The Consumer Financial Protection Bureau in late October released its long-anticipated proposed open banking rule as part of the implementation of section 1033 of the Consumer Financial Protection Act of 2010. If adopted, this requirement would bring consumer-permissioned financial data sharing to the U.S. in a formal way for the first time, helping it to catch up to other jurisdictions like the U.K. and Europe. However, despite quite a lot of institution-led activity around open banking, the country’s banks don’t exactly seem primed for a true regulatory framework.
Specifically, very few institutions appear to be embracing open banking in its true form — according to CCG Catalyst’s Banking Stability and Innovation Study 2023, only 17% of C-level bank executive respondents in the U.S. said they are committed to providing open data access to third parties. A much greater number — 48% — said they are interested in working with select third-party partners.
The problem with this is that it completely misses the point and spirit of open banking. This concept is built around the idea that financial data ultimately belongs to the customer, and that the customer should be able to share it with third parties as they see fit. The bank doesn’t get to choose.
Many banks are likely going to have to undergo a major shift in mindset as open banking makes its way to the U.S. Open banking regulation elsewhere, such as the Second Payment Services Directive (called PSD2, or now PSD3) in Europe, mandates that financial institutions share data with third parties at a customer’s request. And it’s expected to take a similar form here. According to the CFPB, this rule “would require depository and nondepository entities to make available to consumers and authorized third parties certain data relating to consumers’ transactions and accounts; establish obligations for third parties accessing a consumer’s data, including important privacy protections for that data; provide basic standards for data access; and promote fair, open, and inclusive industry standards.”
The issue for bank executives can probably be boiled down to the prospect of sharing data freely in an already competitive environment, and doing so via application programming interfaces that they will have to build (amid legacy technology hurdles and often with reliance on their core provider). Admittedly, it’s not hard to see why, at first blush, neither of these is particularly appealing from where they are sitting.
As Lex Sokolin, global director of fintech strategy at Autonomous Research, explained to American Banker, there are fewer and fewer moats banks have to protect their legacy business, and one of them is internal data on clients.
“The bank thinks if they have the data and it’s proprietary to them, then the solutions they can build on them are proprietary to the bank,” he told the outlet. As such, there is little interest in playing ball.
A better use of regulators’ energy may be to refocus around the opportunities open banking presents. For example, banks can use open banking to extend best-of-breed approaches by enabling customers to use third-party apps more easily, creating greater satisfaction and stickiness with their own products. Beyond that, there is potential to expand the APIs they offer outside of what is required, allowing access to bank functionality that they can charge for.
Often, the technical hurdles related to open banking take up a lot of the conversation. Smaller banks in particular have been very vocal about this. Yet, the way banks think about open banking is arguably a bigger barrier. The U.S. has been so far behind in developing standards that these institutions have had plenty of time to come up with their own definitions and approaches. Arguably, too much time. That’s the real conundrum. And now, they are going to have to reframe all of that in order to move forward.
Ironically, the work required to do this may very well prove to be far more difficult than building APIs to begin with. Ultimately, though, the first step on this journey (and a monumental one for certain) will be accepting that the bank’s data isn’t actually the bank’s at all.