Recent regulatory proposals have kick-started the open banking sprint.[1] As both banks and fintechs adopt open banking innovations, however, new all-encompassing digital interfaces, paired with artificial intelligence (“AI”), will raise critical questions about data protection, consent, and current disclosure frameworks. Entities must dedicate sufficient resources to design, test, and protect AI and protect privacy as they enter the new, exciting open banking landscape.
The Future of Open Banking
In the not-so-distant future, we will find ourselves in a brave new world of consumers sharing deposit, credit card, loan, and mortgage data across enterprises, to display and interact with their full financial profile in one dynamic interface. In that world—known as “open banking”—privacy implications and potential AI applications loom large.
This future has been accelerated by the proposed rule on open banking announced by the Consumer Financial Protection Bureau (“CFPB”) on October 19, 2023. The proposed rule mandates that financial institutions, card issuers, and payment providers make consumer data—including transaction data—readily available to consumers and authorized third parties. In addition, the proposed rule institutes consumer protection obligations on collection and use of that data and prohibits data providers from imposing fees for establishing and maintaining these new-age interfaces.
Further dissection of the CFPB’s proposed rule on personal financial data rights illustrates an expectation that digital interfaces will play a primary role in the banking ecosystem, as well as a staunch desire to prevent potential exploitation through limitations and protections on the use of personal financial data. Key considerations will include implementation of robust encryption mechanisms, transparent data governance practices, and protection against inadvertent disclosure of sensitive financial information.
The Proposed Section 1033 Rule: Overview
Section 1033 of the Dodd-Frank Act provides consumers the right to obtain their information relating to a consumer financial product or service in an electronic form from a covered person subject to CFPB rulemaking to implement this statutory provision. The CFPB has described its proposed rulemaking as accelerating the shift to open banking, which is the idea that financial information will flow among various parties in the financial services ecosystems, including banks, fintechs, data aggregators, and consumers. However, the proposed section 1033 rules currently are limited to regulating the flow of consumer financial data from data providers to consumers and third parties authorized to access that data by the consumer. The comment period on the proposed rule closed on December 29, 2023.
The rule represents one of CFPB Director Rohit Chopra’s signature priorities because it addresses his desire both to regulate what he refers to as the monetization of consumer data and to promote competition in consumer financial services. Competition in the marketplace arguably is bolstered by consumers having the ability to “vote with their feet” and more easily move their financial data from one entity to another. Because of the rule’s importance to Chopra’s agenda, a final rule is likely to be issued by late spring to avoid potential Congressional Review Act invalidation. The compressed time frame from proposed to final rule suggests that there will not be significant change in scope between the proposed and final rules.
Elements of the Proposed Rule
The proposed rule establishes pertinent terminology: data providers, covered data, and authorized third parties. In the initial iteration of the rule, data providers are limited to financial institutions as defined by Regulation E and credit card issuers as defined by Regulation Z.[2] (The CFPB has intimated that expanding the applicability of this data access right to other markets will likely be the subject of future rulemakings.)
This first round of rulemaking applies to covered data relating to Regulation E accounts and Regulation Z credit cards.[3] Authorized third parties are those that are permitted to request covered data from a data provider.[4] They will have to comply with certain authorization procedures that require express consent by the consumer that is limited in duration.[5] Moreover, they will be subject to a limitation on use and retention of covered data and will be required to condition further disclosure of consumer data to other third parties upon that third party’s agreement by contract to comply with the section 1033 authorization requirements.[6] These restrictions on the flow and use of data by third parties and other players in the payments ecosystem will undoubtedly have implications for consumers’ privacy and use cases for AI as open banking develops and evolves in the United States.
The proposed rule seeks to impose a framework in which data transfers are accomplished via application programming interface (“API”) calls rather than by existing methods such as screen scraping or credential sharing. Data providers will be required to maintain a consumer interface and establish and maintain a developer interface, both of which must meet certain performance specifications, to receive and respond to data access requests.[7] Data providers generally will not be allowed to restrict the frequency of access requests, nor will they be permitted to deny access requests except in limited circumstances to address risk management concerns.[8]
Notable Gaps in the Proposed Rule
Banking industry trade groups, whose members are subject to the proposed rule, have sharply critiqued the proposed rule for failing to be sufficiently prescriptive on issues relating to data accessibility and for being nearly silent on issues relating to liability for mishandling data.[9]
Indeed, many of the standards by which the CFPB proposes to make data accessible and available to consumers and authorized third parties appear to be delegated to standard-setting organizations (“SSOs”) that have yet to be recognized by the CFPB. The Financial Data Exchange, widely regarded by industry groups as the leading contender to qualify as a standard-setting organization, does not yet function in the form that the proposed rule contemplates. And there is no industry-wide agreement on whether any CFPB-recognized SSO should enjoy enforcement power or otherwise be able to mandate adoption of the standards it promulgates. Nor does the proposed rule contemplate that a data provider’s compliance with any standards promulgated by a recognized SSO will provide a safe harbor from any regulatory action. The lack of certainty around the role that an SSO will play under the final rule and the implementation of appropriate governance that an SSO will need to achieve recognition leaves many in the banking industry viewing the short compliance time frames in the proposed rule (which are staggered according to asset thresholds, with the first time frame to take effect six months after publication of the final rule in the Federal Register) as unworkable.
The proposed rule fails to resolve questions of liability for any potential misuse, misappropriation, or breach of a consumer’s financial data. That silence is a notable asymmetry to the obligations (and corresponding liability) that Regulation E and Regulation Z impose on financial institutions and credit card issuers to investigate disputes. The proposed rule’s failure to allocate liability is likely to disadvantage financial institutions relative to nonbanks: because consumers are more likely to complain to their banks in the first instance about potential unauthorized payments transfers, even if an authorized third party or a player even further downstream was the one that mishandled the data resulting in the alleged payment, banks will likely need to invest greater resources than nonbanks to comply with their Regulation E obligations. Any investment to meet increased compliance demands may result in either an increase in the price of banking products or services or reduced offerings of such products and services, or both, none of which would benefit consumers.
Instead, the proposed rule contemplates that liability will be handled by private contract among data providers and authorized third parties. Banking trade groups have appropriately raised concerns that larger market players—such as data aggregators and other nonbank institutions—will be able to leverage their bargaining power to minimize their liability. Leaving liability to private contract also raises the specter of inconsistent treatment of data and remedies for consumers in the event of a breach or misuse of data.
The Proposed Rule’s Potential to Blunt the Promotion of Open Banking
The promise of open banking that the proposed rule seeks to advance may be undone by two of its key aspects.
First, under the proposed rule, data providers are not permitted to charge fees in connection with developing and maintaining the data access interfaces. The costs of developing and maintaining these interfaces will be significant, with various trade groups estimating development costs of approximately “the high tens of millions of dollars”[10] and ongoing maintenance costs ranging anywhere from “millions of dollars each year”[11] to “approximately $15 million beyond what is currently spent to provide consumers and third parties with covered data through existing APIs.”[12] There is also significant cost incurred by a data provider in ensuring the security of that data when it is transferred in response to an access request. Larger institutions may be able to better leverage the work they’ve already put in to facilitate data transfers in the market as it exists today, but smaller financial institutions will not necessarily have done this work. Industry groups have argued that smaller financial institutions in particular may decrease their product offerings to consumers without a way to recoup any of the costs of their technology investments.
Further, the proposed rule imposes limitations on third parties’ use of consumer data obtained from data providers. The proposed rule provides that third parties must limit their use, retention, and collection of covered data to what is “reasonably necessary to provide a consumer’s requested product or service.”[13] The rule prohibits, as not “reasonably necessary,” use of covered data to provide targeted advertising, to cross-sell other products or services, or to sell the data itself.[14] While such limitations may be laudable from a consumer privacy perspective, they may nonetheless inhibit the achievement of open banking without greater regulatory clarity about what is “reasonably necessary” to provide a consumer’s requested product or service. It is less than clear, for example, whether a third party may collect and use consumer data to train algorithms that may in turn improve the quality of the requested product or service. Nor is it certain whether a third party may use consumer data to forecast trends that may improve credit underwriting or inform new product development.
Privacy and AI Implications
The interplay between open banking and data rights raises critical issues across state privacy regimes and federal financial services requirements—including the Gramm-Leach-Bliley Act’s safeguarding mandates. Handing users financial data-sharing control across digital services, platforms, and sectors will now drive industry obligations. However, this control sans safeguards will not only create a minefield for privacy overexposure but also open floodgates for bad actors.
When “forced” to share data, financial institutions will need to ensure secure transfer to prevent breach and compromise of consumers’ data. This will include salting, hashing, and/or tokenizing numbers to eliminate security risk, and identifying compromised points—while limiting friction on customer end points. Tokenized Account Numbers (TANs) will assist in the solution, through obfuscating raw data, pinpointing a breach (since TANs are merchant-specific), and promoting scalability. TANs are also utilized by users and merchants today and will fulfill section 1033’s mandate for secure, standardized documentation through a low-code, or no-code integration path.
In addition to the other benefits noted, open banking’s inevitable integration of AI models/algorithms will increase efficiency and user personalization. The increase in reliance on AI-driven data analytics, however, will require a continued balance between innovation and safeguarding user privacy. Named entity recognition (NER), as a subset of natural language processing (NLP), will undoubtedly be used to extract relevant information from open banking’s text-based transaction data—both for beneficial use cases such as organization and ease of customer use and for improper uses like payment surveillance. Machine learning will also solve classification problems with ease—identifying purchasing, prioritizing payments, and supporting other open-banking use cases.
Conclusion
If properly implemented, open banking will drive exciting pro-consumer innovation and competition in financial services. This new reality will have to balance privacy and AI implications to build consumer trust and maximize the potential of section 1033. To do so, the CFPB should take into account legitimate concerns raised by financial institutions regarding the burdens that the proposed rule places on them to ensure the accuracy, integrity, and accessibility of sensitive payments–related and other financial data to consumers and authorized third parties—without any ability to recoup the significant costs involved, to protect themselves against liability once the data leaves their control, or to prepare adequately for compliance with the rule in the absence of certainty as to the role SSOs will play under this regulatory framework.
Jehan Patterson is counsel at Debevoise & Plimpton LLP; Sumeet Chugani is general counsel at Cloaked. The coauthors participated on a panel titled “AI + Privacy in the New Age of Open Banking” presented at the American Bar Association’s Consumer Financial Services Committee Winter Meeting on January 7, 2024, in Santa Barbara, California, and their remarks are adapted for this article. In addition, Patterson assisted one of the industry trade groups cited in a footnote to this article in preparing comments on the proposed rulemaking to implement section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010. ↑
Proposed Rule 12 C.F.R. § 1033.111. ↑
Id. §§ 1033.111, 1033.211. ↑
Id. §§ 1033.131, 1033.401. ↑
Id. § 1033.401. ↑
Id. § 1033.421(a), (f). ↑
Id. § 1033.301(a). ↑
Id. § 1033.311(c)(2). ↑
See, e.g., SIFMA Comment Letter (Dec. 20, 2023); Consumer Bankers Association Comment Letter (Dec. 29, 2023); American Bankers Association Comment Letter (Dec. 29, 2023); Bank Policy Institute & Clearing House Association Comment Letter (Dec. 29, 2023). ↑
Consumer Bankers Association Comment Letter, supra note 8, at 16. ↑
Id. at 17. ↑
SIFMA Comment Letter, supra note 8, at 8. ↑
Proposed Rule 12 C.F.R. § 1033.421(a)(1). ↑
Id. § 1033.421(a)(2). ↑
