The Problems With The CFPB’s New Open Banking Rule

OBSERVATIONS FROM THE FINTECH SNARK TANK

The Consumer Financial Protection Bureau (CFPB) issued a final rule to implement Section 1033 of the Consumer Financial Protection Act of 2010. Hailed by many in the banking industry as bringing “open banking” to the US, the rule mandates that financial institutions provide consumers with access to their personal financial data upon request. The data must be shared securely and reliably with consumers or authorized third parties. Key provisions of the rule include:

1. Data accessibility. Banks and credit unions are required to make financial transaction histories and account information available to consumers or their authorized third parties in a standardized electronic format.
2. Third-party obligations. Entities accessing consumer data must adhere to specific privacy and security standards, ensuring data is used appropriately and protected against unauthorized access.
3. Standardization and interoperability. The rule promotes the development and use of standardized formats for data sharing, facilitating interoperability among financial institutions and third-party providers.
4. Consumer rights. Consumers are empowered to control their financial data, including the right to access, share, and revoke access to their information as they see fit.

Why Rule 1033 Will Fall Short Of Its Goal

The CFPB’s 1033 rule aims to empower consumers by granting them access to and control over their financial data. But that assumes that we have the knowledge, resources, and capacity to manage such complex responsibilities. This assumption is problematic for a number of reasons:

1) Education gap. Managing financial data involves understanding things like data security, third-party provider credentials, and consent agreements. But, as so many people here like to point out, we have a financial literacy (or illiteracy) problem in the US. Many consumers lack formal education in financial literacy or cybersecurity, making them vulnerable to exploitation or mismanagement of their data.

2) Volume of data and providers. Many consumers—particularly younger ones—interact with upward of a hundred financial providers. Constantly monitoring, authorizing, and renewing consent for multiple providers will create an unsustainable load for the average consumer. Revoking data access requires knowledge of the process and vigilance to ensure that 3rd parties no longer have the data. Many consumers simply won’t spend the time to track these activities.

3) Vulnerability to data privacy risks. Many consumers are unaware of how their data may be used once shared. PII isn’t even needed anymore for marketers to accurately individual consumers. Providers could use data for purposes like targeted advertising or profiling, potentially violating consumer expectations.

4) Inability to address data breaches. While there are some good tools available today, most consumers lack the resources to track and resolve data breach issues. Financial recovery, identity restoration, and credit monitoring require expertise and time that many consumers do not have.

Addressing 1033’s Shortcomings

To address these challenges, the industry needs:

• Standardized certifications. While the 1033 rule requires the secure handling and sharing of consumer data, it doesn’t include a formal certification process or licensing requirement.
• Enhanced default protections. Instead of placing the responsibility on consumers, banks should implement security measures like automatic consent expiration and granular access settings.
• Simplified consent processes. While the rule emphasizes explicit consumer consent and robust security measures, it leaves the implementation and verification of these requirements up to financial institutions and data recipients. Consent frameworks should be designed to be easily understood, using visual aids where needed.

The Unintended Consequences of Open Banking

While Section 1033 aspires to give consumers control, it places an excessive burden on individuals to manage complex data-related responsibilities.

Without additional safeguards and educational measures, the rule risks empowering only the most informed and resourced consumers, leaving others—i.e., those 1033 was designed to help the most—more, not less, vulnerable.

To support that assertion, one academic study, titled “Open data and API adoption of US Banks,” found that:

“Open banking and bank data portability might result in unintended consequences for bank and fintech competition and borrower welfare. Allowing voluntary data porting by consumers can lead to possible unraveling (i.e., customers are compelled to share data as non-disclosure will be perceived negatively by providers) and negative data externality for customers who don’t share data. The loss of customer information due to fintech competition can disrupt information spillover within banks (e.g., by using payment data to learn about consumers’ credit quality).”

Proponents of open banking never seem to address these unintended consequences.