US moves towards open banking as financial data rights rule finalised

0
US moves towards open banking as financial data rights rule finalised

The Consumer Financial Protection Bureau (CFPB) has finalised a new rule to trigger the start of the open banking era in the US.

Open banking is being encouraged by government authorities worldwide, at different paces and in different ways, to encourage innovation and boost competition in financial services. ‘Open’ refers to the use of open application programming interfaces (APIs) – mechanisms that allow two software components to communicate with each other.

The ‘Personal Financial Data Rights’ rule, which has been formally presented this week, should enable the US to start catching up with nations including the UK, which launched open banking in 2017.  

Its arrival comes after president Joe Biden signed an executive order more than there years ago (July 2021) directing the CFPB to facilitate the portability of consumer financial transaction data to enable to more easily switch financial institutions and use new fintech products. The CFPB duly presented details of the proposed new rule in October last year via a 299-page document, inviting feedback.

Twelve months on from the proposal, the final version has now been published (in a 594-page publication; the regulatory text is 38 pages). ‘The rule moves the US closer to having a competitive, safe, secure and reliable “open banking” system,’ the Washington DC-headquartered agency said in a press announcement.

RELATED ARTICLE US consumer watchdog proposes data rule to ‘accelerate shift’ to open banking – a news article (23 October 2023) on the CFPB’s publication of details of the proposed new rule

Phased introduction

The new rule – whose requirements will be implemented in phases – requires financial institutions, credit-card issuers and other financial providers to ‘unlock an individual’s personal financial data and transfer it to another provider at the consumer’s request for free’, the CFPB summarises in its announcement.

Consumers will be able to access, or authorise a third party (for example, a fintech company) to access, data such as transaction information, account balance information, information needed to initiate payments, upcoming bill information and ‘basic account verification information’. Financial providers are obliged to make this information available without charging fees.

The rule’s introduction will, the CFPB said, hand consumers ‘greater rights, privacy and security over their personal financial data’, adding that people will be able to ‘more easily switch to providers with superior rates and services’.

‘By fuelling competition and consumer choice, the rule will help lower prices on loans and improve customer service across payments, credit and banking markets,’ according to the agency.

The largest institutions will have to comply by 1 April 2026. The smallest covered institutions will have until 1 April 2030. Certain small banks and credit unions are not subject to the rule.

RELATED ARTICLE US consumer agency aims to finalise open banking rules in 2024 – a news story (31 October 2022) on CFPB director Rohit Chopra presenting an update on planned open banking rules at an event in Las Vegas

Technical standards to ‘evolve over time’

The rule establishes ‘strong’ data privacy protections, requiring that personal financial data can only be used for the purposes requested by the consumer, the CFPB states.

Its introduction also, the agency states, helps move the industry away from a process known as ‘screen scraping’, which it describes as a ‘still common but risky practice that typically involves consumers providing their account passwords to third parties who use them to access data indiscriminately through online banking portals.’

The rule sets out an architecture for standard-setting bodies to align on technical standards, which will ‘evolve over time as technology and market needs change’.

Just over four months ago (June 2024) the CFPB finalised a rule outlining the qualifications to become a recognised industry standard-setting body, which can issue standards that companies can use to help them comply with the Personal Financial Data Rights rule. At the time it described the new rule as ‘establish[ing a] process for recognising data sharing standards and prevent[ing] dominant incumbents from squelching startups.’

This rule also includes a step-by-step guide for how standard setters can apply for recognition and how the CFPB will evaluate applications.

Global Government Fintech’s open banking / open finance topic section

US payments infrastructure ‘lagging behind’

CFPB director Rohit Chopra delivered a speech about the Personal Financial Data Rights rule on day of its publication (22 October).

“Over the last few years, we have been working with players across the ecosystem to sketch out what open banking in the US could look like,” he told the audience in his speech, which was given at the Federal Reserve Bank of Philadelphia. “By connecting consumer transaction data, payroll data, credit reporting data, retirement and investment balances, payments information and more, we can accelerate the progress that the US is already making. We also closely studied the experiences with data-sharing in other sectors, like in healthcare, and in open banking frameworks in other jurisdictions.”

He went on to describe how the new rule activates a dormant provision (section 1033) of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act), which was enacted by Congress almost a decade-and-a-half years ago. “Section 1033 gives consumers new rights to access their personal financial data in a standardised format, subject to the rules of the CFPB. Since the CFPB never finalised any rules, it was essentially a dead letter. Our final rule is our first significant rule using this dormant authority,” he said.

Chopra described US payments infrastructure as “lagging behind many other developed countries.”

“By giving consumers the ability to more easily use secure payments information, we can create more options to make payments and facilitate what is often referred to as ‘pay-by-bank’,” he said, describing the potential to “make payment options like ACH and FedNow more mainstream.” ACH (Automated Clearing House) is an established network for electronically moving money between bank accounts across the US. FedNow was launched last year by the Federal Reserve System to make instant payments available ‘around the clock’.

“This could also benefit merchants, who face high fees to accept payments through Visa, Mastercard and other incumbent payment networks,” Chopra continued. “Some merchants have plans to incentivise payments through these alternatives through cashback, discounts and rewards.”

RELATED ARTICLE FedNow hits 900 participant institutions one year after launch – a news story (15 August 2024) on the US Federal Reserve System’s update on institutional take-up of its ‘FedNow Service’ one year after its launch

Priorities before April 2026

Chopra included in his speech various things that need to be done in advance of the first deadline for compliance (April 2026).

His list included that the CFPB was “working to prioritise reviewing applications by standard-setting organisations”.

The agency is also, he said, “continuing to be in constant communication with other financial regulators to advance open banking”, saying that “we are working together to ensure that incumbent fintechs [companies] and banks do not engage in tactics to choke off potential competitors.”

In addition, he said that the CFPB “will be developing a roadmap for the next set of rules to advance open banking”.

“This first rule covers a wide range of accounts for payments and transactions,” he explained. “We are considering a number of other use cases, such as how to reduce costs and complexity in the mortgage market. During the rulemaking process, there were a number of important issues raised, such as coverage of accounts used for government benefits, like EBT [Electronic Benefit Transfer] cards, and the ability for non-profit researchers to use consumer-permissioned data.”

The CFPB will, he said, be working on “additional guidance and advisory opinions to advance open banking and payments”, saying that the agency “will also look for opportunities for other types of financial data, such as those involving investments and securities in retirement plans, to plug into this ecosystem”.

*** JOIN GLOBAL GOVERNMENT FINTECH ON LINKEDIN ***

Fintech and banks’ differing reactions

Groups representing fintech and banking interests have markedly differing opinions on the new rule.

Penny Lee, president and chief executive officer of the Washington DC-headquartered Financial Technology Association (FTA), described the new rule as a “win for consumers, guaranteeing their right to own and securely share their financial data.”

She added that the FTA was “hopeful that future rulemakings will allow consumers to unlock more benefits by tapping into other aspects of their financial lives, such as payroll, student loan, investment and mortgage accounts.” 

American Bankers Association (ABA) president and chief executive Rob Nichols, however, was heavily critical.

Nichols said in a statement published on the ABA website that ultimately the process “devolved into a press release-driven, political exercise based on the false premise that consumers lack choices and a misunderstanding of whether Dodd-Frank grants CFPB the authority to radically reshape the financial services marketplace.”

“While we are still evaluating the details of the final rule, it is clear that our longstanding concerns about scope, liability and cost remain largely unaddressed,” Nichols said. “This is disappointing after so many years of good-faith efforts by parties on all sides to improve consumer outcomes.”

*** RECEIVE GLOBAL GOVERNMENT FINTECH’S FREE EDITORIAL NEWSLETTER ***

BPI announces legal challenge

The Bank Policy Institute (BPI), a Washington DC-based trade association chaired by JP Morgan Chase chief executive Jamie Dimon, published two press releases on the day of the CFPB final rule’s publication.

“On initial review, it appears the CFPB’s final rule retains many of the deficiencies and omissions that plagued the proposed rule,” the association’s president and chief executive Greg Baer said in the first press release. “Banks have worked for years to establish secure ways to share customer data whenever the customer asks. The CFPB’s rule disrupts this established process, requiring banks to share financial data with any third party without adequate safeguards to ensure the data is protected from fraud, misuse and abuse.”

The second press release announced that the BPI and Kentucky Bankers Association had filed a lawsuit (56-page complaint) against the CFPB ‘challenging aspects of the agency’s rulemaking’. Filed in US District Court in the Kentucky city of Lexington on 22 October, they assert that the CFPB had overstepped its statutory authority and finalised a rule that ‘jeopardises consumers’ privacy, financial data and account security’.

“BPI supports a competitive marketplace where consumers control how their personal financial data is used and with whom it is shared, so long as their data remains protected. Unfortunately, the CFPB delivered a rule that treats sensitive financial data with as little care as a consumer’s web browsing history,” said Baer in this second press release. “If left unchallenged, technology companies subject to little to no oversight will have access to very sensitive information, like how much is in your account and where you spend your money. Banks have a responsibility to protect customers and their data, and this rule compromises these responsibilities, putting bank customers at risk.”

“The CFPB’s 1033 rulemaking jeopardises the safety and soundness of our banking system and fails to protect consumer data,” said Kentucky Bankers Association President and chief executive Ballard W Cassady Jr in the same press release. “We are challenging the CFPB to ensure that banks can continue to protect their consumers and the integrity of the financial system in a safe and sound manner.”

link

Leave a Reply

Your email address will not be published. Required fields are marked *