“Open Banking” Promoted in New CFPB Rule

In October 2023, the Consumer Financial Protection Bureau (CFPB) proposed a new rule intended to encourage “open banking.”  “Open banking” is the practice of sharing, with consent, consumers’ banking and financial data (account balances, transaction history, payment due dates, routing numbers, and the like) with third-party vendors who in turn use the data to offer a variety of services, from financial portfolio management, bill paying, and investment advice, to facilitating financial transactions, lender shopping, and even aggregating data for marketing or research, among other uses.

The proposed rule, called the “Personal Financial Data Rights” rule, would require any entity that controls or possesses consumer financial data (a “data provider”), such as a financial institution, to share that data with third-party vendors at a consumer’s request, “in an electronic form usable by consumers and authorized by third parties,” at no charge.  The rule would also limit a data provider’s ability to keep and use the data.

As explained in the CFPB’s notice of proposed rulemaking, open banking emerged in the early 2000s and has led to a more fluid and variable financial system.  The Bureau estimates there may be as many as ten thousand third-party providers using, and hoping to use, financial data generated by the thousands of banks, credit unions, and non-depository financial institutions in the United States.

The CFPB’s Director Chopra justified the new rule by stating that “a handful of very large banks and financial firms control much of the market” and that it was needed to “jumpstart competition.”  In a press release, the CFPB is promoting the new rule as a way to “allow people to break up with banks that provide bad service.”  Entities such as the Electronic Transactions Association, an advocacy and trade association for the payments industry, have reacted positively to the proposed rule and the possibility of increasing convenience and reliability in the exchange of financial data that about promoting competition.  At the same time, the rule could increase the risk of potential misuse of customer data by third-party vendors.  Misuse, whether intentional or negligent, could violate privacy rights, alienate customers, and expose the financial institutions to liability for a third-party vendor’s error.  The Credit Union National Association, a trade association representing America’s credit unions, criticized the new rule for “only requiring the baseline level of identity information without any oversight or supervision for compliance with the rule of these third-party actors.”

In its notice, the CFPB does recognize at least one security risk associated with open banking:  “screen scraping,” the process of using a consumer’s voluntarily divulged credentials to gather data.  As explained in the notice, early efforts at open banking largely relied on screen scraping, accompanied by the problems and risks inherent in a system reliant on disclosed passwords.  Although the ensuing decades saw the development of software called developer interfaces or application programming interfaces (APIs), which allow platforms to communicate without completely integrating and thereby avoid the risks of divulged passwords, screen scraping is still, according to the CFPB’s notice, “prevalent in the market today.”  The CFPB “estimates that about half of third party data access currently occurs through APIs; scraping comprises the bulk of the balance.”  To encourage an open banking infrastructure less dependent on scraping, the new rule would mandate that data providers “establish and maintain” a developer interface or API (proposed 12 CFR 1033.301), and would prohibit the data providers from allowing a third party to access that interface with any credentials that a consumer uses (proposed 12 CFR 1033.311(d)(1)).  In this way the CFPB anticipates that, though screen scraping would still be allowed, its use in the industry will wane.

Comments on the proposed rule must be received by the CFPB on or before December 29, 2023.