Bank Think: The CFPB’s ‘Open Banking’ Rule Is a Solution in Search of a Problem

Originally published by American Banker

To understand all that is wrong with the CFPB's new consumer financial data sharing rule, which it labels an "open banking" rule, it's important to understand the current state of affairs.

Currently, millions of bank customers routinely and securely transfer data from their bank to fintechs and other service providers in a secure way through application programming interfaces, or APIs. There are over 120 data aggregators currently connecting bank data to other providers of financial services. Plaid, the leading provider of APIs, is connected to over 200 million bank accounts. Financial Data Exchange, a nonprofit standard-setting body created as a partnership between banks and fintechs, has an established API that securely connects 94 million bank accounts.

These results have been achieved through years of negotiation between banks and other data users. They have largely replaced screen scraping, where a third party obtains a customer's username and password and simply siphons data from the bank - in many cases on a constant, flow basis with the aim of harvesting and selling that data. Banks have sought to ensure that data is being transmitted securely and to an authorized user, and banks have leverage because they can shut off the data flow in the event of poor data security practices or fraudulent behavior at the third party. On the other hand, banks also want to please their customers, who object if data is not transferred where they want it. The result has been a reasonable balance where banks transfer data at a customer's request but retain some ability to prevent fraud and ensure the security of that data.

As a result, customers at the largest U.S. banks are receiving a wide range of services from fintechs, with a constant flow of data through APIs. Customers are managing their finances, making peer-to-peer payments through services like Venmo, paying their taxes and monitoring their overall financial health - all successfully leveraging their bank data. The only gap in the system is smaller banks, which in many cases lack the resources to negotiate and implement APIs.

Notably, this entire ecosystem was created and is thriving without any government intervention. However, the current CFPB - which has never found a market-based solution it likes - has decided to overturn this happy apple cart. Its rule upsets the balance and requires banks to ignore privacy and security concerns and simply open the taps on customer data.

What is most remarkable about the CFPB's rule is that it fails to acknowledge in any way that it is being issued at a time of massive and ongoing online fraud. Data from the Identity Theft Resource Center found that data breaches are at an all-time high and experiencing significant year-over-year increases. Data from Experian also shows that more than 70 million consumers were affected by a data breach globally in 2023, a 30% increase from 2022.