Interview

New CFPB rule on consumer data: Open Banking in the US

Tuesday 29 October 2024 15:08 CET | Editor: Vlad Macovei | Interview

Steve Boms, Founder and President of Allon Advocacy, shares key insights on the CFPB's new rule, which strengthens data privacy, expands Open Banking, and reshapes bank-fintech ties.

 

The CFPB announced a new rule to address privacy concerns surrounding consumer financial data. How does the new rule improve privacy and what specific protections does it provide to prevent misuse by third-party entities?

The final rule prioritises privacy protections by requiring third parties to provide consumers with an authorisation disclosure. This disclosure specifies who will access the data, for what purpose, and for how long, and includes clear instructions on how consumers can opt out of data retention or usage at any time. 

The rule restricts data usage strictly to the purpose the consumer has consented to, allowing no other secondary uses, except for improving the product or service covered by the initial consent. Additionally, the rule sets a maximum authorisation period of 12 months. If consumers don’t renew their consent, third parties must stop collecting and delete any previously authorised data.

 

Could you explain the significance of enabling consumers to transfer their financial data between providers without fees? How might this impact consumer loyalty and competition in the financial industry?

It's a game-changer. While the US has already seen market-driven Open Banking, this rule levels the playing field so all consumers benefit, regardless of their bank. For instance, in payments, it can greatly expand access to Pay-by-Bank options, which offer lower transaction fees than credit or debit cards – savings that ultimately benefit consumers. It also broadens access to affordable credit by enabling cash flow-based underwriting. 

Beyond third-party services, this competitive shift may prompt traditional financial institutions to lower fees and offer similar services at reduced costs. Increased competition will also encourage providers, whether banks or third parties, to work harder to earn customer loyalty – a positive outcome for consumers.

 

The rule prohibits 'bait-and-switch' data harvesting and sets requirements for data deletion upon consumer request. How do these measures align with current consumer data protection standards in other sectors or globally?

In some areas, the CFPB rule aligns fully with existing consumer data protection laws, but in others, it goes further. For example, its broad ban on secondary data usage extends beyond what’s seen in most jurisdictions. 

Academic research, for instance, is not an allowed use case, unless consumers give explicit consent for it as the primary purpose, ensuring their data cannot be shared for research that might have unforeseen consequences. Similarly, data cannot be used to develop new products or services, nor for enhancing cash flow or credit models. While preventing 'bait and switch' practices is widely supported, this rule may be somewhat more restrictive than similar regulations elsewhere.

 

This rule is said to bring the US closer to an Open Banking system. How does it compare with Open Banking models in other countries, and what benefits could US consumers potentially gain from this shift?

Overall, it compares quite favourably. However, it's important to clarify that this rule focuses solely on Open Banking – not Open Finance. The CFPB has limited its scope to checking, savings, credit card, and digital wallet accounts for now, unlike other markets that have moved faster to include broader account types like mortgages, auto loans, and small business accounts. This is an initial step, but one that aligns well with international frameworks. The resulting benefits are clear: more competition, lower fees, and increased innovation. Notably, the CFPB has emphasised that this rule is just the start, with more rules expected in the coming years, moving gradually toward a fully Open Finance model.

 

How do traditional banks react to the new rule and what will the bank-fintech relationship look like in the future?

A major banking trade association quickly sued the CFPB, claiming this rule exceeded its statutory authority. This reaction is disappointing, especially since banks have long urged the CFPB to eliminate screen scraping and transition to APIs, which this rule accomplishes for covered accounts. It’s surprising how rapidly the banks were able to review the 600-page rule and file a lawsuit within 12 hours of its finalisation. 

The future of bank-fintech relationships is complex; data sharing under Section 1033 is only one aspect. US prudential regulators have requested information on broader bank-fintech arrangements beyond data sharing. Ideally, regulators will clarify that data sharing under Section 1033 isn’t a traditional bank-fintech relationship but simply reflects consumers’ directive to share their data. This will, however, require further guidance from prudential regulators, which I hope to see.

 

The compliance timeline for financial institutions extends up to 2030 for smaller entities. What challenges do you foresee in implementing these requirements across different sizes of institutions, and how might this phased approach affect consumer access and competition?

I believe the CFPB's approach to timelines is quite reasonable. This aspect marks one of the most significant changes from last year's proposal to the finalised version. Smaller institutions will need time to implement APIs, and they will depend on their core providers for support. However, as we approach 2024, these institutions effectively have five and a half years to achieve compliance. During this period, the CFPB will recognise one or more standard-setting bodies, so banks won’t have to develop their own APIs; they can utilise the industry-approved technical standards with assistance from their core providers. 

Moreover, I see small banks as key beneficiaries of this rule because Open Banking allows them to reach customers outside their traditional geographical areas. In an environment where smaller banks have been increasingly acquired by larger ones, this rule presents an opportunity for them to act not only as data providers but also as data recipients. Rather than viewing this as a challenge, I see it as a chance for small banks to explore innovative ways to enhance their competitiveness.

About Steve Boms

Steve Boms is the Founder and President of Allon Advocacy, LLC, a fintech and policy consulting firm based in Washington DC. Steve is also the Executive Director of the Financial Data and Technology Association of North America, which represents fintech companies and aggregation platforms. Steve has also been a contributor to the Open Banking/Open Finance Report 2022.

 

About Allon Advocacy

Allon Advocacy, LLC is a financial technology public policy consulting firm based in Washington DC.


Free Headlines in your E-mail

Every day we send out a free e-mail with the most important headlines of the last 24 hours.

Subscribe now

Keywords: Open Banking, data privacy, data sharing, fintech, banks, regulation
Categories: Banking & Fintech
Companies: Allon Advocacy
Countries: United States
This article is part of category

Banking & Fintech

Allon Advocacy

|
Discover all the Company news on Allon Advocacy and other articles related to Allon Advocacy in The Paypers News, Reports, and insights on the payments and fintech industry:





Industry Events