Open banking has been lauded as the future of the global financial system, and the U.S. is now beginning to adopt a model that has already gained significant traction overseas. After the Consumer Financial Protection Bureau (CFPB) released its rules governing open banking, many are wondering about the impact these regulations will have on financial institutions—and the technology that powers them.
In his latest report, Navigating 1033: Technology Considerations for the New Rules of the Road, James Wester, Co-Head of Payments at Javelin Strategy & Research, discussed the motivations and implications of Section 1033, and how financial technology professionals can prepare for the changes to come.
Freedom of Choice
Section 1033 refers to a portion of the Dodd-Frank Wall Street Reform and Consumer Protection Act which Congress passed in the wake of the financial crisis. The data protections laid out in Section 1033 have been largely inactive for over a decade, but the CFPB is now set to bring these regulations into effect.
At the heart of the new rules is the concept of freedom of choice. Consumers will have greater control over their financial data, enabling them to transfer their information between financial institutions at no cost or restrictions.
The regulations are designed to eliminate excessive fees often charged by banks or fintechs and to drive innovation in the market. Consumers will be able to shop around for the best rates and financial products, which the CFPB hopes will foster competition among banks, encouraging them to offer better products and services.
While the new model promises substantial benefits for consumers, banks are also expected to see long-term benefits. However, the increased focus on safeguarding consumer data will present some short-term obstacles for financial institutions.
“The big takeaway is that compliance is becoming more of a technology concern,” Wester said. “That’s a two-fold issue. For the technologists that are tasked with making the open banking environment work, compliance now needs to be one of the original concerns when building out anything that’s going to be dealing with consumer data. The other part of it is that compliance teams often still don’t understand a lot of the technical considerations and concerns.”
Translating Tech
On the technology side, making the product works has often been a more important consideration than compliance. However, technologists who may not have previously interacted with compliance teams will now frequently be called upon by risk, compliance, and regulatory affairs teams to help address technology considerations.
“It’s hard to find a person in a technology role who is not comfortable with telling people about technology,” Wester said. “However, they’re now going to have to look at it through that compliance lens. That can be oftentimes frustrating to folks on the technology side—translating tech for the layman. But doing so for a compliance audience is going to now be a more important consideration and something they’re going to have to become more comfortable with.”
Collaboration will be necessary to ensure that an institution’s customers are given the full transparency demanded by Section 1033. Before giving a third-party access to consumer data, banks must get consent from customers and explain what data will be collected and how it will be used. They will also have to verify the identity of the customer and the third-party.
However, Section 1033 goes beyond the initial consent process. Financial institutions must provide consumers with accessible tools that allow them to revoke their consent to share data at any time. Consumers must renew their consent every year, and any changes in consent status must prompt notification to all affected data providers.
Third-party financial providers will not be allowed to collect more consumer financial data than explicitly specified, sell consumer information, or use it for any other purpose that isn’t directly tied to the customer’s request. Additionally, fintechs will have to provide developer portals for their APIs, including documentation and support systems.
Financial institutions will also have more robust recordkeeping requirements under Section 1033, and they will have to undergo periodic audits to prove they are compliant with the standards.
Growing Pains
While the open banking model will likely prove worthwhile in the long run, many financial institutions have limited time to prepare for the upcoming changes. Large banks and fintechs have just two years to comply with the new rules, whereas smaller banks will have a bit more leeway, with up to six years to conform to the CFPB’s regulations.
“Especially in smaller institutions, many of the technology and infrastructure professionals who might not have been paying attention to the compliance angle will now need to,” Wester said. “From a payment standpoint, it is going to involve more moving parts to initiate payments through a third-party provider and include all those things that are in a larger financial toolbox, while still maintaining compliance.”
