Issue 4: Could other federal regulators or state regulators begin to regulate open banking?
Federal prudential regulators — namely the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve, the Office of the Comptroller of the Currency, and the National Credit Union Administration — could provide perspective on the risks that exist from open banking, with or without the final rules.
More specifically, these regulators could provide much sought-after guidance regarding a bank or credit union’s third-party risk management obligations. For example, what risks should banks and credit unions evaluate for each third party that seeks access to data on behalf of a consumer? And when the third party is a data aggregator, what risks should banks and credit unions evaluate for each fourth party (e.g., the data aggregator’s client and ultimate recipient of data), if any?
The Federal Trade Commission could also provide guidance on how its Safeguards Rule, which imposes data security obligations on many non-bank financial institutions, applies to the open banking ecosystem.
The states could also exert their power in the open banking market. In the final rule, the CFPB identified a number of potential UDAAPs in open banking use cases. State regulators and attorneys general with enforcement powers could examine and bring cases against companies that engage in these and other UDAAPs when offering open banking services. In addition, state regulators and attorneys general have the power to enforce the CFPB’s rules, including the final 1033 rules to the extent they exist and are not stayed or vacated by a court.
Furthermore, at least one state — Wyoming — has adopted a standalone open banking law. It does not appear that other states have followed suit. However, high-profile actions to eliminate the CFPB’s final rules could catch federal and state regulators’ attention and cause them to scrutinize open banking practices.
What Should Banks and Fintechs Do Now?
Banks and fintechs should recognize the trend towards more consumer-directed data sharing, not less, and devise a strategy to capture the opportunities and manage the risks that these open banking activities present, with or without the final rules.
The following is a series of questions that companies should ask and answer, with or without the CFPB’s final rules.
When acting as a data provider:
• Screen scraping: Will you block screen scraping activity and, if so, under what circumstances?
• APIs: Will you develop an API to share data with third parties? If so, which products and data elements will you include? Will you follow a standard API specification, e.g., the FDX API specification? Will you hire a third party to deliver some or all of your API capabilities?
• Third-party risk management: How will you determine which third parties may access data? How will you monitor their activities on an ongoing basis?
• Bilateral data access…


