Has CFPB Started a War Over Open Banking — or Created New Opportunities for Banks?

The same day that the Consumer Financial Protection Bureau unveiled its final personal financial data rule, the banking industry sued to stop the bureau's controversial take on open banking. Then Donald Trump regained the White House. Should institutions wait to see what happens after the smoke clears? Or should they exploit opportunities that may benefit early adopters?

The banking industry and the Consumer Financial Protection Bureau have two very different viewpoints about “open banking.”

The industry and the CFPB have been circling and skirmishing for a couple of years over rulemaking. Now a major battle is looming over the result, even as some think it’s time for banks to simply acquiesce and figure out how to profit from an inevitability.

Given the changeover in the White House — and note that a federal court decided during the first Trump administration that the CFPB director serves at the pleasure of the President — the future of the rule could change. Certain late-stage regulatory moves in the Trump years were paused and killed when President Biden took office, so it’s not inconceivable.

The new rule arises, 14 years later, from the Dodd-Frank Act of 2010, though banks have maintained that the bureau overreached the letter of the law. As it is written, the CFPB open banking rule could have far-reaching effects, including a major boost to pay-by-bank payment models through fintech apps.

To CFPB, Open Banking Is All About Financial Portability for Consumers

In late October, CFPB issued the final version of its personal financial data rights rule. The rule requires banks with more than $850 million in assets to make certain data available via digital channels to consumers and to third parties they designate, without charge. (The rule also applies to certain nonbanks, including credit card issuers. See the table accompanying this article for applicability and staggered effective dates.)

The information banks must make available to authorized third parties — notably fintech apps — includes historical transaction information, account balances, upcoming bill payment information, basic account verification information, and account terms and conditions. Significantly, banks must also make available information needed to initiate payments to or from accounts covered by Regulation E.

The goal? In CFPB’s own words: “To unlock an individual’s personal financial data and transfer it to another provider at the consumer’s request for free. Consumers will be able to more easily switch to providers with superior rates and services. By fueling competition and consumer choice, the rule will help lower prices on loans and improve customer service across payments, credit and banking markets.”

In a speech, given prior to the national elections, Rohit Chopra, CFPB director, portrayed the effort as striking a blow for the little guy.

“Incumbents don’t want to lose their captive customer base,” said Chopra. “Just like other sectors of the economy, big companies have little incentive to make it easy for you to port and share your data. We’ve seen how they can concoct a slew of reasons to block consumers from these benefits.” He said the rule would help consumers “walk away from mediocre products or services” and get better rates, free access to paychecks before payday, and more.

Compliance Dates for CFPB’s Open Banking Rule

Source: Consumer Financial Protection Bureau

Chopra has long compared the bureau’s concept of open banking to wireless phone services. Switching to a new wireless carrier used to require obtaining a new phone number. Then the Federal Communications Commission mandated phone number portability from one carrier to another, encouraging more competition.

“To make our banking and payments market more competitive, it needs to be open and decentralized using a common set of data standards, free of powerful gatekeepers and middlemen that can impose private regulations and extract fees,” Chopra said.

In other words, Chopra’s CFPB sees open banking, made mandatory for many banks, as a means of enabling consumers to rapidly move their business from their original providers to new ones. Accomplishing this shift would require institutions to provide access to the data, preferably via application programming interfaces (APIs).

“Unfortunately, what began two administrations ago as a collaborative exercise in securing consumers’ personal financial data has devolved into a press-release driven, political exercise based on the false premise that consumers lack choices and a misunderstanding of whether Dodd-Frank grants CFPB the authority to radically reshape the financial services marketplace,” ABA said when the final rule was released.

The rule, and a related rule issued in June, entail the use of private-sector bodies to set standards for the exchange of data between providers like banks and consumers and the third parties that they authorize to access their information. So far two organizations — Financial Data Exchange and Digital Governance Standards — have applied for consideration.

Could CFPB’s Rule Backfire? Or Does It Clarify Things?

Some have questioned if the goals of the CFPB effort will materialize, even if the rule stands.

“Defending the new open-banking rule, Mr. Chopra said that he was willing to accept even a good deal more fraud risk for consumers because his rule humbles incumbent financial-services companies,” wrote veteran bank regulatory analyst Karen Petrou in a blog. “This is like saying that one is fine with a few more dangerous drugs since that’s what it takes to loosen Big Pharma’s strangle-hold.”

Added Petrou, managing partner at Federal Financial Analytics: “In short, it is right to expose me to greater risk of identity theft or authorized fraud because account portability might earn me an extra quarter-point of interest on the deposit account thieves are about to pillage.” She also worries that the compliance costs of the new rule will drive more institutions to increase their emphasis on wealth management services and de-emphasize mainstream retail banking.

Despite all this, the new rule represents a bit more certainty in some ways.

“Financial institutions and fintech apps have lived in, basically, a cold war,” says Chad Killingsworth, head of engineering at Jack Henry. “The fintech apps screenscraped without [banks’] permission and without any relationship and just took the data, which is not great.” The CFPB rule puts some guardrails on the process and pushes things towards use of APIs. Consumers gain more specific controls over what data third parties can gain access to.

On the other hand, now financial institutions have a potential due-diligence relationship with every third party that comes over the transom. That’s a burden CFPB thrust into their hands, Killingsworth says.

“That’s where the regulation gets really sticky,” says Killingsworth.

There’s also competitive impact, as nonbanks gain greater access, potentially, to consumers — key among Chopra’s aims.

Open banking “means [incumbent banks] could face new competitors in the shape of agile fintechs and neobanks … as well as non-financial institutions such as supermarkets and telecom companies looking to deliver banking and adjacent services, from current [checking] accounts to insurance and mortgages,” writes Jamie Merritt, a veteran of open banking adoption in Europe, the U.K. and elsewhere, in a whitepaper. He is currently European head of regulatory and compliance at consultancy SRM. Open banking was put in motion in the U.K. to address the government’s belief that banking services needed more competition.

To Banks, Market-Driven Open Banking Is a Very Different Affair

On Oct. 22, the same day CFPB released its rule and Chopra spoke on it, the banking industry sued.

The Bank Policy Institute, the Kentucky Bankers Association, and Forcht Bank, a Lexington, Ky., institution with $1.6 billion in assets, sued in the U.S. District Court for the Eastern District of Kentucky to set aside the CFPB’s rule.

“In the United States,” they said in their joint complaint, “the developing open banking system has achieved substantial progress through private-sector efforts. Banks, including Plaintiffs and their members, have embraced this opportunity for innovation because it allows them to develop secure and attractive products for their customers. In other words, open banking is already flourishing through a private, market-based ‘consumer data sharing ecosystem’ in which industry members have been actively participating.” [Emphasis added.]

The complaint cites 2023 research by Visa that indicates that 87% of Americans already use some type of open-banking service. This could be as simple as services from fintechs that offer a unified view of their finances. It can also include such common services as person-to-person payment apps.

The document goes on to say that CFPB “seeks to jettison the developing, industry-driven system [of open banking] and replace it with a complicated, costly, and fundamentally insecure mandatory data-sharing framework.”

In a comment letter filed last year on CFPB’s proposed version of the rule, JPMorgan Chase noted that the bank supports “secure data sharing for millions of JPMC customers, whether for budgeting, loan applications or other use cases that improve our customers’ access to insights and diverse competitive offerings.” The letter said that the bank supports over a billion API calls — messages sent to servers asking an API to provide a service or information — every month. A company dashboard permits customers to control which third parties can access their data from the bank.

Banks: Must We Pay to Help Our Competition?

Among the complaint’s points is that the cost of compliance must be borne completely by the bank providing the data. The bank can charge neither the consumer nor the third party seeking credentials through which to obtain data. It’s also thought that many third parties will wind up obtaining the data through data aggregation companies, and those firms are allowed to charge fees to the third parties. However, they aren’t required to share any of that money with the banks via fees or otherwise.

It’s important to understand this isn’t a one-time transfer of information, but an ongoing obligation involving each third party and each customer, as they desire.

In its comment letter, JPMorgan Chase objected to banks’ having to pick up all the costs, especially because they are wrapped up in keeping the underlying services functioning and processed in up-to-date ways.

“A data provider cannot be expected to build and maintain services to enable third-party access to customer data without accounting for the foundational investments upon which those services rely or the cumulative impact on the overall economics of providing banking services,” Chase wrote.

“Demanding that the financial institutions to which I entrust my data also transmit it to third parties without charge despite all the authorization cost and liability risk this entails for the financial institution is like asking that a pet sitter take care of my dog for free because I own it,” said analyst Karen Petrou.

Another key point, among many in the suit, is that the bureau, having established the rule, has thrust all responsibility for the standards outside of its own organization. Security standards will be set by the external authorities. The complaint also says that CFPB “deputized” banks to the job of verifying the security practices and compliance by the third parties.

Should Your Bank Wait or Plunge Ahead?

As soon as the rule was announced, many vendors began announcing their readiness, or plans for readiness, to help banking data providers to get ready for the CFPB’s rule. If the Bank Policy Institute lawsuit goes the industry’s way, those efforts would be moot.

Jack Henry’s Chad Killingsworth points out that the largest banks only have until April 1, 2026, to be ready to comply and supply the data to third parties — not a huge amount of time. As for those institutions in groups with a longer timeline, he suspects some will choose to wait to see how the suit, or political change, affects the rule.

“Others are just going to go ahead and proceed regardless,” says Killingsworth. “I think we’ll see institutions in both camps.”

Officially, those covered by the rule “can’t say no and they can’t charge for it,” says Killingsworth. “CFPB made it a cost of doing business.”

Community banking institutions will be in a particularly challenging spot. Officially, banks under $850 million in assets aren’t covered by the rule. But Killingsworth says that matters aren’t quite so simple. All banks play on the same field nowadays.

That includes serving the needs and wants of younger generations of bank customers, those that want their bank accounts to be connected to fintech and related apps. Meeting this expectation means that the small banks will likely have to comply anyway, making the threshold theoretical rather than genuine.

“I think the smaller institutions are going to have to do this too,” says Killingsworth. “The good news is that they can work through a partner or a platform to do so. Hopefully, they’ll find one that’s built into their online banking platform that won’t entail extra costs. However, there are also solutions out there that come at a cost as well.”

Will Early Entrants Snap Up Opportunities Latecomers Will Miss?

SRM’s Jamie Merritt has doubts about the wisdom of waiting on the legal fate of the CFPB rule, and even institutions with far-off deadlines should consider getting going earlier than they are obligated to, he believes. He thinks those that are quickest to the game may have the best opportunities to make more of CFPB’s approach to open banking than merely an exercise in compliance.

Merritt says much of the early thinking about European and U.K. adoption of open banking revolved around technology and compliance. Many players ignored the opportunities for customer services. He says U.S. banks are at a point where they have time to jump in sooner than they must, and do so in partnerships with fintechs and other players, rather than being passive providers of data and payments.

The pattern internationally has often been that institutions “are being forced to do this, kicking and screaming,” says Merritt. He says U.S. institutions should be looking at which customers they want to acquire from other players — they can request open banking credentials with other institutions, after all — and which they want to retain in spite of CFPB’s concept of portability.

Simply telling consumers about open banking won’t mean anything, he says. He argues that most U.K. consumers wouldn’t even recognize the term. Presenting consumers with use cases that the bank can provide with outside partners will be more meaningful. The U.K.’s Open Banking Ltd., set up to orchestrate the transition to open banking there, offers more than a dozen case studies on its website that provide fodder for product design.

“You’ve got an opportunity now, in the U.S., to learn from the U.K., Europe and other markets,” says the London-based Merritt. “Focus on what the customer journey is, what’s in it for the customer — because you’re going to be forced to do it anyway.”

This article was originally published on . All content © 2024 by The Financial Brand and may not be reproduced by any means without permission.