There’s a notion going around that the U.S. banking industry collectively has been lagging in moving toward an open banking framework because it didn’t have a regulatory structure like that in some other countries. That’s absolutely a “false narrative,” proclaims Don Cardinal, Managing Director of the Financial Data Exchange (FDX). The U.S. financial institutions, fintechs, third-party data aggregators, bank technology companies and others that are the consortium’s members are all moving to abandon the flawed and insecure “screen scraping” method of sharing consumer financial data between institutions in favor of application programming interface (API)-based connections.
The shift away from screen scraping is far more than a technical issue. It has major implications for financial marketers. Recall that in late 2019 PNC Bank and Venmo, the popular person-to-person payment app, got into a very public spat when PNC began requiring customers that used Venmo to reenter their bank credentials directly with Venmo, bypassing data aggregator Plaid to avoid screen scraping. Other banks, including Chase and Capital One, had taken similar steps earlier. All these institutions were accused of blocking consumers’ access to new fintech apps. The banks each stated that the moves were intended to protect customers’ data.
The data-sharing squabble is important not just to avoid nasty headlines and tweets. It’s really about rapidly growing consumer demand for using digital apps with useful and user-friendly features. That trend was well under way before the COVID-19 pandemic arrived, but the crisis forced many people who hadn’t used digital into the digital space, as Cardinal notes. Shifting consumer preferences and demand for easy access to their financial data underpin everything that’s happening in the broad category of open banking, whether it be third-party fintech or in-house fintech within financial institutions, states Tom Carpenter, Director of Public Affairs and Marketing for FDX.
“The data is already being shared today,” Cardinal tells The Financial Brand. “When you ask the folks who are [managing] authentication or online banking, ‘How many of your customers have given up their credentials or passwords to third parties?’, they’ll tell you around a third of their customer base has given up credentials to one or more apps for a variety of reasons.”
The size of the institution doesn’t matter, Cardinal adds, “it’s eerily consistent.”
Financial institutions want to serve their customers, but are concerned about the security of customer data. “That’s really what brought everybody to the table at FDX,” says Cardinal. “They’re working toward a solution that makes data sharing as seamless, secure and convenient for the consumer as is possible.”
The primary initial component of the project — a set of data-sharing standards called FDX API 3.0 — is already in use facilitating direct API links between financial institutions and data aggregators, or in some cases, with a fintech or other company directly. As of early October, 2020, the non-profit organization — founded in 2018 by 21 companies — had 149 members. 48 have been added since April 2020, speaking to the impact of the pandemic on digital banking.
Almost a third of FDX members are financial institutions, while “pure-play” fintechs comprise about a quarter. In addition, data aggregators including Plaid (part of Visa) and Envestnet Yodlee are members, as are payment companies including Visa and PayPal, along with various other firms — title companies and tax software companies among them. The organization — a subsidiary of FS-ISAC (Financial Services Information Sharing and Analysis Center, a consortium focused on cyber risk) — expanded to Canada in the second quarter of 2020.
One of the FDX lynchpins is that “the consumer, not the institution, owns the data.” Even at the time of the organization’s founding, not all financial institutions were in agreement on that point, but Carpenter believes it’s a fairly settled issue now. However, he says there’s still plenty of discussion around data-sharing details including what types of data can be shared and how to ensure a level regulatory playing field.
Why the U.S. Now Leads in Open Banking
In Europe, the U.K., India, Singapore and elsewhere, the concept of “consumers owning their data” led to the codification of “open banking” rules — which typically require financial institutions to grant access to third-party providers when consumers and businesses request such access.
In the U.S., regulators have not followed suit. As Carpenter explains, the situation in the U.S. is much more complex. “We’re not the U.K. with five or six major banks that control 85% to 90% of the traffic,” he explains. “We have 14,000 financial institutions, and we have a host of fintechs. There’s no easy path to a regulatory solution.”
“One of the big misunderstandings about open banking is that everyone assumes, ‘Oh, we need a regulator to pick a tech stack and define participants and be a gate keeper and control things end to end’,” Cardinal maintains. But FDX is an industry-driven organization and within its member base it already has more than 12 million U.S. consumers covered by the standard.
The interesting thing is that on its website and in its papers FDX doesn’t talk much about open banking, even though that is what it is enabling.
“It’s about more than just banking,” Cardinal insists. He says “open finance” is closer to the mark as it includes investment data, retirement and pension fund data and insurance data. Companies representing all three of those areas are FDX members. “Eventually we’ll get to ‘open data’,” he believes, “because quite honestly these [data standard] rails are so robust that they can be reused in other industries.”
Carpenter adds that “open banking as a term brings with it so much baggage, so much assumption that it automatically must be accompanied by a large regulatory overlay and that is not the case in the U.S. We feel like we’re pretty far down the road for the concept of open banking even if the infrastructure of it looks different.”
Open banking in Europe has not yet led to the expected surge of third parties seeking data from financial institutions. As Celent Senior Banking Analyst Kieran Hines explained in an earlier article, it’s one thing for a regulation to require APIs to be available, but it is quite another thing to have all the standards in place and to have the developer and consumer experiences be optimal. The FDX standards have moved the U.S. closer to that goal.
Requiem for Screen Scraping
The practice of screen scraping has existed for years, but in a banking context was popularized by Yodlee and other early data aggregators. Absent a practical data-sharing standard, it was the only way for early fintech apps to gain access to the banking data needed to offer their particular service.
As depicted in the first chart, below, a consumer (“Janet”) signing up for a new financial app is asked to supply her user ID and password so that the app can then log in to her account at a bank or credit union, as if it were her.
This approach works and is still in widespread use. However, it presents several risks, as FDX and others have observed. One concern is that a consumer’s credentials and account data now exist in an entity separate from the financial institution, creating another place where they can be stolen. Another risk is that the scraping entity has access to all of a person’s accounts, not just the ones applicable to the functioning of a particular app.
APIs are a means for fintechs — or, more likely, aggregators — to set up permissioned and secure API agreements with financial institutions. APIs are not uniform, however, so there was a need to implement standards to make them “interoperable,” in tech parlance. That is what FDX API 3.0 does.
Encryption takes API technology a step further, creating tokens (randomly generated strings of characters). These tokens are what is exchanged between the financial institution and the aggregator or third-party app. The token can only be read by the bank and the receiving app. It contains no personally identifying information. The FDX standard incorporates tokenization.
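The contrast drawn above between handing over a password and exchanging a token, as an added example that is not from FDX or the original article. The `Bank` class, its method names and the sample accounts are hypothetical and constructed; the code illustrates the general idea of a random, consent-scoped, revocable token and does not model the FDX API 3.0 specification.

```python
import secrets

class Bank:
    """Toy data provider holding constructed sample accounts for one consumer."""

    def __init__(self):
        self.passwords = {"janet": "constructed-password"}
        self.accounts = {"janet": {"checking": 1200, "savings": 8000, "mortgage": -150000}}
        self.grants = {}  # opaque token -> (user, accounts the consumer consented to)

    def _authenticate(self, user, password):
        if not secrets.compare_digest(self.passwords.get(user, ""), password):
            raise PermissionError("bad credentials")

    def scrape(self, user, password):
        """Screen-scraping model: whoever holds the password sees every account."""
        self._authenticate(user, password)
        return dict(self.accounts[user])

    def issue_token(self, user, password, permitted):
        """Consumer logs in at the bank itself and consents to specific accounts."""
        self._authenticate(user, password)
        if not set(permitted) <= set(self.accounts[user]):
            raise ValueError("consent names an unknown account")
        token = secrets.token_urlsafe(32)  # random string, no personal data inside
        self.grants[token] = (user, frozenset(permitted))
        return token

    def read(self, token, account):
        """API model: the token is only a lookup key into the bank's grant table."""
        user, permitted = self.grants.get(token, (None, frozenset()))
        if account not in permitted:
            raise PermissionError("token unknown, revoked, or account not permitted")
        return self.accounts[user][account]

    def revoke(self, token):
        self.grants.pop(token, None)

def compare_models():
    bank = Bank()
    scraped = bank.scrape("janet", "constructed-password")  # app must store the password
    token = bank.issue_token("janet", "constructed-password", ["checking"])
    visible = bank.read(token, "checking")
    try:
        bank.read(token, "savings")  # outside the consented scope
        blocked = False
    except PermissionError:
        blocked = True
    bank.revoke(token)  # consumer withdraws consent; password is unchanged
    return sorted(scraped), visible, blocked, token in bank.grants
```

A stolen token in this model exposes one consented account until it is revoked, whereas a stolen password exposes all three accounts until the consumer changes it.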
Benefits to Financial Institutions
The profit potential for traditional institutions from use of open banking has been widely discussed. Accenture, for example, sees two primary ways to leverage it: 1. by embracing and building a platform of services incorporating offerings of third parties, and 2. by connecting third-party players to traditional banking systems and data under a Banking-as-a-Service arrangement. With both models, revenue can be generated either by fees or indirectly through expansion of the customer base.
Coming at it from a different angle, Celent states that the way third-party consent is managed presents banks and credit unions with an opportunity to maintain customer loyalty and to build their position of trust.
Where does FDX stand? As a not-for-profit consortium of often-competing entities, the organization steers clear of the monetization question. “We have very strict antitrust, anti-competitive rules so we really can’t get into the business practices of any member,” Cardinal explains.
Carpenter goes further, stating: “The concept of a consumer owning their data and having open and free access to it and being able to leverage that data is really one of the foundational principles that brought all of these entities together at FDX. A pay-for-play arrangement or an access fee really goes against that,” he maintains.
Cardinal points out, however, that banks and credit unions are also consumers of data in addition to being data sources, which can impact their use of artificial intelligence software.
To the extent that the other companies (or other financial institutions) from which a bank or credit union pulls data can provide unified, consistent, hygienic data, the receiving institution can make much better and faster decisions, Cardinal explains. “All this AI and machine learning has to have a quality diet,” he says. “If not, it gets sick.”
In addition, a common interoperable data-sharing standard, being free to be used by any institution, helps level the playing field between industry giants and community financial institutions. Cardinal notes that several bank technology providers including Fiserv and CSI are members of FDX.