Open Banking shares consumer data and needs privacy policy


Since President Joe Biden's July 9, 2021 executive order, “Promoting Competition in the US Economy,” there has been renewed interest and speculation regarding the upcoming Consumer Financial Protection Bureau (CFPB) regulation under Section 1033 of the Dodd-Frank Act. Many industry leaders are optimistic. Requests for comment are a sign that the United States is moving closer to open banking. Open banking refers to “opening up data and internal processes of bank customers to other parties through digital channels” called APIs.[1] Open banking promises to foster greater choice for consumers, competition and innovation.[2]

Banking in the United States is a relatively closed ecosystem in which banks act as custodians of customer data. Open banking refers to a different ecosystem in which a customer can transfer bank account information and other data to other banks, third-party application providers, and the proliferating products from fintech companies that depend on consumers’ permission to access their bank accounts or other sensitive financial information. Section 1033 of the Dodd-Frank Act of 2010 directed the CFPB to create a formalized framework for sharing consumer data through rule making. Eleven years later, the CFPB has made no visible progress towards the proposed rules dealing with these issues. The executive order should make open banking a priority for the CFPB.

While other countries such as the UK and Australia have had open banking regulations in place for several years, the US lags behind its global peers. US industry leaders are eager to see US regulators follow suit. Without well-established legal regulations, US banks will continue to have little incentive to implement open banking.[3] While the need for open banking regulation is well recognized, industry executives remain concerned about what regulation may entail. Many of these concerns center on privacy, data ownership rights, and consumer trust. These concerns highlight the difficulty of balancing the competing goals of open banking: promoting access to data while continuing to protect consumer data. As the CFPB and federal regulators come together to set new rules, they should learn from and build on the open banking programs implemented by their global peers.[4] A successful regulatory system must be able to balance safety, a fair exchange of value and transparency.[5]

Confidentiality concerns

Historically, most laws in the United States “governing the collection and use of data have focused almost exclusively on protecting consumers from harm resulting from unauthorized access and improper use of their data.”[6] However, as other countries have turned to open banking, “the regulatory focus has shifted to both giving consumers a shield to protect their data and giving them a sword.”[7] In other words, open banking regulations offer consumers a way to proactively use their data to achieve their financial goals.[8] As the threat of data breaches and cybersecurity risks continues to increase, one of the concerns with open banking is that it will only magnify the impacts of cybersecurity breaches and incidents.[9] Additionally, increased interactions with and dependence on third parties will force banks to continue to carefully review third-party security capabilities and monitor their protocols.[10] Banking applications are often more secure than other external applications that can interface with bank systems via APIs, making it all the more critical for banks to act quickly in the event of a peak in suspicious activity.[11]

While many of the technologies underlying open banking are not necessarily new to the US banking industry, regulations requiring open banking will certainly increase the speed and volume at which organizations share their data.[12] With this increase in activity and volume, it will be imperative for organizations to have more controls in place to detect fraudulent activity.[13] Organizations implementing open banking will need to think deeply about privacy and build it into their design from the start.[14] This in-depth thinking is resource-intensive and glosses over the fact that many banks, especially smaller ones, are still using legacy systems that will require them to invest in a whole new software architecture.[15] It is reasonable for banks to remain wary of the potential risks of opening consumer data to third parties; however, if the CFPB is successful in implementing a regulated approach to data sharing, implementing sound privacy policies for open banking in the United States will be much easier.[16]

Property rights over consumer data

Beyond the question of who can access consumer data, open banking raises questions about the beneficial ownership of individuals’ financial data.[17] One of the biggest questions that will hopefully be answered in CFPB rule making is whether the financial institution is the “real custodian” of information shared by a client, or if the responsibility lies with third-party companies.[18] While other countries have “concrete regulatory guidance on how to deal with fundamental issues such as informed consumer consent, the appropriate scope and duration of data access and the attribution of liability for loss of data”, no such guidance exists for US banks.[19] Beyond these ambiguities, banks have historically had little incentive to provide third parties with access to customer data.[20] This consumer data is one of the bank’s most valuable assets and gives it a competitive advantage.[21]

As the CFPB seeks to create its own guidelines, GDPR regulations have been hailed for providing consumers with transparency about how their data is used, prohibiting the use of data outside of the agreed purpose, requiring that requests for consent be in plain language, and requiring prompt notifications of violations.[22] Open banking data regulations must go beyond simply regulating the use of data; they must also “take into account APIs, data repositories and other infrastructure elements.”[23] The CFPB needs to lay the groundwork for a data management model to ensure “accountability for confidentiality across the ecosystem” and ensure that the use of data is “legal, fair and ethical”.[24] Many are asking the CFPB to institute clear rules clarifying some of the existing regulatory ambiguities and delimiting a right for consumers and authorized third parties to access their data.[25] Additionally, once customers have chosen their consent preferences, banks and third parties must have a system in place to ensure these preferences are enforced.[26] Today, applying preferences creates administrative burdens, even internally within a single organization. As more and more parties get involved in data sharing, data management will become more and more important. The CFPB final rule on data access rights and data loss liability will be key to boosting open banking efforts in the United States.[27]

Consumer confidence

While addressing privacy concerns and clearly defining property rights will help promote consumer confidence in open banking, promoting consumer confidence must be a priority in itself. In addition to rule making, banks and regulators must be prepared to devote time and resources to educating consumers. As experience with other products has shown, customers will engage in open banking if they trust and understand it.[28] The ability of banks to be transparent in how they use and share consumer data will be key to this understanding, while underscoring the value that open banking offers to consumers who share their data.[29] CFPB regulations will help lay the groundwork for such disclosures, but the onus will be on the bank to effectively disseminate the information to its customers. Ultimately, for US regulators to deliver on the promise of innovation and freedom of choice in open banking services to consumers, they must achieve two seemingly conflicting goals: prioritizing transparency and ensuring confidentiality.

* Lindsey Adams is a summer associate and is not licensed to practice.


