CFPB Open Banking Rule – Examining Privacy and Security


The development of the Consumer Financial Protection Bureau’s (CFPB) “Open Banking Rule” is causing concern in the world of financial services. The CFPB’s new focus on open banking is part of a broader effort to expand consumer data sharing, a move designed to give consumers more flexibility in choosing services and to break down the barriers to switching from one institution to another.

However, as the name suggests, the openness inherent in the new rule has many worried about its impact on data privacy and security. These concerns are top of mind for many in the industry, so it’s important to break down exactly what the rule is expected to do and the steps financial institutions can take to best protect consumer privacy and ensure security.

What is it?

Open banking was first mandated by Congress as part of the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act. While this gave the CFPB the responsibility to develop rules around consumer data, the agency did not put forth an open banking rule until the Biden Administration urged them to do so through a July 2021 executive order. Now the agency is working on a final proposal for an open banking rule that would allow consumers to take greater control of their financial data.

Once approved and implemented, the open banking rule is intended to enable consumers to own, access and share their financial data however and with whomever they choose. This includes giving third-party providers permission to access and use their data both to initiate payments and to retrieve financial data – two capabilities that banks have traditionally restricted.

The CFPB states three goals for the rule:

  • Improve competition and consumer choice
  • Strengthen consumer privacy and control
  • Expand financial inclusion

While these aims are certainly laudable, for many fintech companies and financial institutions they raise significant concerns about the security and privacy of consumer data. Since there is no single U.S. law that governs the privacy and security of all types of consumer data, financial institutions, as custodians of their customers’ data, have to comply with every applicable regulation. When third parties are added to the mix to deliver the core premise of open banking, the task of keeping that data safe and secure becomes much more complicated.

To mitigate these concerns, many organizations are adopting APIs to interface more easily with third parties and to protect sensitive information, but issues with data governance and security remain. While open banking APIs provide access to consumers’ transactional data, it will likely be hard for the average consumer to keep track of who has access to their personal data. Additionally, Gartner pegged APIs as 2022’s primary attack vector, while Salt Security found a 681% increase in API attacks in 2021.

Further, without an agreed-upon open banking data standard or requirement, practices such as data copying and screen scraping could make it even more difficult to restrict how companies use this information. Given the frequency of identity-based attacks – as well as the lack of data exchange standards – many are concerned that looser frameworks around data guidance could lead to increased threats and security breaches that prove damaging to consumers and financial institutions alike.

What should we do?

Consumer education is a critical piece of adopting any new innovation, especially in the financial services sector. Despite concerted efforts to spread consumer awareness, banks and financial institutions’ customers still fall victim to scammers, particularly as criminals continually evolve their tactics to evade detection. In 2021, consumers lost almost $52 billion to traditional identity fraud and identity fraud scams, with nearly $7 billion attributed to new account fraud.

With this in mind, many fear that open banking could become a dangerous avenue for criminals to deceive unsuspecting consumers into giving up confidential information that ultimately provides unauthorized access to their personal data. While Reuters reports that most banks do not oppose the new rules, they are pushing to limit their scope, arguing that the rules could put consumers’ data at risk because third-party providers may not have the same rigorous cybersecurity and privacy standards as traditional firms.

As such, it’s paramount that all financial institutions use the best tools at their disposal – including behavioral biometrics and other real-time threat detection technologies – to curb attacks before they can occur. Technology now exists that can flag irregular behavior and lock sensitive account information, processes and transactions before any practical damage is done. The best defense is targeted prevention, and with contemporary protections, banks can defend their customers without putting prohibitive controls in place. These protections will prove essential in countering the influx of identity-based attacks that open banking is expected to bring.

What’s next?

It’s a bit early to know exactly what shape open banking rules will ultimately take in the United States. The next step in the CFPB’s rulemaking process is a small business panel review, which is expected to be conducted before the end of the year. It’s important to note that open banking rules have been in place for some time in the UK and can therefore serve as a framework that U.S. regulators and financial institutions can follow with regard to safety and data privacy.

It is expected that the CFPB will consider all angles thoroughly before announcing the timeline of this groundbreaking change and its official rollout. However, regardless of its final form, the open banking rule promises to benefit the average consumer while at the same time expanding the risks around data security, consumer data privacy and financial damage. Given this reality, savvy financial institutions should not only review the proposed rule thoroughly now but also put in place the structures and protocols to protect their users both now and in the future.

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
