The Consumer Financial Protection Bureau (CFPB) just released proposed rules for Open Banking in the U.S. which offer a framework for understanding Open Banking roles, role-based requirements and rights, and timelines for implementation, among other things. This long-awaited proposal lays the groundwork for a more mature approach to Open Banking in the U.S., or dare I say, Open Finance?
What is Open Banking?
Open Banking enables customer-permissioned data sharing and account-to-account (A2A) payment initiation, using application programming interfaces (APIs) provided by banks to authorized third parties.
For an introduction to Open Banking principles and the implications for payments industry players, read Glenbrook’s previous post: The Open Banking Phenomenon, Explained.
Open Banking supports exciting benefits.
There are numerous benefits to Open Banking, a few of which include:
- Enables customers to own and control their payment account data;
- Enables customer choice and supports the entry of new market players and innovative business models;
- Allows the use of customer payment account data to offer personalized products and services;
- Simplifies the user experience.
What is Open Finance? Markets are maturing towards Open Finance
Markets across the globe are realizing the benefits of Open Banking. As such, market models are maturing. Moving beyond sharing payment account data, Open Finance focuses on sharing a broader range of data, both financial and non-financial, with many of the same goals of supporting personalized products and services and providing a better user experience. In addition to the consumer benefits, wider sources of data benefit providers – offering deeper insight about their customers and allowing them to better assess risk. Beyond payment account data, examples of data shared in Open Finance include loans, insurance, investments, pension data, and more.
CFPB sets the foundation for Open Banking and components of Open Finance
In my read, the new CFPB proposed rules anchor in Open Banking – supporting read access to transaction history and the basis for payment initiation (though details remain unclear). I would qualify the approach to Open Banking as relatively mature too, as ‘covered data’ in the rules includes service attributes associated with an account (e.g., things like rewards credits). We also see extensions into Open Finance, as the covered consumer financial products or services include ‘Regulation Z credit cards’ (i.e., the sharing of consumer credit data).
What are the basics of the proposed CFPB Open Banking rules?
The CFPB’s recently released proposed rules would require covered entities referred to as “Data Providers” to share customer data (for example, historical transaction information), subject to the customer’s consent, free of charge and in an electronically consumable format. The proposed rules define the role types as the following:
- Data Providers (card issuers, financial institutions, and other deposit account providers)
- Data Aggregators
- Third Parties (entity authorized by consumers to access their data)
These proposed rules would be applicable to all covered entities in a four-year phased approach, based on entity size.
Like Open Banking, we will likely see commercial partnerships bridge the new rules, once in place, to further support Open Finance
The CFPB’s proposed rules are still just that – proposed. While we lack official regulatory structures, market actors can still make movements towards Open Finance. We see this in place already today – companies have stepped in to facilitate Open Banking where regulations are not in place – as regulations and market movements are not mutually exclusive. For example, a commercial partnership may enable aspects of Open Finance for those two discrete parties. This partnership may exist in a market with formal Open Finance regulations.
How can we best enable Open Finance?
Increased data sharing, while offering many potential benefits for consumers and businesses, necessitates greater focus on data privacy and the need for strong requirements around the safety and security of personal and financial data. Consumers should have the right to share their data with third parties that they authorize, and those third parties should use that data only for the specific purpose intended. Further, consumers should be able to revoke third-party access to their data at any time. The technology infrastructure must also be secure to prevent unauthorized access to sensitive information and to support safe data practices. This should include the use of secure APIs and robust security protocols, including data encryption and multifactor authentication, among others. Strict requirements around technology and the transfer and storage of sensitive data are critical to engendering consumer trust in the ecosystem.
While the CFPB proposed rules address consumer protection concerns by limiting the use and retention of consumer data, and requiring that third parties provide consumers the ability to revoke access to their data, they do not define the standards for data sharing formats, and instead encourage the development of “qualified industry standards” by a recognized standard-setting body.
Lauren Jones, Director of Market Development at the Open Banking Exchange, highlights the importance of a clear regulatory framework in Open Finance initiatives: “Common technical standards and specifications enable the secure and efficient exchange of data. As countries progress on their Open Finance journey, collaboration between the regulators and market actors is essential to promote innovation and cooperation towards a safe and modern financial ecosystem.”
Open Finance is the next phase in the modernization of financial services. It expands the pie of opportunity for providers and promises a more seamless customer experience and better insights into their financial well-being for end-users.
Around the World
Curious about Open Banking and Open Finance activities around the world? Here are a few highlights:
- Australia: Australia’s Consumer Data Right (CDR) regulation provides the regulatory foundation for data sharing and portability. While formal regulation for payment initiation is still in progress in Australia, the instant payment system, NPP, has implemented an innovative consumer-facing interface, called PayTo, that enables end users to permission third-parties to initiate payments on their behalf and provides the ability to control all of their provisioned NPP third-party authorizations in one centralized place.
- Brazil: Brazil has implemented formal Open Banking regulations that enable the standardized sharing of data and services through APIs, bringing innovation and promoting competition in Brazil’s financial system. Brazil’s Central Bank (BCB) has been implementing Open Banking and progressively moving towards Open Finance in a 4-phased approach. In parallel, third-party payment initiation is currently supported in the Pix instant payment system.
- Europe: PSD2 provides the regulatory foundation for Open Banking in Europe and requires banks to develop secure channels for third-parties, with the customer’s permission, to transmit data and initiate payments. However, PSD2 did not specify how the banks’ secure channels must be implemented. The EU is currently in the process of modernizing PSD2, slated to become PSD3, and is simultaneously advancing towards Open Finance through a legislative proposal designed to establish a framework for financial data access beyond payment accounts, encompassing a broader spectrum of finance verticals, such as savings, investments, and more.
- India: While India does not have comprehensive Open Banking regulations, it does permit certain activities. Licensed Account Aggregators can consolidate consumers’ financial information retained at different financial institutions, with the consumer’s consent. Similarly, there is no specific regulation that explicitly permits payment initiation; however, UPI provides scheme-level rules for the role of third-party app provider (TPAP) and technical infrastructure for the use of third-parties for payment initiation. This has been wildly successful in India, and monumentally transformational to the India payments market.
- Singapore: The Monetary Authority of Singapore (MAS) developed API Exchange (now APIX), which is a cross-border, open-architecture API marketplace and sandbox intended to streamline collaboration between financial institutions and fintechs.
- UK: Building on PSD2, the UK’s regulatory body, the Competition and Markets Authority (CMA), created a private entity, the Open Banking Implementation Entity (OBIE), to design the architecture for Open Banking (e.g., APIs, data structures and security protocols), which aimed to simplify integration for third-parties by providing standardized APIs for a variety of functions, including payment initiation.