USA | Dec 8, 2022

Open banking coming to US

/ Our Today

administrator

New regulatory framework developed to govern the trade

America’s Consumer Financial Protection Bureau (CFPB) has announced a new regulatory framework governing personal financial data rights, better known as “open banking”.

Conceptually, open banking mandates that financial service providers have open access to consumer financial data held by other financial institutions through the use of application programming interfaces (APIs).

The CFPB’s primary aim is to promote consumer “shopping” of financial products and services by ensuring that consumers (1) “won’t have to start from scratch” if they switch financial institutions and (2) will “have the leverage to walk away because they will have access to more tailored products and services”.

If adopted by the CFPB, the framework would reduce the current friction encumbering the flow of consumer data and may encourage reticent consumers to seek products or services from fintech providers.

The framework extends a worldwide trend in financial regulation emphasising open data flows, with the US soon to join the European Union (which adopted the payment services directive in 2015) in mandating data transparency.

Increasing competition between financial institutions and FinTechs

The CFPB aims to increase competition between traditional financial institutions and FinTechs, which it hopes will increase services and decrease prices. However, the mixed European experience shows the limits of the change open banking regulations may foster.

As proposed, the framework would apply to covered data providers and the information they collect while providing certain specified services. Covered data providers would include “financial institutions”, and the information they collect in providing “asset accounts” would be subject to the framework. Covered data providers would also include “card issuers”, and the information they collect in providing “credit card accounts” would be subject to the framework.

The framework would require covered data providers to make available six specified categories of information:

  1. Periodic statement information for settled transactions and deposits;
  2. Information regarding prior transactions and deposits that have not yet settled;
  3. Other information about prior transactions not typically shown on periodic statements or portals;
  4. Information concerning online banking transactions that the consumer has set up but that have not yet occurred;
  5. Account identity information; and
  6. Certain other information.

Expressly excluded from the requirement to make information available is any confidential commercial information, including algorithms used to derive credit scores or other risk scores.

Third party obligations

The CFPB’s framework also laid out certain obligations that third parties seeking consumer information must satisfy. Under the framework, third parties would only be permitted to collect, use, and retain information reasonably necessary to provide the product or service which a consumer has requested.

The third party would also be required to make available to the consumer a simple method for revoking their authorisation to access the consumer’s information at any point. A third party’s use of consumer-authorised information beyond what is reasonably necessary to provide the product or service that the consumer has requested would also be limited under the framework.

Furthermore, once a third party no longer reasonably needs the information to provide the product or service to the consumer, they would be required to delete it. The third-party obligations would also require that authorised third parties implement certain policies and procedures, including data security standards to prevent harm to the consumer arising from inadequate data security.

These obligations include policies and procedures to ensure the accuracy of consumer information collected and policies for making periodic disclosures to consumers, explaining how they may revoke their authorisation to access their information and request details about the extent of the third parties’ access to their information.

Rulemaking process

The framework is not a notice of proposed rulemaking (NPRM), nor is it an advance notice of proposed rulemaking. The CFPB must put forward any new contemplated regulation for a review process under the Small Business Regulatory Enforcement Fairness Act (SBREFA) of 1996 administered by the Small Business Administration.

In order to avoid being seen as ignoring the concerns of small businesses raised through the SBREFA process, the CFPB does not submit a full NPRM for review. But the contours of the CFPB’s thinking are easily gleaned from its SBREFA submission. The CFPB has stated that it expects to issue an NPRM sometime in 2023 with an anticipated adoption date in 2024.

To hedge against a resolution of disapproval under the Congressional Review Act by a potential Republican administration in January 2025 with the expectation that any final rule to be adopted must be done no later than the end of the third quarter of 2025.
