Open banking — relatively well-entrenched in Europe, nascent here in the United States — is taking shape largely by directive, through regulations and standards that give a roadmap to how financial data is permissioned by consumers and shared with financial services providers.
At the center of it all in the U.S. is a proposed rule offered up last year by the Consumer Financial Protection Bureau (CFPB). And though the rule is known, variously as “Rule 1033” or as “Section 1033,” the scope and ultimate aims of the rule-making might be a bit murky, so it all requires a deep dive.
Simply put, financial institutions (FIs) must offer the technological interfaces for third parties to access consumers’ data, and by extension enhance the competitive playing field as providers seek to keep customers on board while broadening their reach.
The CFPB rule traces its beginnings to the aftermath of the financial crisis and the Great Recession, and the Dodd-Frank Act that sought to reform Wall Street and financial services regulation. That act created the CFPB and it also contained language tied to Section 1033, which at a high level dictates that, per the CFPB, “consumer financial services provider[s] must make available to a consumer information in the control or possession of the provider concerning the consumer financial product or service that the consumer obtained from the provider.” The data that can be permissioned, and made available span everything from credit cards to deposits to transaction level data.
The digital age — and the rise of FinTechs in partnership with FIs — is creating financial ecosystems powered by mobile devices and data. The standardization of data sharing becomes easier with the mandate that banks allow end users to share their data with third parties (including the FinTechs) via application programming interfaces (APIs). Along the way, we’re likely to see an upsurge in direct-to-account payments, and personalized financial products and services.
On the providers side of the equation, data sharing typically has occurred through one-to-one agreements or screen scraping — which has been less than ideal in terms of data security. The direct connectivity with APIs helps streamline data sharing.
For the consumer, the end goal would be data portability and the ability to “switch” allegiances by taking their data to the providers of their choice. The data is to be issued and consumed in a standardized format and providers must have consent from end users.
There are some safety measures in place, too, to cement the ecosystems that are taking shape, as third parties must demonstrate compliance with the rules, with data collection and data security best practices.
PYMNTS Intelligence data has estimated the appeal, and thus far limited reach of, open banking in the United States. The data show that 46% of consumers are “highly willing” to use open banking payments for at least one product or service. The same survey showed that only 11% had done so.
The CFPB has said that the process on standard settings should be “open to all interested parties, including public interest groups, app developers, and a broad range of financial firms with a stake in open banking.” The pool of interested parties also can, and will, include consumers, and the CFPB can revoke the recognition of standard setters with a maximum tenure of five years.
There are as of yet no compliance deadlines for the third parties or the providers. The commentary period is over and the once timelines are established, as noted here in the Financial Register, the largest FIs will have to comply with the new rule within six months after final publication. Smaller FIs, depending on asset size, will have one to two years to comply. The smallest FIs, with less than $850 million in assets, would have as long as four years.
The work is cut out for the banks. As separate PYMNTS Intelligence research has found, while 60% of Americans view open banking favorably, significant concerns persist about data storage and collection practices. Only 57% of Americans trust financial institutions to protect their personal information, underscoring the need for improved trust and transparency.