On Dec. 3, 2021, BPI and The Clearing House hosted a symposium exploring the future of consumer financial data access in the United States in anticipation of the CFPB’s proposed rulemaking under Section 1033 of the Dodd-Frank Act. During the event, leading policy and technical experts from the regulatory agencies, financial institutions, data aggregators, FinTechs and think tanks shared their views on a range of topics, including how Section 1033 may be implemented in the United States, enhancing security around consumer data, increasing consumer awareness of how their data is used, and possible ways to ensure that consumer consent is informed.
The first panel, What is “Open Banking” and What’s Ahead for the U.S. Under Section 1033?, discussed the benefits that innovation in the financial services marketplace and the enhanced control by consumers over their data can have for consumers and for competition in the financial services marketplace. However, as with any innovation, new risks are presented, including around data protection and consumer awareness and authorization around where, when, by whom, and for what purpose consumer data is collected and used by other entities. Some stakeholders have suggested that while there are industry efforts to address these questions, CFPB intervention may be needed to ensure uniform protections are implemented.
The panel discussed what “open banking” means in different jurisdictions and how that concept is continuing to evolve to encompass open finance and open data. The panel discussed the U.K./E.U. “top-down,” government-imposed approach to implementing open banking, generally recognizing that one jurisdiction’s regime cannot simply be imported into another jurisdiction with the same results – for example, the “top down” approach would likely not work in the United States, where so much innovation and progress has already been driven by the industry and market participants. One panelist observed that the U.K./E.U. designed a relatively simplistic framework for fostering open banking, essentially based on a two-party relationship in which an app would request data from a bank. However, in the U.S. market, the ecosystem is much more complex, involving four or even five parties in any particular relationship, and many consumers have multiple apps and multiple financial institutions. Thus, a U.S. regulation must reflect this greater level of complexity in the U.S. ecosystem, including as it may relate to consumer consent, which is much more complicated given the greater number of entities involved.
In addition, in the U.K./E.U., the open banking initiative was designed to foster a one-way flow of data: from banks to FinTechs. However, FinTechs are becoming holders of data in addition to being users of data, which may drive further developments in the ecosystem and should be considered by regulators. In addition, the panel discussed the fact that the purported statutory mandate for “open banking” in the U.S. (i.e., Section 1033 of the Dodd-Frank Act) was written over 11 years ago, before the sophisticated ecosystem of information sharing between banks and FinTechs had emerged, and that the CFPB and other regulators should keep this in mind when implementing rules under Section 1033. In addition, the scope of what Section 1033 requires or authorizes is subject to different interpretations, leading some to question whether it authorizes the CFPB to impose U.K./E.U.-style “open banking” in the U.S.
The agencies on the panel represented that they are in close coordination regarding banks’ relationships with tech companies and that the agencies are pro-innovation, but that they are also focused on ensuring the security of consumer data, consumer protection and the safety and soundness of banks and the financial system. Further, the panel discussed the fact that many banking services are being provided outside of the regulatory perimeter by tech companies that are not subject to consolidated supervision. However, such consolidated oversight of entities providing banking services is important and will be a focus of the regulators, particularly the OCC, as Acting Comptroller Hsu has highlighted in several speeches recently.
The panel also explored the complex issue of liability for a data breach in this ecosystem in which multiple entities have access to a consumer’s data. In the physical world, liability may seem clearer than in the digital world. Regulators recognize the question of liability is an important one and consider liability-related questions from the customer perspective: whose customer is the consumer and which entity has the capacity to make the customer whole. However, others take a different view, and some panelists supported the notion that liability should follow the data and that once data passes out of the bank’s control to an aggregator or other data user, the bank should not be liable for something that has gone wrong at the aggregator or other entity. This approach also would incentivize all market participants to ensure they have appropriate security controls and safeguards in place to protect consumer data.
The second panel, Data Migration – Transition from Screen Scraping to APIs, explored ways to potentially accelerate the transition from screen scraping to Application Programming Interfaces (APIs). The panel discussed some of the key questions and challenges that arise in migrating to APIs, including the scope of data that is accessible via APIs, the assignment of liability and the deletion of consumer credentials, with some panelists expressing the view that informed consumer consent should be a precondition to sharing in any manner. The panelists discussed banning screen scraping, with some panelists expressing the view that there was a lack of incentive to fully move away from screen scraping in the market and that parties would prioritize migration based on the amount of time they were given to do so. Others noted that some consideration should be given to the fact that migrating may be more challenging for smaller banks, suggesting the possibility of a staged migration mandate based on bank size.
The consumer should have effective control over the type of information that is shared, how much information they are sharing, for what purpose, and for how long, all of which can be accomplished with APIs rather than screen scraping. Potential steps to enhance the protection of consumer data include implementing universal data security standards, supervision by the CFPB over the largest data aggregators and enhanced consumer consent and control over their data. For smaller banks and core providers, the question is one of speed of the transition to APIs. Some of the challenges to moving to APIs include general resistance to change by some in the ecosystem and aligning incentives to switch to APIs. If entities are used to getting data through screen scraping, there may not be the right incentives to move to APIs. Further, agreements to move to APIs between a bank and an aggregator can take a very long time to finalize, which can serve as a deterrent to transitioning to APIs. One panelist noted that regulators should act where the incentives to move to APIs are not present in the marketplace currently.
The final panel, Informed Consumer Consent, focused on a number of issues around ensuring consumer consent in sharing financial data, including how to ensure consent is informed and where responsibility lies for obtaining consumer consent. Topics addressed included the specific processes for opting in or out of data sharing, the duration of consent (e.g., some posit that consent lives in perpetuity, even after the customer deletes the relevant app from their phone), whether and how to require reauthorization, and whether consumers should be able to modify or revoke access or request that their data be deleted. The panel also discussed the concept of an “agent” as set forth in Section 1033 and what that may imply for requiring strong consumer consent on the part of entities acting as a consumer’s agent with respect to their financial data, such as data aggregators.
The panel also discussed the fact that research consistently shows that consumers have very little understanding of whether or when third parties are involved when consumers share their financial data. The panelists also explored what issues consent should address and how to ensure that consent is informed and meaningful and not simply a request that consumers “click if you have read the terms and conditions.”
One panelist noted that their research globally had indicated that consumers want informed granular consent around seven elements:
- who holds the data,
- what specific data fields are being accessed,
- what time period is the data held for,
- how long is that permission being granted,
- how frequently will data be used,
- who the requester is, and
- for what purpose will the data be used.
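The seven consent elements above, together with the earlier point that scoped, time-bounded, revocable sharing is achievable with APIs but not with screen scraping, map naturally onto an enforcement check at the data holder. The Python below is an added illustration, not code from the symposium, the panelists, BPI or The Clearing House: it models a consent grant carrying those elements and checks each data request against it (requester, fields, purpose, expiry, revocation and a frequency cap). The app name, field names, purpose string and dates are constructed sample values. With screen scraping there is no equivalent enforcement point, because the third party holds the consumer's login credentials and the bank cannot tell the scraper from the consumer.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ConsentGrant:
    """One consumer's consent to share data, capturing the seven granular elements."""
    data_holder: str                 # who holds the data (the bank)
    requester: str                   # who is requesting it (the app or aggregator)
    fields: frozenset                # which specific data fields are covered
    purpose: str                     # for what purpose the data may be used
    granted_at: datetime             # when the permission was granted
    permission_duration: timedelta   # how long the permission is granted for
    retention_period: timedelta      # how long the recipient may hold the data
    max_requests_per_day: int        # how frequently the data may be pulled
    revoked_at: Optional[datetime] = None
    access_log: list = field(default_factory=list)  # timestamps of granted requests

    def expires_at(self) -> datetime:
        return self.granted_at + self.permission_duration

    def revoke(self, now: datetime) -> None:
        """Consumer withdraws consent; all later requests are refused."""
        self.revoked_at = now


def check_request(grant: ConsentGrant, requester: str, requested_fields,
                  purpose: str, now: datetime):
    """Decide whether a data request is covered by the grant.

    Returns (allowed, reason). Each check is made against the consumer's
    recorded consent, never against what the requester claims about itself.
    """
    if requester != grant.requester:
        return False, "requester does not match the consent grant"
    if grant.revoked_at is not None and now >= grant.revoked_at:
        return False, "consent revoked"
    if now >= grant.expires_at():
        return False, "consent expired; reauthorization required"
    extra = frozenset(requested_fields) - grant.fields
    if extra:
        # Scope is enforced field by field: a budgeting app consented to
        # balances and transactions does not get the account number.
        return False, f"fields outside consent: {sorted(extra)}"
    if purpose != grant.purpose:
        return False, "purpose does not match consent"
    window_start = now - timedelta(days=1)
    recent = [t for t in grant.access_log if t > window_start]
    if len(recent) >= grant.max_requests_per_day:
        return False, "frequency cap reached"
    grant.access_log.append(now)
    return True, "ok"


def make_sample_grant() -> ConsentGrant:
    """Constructed sample grant (hypothetical names and values)."""
    return ConsentGrant(
        data_holder="ExampleBank",
        requester="BudgetApp",
        fields=frozenset({"balance", "transactions"}),
        purpose="budgeting",
        granted_at=datetime(2021, 12, 3, tzinfo=timezone.utc),
        permission_duration=timedelta(days=90),
        retention_period=timedelta(days=30),
        max_requests_per_day=2,
    )


if __name__ == "__main__":
    g = make_sample_grant()
    t0 = g.granted_at
    print(check_request(g, "BudgetApp", ["balance"], "budgeting", t0 + timedelta(hours=1)))
    print(check_request(g, "BudgetApp", ["balance", "account_number"], "budgeting", t0 + timedelta(hours=2)))
    print(check_request(g, "BudgetApp", ["balance"], "budgeting", t0 + timedelta(days=91)))
```

The retention period is recorded but not enforced here, since it governs what the recipient does after the data leaves the bank; in practice it would be checked on the recipient's side or through supervisory review, which is the gap the panel's liability discussion is about.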
The panel also discussed that increasing the level of consumer digital literacy may be important in achieving informed consumer consent. In addition, the panelists noted that while transitioning to APIs can enhance data protection and address many other problems presented by screen scraping, such as by giving consumers more transparency and control over their data, the user experience still has to be positive, and APIs do not always achieve that goal, at least not currently. The relationship between the consumer and the app also is not covered by APIs. One panelist noted that data recipients should be registered with the government, and the government should define the liability and obligations of recipients, as well as the minimum data security requirements for those data recipients, as has been done in other jurisdictions, such as Australia and Canada.