Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take On Payments and look forward to collaborating with you.
Potential Change Could Affect US Consumers' Financial Data
Adoption of open banking in the United States has been slow to move forward, but that may be about to change. In open banking, a consumer authorizes a financial services company with which they have a relationship to allow designated third parties to access their financial data. The United Kingdom began implementing open banking regulations in 2018, and the UK government believes that 60 percent of banking consumers will be using open banking by September 2023.
American consumers currently have a limited form of open banking with a technology known as "screen scraping." Screen scraping requires a consumer to give a third party their account sign-on credentials so that third party can electronically access the consumer's account to retrieve—"scrape"—the account information. While the process does have the benefit of allowing consumers to consolidate their financial information, it carries considerable risk in that the third party holds the account access credentials, which makes the consumer's information that much more vulnerable to a data breach. And it's possible the third party might use the data in ways unknown to the consumer.
Over the last several years, a number of major banks have blocked third parties from screen scraping. The US banking industry has instead favored the use of application programming interfaces (APIs) because they allow customers to use third parties without giving up their logon credentials. API use is also the mandated process in the United Kingdom.
Congress mandated open banking through section 1033 of the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act, giving the Consumer Financial Protection Bureau (CFPB) the responsibility of developing rules around sharing consumer financial data. In October 2020, the CFPB issued a notice of proposed rulemaking regarding consumer access to financial records. The CFPB, however, cannot act alone—it is required to consult with the federal regulatory agencies (Federal Reserve, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, and Federal Trade Commission) to ensure that its rules do not favor any particular technology.
Last August, my colleague Nancy Donahue authored a post about an executive order (EO) designed to promote competition in a variety of industries, including financial services. The EO is intended in part to encourage the Consumer Financial Protection Bureau (CFPB) "to facilitate the portability of consumer financial transaction data so consumers can more easily switch financial institutions and use new, innovative financial products." The expectation is that such a policy would allow nonbank fintechs to compete with traditional financial institutions, which would lead to lower service costs to the consumer.
The CFPB has been moving forward on this EO very deliberately due to the significant and complex issues tied to the implementation of open banking, three of which are critical:
- Data security: What requirements will be imposed on third parties to ensure that consumer financial data is held and used securely? Will the data aggregators be held to the same consumer data protection standards that banks are held to under the Gramm-Leach-Bliley Act? What regulatory agency will be responsible for the supervision of the nonbank data aggregator fintechs?
- Privacy: What limitations will be placed on the data collected? What happens to the data previously collected when the customer closes an account? What disclosures will be required initially and on a periodic basis as to how data will be used?
- Technology: Will screen scraping be prohibited, as the United Kingdom is considering while it continues its open banking transition to include more financial services such as insurance and investments? How will small financial institutions be able to remain competitive with this service given their limited resources?
As a final checkpoint, the Small Business Regulatory Enforcement Fairness Act requires the CFPB to get feedback from a panel of small business owners about how the proposed rule will affect them. It is likely that the formation of this panel and its final report will not be completed before the end of 2022. The Retail Payments Risk Forum team will continue to follow developments on open banking coming to the United States.