The director of the Consumer Financial Protection Bureau unveiled a timetable for writing a regulation that will likely force banks to give third-party apps and other financial institutions access to consumer financial data at consumers' behest.
The upcoming rule from the bureau, announced in
"While not explicitly an open banking or open finance rule, the rule will move us closer to it, by obligating financial institutions to share consumer data upon consumer request, empowering people to break up with banks that provide bad service, and unleashing more market competition," Chopra said in the speech.
Chopra said in the speech that the CFPB would propose the open-banking regulation in 2023 and that he hopes to finalize it in 2024. The process will kick off this week, when he said the CFPB will release a discussion guide for small businesses to consider as they provide the bureau some of the first formal comments on the matter.
The Dodd–Frank Wall Street Reform and Consumer Protection Act of 2010 required the CFPB to create a rule that requires financial institutions to give consumers access to their account data, but it took until 2020 for the CFPB to address the matter with a
One key change the new rule will bring, Chopra said, is that it will make it harder for large institutions that share personal data with consumers through application programming interfaces to "play games on availability, latency and critical data points, like price."
Although Chopra did not name them, such institutions likely include Plaid and Stripe, which share consumer financial data between financial institutions and financial applications, as well as some of the financial institutions themselves, such as JPMorgan and Bank of America, according to Peter Dugas, an executive director at the financial services consulting firm Capco.
The CFPB, the financial institutions affected by the new rule and the third-party applications that would gain access to consumer data as a result of the rule have a number of considerations to make over the coming years, Dugas said.
The Consumer Financial Protection Bureau is more than a year away from issuing a proposal on consumers’ right to control the flow of their data between banks and third parties such as fintechs, according to people familiar with the bureau’s thinking. Many previously expected a plan to arrive this spring.
One, he said, is cybersecurity — ensuring that, with greater access to financial data, such information does not end up in the wrong hands. Others include how the new rule would affect the use and sale of consumer financial data and the degree of access applications and third parties will have to data.
"We've seen third parties, or fintechs, complaining that financial institutions are mitigating the way that they can get access to their customer accounts through something called latency," Dugas said. "Latency refers to certain restrictions or slowdowns being put on those API calls. It's about how quickly and effectively these third parties and fintech companies get access to that data."
The most important considerations the new regulation will concern are liability for data breaches and third- party data-access licensing, Dugas said. As data sharing becomes more common, so too may data breaches, which raises the question of who will be at fault when data shared through an open-finance API ends up in the hands of criminals.
Additionally, to mitigate such breaches and ensure the fintechs accessing consumer financial data have sound practices for handling it, Dugas said, the CFPB could consider establishing a licensing regime that would authorize companies to share and process financial data on consumers' behalf, though the details of such a system are not fleshed out.
The open finance rulemaking process coincides with two other rulemaking processes, one by the CFPB and the other by the prudential financial institution regulators. The other CFPB rule in development concerns Section 1071 of Dodd-Frank, which requires banks to provide equal credit opportunities to women-owned businesses, minority-owned businesses and small businesses. The rule by the other financial regulators concerns the Community Reinvestment Act.
Dugas said all three rules will require financial institutions to collect and process a significant amount of data to assess how they are and will comply with those rules.
"Without coordinated organizational focus around those three rules, banks are going to have a significant challenge trying to comply given all three rulemaking processes require significant amounts of data and a significant amount of change to their core platforms, the products and services being offered, policies and procedures, and all the controls," Dugas said. "So, it's a pretty big lift for many financial institutions, given that all three are potentially hitting next year."
