The Consumer Financial Protection Bureau is seeking input on potential regulations for consumer access to electronic financial records through an advance notice of proposed rulemaking (ANPR). Banks and fintech firms are closely watching, as the rulemaking process presents some tension between the interests of these two key industry groups.
The regulations come under Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act, and public comments on the CFPB’s advance notice of proposed rulemaking (ANPR) are due Feb. 4, 2021, with a proposed rule likely to follow several months later.
Fintech Supports ‘Screen Scraping’
Currently, most fintech companies access consumer data through banks’ online portals using credentials shared by consumers in a process known as “screen scraping.” The fintech application logs in to an online banking portal as the customer on an automated basis, copies financial data, and stores it on an external database, which is often managed by another third party, a data aggregator.
In lieu of screen scraping, some banks and other financial institutions recommend that access to this information be achieved through “tokenized” access or so-called application programming interfaces (APIs) that do not require the consumer to share login credentials.
Fintech firms are generally in favor of a broad data right for consumers in order to pave the way for an “open banking” regime in the U.S. Furthermore, fintech firms argue that screen scraping is a non-negotiable ingredient of an innovative fintech ecosystem.
According to FDATA, the fintech industry association, a regime based entirely on privately negotiated APIs would create an uneven playing field for consumers “in which access to vital third-party tools is determined by where a customer banks and the terms of the agreements that bank has signed with aggregators.”
Banks Worry About Security Risks
Data holders such as banks, however, have concerns about the security risks of screen scraping, precisely because the practice involves sharing a consumer’s login credentials and financial data not only with fintech firms, but also the third-party data aggregators with which these firms contract.
Data aggregators generally store account login credentials and scraped customer data, creating highly attractive targets for hackers and malicious insiders.
Moreover, some aggregators do not use data security protocols or fraud monitoring systems comparable to those used by regulated financial institutions, rendering the aggregators vulnerable to cyberattacks. Instead, data holders tout the benefits of APIs, which obviate the need for aggregators to store customers’ login credentials altogether.
CFPB Looking at Successes Abroad
The CFPB’s ANPR indicates an interest in establishing a clearer U.S. regulatory framework for open banking. By comparison, in recent years the EU, Australia, the U.K., and Canada have taken steps toward an open finance framework. For example, in 2016, the U.K. government set up the Open Banking Implementation Entity (OBIE) that has since developed highly specific standards for the APIs used between banks and third-party data aggregators, creating uniform standards across customers and banks.
Similarly, in the EU, fintech firms can universally access standardized bank APIs by formally registering in their jurisdiction as Account Information Service Providers (AISPs) pursuant to the EU’s second Payment Services Directive (PSD2). The ANPR invites commenters to make suggestions based on experience with open banking outcomes abroad.
Biden Administration Predictions
While the consensus is that a CFPB led by a Biden appointee will fight aggressively for consumer rights and will be less sanguine about industry’s capacity for self-regulation, how exactly a new administration will regulate consumer financial data access under Section 1033 is an open question.
Regulating consumer access to financial records involves trade-offs for consumers that do not follow clear political categorization. A vigorous consumer protection stance is not necessarily in tension with the goals of innovation and access to fintech products, on the one hand, and cybersecurity on the other.
A Biden CFPB is likely to adopt disclosure requirements for fintech applications, in which consumers must be informed about the ways in which those applications are using or selling their data to third parties. And, unless the U.S. bucks the European trend toward APIs, the use of APIs is likely to continue to gain ground.
Indeed, U.S. innovation could be harmed if the CFPB does not keep up with the efforts toward open banking that are being pursued in the EU and U.K., including standardization around APIs, though data holders would prefer to adopt flexible industry standards instead of government-prescribed requirements.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Courtney M. Dankworth is a litigation partner at Debevoise & Plimpton LLP who focuses her practice on internal investigations and regulatory defense, including banking enforcement actions and disputes related to financial services and consumer finance.
David L. Portilla is a corporate partner and a member of the firm’s Financial Institutions Group and Banking Group. His practice focuses on advising international and domestic banking organizations and other financial institutions on transactional, regulatory, supervisory and governance matters.
Anna R. Gressel is a senior commercial litigation associate and a member of the firm’s Technology, Media & Telecommunications and Data Privacy & Cybersecurity groups. She advises clients on the legal and regulatory implications of artificial intelligence and other emerging technologies.
Christian J. Clark is an associate in the Litigation Department.