Whether you know it as open banking, Section 1033 or personal financial data rights (if you're not into the whole brevity thing), the Consumer Financial Protection Bureau is about to shake up the way consumers access their financial information.
Stakeholders scrambled the jets to provide their feedback on the bureau's 299-page behemoth of a proposed rule before the Scrooge-esque deadline of Dec. 29. Even the CFPB's sister agency, the Small Business Administration, asked more than once for additional time for small-business owners to comment.
The rush job was unfortunate; not only because the 12 days of Christmas turned into the 12 days of writing comment letters, but also because it detracted from a foundational exercise in creating a new regulatory regime. The proposal was far from perfect and the CFPB still has a lot to do to make sure consumers are protected and market participants aren't set up to fail.
There's the lingering question of what API specs to build around, how to balance access to information with fighting fraud and even something as basic as which account types are in scope, for instance.
While a handful of nonbanks might be subject to some form of scrutiny by the bureau, the vast majority are fintechs that fly under the radar. The Federal Trade Commission has retrospective enforcement powers, but this is unable to catch and prevent ongoing consumer harm.
All the lofty principles in the bureau's rule count for little if they are only enforced selectively. Consumers deserve to be protected consistently, regardless of whether the entity is a bank or a nonbank.
While we wait for the CFPB's next moves, we can start to think ahead about what the regulation might mean for banks. One of the most interesting concepts of the data sharing ecosystem is that entities can play different roles depending on the situation. In other words, they can wear many hats. It's very easy to fall into the trap of thinking that a bank is always going to be a data provider, and they do generate nonpublic personal financial information in the course of their business operations.
Therefore, it is true that they will have to send out financial data to third parties based on their customers' consent. However, banks can just as easily obtain the consumer consent necessary to bring in data.
There is a steep learning curve for 1033 — developer interfaces, qualified industry standards, authorization/authentication/revocation — it's a lot to take in. But it's important to remember that as significant as the compliance costs will be for the personal financial data rights rule, it also presents potential opportunities.
In short, banks can use consumer-permissioned data to develop the kinds of innovative products and services their customers (existing and prospective) want. Common use cases include novel types of lending products to reach new markets, personal financial management to find ways to improve financial awareness and health, market-tailored platforms (such as restaurants) to reflect preferences and many more.
It's not known how the specifics of the proposed rule will land when the final rule is released. What is clear is that third parties as a class will be expected to have formalized workstreams in place when accessing a consumer's financial information. This is familiar territory for banks; if they identify viable use cases for receiving consumer-permissioned data, they are well equipped to operationalize it in a compliant manner. And, what's more, banks will be held to account as part of the rigorous supervisory process they undergo. Alas, the same cannot be said for many third parties operating in the ecosystem.
Banks should take a broad view of the open banking landscape. While they are thinking through ways of operationalizing the data provider provisions, banks should begin to ponder how functioning as a data recipient could fit into their strategy. It might be time to try on that new hat.
