On October 19, 2023, the Consumer Financial Protection Bureau (CFPB) released its proposed rule, Required Rulemaking on Personal Financial Data Rights, better known as “open banking.”
The premise behind the CFPB’s open banking rule is that consumers need additional power over their financial information and that the consumers are victimized by an inability to switch financial services providers without incurring errors to their finances, fees, and damage to their credit rating.
This proposed open banking rule can be read as part of the CFPB’s larger goal of eliminating so-called “junk fees” in part by fostering competition through the decentralization of the United States financial system.
What does open banking require?
The primary obligation of financial institutions under the open banking rule is to comply with a consumer’s request to send the consumer’s financial information to an authorized third-party financial services provider. That information must be in a usable, electronic form.
In addition, the information provided must be the most recently updated information and would include authorized but not yet settled debit card transactions. Financial institutions cannot impose fees on a consumer or the authorized third party as a result of the consumer’s request. All depository institutions regardless of asset size are expected to comply with the open banking rule within four years. Larger institutions will have considerably less time under the current proposal.
In theory, open banking could be a boon to the credit union industry by incentivizing consumers to leave big banks in favor of better, more personal treatment from a credit union. However, the CFPB’s initial plan has significant problems which will harm credit union members.
The CFPB has largely ignored input from the Small Business Regulatory Enforcement Fairness Act Panel (SBREFA), and the CFPB seems intent on applying a “one size fits all” approach to open banking. This rule will harm members of credit unions due to the financial burden imposed for compliance, causing a reduction in dividends, an overall loss in the number of institutions, and a heightened risk of compromising the security of members’ non-public information.
Below are some of the key concerns with the CFPB’s open banking proposals.
The burden of vetting third parties
The proposed regulation in its current form will place an unfunded burden on credit unions and core data processors to perform up-front and ongoing due diligence of the third parties receiving data on behalf of the member.
The CFPB recognizes this burden but seems to seriously underestimate the effort of this due diligence. The CFPB has mentioned a potential accreditation process to alleviate the burden, but this process does not exist currently.
Roughly 1600 credit unions in the United States are under $25 million in total assets, with an average employee size of three people. The resources to perform up-front due diligence on each third party and then ongoing due diligence is simply not feasible without hiring additional bodies or a third party to perform this function.
The burden of creating portals and APIs
The proposed open banking regulation also creates an unfunded burden requiring credit unions to build portals that store the required data for each third party to which the consumer authorizes access.
The CFPB has taken the position that such costs will be negligible. Unfortunately, the CFPB has not taken into consideration that the financial institution must pay for the storage, maintenance, programming to create the data, cost of securing the data, or investment in the data itself.
In essence, the CFPB is lowering the cost of third parties by not requiring them to create and maintain the data and passing that onto financial institutions.
Lack of standards for data exchange
The CFPB has not determined whether qualified industry standards for data formats presently exist. The proposed rule would seek to accommodate the potential absence of such standards by stating that, in their absence, a data provider could rely on a format used by other similarly situated data providers.
The lack of clear standards will create a development burden because there is no qualified industry standard. Data providers will be forced to create multiple formats until a standard can be created.
Security and member privacy concerns
The proposed open banking regulation does require credit unions to secure and protect information. By granting access to third parties, liability and fraud losses are likely to increase for every financial institution.
Unaccounted for in the regulation is the likelihood that insurance costs will increase due to this additional liability. Litigation is also likely where multiple parties have access to member data, and it is unclear where the data breach occurred or who was responsible.
Disclosure of identity information and contact information
The CFPB proposes to require a credit union to disclose its developer interface, in a public and readily identifiable manner, documentation, including metadata describing all covered data and their corresponding data fields, and other information sufficient for a third party to access and use the interface.
Exposing this information to the public would increase the ability of bad actors to access the data by giving them insider knowledge about what data is available, making data providers a target for hacking.
Good in theory, not in practicality
While the open banking concept in theory allows small institutions to compete with the larger players in the financial sector, the CFPB did not fully consider the financial burden and numerous other areas of concern the proposed rule would place on the industry, security, and cyber security related events, or grasp of the effort to design and monitor custom portals to share customer information.
The issues of cost, security of customer data, lack of standards, increase in liability, lack of oversight of third parties, and harm to both industry stakeholders and consumers were brought to the attention of the CFPB, yet clearly were not taken into consideration in this proposal.
Credit unions should pressure the CFPB to table this proposal and continue to work with industry stakeholders to achieve a better solution that is affordable to all data providers, without putting them out of existence, while meeting the intention of the regulation.
The CFPB is silent on the monitoring aspects of the regulation, including response rates, reviewing required public disclosures of developer interfaces, third-party adherence to GLBA requirements, determination of data formats, monitoring for downtime, and third-party adherence to customer request and revocation procedures and documentation, to name just a few.
Prior to proposing regulations of this magnitude, the CFPB needs to form a committee of stakeholders much broader than was used for this proposal, including prudential regulators.