Fintech Law TL;DR (Nov 16)
Open (the) Banking (Floodgates)
Hi all 👋
Between Money2020 (was great to meet a lot of you in person!), midterm elections, and FTX’s explosion, it’s been a heck of a few weeks.
We had Ron Shevlin on Fintech Layer Cake to talk about Apple Checking Account prospects, Super Apps, and his recent Teen Spirit piece.
This edition’s a bit different than usual. It’s a deep dive on the CFPB’s open banking proposals and an attempt to suss out some avenues for innovation they may open up, in a way most law firm blogs don’t.
If you’re reading this in email…click here to open this edition in a browser, and grab a coffee because this is, uhh, the longest edition I’ve written. Sorry not sorry.
Open (the) Banking (Floodgates)
Right now, the proposals are going through a not-so-brief SBREFA review, which means the CFPB is analyzing the economic impacts it might have on small businesses. But this is the first real glimpse we’re getting of what open banking regs might look like in the US.
Open banking generally refers to “the practice of giving financial services firms access to customer banking and other financial data.”1 In the US, open banking takes the shape of Section 1033 of the Dodd-Frank Act, which generally gives consumers the right to access their financial info. The idea is banks don’t own your account info. You do, and you should be able to share it as you wish.
But Section 1033 is part of a law, so it’s pretty high-level and hand-wavy. The Bureau has done some initial legwork on it,2 but hasn’t written any 1033 regs yet.
The new releases mean we’re likely to see open banking regs take shape over the coming year, and they might be finalized in 2024.3
But…Don’t We Already Have Open Banking?
Banks generally don’t like third parties accessing their systems, especially via screen scraping. So there’s been a game of cat-and-mouse, more so during the early days of US open banking, where banks would try and block access, third parties would find a workaround, banks would block access, third parties would find a workaround, etc. etc. If a bank said “we’re going to sue the daylights out of you,” the data accessors could say “lol no, 1033 lets us do this.”
But there are no regs that clearly spell out what’s OK. As a result, open banking in the US has largely been industry-led, not regulation-led (like in other countries). Instead of banks creating APIs to comply with regulations, third party data accessors started with screen scraping and graduated to negotiating contracts with banks for access.
So we’re entering a new phase of open banking. One that will be both industry- and regulation-driven.4
Why does open banking matter?
The narrative around open banking has generally been that it’s a good thing because it gives consumers more control, promotes competition, and enables better and new products and services. Lots of folks believe it will practically facilitate bank account switching and drive down fees.
I, and others I’ve talked with, have thought about open banking as being about financial info. But, if you connect a few dots in the CFPB releases, you start to see it’s about a lot more. Let’s explore.
Lawyers Gotta Disclaim
Three caveats. First, I’m no policy expert, and there are far greater minds digesting the proposals. Releases like these can take months to truly digest. So consider this a “first round of thoughts” from me.
Second, this isn’t an exhaustive summary. Do your own research, etc., etc.
Third, we only have very high-level proposals. Not proposed regulations. Just questions like “should we allow screen scraping?” Some of what the Bureau’s thinking will shift, and a lot needs to be filled in.
OK, onto the fun part.
Summary of Proposals
Who Has to Provide Data?
Under the 1033 proposals, the types of entities who have to open up consumers’ financial info are “financial institutions”5 (aka, banks, savings associations, credit unions, etc.), and credit card issuers.6 For simplicity, I’m just going to refer to “banks” in this edition. But don’t forget it includes credit card issuers, too!
The Bureau is considering exempting smaller institutions; smaller, resource-strapped banks probably shouldn’t be forced to build an API or pay a third party to do so.
Who is covered by 1033 comes from the Dodd-Frank Act’s definition of covered person: “any person that engages in offering or providing a consumer financial product or service” or a service provider of such person. That’s…a potentially wide-reaching definition. It seems the CFPB is starting with a narrower scope than what’s actually done in practice right now, waiting to see how it goes, and expanding from there.
A Theme Emerges: The proposals – even any final regs – are a starting point, and may expand over time. 1033 could cover so much more than “banks” and “credit card issuers.” For example, payroll companies or mortgage providers aren’t included in the proposal.
What Products Are Covered?
The Bureau intends to apply 1033 to “accounts” under Reg E and “open-end credit cards” under Reg Z.7 In English, this mainly means: checking and savings accounts, credit cards, prepaid cards, and digital wallets.
“While we expect to cover more products over time, we are starting with these ones,” Chopra said in his speech. See Theme One above: the 1033 proposals are a starting point that can be built on. The SBREFA proposal even notes that the Bureau is already considering adding needs-based government benefit accounts and other credit products.
Who Gets Access? How?
The proposal gives consumers the right to access their own info (in human or machine-readable format). But it also says consumers can authorize third parties (e.g., Plaid) to access their info if the third party:
Provides the consumer with key terms (e.g., what accounts will be accessed, how often and for how long, and how to revoke access);
Gets the consumer’s consent to those terms; and
Certifies they’ll abide by third party obligations about how the info will be used (discussed below).
One obvious concern: how easily could fraudsters fake an authorization when they call a bank’s API? The Bureau seems to get that, though. They ask if banks should be required to notify or get authorization from a consumer for a third party’s initial access attempt.
What Info Is Covered?
The Bureau’s release sketches six categories of info that banks would need to make available, though it has some exemptions (e.g., for proprietary algorithms, or info collected for fraud or AML purposes).
IMO, the six categories are where you can get a sense of the potential for innovation, so let’s go through each.
First Category: Periodic statement information, including:
The amount, date, location, and merchant name for transactions
Interest credited or charged
Terms and conditions of the account and fees that may be charged
Total charges for overdrafts and returned items unpaid
Some implications to get you thinking:
A consumer can ask a competing bank whether it can offer a better APR than their existing credit card. By looking into the consumer’s existing account and card info, the competitor can do more complete underwriting (based on account history) and offer a lower APR and more tailored rewards.
Same as above, but for bank account fees like overdrafts. A competitor bank could analyze an account’s history and tell a consumer “based on the fees your bank charged vs. what we charge, you’ll save $X next year if you switch to us.”
Better, more inclusive underwriting by being able to access more info. Lots of folks are highly skeptical of this; the Bureau would need to re-do other regs that effectively chill innovative underwriting.
Second Category: Info about pending transactions and deposits.
Third Category: Info about transactions that isn’t typically shown on periodic statements or in consumer portals (e.g., info from a card, ATM, ACH, or RTP network).
The Bureau specifically cites info about interbank routing, and says the data could identify the name and account number where funds were sent from and ultimately deposited, and the banks that handled it along the way. And, the Bureau says, this info could be used to better resolve disputes, identify fraud, or recover fraudulently stolen funds.
Two thoughts. First, another theme emerges: 1033 could be used to enable innovative fraud-fighting tools.8
Second, the Bureau notes this kind of info has the potential to better resolve disputes and recover fraudulently stolen funds. And that’s likely to be important for consumers with low balances and “could therefore . . . promote financial inclusion.”9
Another theme emerges: 1033 can be used to promote inclusion.
Fourth Category: online transactions consumers have set up, but which haven’t happened.
Think recurring bills or rent. The proposal would make banks provide bill amounts, dates, and advance notices. One practical example (from the proposal): a third party could monitor for advance notice of bills and advance a deposit to avoid an overdraft fee.
Fifth Category: The proposals include opening up “information related to the identity and characteristics of the consumer accountholder.”10 The CFPB says this could include: name, age, gender, marital status, number of dependents, race, ethnicity, citizenship or immigration status, veteran status, address, phone number, email, DOB, SSN, and driver’s license number.
Another theme has entered the chat: 1033 as a tool for identity innovation.
Imagine a consumer signs up for a fintech debit card, and it goes something like:
1. A consumer has an account at a bank.
2. The consumer applies for an account at a fintech.
3. As a first onboarding step, the consumer authorizes the fintech to access their account at the bank.
4. The fintech pulls the consumer’s identity info from the bank.
5. The fintech runs KYC and sanctions checks in the background, and the consumer is verified and doesn’t have any sanctions hits.
6. The fintech approves the consumer, and the consumer is all set up: they’ve already linked a funding source (step 3), and their name, address, email, etc. have already been pulled (step 4).
All the consumer does is authorize the fintech to access their info! That’s it! It kind of looks like signing up for a new service using your existing Google or Facebook account. One click, you’re done.
There’s also gotta be fraud-fighting potential if you can pull or confirm a user’s identity info from another bank. 🤔
Great idea. But let’s come back down to earth with some caveats:
lol, KYC is never that simple (and that’s not necessarily bad!). For example, there are always applicants that will need to provide additional KYC info or docs.
Whether the KYC hypo above could work depends, in significant part, on what a bank’s policies allow. Which depends, in significant part, on guidance from regulators other than the CFPB. And neither of those things may allow it. But the idea of getting an SSN for KYC purposes from a consumer-permissioned existing bank account is…not all that infeasible, and might, practically, be more effective than some of what’s done today. There’s also a potential middle ground where, for example, a consumer has to actively confirm the SSN that was pulled is theirs.
The proposals aren’t done! Who knows what the final rules will be!
You can already get some information from banks like this via Plaid and others. But the 1033 proposal would open up the info a little more (i.e., SSN and driver’s license number would be new, based on the folks I’ve talked with).
The CFPB flags that making a consumer’s identity info available could be a huge fraud, security, and privacy risk. To mitigate the risk, they’re considering a “confirm/deny” approach where a third party would get info from a consumer, send it to the consumer’s bank, and the bank would only confirm or deny whether the info matches what they have (without providing any info). This would moot identity and fraud innovation like the sign-up hypo above. I would love to see them dig into the identity innovation potentials because IMO there might be a happy middle-ground. Don’t do the confirm/deny idea (most folks I’ve chatted with think it’s an innovation-killer); instead, make banks give notice or require confirmation any time a third party wants to access info.
Got any other ideas for how 1033 could open up identity or fraud innovation? Let me know, I want to hear ‘em! It’s one of the more under-discussed pieces of open banking, IMO.
Sixth Category: The CFPB is considering including a grab bag of other financial info, like:
Consumer reports that a bank used in deciding to provide a product/service.
Bonuses, rewards, discounts, or other incentives.
Food for thought: what if a bank or credit card competitor could directly see what your current rewards etc. are and offer you better ones?
Info about security breaches that exposed a consumer’s identity or financial info. See the theme “1033 could help fight fraud.”
API vs. Screen Scraping
The proposal shows a clear preference for APIs over screen scraping, in light of the latter’s limits and risks. It sounds like the default rule is “banks need an API, unless an exception applies, in which case, screen scraping is fine.”
For example, if a bank is exempt from 1033’s API requirement because it’s too small…then yes, screen scrape away. Or if a bank’s API goes down, then, yep, feel free to screen scrape (which also disincentivizes banks from setting up shoddy APIs that break often).
The Bureau’s open to alternatives, though, and asks whether there’s some way to mitigate screen scraping risk by having banks provide some sort of login token so consumers don’t have to disclose their credentials. I expect there’ll be standards and other requirements for screen scraping before the rules are finalized.
Noticeably absent from the proposals: webhooks.
Credit where it’s due: the Bureau is already using wishy-washy language to describe APIs (“third-party portal that does not require . . . consumer credentials”). And that’s great; the language should be flexible so tech doesn’t get locked in and can’t evolve because of how a regulator defined it years ago. 👏
The Bureau is considering giving consumers the right to dispute inaccurate data. They also ask whether banks should be required to provide info they believe is inaccurate.
Private vs. Public Regulation?
Who will regulate open banking? Do we want a mix of industry self-regulation + regulators?
Remember, it’s effectively been industry-led till now. There are instances where an industry sets its own rules. One salient example is FINRA, which is a “self-regulatory organization” (not government regulator!) that oversees broker-dealers, though there are plenty of other examples.
In separate remarks, Director Chopra acknowledged that “[d]ecentralized, open banking will likely rely on fair standard-setting, through an amalgam of legally binding rules and industry developed standards.” Makes sense; the Bureau should probably set a floor and let industry experts raise it and deal with the details with their expertise (e.g., setting standard API fields and security standards).
The CFPB is considering limiting the use of shared info to only what’s “reasonably necessary” for the requested product/service, requiring reauthorization after a certain amount of time, and requiring a simple way to revoke access.
The Bureau’s considering letting data providers limit the frequency and duration of access requests. I imagine the idea here is to prevent DDoS-style attacks and general abuse.
The Bureau is proposing requirements that will limit how much data providers can game the system (e.g., overly restricting access, or APIs that barely work) as well as how to prevent monopolization.
The proposal says existing law (GLBA) probably already imposes sufficient data security requirements, so we may not need 1033-specific ones. The gist of that law is banks should have security programs that depend on the nature of their activities; it doesn’t dictate minutiae.
The CFPB’s considering setting API availability requirements (e.g., uptime and latency). IMO not something they should get too granular on, but some vague “must provide a reasonably functioning API” isn’t the worst idea, so there’s at least some tool to go after banks that half-ass their API.
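To make the moving parts above concrete, here is an added toy model in Python (mine, not CFPB text and not any bank’s or vendor’s code): a consumer-granted authorization carrying the key terms (which accounts, how often, for how long, revocable), the consent and certification gates, a provider-side frequency limit, and the confirm/deny identity check from the sign-up hypo. Every name, endpoint and sample value in it is constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hmac


@dataclass
class Authorization:  # the key terms the consumer is shown and consents to
    consumer_id: str
    third_party: str
    accounts: frozenset          # which accounts may be read
    max_requests_per_day: int    # how often
    expires_at: datetime         # for how long; afterwards reauthorization is needed
    certified: bool = False      # third party certifies it will honor the use limits
    revoked: bool = False        # consumer can revoke at any time
    request_log: list = field(default_factory=list)


class DataProvider:
    """Hypothetical bank-side gateway, constructed for illustration."""
    def __init__(self, transactions, identity):
        self._tx = transactions      # account_id -> list of transaction dicts
        self._identity = identity    # consumer_id -> {attribute: value}
        self._grants = {}

    def grant(self, auth, consumer_consented):
        # Access exists only once key terms, consent, and certification all hold.
        if not (consumer_consented and auth.certified):
            raise PermissionError("consent and certification are both required")
        self._grants[(auth.consumer_id, auth.third_party)] = auth

    def revoke(self, consumer_id, third_party):
        self._grants[(consumer_id, third_party)].revoked = True

    def _authorize(self, consumer_id, third_party, now, account_id=None):
        """Return (auth, reason); every permitted call counts toward the frequency limit."""
        auth = self._grants.get((consumer_id, third_party))
        if auth is None or auth.revoked:
            return None, "no active authorization"
        if now >= auth.expires_at:
            return None, "authorization expired; reauthorization required"
        if account_id is not None and account_id not in auth.accounts:
            return None, "account outside authorized scope"
        if sum(1 for t in auth.request_log if t > now - timedelta(days=1)) >= auth.max_requests_per_day:
            return None, "frequency limit exceeded"
        auth.request_log.append(now)
        return auth, "ok"

    def get_transactions(self, consumer_id, third_party, account_id, now):
        auth, reason = self._authorize(consumer_id, third_party, now, account_id)
        if auth is None:
            return {"ok": False, "reason": reason}
        return {"ok": True, "transactions": list(self._tx[account_id])}

    def confirm_identity(self, consumer_id, third_party, claimed, now):
        """Confirm/deny: report whether ALL claimed attributes match; never return them.
        One bit for the whole set (not per attribute) so the endpoint cannot be used to
        recover an SSN or DOB field by field; the frequency limit bounds the guesses."""
        auth, reason = self._authorize(consumer_id, third_party, now)
        if auth is None:
            return {"ok": False, "reason": reason}
        record = self._identity.get(consumer_id, {})
        checks = [attr in record and hmac.compare_digest(
                      str(record[attr]).strip().lower().encode(),   # normalize case/whitespace
                      str(val).strip().lower().encode())
                  for attr, val in claimed.items()]   # evaluate all, then combine
        return {"ok": True, "match": bool(checks) and all(checks)}


def demo():
    """Walk the newsletter's sign-up hypo with constructed data (the SSN is a placeholder)."""
    t0 = datetime(2022, 11, 16, 9, 0)
    bank = DataProvider({"chk-1": [{"date": "2022-11-01", "amount": -42.10}]},
                        {"c-100": {"name": "Pat Example", "dob": "1990-01-02", "ssn": "000-00-0000"}})
    c, tp = "c-100", "fintech-app"
    auth = Authorization(c, tp, frozenset({"chk-1"}), 2, t0 + timedelta(days=90), certified=True)
    bank.grant(auth, consumer_consented=True)   # the consumer authorizes the fintech (step 3)
    r = {"tx": bank.get_transactions(c, tp, "chk-1", t0)["ok"],
         "scope": bank.get_transactions(c, tp, "sav-9", t0)["reason"],
         "match": bank.confirm_identity(c, tp, {"name": "pat example ", "dob": "1990-01-02"}, t0)["match"],
         "limited": bank.confirm_identity(c, tp, {"ssn": "000-00-0001"}, t0)["reason"],
         "expired": bank.get_transactions(c, tp, "chk-1", t0 + timedelta(days=91))["reason"]}
    bank.revoke(c, tp)
    r["revoked"] = bank.get_transactions(c, tp, "chk-1", t0)["reason"]
    return r
```

Note that the rejected out-of-scope call is not logged, while each permitted call (including a confirm/deny lookup) is, which is what makes the third request in the walkthrough hit the frequency limit.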
Layers to the 1033 Cake
Now that we’ve got a high-level summary of 1033, I want to write some big picture thoughts out loud.
The Big Question
What will having 1033 regs enable that isn’t currently being done? Will it actually matter more for fraud and identity than for financial account info, since that’s mostly being done? It’ll depend a lot on the final regs.
In Chopra’s speech, he says they’re aiming for 2024 final rules. That doesn’t mean we’ll see change then. There’ll likely be an on-ramp period where banks build out their APIs after that. I’ve heard that banks expect it would take 4-9 years (depending on bank size) after the rules are finalized to have APIs ready.
We’ve got some themes:
1033 might open up new fraud-fighting tools.
1033 might enable identity innovation.
1033 might promote financial inclusion.
Also, the CFPB seems to view the proposals as a starting point, and will expand over time, even after the first set of regs are done. The final regs will likely be narrower than what’s done in practice. So the Argyles and Pinwheels of the world will still exist in the liminal state that the Plaids have existed in (two clothing patterns in one sentence is a PR for this newsletter 🎉 ).
The “start small” and expand approach is risky, though. What if a Republican wins the next presidential election, and Chopra only has time to finalize the initial proposals? It might be the more responsible approach, but it could leave a lot on the table.
1033 is for consumer accounts. Banks don’t have to open up commercial accounts! So open business banking will continue to be industry-led, not regulation-driven. As a result, I wouldn’t be surprised if the innovation we see for consumers is different than for businesses.
Props to the Bureau
The Bureau has generally done a great job understanding open banking and with the initial proposal. I know the Bureau can sometimes get blasted on Twitter, so it’s worth calling out impressive, thoughtful work from the CFPB when you see it. Open banking is a Sisyphean task. 👏👏👏
“Account switching will change everything!”
There’s this belief that 1033 will make it easier to switch bank accounts. I don’t buy it. At least not yet. And every person I’ve talked to in the past two weeks about open banking also doesn’t.
Easy example: switching direct deposit. How can you do that if payroll providers aren’t included? AFAIK, you can’t re-route a direct deposit from your bank account alone. That capability is owned by a third party.
And what if you’ve got recurring utility bills set up? Giving Plaid access to your bank account doesn’t change the payment instructions you set with your utility company.
It mainly seems like the only “bank account switching” capability under 1033 is porting over account history. Which is better than nothing. But probably not enough to practically switch your default account easily.
What Happens to the Plaids of the World?
If medium and big banks have APIs and they coalesce around a standardized format, fintechs might just cut Plaid out and build to the APIs themselves.
BUT. Fintechs probably won’t build for the long tail of banks, especially if (as I expect) the Bureau exempts small banks from building an API and allows screen scraping them.
And, practically, cutting Plaid out will mean you take on 1033 regulatory responsibilities. It’s not just going to be about building to banks’ APIs, but also creating a simple way for consumers to revoke access, and having to comply with security requirements, inaccurate info disputes, etc. That is a regulatory moat suggesting existing players won’t lose a ton of importance and pricing power. It seems anti-competitive, which is counter to what the Bureau wants for 1033. But there probably should be some meaningful compliance obligations for any third party accessing consumer bank accounts.
What About Fintechs?
Will fintechs be responsible for handling the 1033 obligations of their bank partners? Maybe banks pass 1033 compliance obligations onto fintechs (subject to bank oversight, ofc!).
Maybe we end up in a Durbin exemption-like world: smaller banks don’t have to have an API. So partnering with a smaller bank means you don’t have to deal with 1033-related compliance obligations from the bank. 🤔
The proposals don’t mention opening up fintechs (independent of bank partners who pass on 1033 obligations). But as I’ve mentioned, the Bureau seems to be taking an incremental approach. So maybe that comes down the road.
Build All the APIs
There almost certainly will be a business that emerges as a vendor building 1033 APIs for small- and medium-sized banks who want to outsource it (probably most of them?).
Thanks for coming to my Open Banking TED Talk. 🙏🏻
If you have any thoughts about the practical implications and avenues of innovation the 1033 proposals might open up, reach out! I’d love to hear them.
Happy three millionth complaint, CFPB. 🎂
The OCC announced a new Office of Financial Technology to “provide strategic leadership, vision, and perspectives for the OCC’s [fintech] activities and supervision.” As far as I can tell from searching Money2020’s speakers and events, no current OCC representative spoke (in contrast to the CFPB and FinCEN). The CFPB’s director used the conference to announce open banking. The OCC’s new office was announced later that same week. Food for thought: why didn’t the OCC announce it at Money2020? Some folks expect the new office means increased fintech scrutiny.
The CFPB asked the Supreme Court to review the 5th Circuit’s ruling last month that the Bureau is unconstitutionally funded.
The Bureau also issued guidance that it will treat surprise overdraft fees as unfair and abusive; the White House issued a press release noting the Bureau is also developing rules for other bank and credit card fees, and highlighted recent FTC initiatives also targeting junk fees.
The Bank Reg Blog published a great summary of the OCC’s approval of Flagstar Bank’s merger with New York Community Bank, which includes requiring Flagstar to divest from a stablecoin consortium it had invested in.
The CFPB issued a circular affirming that consumer reporting companies and furnishers cannot “skirt dispute investigation requirements,” following the Bureau’s observations that CRAs and furnishers have failed to conduct reasonable dispute investigations.
The CFPB re-opened its comment period for public input on big tech and payment services (not for want of input…as of 11/12, there were well over 100 comments). The Bureau is particularly interested in input on acceptable use policies, likely a result of PayPal’s recent misinformation policy updates.
The CFPB finalized its rules for supervising nonbanks. In April, we talked about the Bureau’s announcement it would use its dormant nonbank (aka, fintech) supervision authority. The finalized rules clarify when the CFPB will decide to make info about nonbank supervisions public.
Democratic Senators urged the CFPB to revise the Remittance Rule on the grounds it doesn’t currently require sufficiently transparent fee disclosures.
A federal court in TX ruled President Biden’s student loan forgiveness order was unlawful.
The CFTC recommended rejecting prediction market Kalshi’s request to offer contracts tied to US election outcomes, though the advice is non-binding.
The White House announced the SBA will propose a rule to allow fintechs to participate in the SBA’s 7(a) lending program.
The big news is FTX’s spectacular implosion after the exchange used funds from CEO Sam Bankman-Fried’s affiliated trading firm Alameda. Ineffective altruism, amirite? ¯\_(ツ)_/¯
It started with an announcement that Binance signed a non-binding letter to acquire FTX, which it savagely walked away from a day later, allegedly after seeing FTX’s books. FTX’s legal and compliance team quit en masse; we learned FTX had no board of directors; their non-US and US branches declared bankruptcy; they hired a new CEO, the person who ran Enron during its bankruptcy; the DOJ, SEC, and other regulators are investigating FTX; Sam Bankman-Fried tweeted some threads no lawyer would have let him; FTX was apparently hacked to the tune of more than $600M; contagion is triggering the collapse of other exchanges like BlockFi; the Miami HEAT Arena terminated the FTX Arena naming rights contract. And that’s just a fraction of the jaw-dropping spectacle. Oh, also, Michael Lewis was apparently working on a book about FTX already, which will now have a different ending…seems like the kind of book Lewis was born to write.
Many legal folks agree that the big takeaway is regulators are going to play hardball and come down hard on crypto, especially given the lobbying that FTX and Sam Bankman-Fried had done in DC. The industry lost a lot of credibility with regulators.
In non-FTX news, the CFPB published a bulletin analyzing the rise in crypto-related complaints, highlighting romance scams and pig butchering.
OFAC updated Tornado Cash’s sanctions, indicating the decentralized mixer played a role in supporting North Korea’s nuclear weapons programs. Notably, OFAC said it has not designated individual members of the DAO “at this time” as sanctioned. Previously, some crypto advocates criticized the sanction for effectively piercing the DAO and potentially holding all members liable.
The DOJ announced the seizure of $3.36B of crypto connected to fraud on the Silk Road.
A New Hampshire judge ruled LBC tokens qualified as securities that should have been registered. The ruling could have implications for crypto broadly (including the SEC’s case against Ripple Labs), as the industry eternally grapples with what counts as a security.
Sui Generis (Fun Finds)
Humbled to see Prince Harry endorse Lithic a few weeks ago
Hi. I’m Reggie. I’m a fintech product lawyer at Lithic.
Reach out (email or Twitter) if you’re interested in any of the following:
Sponsoring the newsletter
Early stage fintech looking to raise
Just want to say hey!
Any views expressed are my own (well, sort of? I mean, they’re based on laws and regulations, so they’re not really “mine”?). Nothing here is legal or financial advice. Don’t get your legal advice from Substack, duh.
Open Banking, Data Sharing, and the CFPB’s 1033 Rulemaking from Congressional Research Service
Chopra’s speech mentions the Bureau plans to issue proposed rules in late 2023 and finalize them in 2024
There are pros and cons to both approaches. For example: you probably don’t want regulators deciding what fields an API uses. But banks likely want to provide access to as few info fields as possible.
Yes, I know, but I’ll clarify for the lawyers: “credit card account under an open-end (not home-secured) consumer credit plan.”
It’s not clear to me how this specific interbank routing example would actually be that impactful. The card networks already pass across a good amount of info, for example, and it’s not clear this third category would meaningfully expand that. But I’m also no fraud expert, and I expect 1033’s final regs will open up new fraud-fighting capabilities.
SBREFA, p. 21.
SBREFA, p. 22.