On July 24, 2020, the Consumer Financial Protection Bureau (CFPB) announced plans to issue an advance notice of proposed rulemaking (ANPR) regarding consumer-authorized third party access to financial records. The announcement is the latest step in a process that began in 2016, when the CFPB began studying issues surrounding consumer data aggregation and the prospect of giving fintechs access to consumer data held by banks and other traditional financial services companies at the request of the consumer. In 2017, the Bureau issued non-binding principles aimed at giving consumers greater insight and control with respect to their financial data. The Bureau also held a symposium in February of this year, a summary of which was published with the ANPR announcement.
Until recently, US laws governing data collection and use focused almost exclusively on protecting consumers from harm arising from unauthorized access and inappropriate uses of their data. Globally, the regulatory emphasis has shifted to both give consumers a shield to protect their data and also hand them a sword -- the ability to use their data proactively to further their financial goals.
Before consumers can use their financial data in new ways, however, it has to be aggregated, manipulated, or interpreted in some way. Fintech firms excel at this, but they need nearly real-time access to consumer account data, much of which still resides with banks. Fintechs can obtain, and have obtained, this data without banks’ involvement, through credential-based access or screen scraping. The consensus is, however, that these methods are inferior to direct access to the data through API integrations in terms of security, reliability, and consumer control.
There are some longstanding disincentives for banks to provide data access to third parties. The consumer financial data that banks control represents a valuable asset and competitive advantage, and they generally are the party primarily responsible to consumers and regulators for protecting it. However, these disincentives are increasingly outweighed by consumer push for innovative financial products. Although not yet under regulatory mandate to develop open APIs like those in place in the UK and Europe, US banks have already started partnering with fintechs and participating in working groups focused on developing standard API protocols to allow data exchanges with multiple third parties.
To date, these US efforts have largely proceeded in an environment of regulatory uncertainty and one-off agreements between banks and fintechs, driven solely by consumer demand. Unlike their international counterparts, US banks do not have concrete regulatory guidance on how to address fundamental issues such as informed consumer consent, the appropriate scope and duration of data access, and allocation of liability for data loss. A final CFPB rule on data access could provide this guidance as well as the regulatory push that has been an important driver of open banking efforts globally but has been lacking in the US.
The CFPB derives its rulemaking authority in the data access area from the Dodd-Frank Act, which contains the first US statute giving consumers a general right to their electronic financial data. Section 1033 of the Act requires covered providers of consumer financial services to make consumers’ data available to them in a usable electronic format and empowers the CFPB to issue implementing rules.1 The Dodd-Frank Act defines “consumer” to mean not only an individual but also a representative acting on an individual’s behalf.2 If the CFPB interprets Section 1033 as requiring banks to give electronic access rights to financial services providers acting with the consumer’s consent, it could provide a legal basis for a US analogue to the UK’s Open Banking Standard, which required the largest UK banks to use open API standards to make consumer financial data available to non-bank fintech providers.
Mandated third-party access with appropriate guardrails has the potential to accelerate the development of a consumer-centric market in account information services, lowering barriers to entry and increasing the rate of innovation among start-ups and incumbents. Depending on the scope of the CFPB rule and how successfully it is implemented, providers of account information services could see new opportunities to aggregate data across adjacent sectors, such as insurance, asset management, and retirement plan providers, as we have seen in other jurisdictions.