It’s been 12 years since Congress passed the Dodd-Frank Act, the largest Wall Street reform in American history. The effects of the bill have been far-reaching, but one key part, Section 1033, has been on hold all this time.
The provision was meant to provide marching orders to banks and fintech firms looking to share data and grow their businesses by providing new digital services to customers, like budgeting software and online bill pay. Instead, it prolonged years of squabbling and competition between banks, fintech companies, and consumer advocacy groups, which couldn’t agree on how rules stemming from Section 1033 needed to be written. At stake was control over customer data, the ability to ensure secure online transactions, and a chance to shape a new era of digital banking.
Now, finally, an end appears to be in sight. The Consumer Financial Protection Bureau, the agency tasked with rulemaking under Section 1033, has signaled that the issue will go before its small business review panel before the end of the year.
An industry group called the Financial Data Exchange, or FDX, has been a key player in breaking the stalemate, generating surprising cohesion between fintechs, banks, and consumer groups on the technical tenets of what those rules should be. Though FDX doesn’t advocate for specific policy proposals, its approximately 230-organization membership — composed of banks like Citi and Wells Fargo, fintechs like Intuit and Plaid, and consumer groups like the National Consumer Law Center — has settled on a single open API standard they think should adequately address any regulatory or industry concerns. Now those members are acting in unison, pushing CFPB director Rohit Chopra to write rules that are friendly to their standard.
“Once you start getting everyone together, you realize there’s a lot of commonality,” Don Cardinal, FDX’s managing director, told Protocol. Cardinal says his sources on Capitol Hill tell him that draft rulemaking can be expected six months after panel review, and rules 90 days after that, putting the end of what would be a 13-year wait for rules governing the field of open banking sometime near August 2023.
But anyone who works in finance knows that generating alignment among banks, fintechs, and consumer advocates on regulatory policy isn’t nearly as easy as Cardinal makes it sound.
Open banking got its start in the mid-'90s in part as an unlikely collaboration among companies in bitter competition: Microsoft, Intuit (which then owned Quicken), and CheckFree. Microsoft and Intuit each had their own proprietary APIs, then open versions of their APIs, before laying down their weapons and forming a combined open API standard that is still used to this day, called OFX. The standard was formed in 1997, before “open banking” was even a term, but the premise was the same as now: creating an open-access standard to transmit bank information to financial technology companies for consumers’ use.
Banks recognized that tech companies “had an inside track with the customers,” explained Eric Dunn, CEO of Quicken and then-CTO of Intuit. “Banks were open to sharing data with Intuit and Microsoft so that customers could have a digital experience with their financial information.”
By the early 2000s, however, banks and fintechs were tussling over who was in control of data transmission. Banks’ argument was that data sharing should be minimized in order to ensure financial and data privacy. Fintechs, meanwhile, felt that customers should be able to share as much of their own data as they would like, so they can use fintech products and services — positions that, for the most part, have remained the same ever since.
However, banks began to lose leverage as investment in fintechs exploded, nearly tripling in 2014. That led to a new wave of venture-backed, fast-growing, often consumer-facing startups offering online payment and lending services. Each of these companies required access to customers’ bank-held data, and a tactic known as screen scraping, which had existed since the late 1990s, took off. The process involves customers sharing their login credentials with fintech companies so they can access their financial records — something banks and consumer groups saw as a red flag for data security. Fintechs had access to data without having to ask financial institutions’ permission, and the balance of power was off, forcing banks and consumer groups to come to the table and search for a compromise.
“The CFPB should encourage aggregators to move away from screen scraping,” reads a comment letter Chi Chi Wu, a staff attorney for the National Consumer Law Center, sent the CFPB on rule 1033 in February 2021. The bureau should instead “encourage financial institutions to accept data sharing through application programming interfaces (APIs).”
Cardinal, who worked at Bank of America before leading FDX, says that the threat of screen scraping — and the clear improvement that can be made by allowing fintechs to access data via a secure API — is the biggest reason banks now mostly support open banking. “In one fell swoop, I can improve my cyber posture, my risk posture, and my privacy posture, and it doesn’t cost the customer anything. How cool is that? I mean, I retired from my job at B of A to go do this,” Cardinal said.
The CFPB’s press office did not respond to the direct question of why rulemaking has taken over a decade. But the bureau’s director, Rohit Chopra, was appointed last year and has suggested open banking is an issue he’s eager to tackle.
“Currently, the United States is lurching toward a consolidated market structure where finance and commerce co-mingle fueled by uncontrolled flows of consumer data,” said Chopra in his testimony last year before the Senate Banking Committee. Chopra’s stated goal is to increase competition while giving consumers more control over their data. According to hosts and two attendees, Chopra clarified at the Fintech Policy Forum last month that impending rules would place guardrails on what APIs should and should not do, rather than forcing the implementation of a singular standard like the one crafted by FDX.
“One of the things we hear regularly from the CFPB is that the market is moving fast and they want to make sure the rule is one that captures the real issues in the market,” Plaid’s global head of policy, John Pitts, told Protocol. Pitts criticizes PSD2 — an early example of open banking regulation, which came into force in the U.K. in 2018 — for only addressing data in “payment accounts,” rather than all asset-holding accounts. Meanwhile, the CFPB “started with principles of data access, and part of the reasoning behind those principles was that they can help guide decisions on ‘These are the basic protections that should exist,’ but still allow space for the market to continue to create more innovation and competition.”
FDX, cat herder
The organizational structure of FDX also has allowed for more constructive conversations around open banking standards than previously existed. When the organization is making decisions, whether that be on cybersecurity specs or how information should be presented to end users, each company gets one vote. This means that smaller firms and big banks have equal say, despite their sizes. A two-thirds majority is required to approve changes, forcing the members to reach more widespread consensus. “We don’t have the tyranny of any groups or cliques,” Cardinal said.
There still remain a few unanswered debates in open banking, however, that the CFPB will need to settle. FDX’s standard suggests interoperable data formats that should be used, but does not force any firm to comply, for example. Cardinal also confesses that there are edge cases — small, regional financial institutions, for example, of which there are thousands in the United States — that are not as engaged in standards creation or may have suggestions that are yet unaccounted for. The diversity of the financial system in America allows for many different niche perspectives, which Cardinal coyly refers to as “a lot of cats to herd.”
Despite those wrinkles, after a long wait, open banking appears to be on the cusp of being mostly ironed out. Its history proves that tactful, savvy collaboration is still possible in an industry that is at times bitterly divided. The legacy of the first collaborative standards in the 1990s was proving that collaboration was possible, Cardinal said, and that belief is also what has generated consensus today. “Without OFX proving it could be done, I think open banking would still be being built.”