Interest is growing quickly - no doubt accompanied by some deep-seated indigestion as well - as US financial institutions, fintechs, and related service providers await the expected release of a key new US rule on Open Banking (Section 1033).
While most agree it will bring positive advances for consumer data control and protection to the customer banking experience as a whole, many industry experts are throwing up caution flags to 1033’s proponent agency, the Consumer Financial Protection Bureau (CFPB), about growing operational and compliance concerns they have with the pending regulation’s complexity and timing.
As the American Bankers Association said to preface a letter posted as a formal comment on behalf of its members to the proposed rule, “While some components may be functional, others may appear reasonable in the abstract but will break down in practical application.”
Others around the industry are also sharing questions or objections they’re hearing regarding the new regulation. They recognise that legitimate process and authority enhancement – primarily in data handling and banking relationship portability - are coming,
and in fact many welcome the business expansion opportunities that being out front of their competitors on this landmark consumer-empowering rule might bring. Yet they’re still concerned about the short period of time allocated for them to do a great deal
of preparation, in light of the CFPB’s proposal for an unusually aggressive implementation timeline.
Laurent Van Huffel is CEO of Washington, DC-based
OpenFinity, an organisation he co-founded with its president and well-known API guru Laura Heritage to be a central resource – a community - dedicated to helping the financial industry navigate the 1033/open finance landscape. A pioneer in open banking
and a business and payments software veteran as well, Van Huffel believes the biggest challenges – and least understood aspects – of the soon-to-be-released 1033 rule surround consent management and consumer data privacy.
1033 compliance: Not a quick and easy conversion project
Coordinating these new requirements and processes can be complex, Van Huffel cautions, and this will likely be the case no matter what framework is used to govern 1033’s adoption. He also predicts that it will take most impacted companies - especially smaller
ones - a lot of time to adapt to 1033’s requirements.
“The intricacies of [current industry standard] consent flows and enhanced data rights add further complexities, making compliance a significant challenge within an already heavily regulated industry. For many banks and credit unions, particularly smaller
ones, the technical infrastructure needed to meet these requirements is daunting and often out of reach […] These institutions will rely heavily on their core banking processors to meet compliance requirements.”
Exact start date still unsure, but standards in place soon
Nobody yet knows for sure what will be in Section 1033’s final wording, though it's been almost ten months since it was first outlined and the public comment period was initiated by the CFPB.
The CFPB issued a final rule just over two months ago regarding the type of “standard-setting body” it
envisioned to establish guidelines for the rule’s implementation, and that’s widely expected to be the highly-regarded nonprofit
Financial Data Exchange (FDX). Still, there is no firm guidance at present regarding 1033’s baseline security protocols; though financial grade API, or
FAPI profiles, to provide an additional layer above currently accepted online banking authorisation procedures will likely be part of, or complement, FDX standards for all open banking participants by around 2027, Van Huffel says.
Compliance requirements, typical operating procedures, and other complicated questions are fueling the mounting trepidation and speculation on the part of many FIs and fintechs as the industry awaits this fall’s final iteration of the “Personal
Financial Data Rights” rule – and companies of all sizes consider whether they will be ready when it’s time to comply.
CFPB announcement in fall of 2023 started it all
Last November, I wrote about the
future of Open Banking in the US and abroad, including an interview with management from Plaid, to describe the open banking landscape and draw useful comparisons between the differing marketplace and product rollout realities – and future expansion possibilities
- in North America and Europe.
At the time, Plaid representatives and several other established industry players spoke favorably of the proposed enactment of open banking data usage and sharing standards and practices. They felt doing so would stabilise the industry and level the playing
field for all providers as well as better serve customers – improvements they said were long overdue in the US market.
That story followed a major announcement the previous month – including public overview presentations at two leading financial industry conferences - by Rohit Chopra, director of the CFPB. Chopra outlined why and how the watchdog agency had initiated an
official revival of a long dormant portion – Section 1033 - of the US Consumer Financial Protection Act, aka, the
Dodd-Frank financial reform law, which was passed and signed in 2010 after the 2008-09 financial crisis.
The CFPB head also announced a 60-day comment period, allowing supporters or opponents to submit their opinions on the proposed new rule before the end of 2023, with the final rule to be announced in the ‘fall’ of 2024. That timeline is now almost complete.
Goal: Give consumers more control over financial ‘lives’
Section 1033’s implementation, according to the CFPB, “would accelerate a shift toward Open Banking to give consumers more control over data concerning their financial ‘lives’ and provide new protections against companies misusing their data.”
The bureau’s vision of the new Personal Financial Data Rights rule “would jumpstart competition by forbidding financial institutions from hoarding a person’s data and by requiring companies to share data at the person’s direction with other companies offering
better products. The proposed rule would allow people to ‘break up’ with banks that provide bad service and would forbid companies that receive data from misusing or wrongfully monetising the sensitive personal financial data.”
Finally, one of 1033’s aims, in accordance with a key priority of the Biden Administration, is to help eliminate “junk fees” in the industry – defined as extra or hidden charges often levied against consumers during certain financial transactions or without
their direct consent or understanding.
Open banking differences fading – regulators step in across globe
Many of Finextra’s readers are well versed in open banking benefits, best practices, and ever-evolving new use cases as service offerings have expanded on either side of the Atlantic Ocean, and to a lesser extent in Asia, Africa, and other markets. That
said, the differences by specific geography between what constitutes open banking in its numerous iterations have until recently been major and varied.
But the gap between various countries’ open banking practices and products is closing, with more commonality in offerings beginning to emerge across the globe.
That’s also the case for associated regulatory efforts, which in most jurisdictions are attempting to address what authorities perceive to be risks and gaps in procedures for consumer access to and control of financial data and a lack of portability of financial
relationships.
Specific responsibilities for data usage and protection, and guidelines governing the exchange of sensitive customer information among financial and non-financial providers, have been codified in the
EU, UK,
Canada, and a growing number of countries and regions around the world. Now that list could soon include the USA.
Financial regulators and consumer rights groups have increasingly advocated for greater customer “power” when it comes to banking relationship control and flexibility. They have also called for explicit customer rights to understand, manage, share, and in
some cases, remove their data from use or prevent its sharing by or among their financial services or fintech company providers.
New regulations, already implemented in some jurisdictions or under active consideration in others, also extend these responsibilities to authorised third party partners or service providers for those companies.
Once Section 1033 is in effect, what comes next?
Depending on the size of the specific company impacted, it might need to be ‘ready to roll’ under the new Section 1033 rules within six months of their expected official publication, or possibly by June of 2025 or even earlier. That’s the shortest
compliance timeframe identified in the previously published draft CFPB guidelines.
This most rapid transition to 1033’s new data-handling rules is proposed for institutions larger than $500 billion in assets, or for fintechs or other non-financial institutions collecting more than $10 billion in annual revenue.
Medium-sized institutions and companies (as categorised by the CFPB in its draft rule) will have more time to get their procedures and practices in line, with FIs over $50 billion in assets and non-FIs earning up to $10 billion a year expected to be in compliance
twelve months from the time the final rule is published in the US Federal Register.
Two more categories encompass the smallest financial institutions, with depository institutions holding at least $850 million in assets having 30 months to comply, and all smaller FIs facing a four-year deadline to implement the new standard.
OpenFinity’s Van Huffel reiterated that it will be a tall order for all financial institutions and fintechs to get on board quickly with Section 1033’s complex requirements. He’s not ruling out that the CFPB might be convinced to delay the new rule’s
effective dates beyond mid-2025 given the pushback received from within the industry.
That said, he believes that the larger banks in the country will be ready regardless, and in fact some already are. However, while the smallest companies that make up the last two categories outlined in the CFPB’s proposed rule likely feel they can wait
and watch, with compliance almost three or even four years away following the rule’s publication, it might not be very easy for those in the second category to be ready within a year. He also recommends smaller industry players get started on implementation now.
“Most of them are not doing anything [to prepare for the looming 1033 requirements] because they are thinking that they have a lot of time. But then the people in the banks in the category above will comply before them – and will take advantage [of open
banking flexibility and portability options] to target their customers or members.”
Van Huffel strongly advises smaller companies to avoid such thinking about Section 1033’s challenges, and to consider its significant upsides as well. For competitive as well as technical reasons, he says:
“It’s not a good idea to wait until the last minute to do it.” Open banking standardisation, he believes, is, despite its complexities, an exciting opportunity for providers of all sizes, as well as consumers.
“It’s going to be super interesting, and I think that [the rollout of Section 1033] is going to create a lot of healthy competition and innovation in the financial services industry.”