The proliferation of digital solutions for delivering financial products and services – through mobile applications, online platforms, and other tools – has in recent years fundamentally changed the consumer finance marketplace for banking, payments, lending, and investment advice. With demand continuing to grow for integrated and intuitive services, technology companies are now key participants in what was once the exclusive domain of a small number of highly-regulated organizations – banks, broker-dealers and investment advisers.
An important regulatory underpinning for these developments – rules and standards enabling companies in the fintech ecosystem to access and share consumers’ personal financial data – is variously called “open banking” or “open finance.” For years, the United States has lagged behind the EU, UK, and Asian jurisdictions in developing a clear framework for open banking/finance. In light of a recent proposed rule by the Consumer Financial Protection Bureau (CFPB), however, the US looks poised to catch up.
In this blog post, we summarize the CFPB proposal and take a cross-border look at how open banking/finance regimes have been implemented elsewhere. We then discuss lessons from other jurisdictions that might help to inform the CFPB’s approach.
What Are “Open Banking” and “Open Finance”?
Although there are no authoritative definitions, the terms “open banking” and “open finance” are used (sometimes interchangeably) to describe the rules, standards, agreements, and practices enabling third parties to access and use consumers’ banking and transactional data from “data holders” – banks and other financial services providers. Such access and sharing usually occurs via Application Programming Interfaces (APIs) that allow different software applications to exchange data.
In an open banking regime, consumers may grant consent to third-party providers (generally, “data users”), allowing them to access, for example, account and transaction data from their financial institution(s) and use it for a range of purposes, from budget management to payments to retirement planning. The aim of open banking is broadly to increase competition and encourage innovation, which, in turn, may provide additional choice to consumers, increase the availability and improve the quality of financial products and services, and foster greater financial inclusion in underserved communities.
Proponents of open banking contend that empowering consumers to authorize data sharing, and removing the legal and regulatory barriers to such sharing, carries widespread benefits: making it easier for consumers to choose the financial service providers that best suit their needs and to move or transfer accounts without having to sacrifice important data (e.g., automated bill payment arrangements and historical transactional records). Open banking also arguably creates incentives for a broader range of firms to enter the market for consumer financial services, potentially offering consumers greater choice and autonomy.
Toward Open Banking in the US
As noted, the US lags behind other jurisdictions in adopting an open banking framework, even though the Dodd-Frank Act of 2010 (the DFA) directed the CFPB to implement rules creating one.
Specifically, Section 1033 of the DFA gives consumers the right to access effectively any information concerning their accounts held by “covered persons” (e.g., banks, credit unions, and other financial institutions) and requires the data to be made available in “an electronic form usable by consumers.” Although the statute requires the CFPB to issue rules implementing these requirements, more than 13 years elapsed before such a rule appeared.
On October 19, 2023, the CFPB issued this long-anticipated proposal to give effect to Section 1033 and introduce a coherent open banking framework to the US. The Personal Financial Data Rights Rule (the Proposed Rule), if implemented in its current form, would among other things:
- Require covered financial institutions to provide consumers and their authorized third parties with access to specified financial data in their possession or control through electronic interfaces (i.e., APIs) in standard, machine readable format and at no fee. Such interfaces must satisfy applicable privacy and data security laws. Subject to exceptions, financial data covered by the Proposed Rule includes transaction information and history, account balance, payment-initiation information, terms and conditions, upcoming bill information, and information necessary to conduct account verification.
- Permit authorized third parties and so-called “data aggregators” to use consumer financial data received from a financial institution only in accordance with applicable law and only for purposes “reasonably necessary to provide the consumer’s requested product or service.” The Proposed Rule applies a one-year duration limit to the consumer’s authorization for data sharing, renewable annually, and prohibits a third party from using or retaining data beyond the period expressly authorized.
- Require third parties receiving consumer financial information to adopt and maintain: (i.) an information security program that complies with rules issued pursuant to the Gramm-Leach-Bliley Act, irrespective of whether the receiving party is otherwise subject to that statute; and (ii.)written policies and procedures to ensure compliance with the Proposed Rule. Insofar as a third party uses a data aggregator or other agent in connection with authorized data sharing, the Proposed Rule requires disclosure of the arrangement and a compliance certification by the aggregator or agent to the consumer. To remove any doubt, the Proposed Rule states explicitly that the third party will be responsible for ensuring the compliance of its downstream aggregators and agents.
- Authorize industry standard-setting bodies to establish security standards and performance specifications, subject to minimum requirements, and apply for CFPB recognition as an “issuer of qualified industry standards.” Upon such recognition, covered financial institutions may adopt the body’s standards for its APIs.
- Establish a phased implementation schedule, through which covered financial institutions would become subject to a final rule based on their asset size – with the largest institutions required to become compliant first. For example, depository institutions having $500 billion or more in total assets and covered non-depository financial institutions having at least $10 billion in annual revenue would be required to comply within six months of publication of a final rule, while depository institutions with less than $850 million in assets would have four years before the rule applies.
Comments to the Proposed Rule are due December 29, 2023, and we expect robust debate. Initial reactions from the financial industry highlighted concerns about liability for data breaches and/or fraud as well as costs associated with implementing and maintaining the required compliance infrastructure.
A Cross-Border View: Open Banking in the UK, EU, and Asia
In the UK, open banking rules have been in effect since 2018, with numerous developments in the years following their initial launch; the UK framework is therefore relatively advanced as compared to open banking in other jurisdictions. Open banking in the UK, as elsewhere, evolved in response to concerns about competition and innovation, especially following conclusions reached by the UK’s Competition and Markets Authority (CMA) that the market for retail banking was not sufficiently competitive and was dominated by large banks. The UK financial regulator (the Financial Conduct Authority or “FCA”) is now working with other stakeholders to consider the approach to expanding open banking in the UK to move to a broader open finance offering.
One important factor in the UK’s success as a leader in open banking is its approach of requiring all account servicing payment service providers (ASPSPs) to give regulated third-party providers access to payment account data and enforcing a single open banking standard for the largest ASPSPs through an implementation entity overseen by the CMA. In 2022 alone, the number of open banking payments in the UK more than doubled to 68 million payments, compared with 25 million in 2021. In order to progress to a sustainable long-term regulatory framework, the UK government proposes to make the FCA responsible for regulating firms in relation to the provision of open banking services, including payment initiation and data sharing requirements, while the Payment Systems Regulator (PSR) will regulate the open banking services that relate to payment systems and their participants. The government has also introduced the Data Protection and Digital Information (No. 2) Bill, which is currently making its way through Parliament and would, among other things, enable the creation of a regulatory framework for data sharing in open banking.
Open banking in the EU is in a less developed state than in the UK (although still ahead of the US). The European Commission has recently released its long-awaited proposal for a comprehensive framework for financial data access. The proposal will be a game-changer for accessing, sharing and processing financial data, as it proposes a framework for access to individual and customer data across a wide range of financial services, beyond payment account data (which is the subject of open banking introduced by the second Payment Services Directive in 2018). The proposal aims to address the possibility but also the concerns associated with making a broad range of data in financial services more accessible. Possibilities of open finance that the European Commission has identified include efficiencies in the provision of banking and financial services, the opportunity for consumers to make more informed decisions around their personal finances and the ability of financial institutions to better assess risks.
Efforts to create an open banking regime are underway in various Asian jurisdictions as well.
In Hong Kong, open banking has been implemented in a four-phased open API framework that is a leading open banking framework in Asia. Following the introduction of the Hong Kong Monetary Authority’s open API framework in 2018 and the subsequent implementation of open APIs by the banking sector since 2019, more than 20 participating banks have launched over 800 open APIs covering a diverse range of banking products and services. Taiwan has also adopted a phased approach to create a digital ecosystem of financial services through open API.
The Monetary Authority of Singapore has developed playbooks and guidance on implementation of APIs in financial institutions and organisations, whilst Japan has revised the Banking Act in 2018 to require banks to develop systems for the introduction of open APIs. In India and Korea, the government-backed APIs allow seamless access to online infrastructures among financial institutions. In China, whilst no official regulation or guideline on open banking has been issued yet, major banks have already begun to develop tech capabilities around the idea of open banking and the use of APIs. In Indonesia, major banks have also started developing an open banking initiative through an open API standardization set-up.
Lessons for the US?
Based on experiences implementing open banking frameworks in Asia, the UK, and the EU, policymakers in the US can expect substantial questions and concerns regarding how to ensure the privacy and security of the data shared and protect it from misuse. Perhaps not surprisingly, initial discussion in the US has centered on these very issues.
The UK and EU regulator-driven approach of setting standards which are enforced and imposed on banks and financial institutions from day one may assist with alleviating these concerns. Dovetailing data protection legislation with open banking standards and embedding a commitment to the monitoring of the use of data and market compliance puts regulators in a better position to predict and regulate new types of cyber crime and harmful trends, which can then be minimised and addressed in advance wherever possible. Still, data published by the European Commission has shown that by 2021 less than five percent of consumers in the EU were using open banking, demonstrating that concerns around trusts have not yet been overcome.
Apart from evaluating the data protection capabilities of banks and financial institutions, it is important not to overlook the data management capabilities and strategies and information security management frameworks of third-party providers. For example, Hong Kong has issued a common baseline that consolidates the business and management considerations when assessing a collaboration provider to assist financial institutions to evaluate the nature and risk levels of collaborating with a third-party provider, as well as provide guidance for ongoing monitoring of such a collaboration.
Another concern that often is discussed in the context of open banking is around financial institutions being resistant to open banking, in an effort to protect the data that they hold. As noted above, in the UK, nine of the UK’s largest banks were required to adopt open banking, which meant that open banking was available to consumers and did not rely solely on voluntary uptake. Those banks have themselves taken advantage of open banking to develop their own products, and numerous institutions have followed in their steps.
Source : Technology