I have been unhappy with my personal banking relationship for some time. Most of my dissatisfaction stems from the fact that my debit card doesn't work outside the state where I live due to what I view as onerous risk controls the institution has implemented, such as requiring customers to provide advanced notice of interstate travel. But I've resisted changing banks because—let's face it—establishing a new banking relationship is about as unpleasant as having to undergo a root canal. I'd have to change direct deposits, electronic debits, and online bill pay; get a new online banking app; and, broadly, establish a new history and customer relationship. An executive orderOff-site link issued on July 9 aims to make this process a lot less painful for consumers.

The Executive Order on Promoting Competition in the American Economy contains several dozen proposed initiatives across numerous federal agencies, but the intended outcome that stood out to me most was:

Make it easier and cheaper to switch banks by requiring banks to allow customers to take their financial transaction data with them to a competitor.

At the heart of this initiative is the concept of open banking, defined by the Boston Fed report Modernizing US Financial Services with Open Banking and APIsOff-site link as "a system that offers businesses and customers a range of products and services based on open flows of data." In October 2020, the Consumer Financial Protection Bureau issued an advance notice of proposed rulemakingOff-site link to standardize how consumers access their financial data or obtain a record of consumer-authorized third parties with access to their financial data. The July 9 executive order seeks to build on this consumer access "to facilitate the portability of consumer financial transaction data so consumers can more easily switch financial institutions."

The United States lags behind the UK and the European Union (EU), who both legislated consumers' right to data portability in 2018 under their respective General Data Protection Regulation. In the United States, only California, with its Consumer Privacy Act, has legislated consumer data portability.

In the UK, data portability is supported by a set of software standards, employed by participating organizations, that includes specifications for common secure APIs (application programming interfaces) as part of the country's overall Open Banking Standards. The EU's Revised Directive on Payment Services, known as the PSD2, established in 2019 an open banking framework that allows authorized third-party providers to access a consumer's account information using APIs that are provided upon request by the sending financial institution. US standards are a necessary, but as yet undefined, component to achieving data portability, whether through industry cooperation and collaboration or through regulatory mandates.

Recently, my colleague Doug King blogged about upcoming suggested regulatory guidance in the United States on third-party risks. What are the potential cybersecurity risks for organizations if their open banking APIs were to somehow be compromised? What might this mean for other organizations that use the same APIs? Does open banking create additional risks to consumers' data and privacy?

Given the time needed to enact new consumer regulations, I will likely have to endure my personal banking woes for a while longer until I can easily and painlessly change banks. Meanwhile, it's time for a trip to the dentist.