By: Teena Angale, Giuseppe Racanelli and Royston Menezes
Published: August 20, 2024 | Updated: August 20, 2024
Read time: 13 minutes
Introduction
From a purely regulatory perspective, the US deliberately took its time with open banking.
The proposed “personal financial data rights” rule to implement section 1033 of the Dodd-Frank Act will officially regulate open banking in the US when finalized in 2024 — seven years after the UK pioneered its Open Banking implementation entity.
But from a market and consumer adoption perspective, the US has quickly embraced open banking.
At least 100 million US consumers have authorized a third party to access their account data, according to an estimate by the Consumer Financial Protection Bureau (CFPB) in their preamble to the proposed rule. The preamble also notes that third-party access or attempted access to US consumer financial accounts in 2022 “vastly exceed the comparable public figures from some other jurisdictions’ open banking systems.”
The CFPB’s proposed rule is a timely response to this burgeoning consumer demand for open banking. It offers consistency around what personal financial data is covered and required to be made available by data providers, and it clarifies how authorized third parties may access that data on a consumer’s behalf. From this perspective, the rule should be influential without being overly disruptive to business as usual.
Yet, the rule’s introduction into an already primed market poses a somewhat novel question. How will data providers, third-party data recipients and data aggregators work together under these new regulations to ensure that consumer demand is met with increasingly innovative and competitive financial products and services?
In the past, financial institutions controlled access to consumer financial data and typically owned consumers’ entire financial relationships. Open banking has shifted these relationships. Financial institutions are now exploring how to better serve consumers by enabling them to use and understand the data they hold in multiple financial accounts across multiple financial institutions.
For some financial institutions, jostling to stand out is nothing new. Yet, while increased data sharing should boost the competitiveness of many medium-sized and community financial institutions, the opportunities for large incumbent institutions turn out to be equally compelling. Two complementary lenses provide perspective:
- The data provider obligation
- The data recipient opportunity
The data provider obligation
The thrust of the proposed rule is common to open banking regulation in other markets: consumers own their data, banks and other data providers must make this data available to consumers and to consumer-authorized third parties, and authorized third parties must be transparent with consumers about how their data is used while offering them the ability to edit or revoke access to their data.
But the target of the proposed rule is somewhat unique. Some countries, such as the UK, focused on their largest banks. Others, such as Brazil and South Korea, expanded the focus to neobanks and other fintech companies. The US focus is broader still: any financial institution with a consumer interface, any card issuer, and any other entity controlling or possessing consumer financial information that is covered by the proposed rule.
The breadth might seem surprising in a country where no neobank has yet reached the profitability of Brazil’s and South Korea’s top performers. But the US banking industry is already relatively fragmented and looks set to stay so. As such, the proposed rule is both reflective of the current market and predictive of where it is headed competitively.
So, as data providers, US financial institutions have three main interconnected obligations:
1. Develop and maintain interfaces to receive and respond to data requests
The preamble to the proposed rule notes that most current data access attempts rely on screen scraping, which generally uses consumer credentials, or on other credential-based access.
Screen scraping is not officially prohibited in the proposed rule, but data providers can limit screen scraping by providing access through application programming interfaces (APIs) instead. By the end of the compliance period, the expectation is that these regulations will have led to a wholescale shift to the use of APIs for covered data.
For some financial institutions, using APIs could be viewed solely as a compliance issue. But that view ignores the proposed rule’s additional requirements to meet minimum API performance thresholds, consumer expectations for smooth user experiences, and any determinations about how to make non-covered data available. As such, a financial institution’s API strategy is less about regulatory compliance and more about basic competitiveness and serving consumer needs.
One caveat is that promoting API usage instead of screen scraping for covered data does not automatically imply security. API breaches more than doubled between early 2023 and 2024 worldwide, according to Salt Security. API gateways, which manage and route API calls, and web application firewalls struggle to keep up with the dynamic nature of APIs. A lack of any long-term context for data can leave traditional cybersecurity floundering. Generative AI can help by creating fabricated yet realistic “synthetic data”, along the lines of how payment networks are adopting such approaches to tackle payment transaction fraud.
The largest financial institutions currently account for the bulk of the shift to APIs for data sharing. Provided the cybersecurity is in place, they are in good stead. But other financial institutions may struggle with the shift despite the extra time for compliance offered in the proposal.
Consumer demand may add to financial institutions’ considerations associated with the shift. Nearly half (45%) of customers of US national banks profess to already use or be interested in the concept of open banking, according to a Mastercard survey in the fourth quarter of 2023. But that percentage ranges from 15% to 37% in smaller banks such as regional banks, credit unions and community institutions.
These differences will likely diminish as open banking grows across the board, but the situation will be challenging for many institutions in the short term. Instead of building and hosting APIs in house, other institutions can rely on third-party data aggregators, data processors or technical service providers to host APIs on their behalf. A new target operating model, based on long-term operational efficiency and compliance, can help with decisions on whether to outsource and what it may mean for third-party risk management.
In addition to securing data, financial institutions need to be sure that their APIs can talk to each other. Some market frameworks, such as those found in Australia or the UK, mandate a single API standard. Other markets in Europe have left API standards to individual entities or standard-setting bodies, such as the Berlin Group.
The CFPB proposes recognizing standard-setting organizations that meet specific attributes and then requiring use of the standards to comply with the regulations. API standardization is relatively mature in the US. As of March 2024, the Financial Data Exchange (FDX) reports that 76 million consumer accounts use its FDX API standard.
While standardized APIs help create uniformity in the ecosystem, each financial institution is different. Many data providers already use or will continue to use data aggregators for API connectivity to simplify connections and minimize upfront and continued investment costs. Given the popularity of payments use cases and the opportunity for data providers to be authorized third parties themselves, a financial institution’s chosen data aggregator will ideally have the reach and reliability of a payment network.
2. Make “covered” data available upon request
Effective data sharing requires more than just solid interfaces.
First, the proposed rule requires the data to be in a standardized machine-readable format, such as the FDX API. Second, even just a single transaction “checking” account comes with several categories of data: account balance, transaction details, upcoming bill payments, account verification information, terms and conditions, and account and routing numbers.
Data aggregators can help financial institutions meet the requirements by providing data cleansing to remove duplicates and inconsistencies, data categorization to sort information for use, and sometimes even data enrichment to improve value with additional data sources to provide better services for consumers. But the ultimate onus is on financial institutions to assemble and share the formatted data.
The data “covered” by the proposed rule also extends beyond checking accounts into savings and credit card accounts, which come with their own internal categories. Other financial data and accounts, such as mortgage, automobile and student loan accounts are expected to be covered in “supplemental rulemaking” by the CFPB. The CFPB and other financial regulators may also work together in the future to cover data in investment, insurance, tax, payroll and other financial accounts.
As financial institutions invest in compliance measures to make their covered data available, they will want to proactively consider the same approach for all their data.
3. Authenticate third parties
With APIs and data availability in place, providers then need to confirm where the data is going.
Many open banking regulations worldwide include requirements for authorized third-party data recipients to be officially registered or accredited. The CFPB proposal contains no such requirement or governing body to oversee accreditation. While the lack of a clear accreditation framework could offer some flexibility to authorized third parties, the proposal sets forth clear obligations that must be met to access consumer data.
Specifically, authorized third parties must provide clear and conspicuous disclosures to consumers about how their data is used, show evidence of data security and data accuracy, obtain express consent, limit collection, use and retention of data to one year unless reauthorized by the consumer, abide by data use restrictions, offer consumers easy access, deletion and revocation options, and not sell data or use it for targeted advertising or cross-selling.
In addition, data providers will need to determine how to manage and evaluate authorized third parties since the proposed rule gives data providers the ability to block access based on specific security risks.
Financial institutions are already familiar with third-party risk management and handling third-party contracts. But the familiarity usually only extends to established partnerships rather than data sharing requests potentially coming from anywhere in the financial sector. A financial institution’s third-party vendors and service providers, which it evaluates for third-party risk, are also fundamentally different from consumer-authorized third parties.
Industry standards, such as OpenID Connect (OIDC) to obtain third-party profile information and verify identities as part of the financial-grade API (FAPI) standards referenced by bodies like FDX, can help. As with API connectivity, data aggregators can simplify approaches by ensuring that shared data only reaches recipients that meet all requirements.
The security that can be provided by data aggregators is paramount in the face of API attacks. The split between authenticated and unauthenticated actors behind attacks is 39% versus 61%, according to Salt Security. Both are concerning: authenticated actors deceived the security; unauthenticated actors simply bypassed it.
The data recipient opportunity
Technically, the proposed rule only obliges financial institutions to act as data providers. In practice, all financial institutions will want to develop a strategy to also be authorized third parties so they can take up opportunities to acquire and serve customers in new ways.
Still, there are compliance obligations associated with opting to act as an authorized third-party data recipient. They can broadly be grouped under one main consideration:
Manage consumer consent
As an authorized third party, financial institutions will need to follow data protection and privacy laws to adhere to limitations on collection, use and retention of consumer data. These obligations include obtaining informed consent from consumers on data use and putting mechanisms in place to allow consumers to have their data deleted after revoking their consent for third-party access.
At a minimum, a financial institution’s standardized permissions interface should let consumers easily view, modify, add and revoke consent. The interface should be intuitive while using plain language to highlight consumer rights and potential consequences of choices.
The backend of a permissions interface will also need to show traceable and transparent links between all parties: providers, recipients and consumers. Open Authorization (OAuth) access tokens, which replace usernames and passwords, can allow consumers to securely grant access.
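The obligations listed above for authorized third parties (express consent, scopes limited to what was granted, a one-year cap unless the consumer reauthorizes, easy revocation) and the traceable provider–recipient–consumer links a permissions backend needs can be made concrete in a small consent registry. The code below is an added illustration, not Mastercard's, FDX's or any aggregator's implementation, and the ids (`cust-1`, `pfm-app`, `bank-a`) and scope names are constructed for the example. It issues a random bearer token per grant, stores only a hash of that token, binds the token to one recipient/provider pair, and logs every access decision so the chain from consumer consent to data request can be audited.

```python
"""Consent registry for consumer-authorized data access (added example, not from the article)."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# The proposed rule caps collection, use and retention at one year unless the consumer reauthorizes.
ONE_YEAR_SECONDS = 365 * 24 * 60 * 60


@dataclass
class Consent:
    consumer_id: str
    recipient_id: str   # authorized third party, e.g. a PFM app (hypothetical ids throughout)
    provider_id: str    # data provider holding the account
    scopes: frozenset   # data categories the consumer permitted, e.g. "accounts:balances"
    granted_at: float
    expires_at: float
    revoked_at: Optional[float] = None


def _digest(token: str) -> str:
    # Only a hash of the bearer token is stored, so a copied registry yields no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class ConsentRegistry:
    """Links consumer, recipient and provider and answers 'may this data request proceed?'."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock                          # injectable so expiry can be tested
        self._consents: Dict[str, Consent] = {}      # consent id -> consent
        self._token_index: Dict[str, str] = {}       # token digest -> consent id
        self._audit: List[Tuple[str, float, dict]] = []

    def _log(self, event: str, **details) -> None:
        self._audit.append((event, self._clock(), details))

    def _by_token(self, token: str) -> Optional[Consent]:
        cid = self._token_index.get(_digest(token))
        return self._consents.get(cid) if cid else None

    def _owned_active(self, consumer_id: str, consent_id: str) -> Optional[Consent]:
        c = self._consents.get(consent_id)
        if c is None or c.consumer_id != consumer_id or c.revoked_at is not None:
            return None
        return c

    def grant(self, consumer_id: str, recipient_id: str, provider_id: str,
              scopes, duration: float = ONE_YEAR_SECONDS) -> Tuple[str, str]:
        """Record consent; return (consent id shown to the consumer, bearer token given to the recipient)."""
        duration = min(duration, ONE_YEAR_SECONDS)   # never exceed the one-year cap
        now = self._clock()
        consent_id = "cns_" + secrets.token_hex(6)
        token = secrets.token_urlsafe(32)            # random; carries no consumer data itself
        self._consents[consent_id] = Consent(
            consumer_id, recipient_id, provider_id, frozenset(scopes), now, now + duration)
        self._token_index[_digest(token)] = consent_id
        self._log("grant", consumer=consumer_id, recipient=recipient_id,
                  provider=provider_id, scopes=sorted(scopes))
        return consent_id, token

    def authorize(self, token: str, recipient_id: str, provider_id: str, scope: str) -> Tuple[bool, str]:
        """Check a request: token known, bound to this pair, unrevoked, unexpired, scope granted."""
        c = self._by_token(token)
        if c is None:
            reason = "unknown token"
        elif (c.recipient_id, c.provider_id) != (recipient_id, provider_id):
            reason = "token bound to a different recipient/provider pair"
        elif c.revoked_at is not None:
            reason = "consent revoked"
        elif self._clock() >= c.expires_at:
            reason = "authorization expired; consumer must reauthorize"
        elif scope not in c.scopes:
            reason = f"scope {scope!r} not granted"
        else:
            reason = "ok"
        # Every decision, allowed or denied, is logged so access is traceable end to end.
        self._log("access", recipient=recipient_id, provider=provider_id, scope=scope, reason=reason)
        return reason == "ok", reason

    def revoke(self, consumer_id: str, consent_id: str) -> bool:
        c = self._owned_active(consumer_id, consent_id)
        if c is None:
            return False
        c.revoked_at = self._clock()
        self._log("revoke", consumer=consumer_id, recipient=c.recipient_id)
        return True

    def reauthorize(self, consumer_id: str, consent_id: str) -> bool:
        """Consumer extends an unrevoked grant for another year (the rule's reauthorization path)."""
        c = self._owned_active(consumer_id, consent_id)
        if c is None:
            return False
        c.expires_at = self._clock() + ONE_YEAR_SECONDS
        self._log("reauthorize", consumer=consumer_id, recipient=c.recipient_id)
        return True

    def consents_for(self, consumer_id: str) -> List[dict]:
        """What a permissions dashboard shows the consumer: each grant, its scopes and its status."""
        now = self._clock()
        rows = []
        for cid, c in self._consents.items():
            if c.consumer_id != consumer_id:
                continue
            status = "revoked" if c.revoked_at is not None else ("expired" if now >= c.expires_at else "active")
            rows.append({"id": cid, "recipient": c.recipient_id, "provider": c.provider_id,
                         "scopes": sorted(c.scopes), "status": status})
        return rows

    def audit_trail(self) -> List[Tuple[str, float, dict]]:
        return list(self._audit)
```

Two design choices matter here. The consumer never sees the recipient's bearer token; they revoke or renew by consent id from their dashboard, which is why `grant` returns both. And `authorize` checks revocation before expiry and scope, so a revoked grant is reported as revoked even if it has also lapsed, which is the answer the consumer's deletion request depends on.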
With consumer consent in place, authorized third-party data recipients have the opportunity to provide more compelling products and services to consumers. Data aggregators, which already support data providers with data connectivity and availability along with third-party authentication, can support them as authorized third-party data recipients by providing suites of connected products and services for various use cases:
1. Account opening
In 2021, 59% of US adults opened a new bank account, according to a study by PYMNTS with Mastercard. Focus just on generation Z, millennials and bridge millennials, and the percentage increases to 82%, 80% and 76%. More than three quarters of the accounts were opened digitally.
Open banking smooths account opening by allowing financial institutions to use consumer-permissioned data to verify account owner identities, account details and account balances for faster set up, onboarding and funding. Quick funding particularly matters for demand deposit accounts because account opening naturally encompasses account switching as consumers eagerly accept a sign-up perk only to move on to another account.
2. Personal financial management (PFM)
As consumers open multiple checking, savings and loan accounts, the ability to see consolidated views of them all in one place becomes essential for effective financial management. A budget & savings app for financial management and an associated PFM app for a consolidated view of all accounts rank second and third in popularity across eight open banking apps, according to a Mastercard survey of US consumer interest in 2023. In practice, both apps are often combined as one PFM tool.
One area for market differentiation is the counterintuitive importance of including accounts held by competitors in a PFM tool. Brand trust and loyalty come from reliability rather than insularity, and consumers’ primary accounts will gravitate toward financial institutions that offer the most comprehensive solutions.
3. Subscription management
A tool to help automatically identify, track, cancel or renew subscriptions interests 73% of US consumers, according to a Mastercard survey in 2021. A smart subscriptions app uses open banking to provide insights into a consumer’s existing subscriptions, payment history, upcoming bills, spending patterns, and spending across categories and retailers.
The app comes fourth in popularity, right after a budget & savings app and a PFM app, in the Mastercard 2023 US consumer interest survey. The clumping together of the three apps makes sense. Advanced PFM apps go beyond simple consolidation to include subscriptions and budgeting & saving. Some even extend into liquidity management through lending recommendations, such as debt consolidation.
4. Lending
Over half (55%) of US consumers, just behind Australian consumers at 59%, are willing to share access to their bank account if it means possibly getting a better loan or interest rate, according to a Mastercard survey across seven countries in August 2023. Open banking supports lending by allowing fast, accurate and less risky credit decisioning through consumer-permissioned insights across assets, income, employment and cash flow.
One goal of open banking is financial inclusion, and lending via alternative credit scoring can create credit access for borrowers with thin credit files or no credit files. The opportunity is ample: 76% of US consumers aged 15 or over borrowed money in 2021, according to the World Bank’s Findex, but only 66% borrowed from a formal financial institution. And, as with account opening solutions, the ease of transferring funds matters for good consumer experiences.
5. Payments
A bill pay app is the most popular of the eight apps in the Mastercard 2023 US consumer interest survey. That desire for bill pay solutions is also reflected in European countries, such as France and Switzerland, although US open banking payments do not for now involve the real-time push payments associated with open banking as a payments directive in Europe.
Instead, the US approach is to share a consumer’s account number, which is ideally tokenized, and routing number so the data recipient can make an ACH pull payment. In the process, open banking eliminates manual data inputs, instantly validates accounts to meet “WEB debit” ACH requirements, and provides smart decisioning to confirm balances and recent transactions to avoid any non-sufficient funds (NSF) declines. The payment may still be an ACH transfer, but the consumer experience is transformed.
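The ACH pull flow just described has three security-relevant steps: the recipient works with a token rather than the raw account number, the account details are validated before the debit is created, and balance and recent history are checked to avoid an NSF return. The code below is an added example showing one way to wire those steps together; it is not Mastercard's, FDX's or any aggregator's product, and the vault, the balance snapshot and the sample account and routing numbers are constructed for illustration. The routing-number check is the standard ABA checksum (weights 3, 7, 1 over the nine digits); the tokens are random values with no relation to the account number, so a token leaked from a recipient's logs cannot be turned back into an account number without the vault.

```python
"""Tokenized account handling and pre-debit decisioning for an ACH pull (added example)."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def routing_number_valid(rtn: str) -> bool:
    """ABA routing-number checksum: 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) must be divisible by 10."""
    if len(rtn) != 9 or not rtn.isdigit():
        return False
    d = [int(ch) for ch in rtn]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


class AccountTokenVault:
    """Held by the data provider or aggregator; the data recipient only ever sees the token."""

    def __init__(self) -> None:
        self._vault: Dict[str, Tuple[str, str]] = {}   # token -> (account number, routing number)

    def tokenize(self, account_number: str, routing_number: str) -> str:
        token = "tok_" + secrets.token_hex(12)         # random, not derived from the account number
        self._vault[token] = (account_number, routing_number)
        return token

    def detokenize(self, token: str) -> Optional[Tuple[str, str]]:
        return self._vault.get(token)


@dataclass
class AccountSnapshot:
    """What the provider can report about the account at decision time (constructed fields)."""
    available_balance: float
    recent_nsf_returns: int      # NSF returns in a recent window; >0 is a strong decline signal


def decide_ach_pull(vault: AccountTokenVault, snapshots: Dict[str, AccountSnapshot],
                    token: str, routing_number: str, amount: float) -> Tuple[bool, str]:
    """Validate the tokenized account and confirm funds before an ACH WEB debit is originated."""
    if amount <= 0:
        return False, "amount must be positive"
    record = vault.detokenize(token)
    if record is None:
        return False, "unknown token"
    account_number, expected_rtn = record
    # Account validation: the routing number must be well formed and match the tokenized account.
    if not routing_number_valid(routing_number):
        return False, "routing number fails ABA checksum"
    if routing_number != expected_rtn:
        return False, "routing number does not match tokenized account"
    snap = snapshots.get(account_number)
    if snap is None:
        return False, "account not found at provider"
    # Smart decisioning: confirm the balance covers the debit and there is no recent NSF history.
    if snap.available_balance < amount:
        return False, "available balance below amount (NSF risk)"
    if snap.recent_nsf_returns > 0:
        return False, "recent NSF returns on this account"
    return True, "approved"


if __name__ == "__main__":
    vault = AccountTokenVault()
    tok = vault.tokenize("000111222333", "123456780")           # constructed sample account
    snaps = {"000111222333": AccountSnapshot(available_balance=250.0, recent_nsf_returns=0)}
    print(tok, decide_ach_pull(vault, snaps, tok, "123456780", 100.0))
```

The decision function returns a reason string rather than just a boolean so the provider can log why a debit was declined without ever writing the account number to the recipient's side of the exchange.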
Conclusion: Product versus process when building trust
More Americans are using open banking than realize it, according to a Mastercard survey in 2022. That finding chimes with the CFPB’s estimate that at least 100 million US consumers have granted access to their account data to a third party.
Yet despite consumer demand, there is still a need to build consumer trust. A preference to keep financial information confidential is the most common reason for consumers not to use open banking, according to the Mastercard 2023 US consumer interest survey.
Proper process to keep data secure, particularly in terms of the novel challenges associated with APIs, should help allay concerns if coupled with appropriate consumer education. But to truly monetize open banking through partnerships with data aggregators, financial institutions will want to focus consumer education less on the overarching concept of open banking and more on the product benefits that result.
After all, the “open” part of the name will only persist until open banking wins consumer trust and becomes pervasive. Then, it will just be banking as usual once again.
Learn how Mastercard’s combined role as a consultancy, data aggregator and provider of products and services helps financial institutions of all sizes empower their consumers through open banking.