Around the world and here at home, financial services are slowly moving toward open banking and open finance. A more decentralized and neutral consumer financial market structure has the potential to reshape how companies compete in the sphere.
This week, the CFPB will launch the process to activate a dormant authority under Section 1033 of the Consumer Financial Protection Act that I expect will accelerate this shift.
The provisions provide for personal financial data rights for Americans, but would only have teeth after the CFPB defined the specifics through rules.
While not explicitly an open banking or open finance rule, the rule will move us closer to it, by obligating financial institutions to share consumer data upon consumer request, empowering people to break up with banks that provide bad service, and unleashing more market competition.
If successful, it will also reduce the ability for incumbents to build moats and for middlemen to serve as gatekeepers. It will provide big advantages to those who provide the best products, service quality, and rates.
Today, I want to start off by talking a bit about the CFPB’s new approach to regulation. Then, I will describe what some of the features of a more open and competitive market would look like, along with where individual consumers and new firms will have more leverage and opportunities. I’ll then outline some details about where we are headed, as well as what we are hoping to avoid. I’ll close by discussing the timeline and next steps to get this done.
A few words about our approach to market regulation. Regulation of the financial services industry has a bad name, and rightfully so.
Financial regulators have largely complied with what dominant incumbents desire by writing complicated rules to fit existing business models. Much of it involves financial institutions handing consumers a lot of fine print that they may not even read, like those financial privacy notices companies send. It’s a lot of busy work and paperwork.
At the CFPB, we are shifting away from this approach, and instead, we are looking to create catalysts for more competition.
There are many forms of procompetitive regulation, such as rules that reduce switching costs or barriers to entry, rules that promote price transparency and shopping, rules that reduce conflicts of interest, and rules that place limits on business activity in order to ensure that firms don’t exploit their control over critical networks. Ideally, these rules are bright lines that require a minimal number of lawyers who bill by the hour.
Telecommunications in the U.S. has several noteworthy examples. The Federal Communications Commission’s number portability rules reduced switching costs by allowing customers to move their phone number to a new carrier. This jumpstarted more competition in the market. Decades before, the so-called Carterfone rules ensured that new devices could be interoperable with AT&T’s network, through standardized jacks and plugs, even if produced by third parties.
These and other successful examples of regulation that decentralize market power are guiding our financial data rights rulemaking. With this in mind, here is what we think a more open and competitive market could look like.
A New Competitive Market
First, individuals and nascent firms would have more bargaining leverage. In today’s market, consumers can often permit access to their financial information through data brokers, sometimes referred to as data “aggregators.” But the broader overall regime is broken because consumer access is based on a set of unstable and inconsistent norms across market participants.
For example, even when large institutions that share personal data with their customers use APIs, there is no guarantee those institutions don’t play games on availability, latency, and critical data points, like price.
We expect that these games will become much more difficult for incumbents to play.
Specifically, we expect that the public will gain more bargaining leverage once data holding companies must share authorized consumer data with authorized third parties. And, this will lead to more shopping by consumers both because they have the leverage to walk away and because they will have access to more tailored products and services.
For instance, individuals who want to switch providers will be able to transfer their account history to a new company, so they don’t have to start over if they are unsatisfied with the service provided by an incumbent firm.
Likewise, nascent firms would be able to use data permissioned by consumers to improve upon and customize, to provide greater access, and to develop products and services. Under the current regime, nascent firms often find themselves in the position of needing to curry favor with big market players.
Second, there would be better security of personal financial data. One reason that the current ecosystem is unstable is that many companies currently access consumer data through activities like screen scraping. However, such methods are not secure, and they are likely not sustainable, especially as data security standards potentially evolve to a point that such activities may become blocked.
If a firm is required to make a person’s financial information available to them, or to a third party acting on the consumer’s behalf, via a secure method, we will be able to mitigate some of the problems that exist today.
For example, consumers who want to link their accounts with an app that helps them budget, make payments, or find a route to affordable credit would be able to do so without having to provide login credentials to third parties that are used in screen scraping.
People would feel secure knowing that both the data holder and the data receiver follow secure practices. For Americans to be confident that they have the consumer financial product that is right for them and their specific needs, they should be able to share their data readily, but safely.
Third, there would be more switching and incentives for better service. In an open and competitive market, it is easy for individuals to fire, or walk away from, their financial provider for whatever reason. For example, for most consumers, changing a bank account is a huge pain. Direct deposits need to be reset, as do scheduled payments linked by ACH or debit card. And consumers need to take these actions, while managing day-to-day liquidity issues. Our rule will facilitate third party companies that offer services to make switching recurring payments easier.
Importantly, a more open market will also make sure consumers won’t have to start from scratch. For example, Americans often use their deposit account history as a life ledger – it is a written record that keeps track of payments and deposits, which can be helpful for taxes, for disputes with merchants, or insurers, and for other purposes. By allowing consumers to transfer their ledger to a new institution, the rule could make switching institutions easier – you won’t need to maintain a relationship with your bank to maintain your written record.
A competitive market would also lead to unbundling where companies compete on individual products, rather than relying on captive customers or cross-selling scams. When markets aren’t competitive, we feel that we need to buy additional services from a provider we already worked with. But with more seamless integration, this will give us all more choice.
Fourth, more switching would lead to greater efforts by firms to maintain or win customer loyalty.
And, as for companies looking to draw in new customers – when consumers authorize transfers of their personal financial data, new providers will be able to treat them as if they have been long-time customers. Because of the authorized data, companies will immediately know the products and services that could best fit their new customers’ needs.
Large incumbents will find their customers to be less “sticky” and easier to “poach.” They’ll also find it harder to impose junk fees and harvest personal financial data for their exclusive use.
Finally, financial companies can find new ways to underwrite and score with less bias. Today, many companies are now exploring new underwriting models that return to core principles – assessing ability to repay without attempting to use outside information to model a consumer’s presumed ability to repay.
Transaction data will be especially useful for these purposes, and help bring an end to the current reliance on the three-digit social credit scores derived from credit reports that are cloaked in secrecy and rife with inaccuracies.
Rather than rely on black-box models that people can’t make sense of, lending can move back to real-world data about someone’s ability to pay back a loan. This will eliminate bias and reliance on credit scores and other proxies.
CFPB Financial Data Rights Rulemaking
With this new competitive landscape in mind, here is where we are headed. First, we expect to propose requiring financial institutions offering deposit accounts, credit cards, digital wallets, prepaid cards, and other transaction accounts to set up secure methods, like APIs, for data sharing.
While we expect to cover more products over time, we are starting with these ones. Through these transaction accounts, the rule will be able to facilitate new approaches to underwriting, payment services, personal financial management, income verification, account switching, and comparison shopping.
Starting here will also mean that our jumping-off point is where industry infrastructure for consumer-authorized financial data sharing has already begun to take shape.
Second, we will be looking at a number of ways to stop incumbent institutions from improperly restricting access when consumers seek to control and share their data.
We will be developing requirements to limit misuse and abuse of personal financial data, as well as frauds and scams. A common point of concern across jurisdictions around the world is how unscrupulous actors will look to harvest and hoard consumer financial data as it increases in scale.
Data can be monetized in nefarious ways or even used by state and non-state actors. While Americans are becoming numb to routine data breaches, including massive ones like the Equifax failure, we know that more needs to be done to stop this underworld from intercepting even more highly sensitive personal data.
We are exploring ways to ensure that when consumers share their data for a specific use, that is the only use it will be used for. We know this will be a challenge, given how difficult it is to enforce restrictions, like purpose limitations and data deletion requirements.
I’ve asked that our staff look at alternatives to the so-called notice-and-opt out regime that has been the standard for financial data privacy. For example, the longstanding Gramm-Leach-Bliley Act privacy rules don’t give consumers meaningful control over how their data is being used.
When a consumer permits their private data to be used by a company for a specific purpose, it is not a free pass for a firm to exploit the data for other uses, no matter what the legal mouse-print may say.
Third, we are exploring safeguards to prevent excessive control or monopolization by one, or even a handful of, firms. A decentralized, open ecosystem will yield the most benefits for creators and consumers alike. At the same time, there will be strong incentives for gatekeepers and intermediaries to emerge, extract rents, and self-preference. In consumer financial services, we have a number of highly concentrated submarkets: the credit reporting conglomerates, the card networks, the core processors, and more. It’s critical that no one “owns” critical infrastructure.
For example, in telecommunications, the open internet, powered by protocols, like the hypertext transfer protocol, helped to create a new worldwide web. No one “owned” this internet. Of course, many actors have sought to obtain, and in some cases successfully grabbed, more control. Threats to openness have come from browsers, operating systems, app stores, infrastructure providers, and others that already have scale or provide a must-have component.
There will undoubtedly be similar efforts when it comes to open banking and finance, potentially from Big Tech firms or a consortium of incumbents. We’re thinking through how standard setting could be rigged in favor of some players over others, where an intermediary or other platform could undermine an open and neutral ecosystem.
Process and Timeline
In terms of process, here is what you can expect. The CFPB is subject to a rulemaking step that is unique among financial regulators. Before issuing a proposed rule, the CFPB must convene a panel of small businesses that represent their markets to provide input on our proposals. This week, we will be publicly releasing a discussion guide that small firms can weigh in on.
Through that process, we’ll hear from small banks and financial companies who will be providers of data, as well as the small banks and financial companies who will ingest the data. We will also gather input from the “fourth parties,” the intermediary data brokers that facilitate data transfers.
In the first quarter of 2023, we will publish a report about the input we received through that process. This will inform a proposed rule that we are planning to issue later in 2023. We then hope to finalize the rule in 2024 and move to implementation.
There will be many opportunities to provide input to inform the public record throughout the process.
In closing, it is important to remind ourselves about why the United States has historically been a bastion of discovery and progress. We are at our best when our laws and rules facilitate seamless switching, reduce barriers to entry, eliminate conflicts of interest, and prevent infrastructure providers from denying access to critical networks.
Financial services are an essential part of our economic plumbing, and we will be working to let the market expand and develop new ways to help Americans live their lives to the fullest.
A more open ecosystem that is broadly inclusive of both consumers and businesses holds great promise. Our rulemaking will not turn on a switch, but I hope it will move us in that direction.