The Consumer Financial Protection Bureau’s (CFPB) open banking proposal cemented the first regulatory step in the US — but experts believe there is still a long way to go.
In October, the US regulator put forward a rule for sharing consumers’ financial data with third parties, presenting opportunities for regulated open banking in the country.
This came in the shape of the "Personal Financial Data Rights" proposal, which lays down rules for third-party data sharing and strengthens protections against the misuse of consumer data.
“This is a basic proposal that lays a foundation for future work,” said Andrew Gómez, director at Lipis Advisors.
Gómez continued that this doesn’t go nearly as far as PSD2 or the proposed PSD3, but does extend beyond laws in other jurisdictions, such as Mexico.
“US regulation is behind other markets and this helps close the gap — but does not go all the way,” he said.
The rules would implement Section 1033 of the Dodd-Frank Act, which gives consumers the right to share their personal financial data with third parties.
The 2010 law also tasks the CFPB with implementing data-sharing standards and protections.
The 300-page proposal is open for comment now until December 29 and a final rule is expected to be issued by next autumn.
Strengthening data sharing
According to Lauren Jones, director of market development at the Open Banking Exchange, the new draft rule is “an exciting development”.
“However, let us not forget that the US has a long history of data sharing in the banking industry, albeit in a market-driven way,” she pointed out. “Plaid and others have been in the market for at least a decade.”
As with the EU, this was initially based on screen scraping, but Jones pointed out that the larger banks in the US have already been moving towards API-based data sharing for some time.
“The CFPB draft rule largely enshrines what is currently happening in the market today for the larger players,” she said. “However, the longer tail of smaller institutions will now be brought in scope. The staggered implementation timeline addresses these challenges.”
Although the right to share financial data was given to consumers more than 13 years ago, in the absence of regulatory action, the US market has developed a market-driven approach to open banking that largely relies on bilateral information-sharing agreements.
As a result, access to financial data is often inconsistent among financial institutions and the terms of the sharing vary greatly.
"In some ways, this proposal is definitely needed, and it brings the US in line with other innovative countries,” commented Zarik Khan, founder of Finsolute Audit & Compliance Advisors.
“It has the regulator and the industry thinking about data from a consumer perspective but also a smart regulation perspective. There has been a lack of sophistication when thinking of these elements of banking and payments and a lack of willingness to regulate.”
“This will now mean that consumers have more data portability,” he told Vixio.
Core questions remain unanswered
Despite the positivity that has resulted from the US regulator unveiling its proposal, stakeholders pointed out that there is still plenty of room for improvement.
“There are some provisions that I question,” said Gómez.
“For example, the part about fair industry standard-setting and moving away from screen scraping,” he noted. “This can be very difficult to enforce, and what happens when fintech A argues that bank B isn’t offering proper access because its API is not good and therefore reverts to screen scraping?”
Gómez argued that standards are needed. Otherwise, a market as large as the US is likely to end up with a “spaghetti bowl” interoperability. “This will be very difficult.”
Khan continued that the downside of the proposal is that it is not comprehensive.
“At the outset, it directly acknowledges that this will only be applicable for deposits and credit cards, leaving stuff like insurance, auto loans and home loans off of the table,” he said.
“This is unfortunate and I am unsure how it can be streamlined.”
Further, the fintech expert warned that “there is a surprisingly minor amount of standardisation that is put forward, with the heavy majority of the content in it deferring to comment”.
According to Khan, some of the areas in which the CFPB seeks comment are concerning, in that it seems to indicate it may not have the technical understanding of some of these areas.
“This is particularly as it concerns data infrastructure and cybersecurity, and thus may end up creating unintended headaches if the final rule becomes a patchwork of perspectives from the industry,” he said.
Jones agreed that there is still a lot of ambiguity in the draft order, such as the data scope.
“Current open banking offerings have a significantly wider data scope, so the path is not clear for these solutions to continue,” she said. “There is still significant work to do, but this a great, sensible first step in codifying open banking for the specifics of the US market.”
Khan echoed this, stating “hopefully there is a lot more learning on all sides as things move forward."