Ladies and Gentlemen:
The undersigned trade associations[1] (together “the associations”) appreciate the opportunity to comment on the National Institute of Standards and Technology’s (NIST) internal report on Cybersecurity Considerations for Open Banking Technology and Emerging Standards (hereinafter “report”).[2] The associations commend NIST for identifying the importance of cybersecurity and privacy safeguards in the consumer financial data sharing ecosystem. The report, however, does not adequately address these important considerations or acknowledge the evolution in data sharing that has occurred in the United States in recent years and that continues apace.
In the United States, shifts in consumer demand for more digital and interactive financial products and services have dramatically changed the marketplace, which now includes an increasing number of fintechs and other companies not subject to the same comprehensive regulatory oversight as banks, but increasingly facilitating access to sensitive consumer data to provide such products and services.
This surge in adoption of digital products and services has accelerated banks’ efforts to leverage market-developed technological solutions to help meet customer demand while ensuring consumers’ sensitive financial data is kept private and secure. Unlike other jurisdictions in which consumer financial data sharing has been mandated by government action, this expansion of consumer data access in the United States has developed via innovation in the marketplace. Under an industry-driven approach, participants can innovate and adapt more quickly to market changes and develop safer solutions.
The associations support innovation and welcome competition in payments and other financial products and services when this innovation is conducted responsibly and in a way that ensures customers are protected through consistent regulation and oversight. In this regard, the associations support the ability of bank customers to securely connect their bank accounts to the third-party apps of their choice, which in some cases may involve the interposition of a data aggregator to collect the customer’s information from a financial institution and provide it to the app. It is critical, however, that consumers’ personal and financial information remains secure when it is shared between financial institutions and third parties. Ensuring the security of customer data is, and will remain, a top priority for the banking industry.[3]
We have concerns that the report does not sufficiently address all of the complexities and risks that an open banking regime may introduce, nor does it provide recommendations for cybersecurity or privacy standards, contrary to both the title and purported purpose of the report.
In addition, the report generally endorses open banking without providing a complete discussion of the potential benefits and risks of increased data sharing and without recommending appropriate privacy and cybersecurity measures to address those risks, consistent with the thoughtful approaches NIST employed in developing the Cybersecurity Framework and the Privacy Framework. Nor does the report reflect consultation with key stakeholders in the data sharing ecosystem such as banking organizations, fintechs, or the Financial Data Exchange (FDX), an industry standard-setting body that was established for the sole purpose of developing security protocols for Application Programming Interfaces (“APIs”) to facilitate a more secure connected banking ecosystem.
Finally, section 1033 of the Dodd-Frank Act provides the CFPB with authority to promulgate rules regarding consumer access to financial records. The CFPB has taken several steps to gather information about the consumer data sharing ecosystem but has not yet issued proposed rules to implement section 1033.[4] For these and other reasons described herein, we recommend that NIST delay further action on this report until after the CFPB has proposed a rule under section 1033. Such a proposal should provide NIST with a more concrete basis on which to provide recommendations relevant to the U.S. consumer data sharing ecosystem. We also recommend that any further action on this report proceed only after NIST engages in further information gathering and discussion on the current state of the financial data sharing ecosystem in the United States, including consulting with key market participants and stakeholders, and revises the report to address the full range of significant risks and benefits that would have to be addressed in an open banking regime to ensure the security and privacy of consumers’ data.
[1] Please see Annex A for a description of the associations.
[2] Voas, et al., “Cybersecurity Considerations for Open Banking Technology and Emerging Standards,” National Institute of Standards and Technology draft report 8389 (Jan. 3, 2022) (available at: https://doi.org/10.6028/NIST.IR.8389-draft).
[3] SIFMA notes that the concerns expressed in this letter generally are the same for all of its members, including those that are not banks or bank affiliates.
[4] See, e.g., CFPB, Consumer Protection Principles: Consumer-Authorized Financial Data Sharing and Aggregation (October 18, 2017), available at cfpb_consumer-protection-principles_data-aggregation.pdf (consumerfinance.gov); Advance Notice of Proposed Rulemaking issued by the Consumer Financial Protection Bureau seeking input on consumers’ access to financial records pursuant to Section 1033 of the Dodd-Frank Act, 85 Fed. Reg. 71003 (Nov. 6, 2020).