The development of the Consumer Finance Protection Bureau’s (CFPB) “open banking rule” is causing concern in the financial services world. The CFPB’s new focus on open banking is part of efforts to expand consumer data sharing, an initiative designed to allow consumers greater flexibility in choosing services, as well as remove barriers to transfer from one institution to another.
However, as the name suggests, the openness inherent in the new rule has many concerned about its impact on privacy and data security. These concerns are at the heart of the concerns of many players in the sector. It is therefore important to determine exactly what the rule is supposed to do and what steps financial institutions can take to best protect consumer privacy and ensure security.
What is that?
Open banking was first mandated by Congress as part of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010. Although this gave the CFPB responsibility for developing rules regarding consumer data, the agency did not propose a rule open banking until the Biden administration urges them to do so through a July 2021 Executive Decree. The agency is now working on a final proposal for an open banking rule that would give consumers more control over their financial data.
Once approved and implemented, the Open Banking Rule aims to enable consumers to own, access and share their financial data how and with whom they want. This includes allowing third-party vendors to access and use their data for payments and financial data – two features that banks have traditionally restricted.
As stated by the CFBP, there are three stated purposes of the rule:
- Improving competition and consumer choice
- Strengthen consumer privacy and control
- Develop financial inclusion
While these goals are certainly laudable, for many fintech companies and financial institutions they present significant security and consumer data privacy concerns. Since there is no single US law governing the privacy and security of all types of consumer data, financial institutions, as custodians of their customer data, must comply with all applicable regulations. When third parties are included in the mix to facilitate the basic principle of open banking, the task of keeping data safe and secure becomes much more complicated.
To alleviate these concerns, many organizations are adopting APIs to more easily interface and protect sensitive information, but data governance and security issues persist. Although open banking APIs provide access to consumer transactional data, it will likely be difficult for the average consumer to know who has access to their personal data. In addition,
Gartner identified APIs as the top attack vector of 2022, while Salt Security found a
681% increase in API attacks in 2021.
Additionally, without an agreed standard or requirement for open banking data, practices such as data copying and screen scraping could make it even more difficult to restrict how businesses can use this information. Given the prevalence of identity-based attacks – as well as the lack of data exchange standards – many fear that looser frameworks around data orientation will lead to increased threats and security vulnerabilities that could prove detrimental to consumers and financial institutions.
What should we do?
Consumer education is an essential part of the adoption of any new innovation, especially in the financial services sector. Despite concerted efforts to educate consumers, customers of banks and financial institutions are still being victimized by scammers, especially as criminals continually change their tactics to evade detection. In 2021, consumers lost almost
$52 billion to traditional identity fraud and identity fraud scams, with nearly $7 billion attributed to fraud when opening a new account.
With this in mind, many fear that open banking could become a dangerous way for criminals to trick unsuspecting consumers into divulging confidential information that ultimately provides unauthorized access to their personal data. Although Reuters reports that most banks do not oppose the new rules, they are working to limit their scope, arguing that it could put consumer data at risk because third-party providers may not have the same rigorous cybersecurity and privacy standards than traditional companies.
As such, it is paramount that all financial institutions use the best tools at their disposal – including behavioral biometrics and other real-time threat detection technologies – to stop attacks before they happen. . There is now technology that can flag irregular behavior and lock down all sensitive account information, processes and transactions before any practical damage can be done. The best defense is targeted prevention, and with contemporary protections, banks can defend their customers without implementing prohibitive controls. These will prove critical in preventing the expected influx of identity-based attacks that open banking is likely to lead to.
It is a little early to understand exactly what form open banking rules will eventually take in the United States. The next step in the CFPB’s rule-making process is a review by a panel of small businesses, which is expected to be conducted before the end of the year. It is important to note that Open Banking Rules have been in place for some time in the UK and can therefore serve as a framework for US regulators and financial institutions to follow with respect to data security and privacy.
The CFPB is expected to carefully consider all angles before announcing the timeline for this groundbreaking change and its official rollout. However, regardless of its final form, the open banking rule promises to benefit the average consumer while increasing risks related to data security, consumer data privacy and financial harm. Given this reality, savvy financial institutions should not only thoroughly review the proposed rule now, but also put the structures and protocols in place to protect their users now and in the future.