The shape of retail banking in the U.S. will be sharply impacted by the development of long-delayed data sharing regulations now being fast-tracked.
Competing interests and concerns — those of the consumers’ whose financial data is involved, banking institutions, fintech players, third-party data companies, software providers who facilitate data sharing— will all have a stake in the rules’ evolution. All of this will play out against the backdrop of the economic and regulatory viewpoints of Rohit Chopra, Director of the Consumer Financial Protection Bureau, who has set an ambitious agenda for getting the regulations implemented.
The starting point for the coming regulations is the Dodd-Frank Act’s Section 1033, which provides consumers with a right of access to their financial information. The act requires they have access to that data in electronic form in a usable format on request. Some incumbent financial providers fear that this will make it easier for people to move their accounts.
That is precisely what CFBP has in mind, much the way consumers can easily change phone service providers thanks to phone number portability rules.
CFPB’s Chopra Wants to Put Consumer in Data Driver’s Seat
In a landmark speech during the 2022 edition of Money 2020, CFPB’s Chopra detailed his belief in consumers’ data rights and set out an ambitious schedule for devising regulations with an eye toward an effective date in early 2024.
“While not explicitly an open banking or open finance rule,” said Chopra, “the rule will move us closer to it by obligating financial institutions to share consumer data upon consumer request, empowering people to break up with banks that provide bad service, and unleashing more market competition.”
“We expect that the public will gain more bargaining leverage once data- holding companies must share authorized consumer data with authorized third parties.”
— Rohit Chopra, CFPB
The timeline that Chopra spoke of is very fast for Washington, even with all the advance work over years.
“This suggests that the bureau is trying to get this buttoned up before the 2024 Presidential election,” wrote fintech blogger Alex Johnson.
Banks and credit unions shouldn’t just leave this matter with their compliance and legal functions, says John Pitts, Head of Policy at Plaid. Pitts thinks strategic planners, marketers, product developers and others should be looking at CFPB’s efforts.
“You’ve heard the expression ‘voting with their feet’,” says Pitts. “I think consumers are voting with their thumbs, on their smartphones for what they want their financial future to look like.” Institutions can’t afford to treat this solely as a compliance issue.
What CFPB Has In Mind for 1033 Regulations
Much of Chopra’s rhetoric took a “new sheriff in town” tone, insisting that the bureau will emphasize consumer rights and a mission to “create catalysts for more competition.” In the past, he said, financial regulators have produced “complicated rules to fit existing models. Much of it involves financial institutions handing consumers a lot of fine print that they may not even read, like those privacy notices companies send.”
Experts suggest the Federal Communications Commission’s rules enabling portability of phone numbers will likely be an influence on how the 1033 rule develops as a way of facilitating movement of financial relationships.
The preliminary CFPB data rule documentation released thus far is incredibly detailed. However, in the speech Chopra gave three points that the work will address.
1. Institutions offering deposits, credit cards, digital wallets, prepaid cards and related transaction accounts will be required to set up secure data sharing methods, like APIs.
2. The bureau is working on multiple ways to stop incumbent providers from making it difficult for consumers to seek control of their data and to share it with other providers. On the flip side, the bureau wants to prevent consumer data from being used for purposes beyond the reason they wanted to share it in the first place.
3. A concern is that data sharing could be dominated by a handful of firms. The bureau wants its rules to encourage decentralization of controls over data use.
- Strong Growth in Bank Digital Marketing Comes Under a CFPB Cloud
- CFPB to Unleash BNPL Rules that Would Also Impact Data Mining
- CFPB’s New Director is No Fan of Banks
Staying Ahead of a Regulatory Juggernaut
Bankers and credit union executives will need to watch the development of these rules as they will affect competition not only with fintechs and neobanks but with each other.
“This is going to be a full-blown regulation,” and not a quasi-rule delivered through a blog post or other informal channel, according to Alan Kaplinsky, Senior Counsel at Ballard Spahr LLP. Beyond the competitive effects of the new regulation, he says, banking institutions are going to find this a costly rule to comply with and to implement in a way to minimize cybersecurity dangers.
Early reaction to Chopra’s game plan saw banking associations calling for a level playing field with fintechs and neobanks, with the trade groups citing the long history of regulation of their own members’ use of consumer data and privacy issues.
“It is essential that consumers’ data is protected regardless of what type of entity has access to that information, and better protection means requiring Big Tech and other nonbanks to adhere to the same obligations, expectations and direct oversight applied to banks,” stated the Bank Policy Institute.
There was also support for one of the bureau’s goals, promoting the use of secure APIs and outlawing the use of screen scraping technology.
On the other hand, groups such as the Financial Technology Association have called for acceleration of 1033 rulemaking to bring about more disruption of the traditional financial services business. “Fueled by open finance, competition from fintech companies is driving innovation that makes financial services more accessible and affordable for everyday consumers and investors,” the group stated.
Regulations Could Go Both Ways
Plaid’s John Pitts, a former CFPB senior staffer, notes that Chopra has made it clear that he is concerned about community banks and credit unions being treated fairly under the final regulations.
Pitts says Plaid, which is a major player in API-based data sharing, is pleased that CFPB appears to favor this technology. It reflects the growing reliance on APIs in the market, and the market’s own move away from screen scraping methods.
Pitts says the experience with open banking driven by regulation in Europe and the U.K. suggests that CFPB needs to work to make its regulations broad enough to fit modern financial services as it continues to evolve in the U.S.
He explains that in Europe and the U.K. the regulations were tightly written and tended to look only at the flow of information from banks to newcomers. A more omnidirectional viewpoint would acknowledge the way financial services is moving, according to Pitts. This includes looking beyond the array of services CFPB says it will regulate initially.
“As consumers use more fintech apps,” says Pitts, “I think the banks quite rightly are saying, ‘Hey, wait. Why can’t the consumer share their financial data from a fintech app back to the bank? If it’s their data, they should be able to move it wherever they want’.”