Please enable JavaScript to view the comments powered by Disqus.

We use cookies on our website to give you the best online experience. Please know that if you continue to browse on our site, you agree to this use. You can always block or disable cookies using your browser settings. To find out more, please review our privacy policy.

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Comment Standards:
Comments are moderated and will not appear until the moderator has approved them.

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

In addition, no off-topic remarks or spam is permitted.

August 16, 2021

Consumer Banking and Dental Woes

I have been unhappy with my personal banking relationship for some time. Most of my dissatisfaction stems from the fact that my debit card doesn't work outside the state where I live due to what I view as onerous risk controls the institution has implemented, such as requiring customers to provide advanced notice of interstate travel. But I've resisted changing banks because—let's face it—establishing a new banking relationship is about as unpleasant as having to undergo a root canal. I'd have to change direct deposits, electronic debits, and online bill pay; get a new online banking app; and, broadly, establish a new history and customer relationship. An executive orderOff-site link issued on July 9 aims to make this process a lot less painful for consumers.

The Executive Order on Promoting Competition in the American Economy contains several dozen proposed initiatives across numerous federal agencies, but the intended outcome that stood out to me most was:

Make it easier and cheaper to switch banks by requiring banks to allow customers to take their financial transaction data with them to a competitor.

At the heart of this initiative is the concept of open banking, defined by the Boston Fed report Modernizing US Financial Services with Open Banking and APIsOff-site link as "a system that offers businesses and customers a range of products and services based on open flows of data." In October 2020, the Consumer Financial Protection Bureau issued an advance notice of proposed rulemakingOff-site link to standardize how consumers access their financial data or obtain a record of consumer-authorized third parties with access to their financial data. The July 9 executive order seeks to build on this consumer access "to facilitate the portability of consumer financial transaction data so consumers can more easily switch financial institutions."

The United States lags behind the UK and the European Union (EU), who both legislated consumers' right to data portability in 2018 under their respective General Data Protection Regulation. In the United States, only California, with its Consumer Privacy Act, has legislated consumer data portability.

In the UK, data portability is supported by a set of software standards, employed by participating organizations, that includes specifications for common secure APIs (application programming interfaces) as part of the country's overall Open Banking Standards. The EU's Revised Directive on Payment Services, known as the PSD2, established in 2019 an open banking framework that allows authorized third-party providers to access a consumer's account information using APIs that are provided upon request by the sending financial institution. US standards are a necessary, but as yet undefined, component to achieving data portability, whether through industry cooperation and collaboration or through regulatory mandates.

Recently, my colleague Doug King blogged about upcoming suggested regulatory guidance in the United States on third-party risks. What are the potential cybersecurity risks for organizations if their open banking APIs were to somehow be compromised? What might this mean for other organizations that use the same APIs? Does open banking create additional risks to consumers' data and privacy?

Given the time needed to enact new consumer regulations, I will likely have to endure my personal banking woes for a while longer until I can easily and painlessly change banks. Meanwhile, it's time for a trip to the dentist.