U.S. banks of all sizes will soon be required to share customer financial data, upon consent, with other banks and trusted third parties. In preparing to comply with this new mandate, each bank first must decide what role it wants to play in the new open-banking market.
The catalyst is that the Consumer Financial Protection Bureau recently commenced the rulemaking process for the sharing of consumer financial data, also known as “open finance.” The transition to open banking is prescribed under Section 1033(a) of the 2010 Dodd-Frank Act.
Here’s what Section 1033(a) says: “A covered person [must] make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions, or to the account, including costs, charges, and usage data.”
It is up to the CFPB to figure out what this will mean in practice, and the details are yet to be determined. A “covered person” is generally any entity that offers or provides a consumer financial service. However, the CFPB is considering a somewhat narrower definition that would include financial institutions, as defined by its Regulation E, and payment card issuers, under its Reg. Z. Banks will undoubtedly be subject to compliance with the final rule.
In late October, the CFPB released a discussion paper regarding consumer financial data with dozens of questions and issues on which it seeks input. Based on the information it receives, the bureau plans to issue a report in the first quarter of 2023, propose rules later in the year and finalize the regulations in 2024. It’s unclear when the CFPB will mandate compliance with the rules, and questions in the discussion paper indicate the bureau is flexible. As required by the law, the CFPB is focused on hearing from “small” banks and data providers, though it does not limit those that can reply.
In short, now is the chance to act, and it won’t last long.
The CFPB Wants You (to Comment):
Financial institutions have an important opportunity to help shape the rules around the sharing of consumer financial data. But the timeline to do so is tight.
In the U.K. and Brazil, the government established technical protocols and rules for financial data exchange. In contrast, the CFPB appears likely to adopt a market-led approach or at least significant elements of one. Financial Data Exchange, or FDX, a nonprofit consortium of more than 200 North American banks, data providers and enablers, has been iterating the most widely used solution for the past few years.
As of October 2022, FDX estimates that 42 million consumer accounts are enabled for secure data-sharing and consent management via the free FDX application programming interface specification, now at version 5.2. This API currently fields an estimated 3.4 billion monthly data requests, known as “calls.” Further, the FDX API specification eliminates the need for users to share login credentials, a requirement that is typical of the predominant data-sharing method known as screen scraping.
What Open-Banking Strategies Are Banks Using Today?
To provide new services and better customer experiences, API-driven collaboration among a variety of companies (banks, fintechs, retailers and others) has been rising in recent years. These partnerships are built around the same architecture as open banking, so if done correctly, being ready for one also means being ready for the other.
The largest U.S. banks have created APIs enabling clients to access applications and embed services into their workflows. For example, a bank’s commercial customers could embed payment processing into their payment workflow with suppliers.
On the other end of the size spectrum, many small banks have embraced a business model known as banking-as-a-service, or BaaS. The model has various permutations, but the basic idea is to generate fee revenue by offering nonbanks an operating platform and use of a bank regulatory license for a specific service, such as a deposit account, which the nonbank would offer its digital customers. Indeed, some banks have pivoted to focus on this model exclusively, but this is a risky endeavor, as banks that have partnered with crypto firms likely would attest.
At Opposite Extremes:
Some financial institutions have adopted BaaS as their entire business model — which can be risky. But most are on the opposite end of the spectrum and don't even have an open-banking strategy yet.
That leaves the vast middle ground consisting of thousands of banks and credit unions in need of an open-banking strategy, first to comply with coming regulations and then to leverage that updated compliance infrastructure to create value-added services (along with new revenue streams). So, where should a bank start?
Three Steps on the Road to Open Banking
1. Define the bank’s strategy
A bank must decide whether to play offense or defense.
A defensive open-banking strategy would be simply complying with regulations and sharing data with third parties upon customer consent. That’s an acceptable choice, but the bank will remain unaware of what its customers are doing with other financial providers. We call this “ecosystem ignorance.” (See lower-left quadrant of the figure below.)
However, banks that gather customer data from other sources can make better product recommendations and help customers manage their finances more effectively. In short, customer-data gathering allows banks to be smarter, so we call this “ecosystem intelligence.” (See upper-left quadrant of the figure below.) The most common example is personal financial management applications that consolidate a customer’s investment accounts across providers into a single view.
With customer consent and the most rigorous security standards, banks are playing offense by allowing third parties — including enterprise resource planning, accounting and invoicing platforms — to initiate transactions from their front-end applications. This is known as BaaS and embedded finance, and we call these and similar services “ecosystem infrastructure.” (See lower-right quadrant in the figure below.) This business model enables banks to acquire new customers, and because the customers discovered and accessed the service via a third-party platform, the acquisition cost is much lower, if not zero.
Our fourth and final model (upper-right in the figure below) combines features of “ecosystem intelligence” and “ecosystem infrastructure,” positioning the bank at the center of a multisided platform. This creates the opportunity for business models such as marketplaces and super apps.
It is a model we call “ecosystem orchestration,” and it positions a bank as a one-stop shop for financial services, regardless of who provides those services behind the curtain. Though this is typically a role filled by fintechs, many banks have successfully deployed this strategy outside North America.
An embrace of open banking demands not only a shift in mindset — going from the typical walled-off relationship between a bank and its customer to an open ecosystem of interconnected participants — but also a commitment at all levels of management.
It’s critical to start with a high-level objective or problem statement that an open-banking or BaaS offering could solve. For example, what’s the opportunity to embed a payments-processing application into the workflows of commercial clients? How much fee revenue might that service generate on its own? Would the service generate incremental loan growth? Embedded finance solutions offer the opportunity to deepen customer relationships, reduce attrition and boost share of wallet.
2. Decide on the best way to enable the strategy
Choosing the right technology platform is always challenging, particularly for a more recent capability like open-banking APIs or BaaS.
Banks are faced with the typical “build, buy or partner” decision when implementing an open-banking infrastructure. Given the time and expense involved in building and owning this technology, many find it best to utilize a third-party solution to manage their open-banking API system. Banks can also use a data-sharing network, such as Plaid or MX, to gain access to a critical mass of data-sharing entities.
Before choosing technologies, bank leaders must understand the limitations of their financial institution’s legacy infrastructure. In addition, the implementation of open-banking APIs must fit within the bank’s technology roadmap, considering how it will impact core system upgrades and any plans for cloud migration.
The good news for banks is that open-banking APIs have been deployed successfully in other markets, so proven reference architectures are available to demonstrate how the new layers would interact with the existing technology stack. Accelerators are also available to guide the journey and shorten the time to market.
In addition to the essential functions of data-sharing consent, data recipient registration and data security, a robust open-banking API solution should offer a developer platform and a sandbox to encourage innovation within the bank’s open-banking ecosystem.
3. Set the team up for success
Adopting agile and lean methodologies for solution design and implementation can help banks achieve their open-banking objectives faster and more efficiently. The goal is to improve the team’s ability to deliver results, not just add another project to the list.
Specifically, banks must determine the right mix of internal and external resources to implement their open-banking strategy based on the skills and experience that exist in-house. Interdisciplinary teams, made up of internal and external participants, can also speed up the time to market. For example, one bank told us recently about an open-banking project that was well on its way, only to be delayed by a compliance issue.
There are many issues to be resolved with secure data-sharing over the next few years, but one thing is for sure. The ability to connect banks, other financial institutions, and third parties safely and efficiently, with well-proven control mechanisms, is an exciting opportunity to create differentiated products and business models. Moreover, it’s exciting not only for the companies that make up the ecosystem (both traditional and new entrants) but also for their retail and corporate customers.
About The Sponsor:
David Ritter is the director of financial services strategy at CI&T, which focuses on digital transformation.