envestnet and Yodlee.

“I believe that, at this stage, FDX is the way to go,” Clagett adds. “It seems to have the most traction and I like that it’s embraced by the bigger players including wealth management firms like Fidelity.”

Still, there are detractors.

Charles Potts, chief innovation officer at the Independent Community Bankers of America, wonders if open banking is necessary in the U.S., noting that challenger banks such as Chime have onboarded millions of customers without a framework in place. Absent legislation, he questions if the CFPB has the authority to select and impose standards across the financial ecosystem.

“Let’s assume that we need to give everybody access to their financial information when and where they want it,” Potts says. “In the absence of clear guidance, we have a multifaceted, multitiered banking system with lots of regulatory entities. Nobody controls setting standards without a compelling legislative mandate.”

Setting the Expectations
The debate also involves whether the CFPB should require all financial institutions to follow an API standard, with many opposing a mandate due to concerns that it could keep smaller banks out of the ecosystem.

“Imposing an arbitrary mandate to transition to API-based access will do more harm than good,” according to a comment letter written by the management team at Digit, a finance app that helps consumers save by analyzing spending habits. Roughly 13% of Digit’s members have accounts at community banks or credit unions.

“A mandate would effectively cut off access to beneficial innovations for millions of consumers who bank with those institutions,” the letter said. “If this mandate were implemented today, these members would not be able to link their bank account to Digit.”

Potts agrees.

“Mandating and dictating that every bank provide something or follow something has its costs,” he says. “A mandate would force smaller banks to incur implementation costs or deal with the exclusion that comes with non-compliance.”

Another standard being discussed involves the safe and secure transfer of consumer data. Large banks such as Bank of America Corp. and JPMorgan Chase & Co. are already looking to strike a balance between enabling transactions, optimizing the customer experience, and countering potential fraud. 

“The key is making sure consumers know their information will be protected,” Allison Shonerd, Bank of America’s head of global digital disbursements, said at a recent conference. “Data security is extraordinarily important. … We need to add the right amount of friction to protect consumers from scams and take action when needed.”

Security concerns were a prominent issue in the comment letters.

“Consumer financial information cannot be protected if significant parts of the ecosystem are not subject to robust information security standards,” wrote Karen Larrimer, head of retail banking and chief customer officer at PNC Financial Services Group.

“We believe that the [CFPB] should define the larger nonbank participants in the data aggregator market and supervise them for compliance with applicable data security and consumer protection standards,” Larrimer added.

Field recommended that market participants be held to the same security standards. “An innovative product [should not] expose a consumer to a higher risk of a security breach than a traditional bank,” he wrote.

The CFPB’s full timeline remains unclear, though Director Rohit Chopra announced a final rule Wednesday to codify the attributes that standard-setting organizations must demonstrate to be recognized under open banking.

“Industry standards can be weaponized by dominant firms in order to maintain their market position, undermining competition for all,” Chopra said in a statement. “Today’s rule will prevent these firms from rigging standards in their favor by identifying attributes the CFPB will use to recognize standard setters.”