Last week, the Consumer Financial Protection Bureau (CFPB) released their open banking draft rules. These rules outline new requirements for banks, credit unions, financial services companies, and financial data aggregators. The goal is to increase the transparency and innovation of consumer financial products, and ensure safety and trust for account holders.
We’re sharing a summary of the draft rules, as well as our guidance to make sure that depositors are ready for this change, and able to serve customers and regulators easily.
Our guidance comes from working with open banking over a number of years. Our team has been involved in building open banking technology for more than a decade, and our solutions are used for open banking compliance in countries around the world.
The Purpose, Goals, and Timeline for The New CFPB Rules
These regulations are designed to ensure that data providers make certain financial data available to consumers and authorized third parties in an electronic and usable format. They also prescribe standards for the development and use of standardized data formats and impose obligations on third parties accessing this data. The CFPB is implementing these rules as part of its Personal Financial Data Rights mandate, in accordance with the Consumer Financial Protection Act of 2010, and it has been working through the process for several years already.
These rules apply to any company that accepts consumer financial deposits, as well as third parties that aggregate or leverage consumer financial data. This includes anyone using transaction data, account balance information, the ability to transfer funds on behalf of a consumer, and other common banking use cases. However, if you are a depositor that does not have a consumer interface (e.g. you only do B2B banking), these rules don’t apply to you.
Institutions will need to be compliant starting from six months after final approval. Here’s the timeline for compliance:
| Depositor Size | Effective Date After Adoption |
| --- | --- |
| $500B+ in deposits | 6 months |
| $50-500B in deposits | 1 year |
| $850M-50B in deposits | 2.5 years |
| <$850M in deposits | 4 years |

| Non-Depository Data Provider Size (Prior or Expected Current Year Revenue) | Effective Date After Adoption |
| --- | --- |
| $10B+ in revenue | 6 months |
| <$10B in revenue | 1 year |
Next steps: The CFPB has requested public comment on these rules, and will consider additional comments before they are final. If you have thoughts for CFPB,
Overview of New CFPB Rules
Depositors and financial data providers must shift away from screen scraping technologies for collecting customer financial information, both because of the inherent security risks and because of the difficulty of producing accurate, consistent data via screen scraping.
Data transfer under these new rules must be programmatic; in practice, financial data will need to be exposed over APIs for consumption and manipulation by external third parties. Many banks and financial institutions already use APIs to give their customers’ data stronger protection and high availability.
In general, the data that must be available over open banking APIs includes most consumer banking transaction details and capabilities, including transaction information; account balance; payment initiation information; terms and conditions; upcoming bill information; and basic account verification information.
Transaction information must include details like amount, date, payment type, payee or merchant name, and more, with a requirement to make at least 24 months of such data available.
Payment initiation information must include tokenized account and routing numbers.
Terms and conditions must include information like fee schedules, annual percentage rates, rewards program terms, overdraft coverage status, and arbitration agreements.
Upcoming bill information must include scheduled third-party bill payments and payments due from the consumer to the data provider.
Proprietary algorithms and fraud detection information are specifically excluded, and need not be published.
How This Information Should Be Made Accessible
CFPB has a strong interest in promoting financial services innovation, and to support that goal, this information needs to be available to be used both by the consumer and industry third parties that are authorized by the consumer.
The services need to be performant: the rules set specific expectations for response time and overall availability, and require regular reporting of these metrics to the CFPB.
Security requirements are also built into the regulations. One common practice today is to ask the customer to share their credentials, in order to log in on the customer’s behalf to access their data. This practice is inherently insecure and will be curtailed under the new regulations. Instead, data processors must have their own credentials, and also collect permissions and consents from the consumer in order to process data on their behalf.
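As an added illustration (not code from the article or from Contxt), the sketch below shows the data-provider side of the two requirements above: the third party authenticates with its own client secret rather than a consumer password, every call is checked against a consumer consent that is scoped, time-limited and revocable, and payment initiation data leaves only as random tokens that the provider's own vault resolves. Scope names, the consent structure and the 90-day default are assumptions; the rules do not prescribe them.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Assumed scope names mirroring the data categories the draft rules list.
VALID_SCOPES = {"transactions", "balance", "payment_initiation", "terms", "upcoming_bills", "verification"}


class DataProvider:
    def __init__(self, accounts):
        self.accounts = accounts        # consumer_id -> {"account": "...", "routing": "..."}
        self.third_party_secrets = {}   # client_id -> sha256(secret); consumer passwords never stored here
        self.consents = []              # dicts: consumer, third_party, scopes, expires, revoked
        self.token_vault = {}           # token -> (consumer_id, field)
    def register_third_party(self, client_id):
        secret = secrets.token_urlsafe(32)
        self.third_party_secrets[client_id] = hashlib.sha256(secret.encode()).digest()
        return secret                   # handed to the third party once, like a client secret
    def _authenticate(self, client_id, secret):
        stored = self.third_party_secrets.get(client_id)
        digest = hashlib.sha256(secret.encode()).digest()
        return stored is not None and hmac.compare_digest(stored, digest)
    def grant_consent(self, consumer_id, third_party_id, scopes, days=90):
        if set(scopes) - VALID_SCOPES:
            raise ValueError("unknown scope requested")
        consent = {"consumer": consumer_id, "third_party": third_party_id, "scopes": set(scopes),
                   "expires": datetime.now(timezone.utc) + timedelta(days=days), "revoked": False}
        self.consents.append(consent)
        return consent                  # the consumer can later set revoked=True
    def _consent_covers(self, consumer_id, third_party_id, scope):
        now = datetime.now(timezone.utc)
        return any(c["consumer"] == consumer_id and c["third_party"] == third_party_id
                   and scope in c["scopes"] and not c["revoked"] and c["expires"] > now
                   for c in self.consents)
    def _tokenize(self, consumer_id, field):
        token = secrets.token_hex(8)    # random: the real number cannot be derived from it
        self.token_vault[token] = (consumer_id, field)
        return token
    def payment_initiation_info(self, client_id, secret, consumer_id):
        # Checks run in order: who is calling, then whether this consumer consented to this scope.
        if not self._authenticate(client_id, secret):
            return {"error": "unauthenticated_third_party"}
        if not self._consent_covers(consumer_id, client_id, "payment_initiation"):
            return {"error": "consent_missing_revoked_or_expired"}
        return {"account_token": self._tokenize(consumer_id, "account"),
                "routing_token": self._tokenize(consumer_id, "routing")}
    def detokenize(self, token):
        # Provider-side resolution at payment execution time; never exposed over the API.
        consumer_id, field = self.token_vault[token]
        return self.accounts[consumer_id][field]
```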
Access to these platforms must be open and transparent. Data providers may deny access to interfaces based on risk management concerns as long as it is necessary to comply with relevant laws. Denials must be directly related to specific risks, applied consistently, and non-discriminatory; and they may be considered reasonable if they adhere to industry standards related to data security or risk management.
With some specific exceptions, data providers must respond to requests from consumers and third parties when provided with sufficient information to authenticate identity and identify the scope of the requested data.
Finally, companies must build and maintain documentation for consumers and third parties to use their APIs. This documentation must be available in both human-readable and machine-readable formats. Documentation and access to these interfaces must be provided transparently and without charge or cost to the consumer or third-party data processors.
The Need for API Standards
The CFPB further outlines that open banking APIs can’t be built as a one-off by each company. This would slow down advancements in open banking infrastructure, because in order to aggregate financial data for the consumer, data processors would need to build custom integrations into each financial institution.
Instead, the format and structure of open banking APIs must follow a standardized format, either a qualified industry standard or formats widely used by similar data providers.
The CFPB will look to industry standard-setting bodies to define these standards. To be recognized by the CFPB as issuers of qualified industry standards, these bodies must be fair, open, and inclusive in their processes; the criteria cover openness, balance, due process, appeals, consensus, and transparency. Standard-setting bodies can request recognition from the CFPB, which weighs these attributes when making recognition decisions.
How to Prepare for the CFPB’s New Open Banking API Requirements
Many financial institutions have already started building and exposing APIs for third parties to use. Existing APIs will need to be rebuilt with an eye toward the new compliance requirements, including format, structure, performance, scalability, documentation, standardization, and other requirements. Teams that have not started to build their APIs should put the tooling in place to build quickly. Contxt and APImetrics have already built much of the necessary tooling for open banking API products, including all of the requirements for monitoring API performance, security, documentation, and standard enforcement.
If you are thinking about new open banking API requirements, and you need support on your API products, please reach out.
Written by Contxt President and Co-Founder Jamie Beckland