Open Banking: Is the US Regulation Ready?

We live in the age of data and there are rumblings of a war brewing. Why?

Because there is a lack of clear ownership of data. Data and tech giants like Amazon and Facebook have laid claim to all the personal data they can get their hands on, using it to generate billions in revenue. Even smaller companies that offer “freemium” services are mining, collecting, sifting through, and selling personal information for a hefty price tag. Let’s not forget the massive amounts of data that government institutions have on individuals.

Meanwhile, the people to whom the data is tied are rendered helpless (for the most part, except for those folks in California, thanks to the CCPA) against how that data is collected, used, and sold. They’re also helpless to protect that data or to have a say in how it is secured and ported. The implications are significant when we look at how this plays out with financial institutions and fintechs. Abroad, this problem is starting to be addressed by the Open Banking movement, which aims to provide broader and more transparent data options for consumers while spurring innovation in a sector that desperately needs it.

In a recent episode of the Tech on Reg podcast, I spoke with Brian Costello, Vice President of Data Strategy & Strategic Solutions at Envestnet | Yodlee, to uncover some of the factors that have hindered open banking from fully taking hold in the U.S. Brian’s experience at Yodlee allowed him to provide us with unique insights on the industry and consumer privacy and permissioning. Yodlee is a global market leader in consumer permissioned aggregation services. For the past 20 years — before current open banking initiatives — Yodlee provided the plumbing for the commercial market that allows consumers to access their data at financial institutions and permission third parties to receive goods and services.

What is Open Banking?

Brian defined “open banking” (small “o”, small “b”) early on as the right and ability of a consumer or a small business to access the data that their financial institution holds on them. It also means the financial institutions holding that data should have some requirements around safeguarding it.

Some background: open banking is really one implementation of an Open Data principle, which started with government. The subtext is that we, as citizens, should be able to know and access all the data that our governmental institutions have about us, to use it, and to correct it. The onus lies with the institution to protect it. Open banking applies that principle to financial services. Sounds simple enough, right?

The U.K. seems to think so. Abroad, regulations exist that require banks to cooperate with authorized third parties. Those third parties can then use open APIs to build out applications or other services around the data within the financial institution. While Open Banking abroad is inclusive of third parties, in the U.S., there’s no legal requirement that a financial institution must make a customer’s financial data available to a third party, even if the consumer provides affirmative consent. Once more for the cheap seats in back: even if the consumer provides affirmative consent.

If that sounds backward, it’s because it is. On the podcast, Brian was quick to point out that there’s even some regulatory friction around sharing data with consumer consent. He solidified this point by walking us through a hypothetical scenario. Think about the last time you opened a bank account. You had to sign disclosures and answer some questions. You essentially consented that the bank could use your data to deliver financial services, and you also consented that it could use your data to meet certain regulatory requirements, including anti-money laundering (AML), fraud detection, and the Bank Secrecy Act. The bank also asks whether or not it can share your data with affiliated third parties who would like to offer you goods and services. More likely than not, you answered no because you hate being sold to. Fair enough.

Fast forward to several weeks later, though, when your coworker tells you about a “fantastic” financial management app that you just “have to try.” You’re intrigued, so you download the app or visit the website and go through the entire online process, linking your bank accounts and entrusting your credentials to this organization in the process. That service provider then takes the permission you’ve granted to your bank and basically says “We’re here on behalf of John Smith and he provided his credentials. Please give us this data.”

This is a problem. The bank faces a conundrum. When you signed up with the bank, you told them “no” to allowing third-party providers access. Now they’re being asked to provide that access anyway. What’s a bank to do? In most cases, they err on the side of good customer service and they tolerate access by this third party. They tolerate rather than allow because they know that if something bad happens, they’re on the hook. This problem is a direct result of a fragmented ecosystem — a fragmented ecosystem that open banking is trying to address.

Brian also highlighted the important difference between our situation in the U.S. versus our friends across the pond. In the U.K., Open Banking (capital “O”, capital “B”) is a regulatory-backed regime that facilitates a connected ecosystem. Open Banking enables a central authority to build traceability and protection into a liability framework that governs the ecosystem. That way, if (when) bad things happen, customers are protected and they’re made whole by the party responsible for the harm. Ultimately, that is the goal of open banking in the U.S., but we’re facing strong headwinds that may be difficult to push through.

What Open Banking Fixes

Open Banking addresses a lot of the concerns that come from a fragmented ecosystem. We’re also at a point of inflection right now. Regulatory support is building around the globe, enabling harmony among regulations and putting strong consumer protections in place. Computing power is readily available along with algorithms that can seamlessly analyze consumer data. It’s the perfect time to make the leap.

Brian and I agreed the results would be endlessly beneficial. It would give financial service providers the ability to provide very personalized advice and quick decisions. All these elements combined equate to bespoke financial services for individuals — whether it is advice or products or product recommendations — all based on each consumer’s individual data. Think about it: our individual data is incredibly robust. It includes not just financial data and financial behaviors, but data that can be mapped across life stages and life goals. The advice we receive can then be tailored in meaningful ways, depending on whether we’re millennials or Gen X, whether we find games appealing, or whether we respond well to digital nudges. One of the biggest questions is “why aren’t we already doing this?”, especially when these are things that consumers have been loudly and clearly advocating.

Consumers Leery of Centralized Regulatory Powers

While U.S. consumers are vocal about wanting more personalized financial tools, they are also suspicious of center-driven regulation. Regulation from the center tends to make people antsy, even though the end result is that it often drives bigger and better markets. In nearly all open banking initiatives abroad, the key drivers were to encourage innovation, avoid monopolies, and enhance consumer protections.

The bottom line is that the U.S. framework for financial services boils down to the state versus federal regulatory regime, which impacts many financial issues beyond open banking. You can see this in the California Consumer Privacy Act (CCPA), which is underpinned by the notion that consumers have a right to their data and to a say in what happens to it.

The problem lies in how some of these privacy regulations are publicized to the masses. In most cases, the headlines focus on the “protection” element, while the portability element remains a buried lede. Brian emphasized that, for consumer privacy regulations to thrive and promote open banking, “portability has to be on par with protection.” Without portability, it becomes extremely difficult to allow qualified, authorized, properly permissioned third parties to access data.

What’s the Holdup?

Section 1033 of the Dodd-Frank Act establishes that U.S. citizens should have access to their financial data. It has even been argued that this section, together with the documents and positions that have come from the Consumer Financial Protection Bureau (CFPB), is where open banking is being encouraged. But the CFPB is treading carefully.

What we know (and what the CFPB has tried to state) is that consumers have a right to access their information. But the guidance issued by the bureau is qualified by saying “subject to rules prescribed by the bureau.” Bottom line — the bureau has not yet exercised its rule-making authority to really define how consumers can access their information.

As Brian points out, the lack of a rule means that other rules and laws that are already in place have to take priority. Reg E, which makes banks accountable for losses, is what’s coloring the innovation and the access to tools and services that depend on consumer data.

Why the CFPB is Playin’ it Cool

It’s a complex issue. There are passionate stakeholders on all sides of it. And the conversations to be had are difficult. Brian provided a clear example of how this tends to unfold. Let’s assume a law comes into play that says that consumers can access their data at the bank and the bank has to make this information available in an electronic format. Pretty straightforward, right?

It is — right up until someone asks the next most obvious question: which electronic format? Now we’re looking at a non-standardized situation. If the government tries to prescribe an industry standard, nearly every industry player is going to throw up their hands in frustration. Where’s the innovation in that? Incumbents will cry foul because they have to consider returns to shareholders alongside the reality that they are competing in a market that is being flooded with unregulated or less-regulated competitors.

That’s just the beginning of the onslaught of opinions flooding Washington anytime the CFPB considers making a rule. Then there are considerations about putting bigger authorization schemes in place. There’s also fuss about how the federal banking regulators can also examine large-scale technical service providers in the market under the Bank Services Company Act. Long story short: everyone freaks out.

So it makes sense that the CFPB is trying to calm the already-choppy waters of a fragmented market by playing it cool when it comes to setting rules. Instead, they’re trying to leverage their influence to try and get all stakeholders to play nice in the sandbox together — or at least to not throw sand.

I get it, but I also know that rulemaking is necessary. The CFPB can only play it cool for so long. Eventually, they’re going to need to get everyone on the same page — and at the necessary comfort level — so that rules can be made. No one’s going to be 100% comfortable, but we can get “close enough” to move things along and avoid lawsuits and stays and injunctions (not that those have ever stopped a federal regulator from issuing a set of rules and regs).

One part of getting to this point is having an industry consortium model, much like the Financial Data Exchange (FDX), which includes many big banks like JP Morgan Chase, Bank of America, and Wells Fargo along with data aggregators, permissioned parties and fintechs. The goal with FDX is to create a royalty-free interoperability standard for the safe exchange of consumer-permissioned data. That means developing a set of data exchange protocols (APIs) so that financial institutions of all sizes can make the data available to third parties, and those third parties could be aggregators that in turn serve smaller clients, like fintechs.

The other element is creating an authorization scheme that doesn’t require the end-user to entrust their online banking credentials to a third party. Both of these initiatives lead to a more reliable exchange of data where consumers don’t have to worry about entrusting their online banking credentials to multiple parties. They also go a long way to helping policymakers and regulators feel better about putting rules in the system. You have to have both: a level playing field for competition and innovation and wholesale consumer protection. The latter requires a liability framework based on excellent traceability and prescriptive standards.

Is Data the New Oil?

Many industry leaders have commented that data is the new oil. In a piece in Forbes, Ron Shevlin asked: is oil “a resource easily and freely shared between those who have it and those who want it? Of course not. So why should we and would we have data be easily and freely shared in this context?”

According to Brian, a more apt comparison could be that data is the new air. Consumers generate data about themselves and their behaviors with everything that they do. Being able to use that data for their own purposes — to share that data with the third parties that we’ve decided are best-suited to help us achieve positive outcomes — is absolutely essential.

In the short term, we’re likely to hear more parties within the ecosystem begin to frame discussions in this way. We’ll hear terms like “constitutional right to privacy” and “data as a human right.” At the end of the day, we need to establish a clear-cut way to enable people to control their data and to hold third parties accountable to the requirements for using that data — and to respect our rights over that data.