Late last week, the Consumer Financial Protection Bureau quietly published a statement that could fundamentally change the fintech industry.
The catchily-named "Advance Notice of Proposed Rulemaking on Consumer Access to Financial Records" (colloquially known as the ANPR) explained that the CFPB plans to create new regulation to implement Section 1033 of the Dodd-Frank Act, and is seeking stakeholder input before it does so. Yes, that's a lot of jargon. But look past that, and the consequences are significant: The future of fintech is now on the line.
The Dodd-Frank Act is a behemoth of financial legislation, passed in the aftermath of the last financial crisis. It sought to overhaul the system and revive trust in a sector where that was deeply lacking. In doing so, it also laid the groundwork for the following decade's fintech boom. That's partly down to the unassuming Section 1033. "It says consumers have the right to access their financial account information in a machine-readable format," Plaid's global head of policy, John Pitts, told Protocol. That allows companies like Mint to aggregate your accounts, for instance, and lets cash-flow based lenders access your bank details so they can effectively underwrite loans. It's the closest thing the U.S. has to something like the U.K.'s Open Banking regime, or the EU's Payment Services Directive 2. Section 1033, Pitts said, "underpins all of fintech."
Despite its importance, the CFPB hasn't formally implemented it. After a request for information in November 2016, it issued a set of non-binding principles the following year. But the lack of formal regulation has caused problems. As the CFPB noted, "there are indications that some emerging market practices may not reflect the access rights described in Section 1033." Plaid has encountered some of those issues itself, Pitts said: Some banks refuse to share customers' interest rate charges, he said, on the basis that the charges are proprietary information. Others are worried about enabling competition, it seems. "We have ... seen a bank include language in a contract saying Plaid may not connect a customer with any service that might cause that customer to leave this bank," Pitts said.
The CFPB clearly summed up the issue: "Competitive dynamics mean that data holders may have an incentive to restrict access by certain data users."
Formal regulation that defines just who can access data and when they can do it may offer a solution. The single most important line of this ANPR, according to Pitts, is the following: "Authorized data access holds the potential to intensify competition and innovation in many, perhaps even most, consumer financial markets." The key, he thinks, is the focus on competition, a theme that regularly repeats throughout the ANPR. "That's surprising for an agency that does not have competition jurisdiction," he said.
Overall, the ANPR indicates to Pitts that the agency is "not going small." It seems, he said, that the CFPB has recognized just how critical data-sharing is to the future of finance. The bureau is indicating that it sees this as "a critical regulatory piece of infrastructure," he said — something worth devoting its time to, given the repercussions for the entire financial industry.
But doing so won't be easy. There are some thorny debates to be had, some of which have no easy answers. Banks and fintechs may disagree about what the scope of the data is: whether banks are obligated to share interest rate data, for instance. They'll also have to figure out who's in control: If a customer wants to connect their bank account to a company the bank thinks is a fraud, is the bank allowed to stop them? If so, what's stopping the bank from preventing customers from accessing legitimate companies that the bank deems illegitimate? And if not, who's liable when something goes wrong? In a statement last year, the American Banking Association said that data aggregators like Plaid ought to be designated financial institutions, and subject to the rules that come with that — including being liable when something goes wrong.
Issues like that are complicated. But Pitts is hopeful that they'll be worked out without too much animosity. "I actually am not expecting [banks] to lobby in the other direction," he said, noting that everyone is just "working in the interest of their customers." And he's not bothered about the banking industry's vast lobbying budgets, either. "Money and influence matters, but policy and consumer demand also matters," he said. Plus, he added, "the CFPB is supposed to be insulated from that type of money and lobbying — so fingers crossed."
Surprisingly for a policy debate in 2020, Section 1033 "seems to be a non-partisan, non-political issue right now," Pitts said. No politicians are strongly supporting either side. But as things progress, that might change: The level of attention being given to it now "gives it some possibility that it gets picked up as an issue," he said.
There's plenty of time for that to happen. Once the Federal Register prints the CFPB's ANPR, a 90-day comment window will open, giving the public plenty of time to respond to the ANPR's 111 questions. After that, the CFPB will put together proposed rules, before another comment period — eventually ending with actual regulation. "You should think of [the ANPR] as the start of a two- to four-year process," Pitts said. By which time Europe will probably have new rules, and we can repeat the whole cycle again.
A young Matt Mullenweg (second from left) at a WordPress meetup in 2005.Photo: 
Even early on, Mullenweg used to tell people he wanted to work on WordPress for the rest of his career.
Photo: Arturo Olmos for Protocol
Mullenweg's vitriol has historically been reserved for those who violate the spirit of open software and open systems.
Photo: Arturo Olmos for Protocol