Without Strong Data Safety Rules, Open Banking Is a Meltdown Waiting to Happen
Written by Max Bentovim
Max Bentovim is the Data Protection Lead at Financial Innovation for Impact. Previously, he served in the Consumer Financial Protection Bureau’s Office of Markets, where he helped craft the Bureau’s open banking rules.
Open Banker curates and shares policy perspectives in the evolving landscape of financial services for free.
As the CFPB works on revising its abeyant open banking regulations, even the rule’s fiercest partisans agree there is room for improvement. But there may be much, much more room for disaster. Getting open banking wrong could wreck American fintech, destabilize America’s banks, and hit American consumers in the wallet: the rare own-goal hat trick.
Someone smarter and wiser than me once compared writing rules for open banking to a cat’s cradle, where a change in one place in the system ripples throughout the whole system. While I think that’s a strong analogy, I’ve come to think of it more like a nuclear power plant. Capable of generating enormous amounts of useful clean energy, but, as so elegantly demonstrated in the memorable denouement to HBO’s Chernobyl, capable of catastrophe if the complex scaffolding that keeps the system in balance is mismanaged.
In particular, I’m concerned that the issues that are currently consuming the most attention among stakeholders aren’t the issues that will determine whether open banking succeeds. Most pointedly, the lack of sustained attention to the rule’s unique — and uniquely important — provisions on third-party data collection, use, and retention is deeply concerning. These are the provisions, more than all the others put together, that will determine whether open banking is a safe, reliable source of financial power for the United States — or a meltdown waiting to happen.
Fees Are Not The Real Challenge In Open Banking
Don’t get me wrong — it’s not that fees are a totally unimportant issue. They are, in fact, the perfect example of an open banking china shop into which anyone other than a feckless dilettante would have thought twice before admitting a bull. Good luck to the CFPB in rewriting fee rules in a way that a) is administrable, b) doesn’t create a massive loophole for banks to pretextually throttle data access and strangle fintech, and c) results in any bank or credit union below the biggest five getting a check large enough to buy more than a latte.
Even assuming the Bureau threads this needle, the cost-limited fees open banking might generate for data providers will never amount to more than a small fraction of the overall benefits to the U.S. economy that open banking could produce.[1] Nor will they amount to more than a small fraction of the cost of cleaning up the Superfund site that could result if the CFPB gets the most important issue in open banking wrong.
That issue is data protection. I prefer the term ‘data safety,’ because the problem isn’t about protecting data, it’s about protecting us from the data; or more specifically, from abuses, misuses, and other undue efforts to manipulate people and markets, all powered by the treasure trove of data that open banking makes tantalizingly available to anyone who can secure a consumer’s authorization to access and use it.
Data protection is obviously not a neglected issue. Indeed, it is a global hot topic, with many countries enacting new data protection laws and frameworks, in many cases overseen by newly-established regulatory agencies with sweeping jurisdiction over data-related practices across markets and sectors. Nevertheless, the reasons why data protection and safety are so important are ill-understood, even (and perhaps especially) by regulators. With open banking solidifying as part of the U.S.’s core financial infrastructure, it’s vital to articulate why data safety is doubly critical in financial services, and triply critical in open banking.
Data Safety: Privacy, Autonomy, Market Integrity
The first word people reach for when they try to articulate the problems with data collection, usage, and retention in the digital age is ‘privacy.’ Privacy is indeed an essential human right, and it is imperative that companies and governments foreground privacy in their policies and operations.
But ‘privacy’ omits far too much of what is at stake in data safety. Modern technologies empower governments and companies to amass data with dizzying speeds and at boggling scales, and allow those hoards to be rapidly deployed into building tools and molding environments, reshaping markets and societies with awesome — and sometimes devastating — power.
As a society, we’ve already seen the amazing power of these data-based applications to reshape our everyday lives, transforming transportation, commerce, and supply chains and powering the new generation of AI tools. We’ve also seen the dark side of data, with social media platforms that thrive on harvesting clicks at the expense of mental and civic health, retailers that ensnare with dark patterns, and unscrupulous lenders that prey on vulnerable consumers.
These challenges go well beyond privacy: they directly threaten all of our individual autonomy and dignity, as well as the fairness and competitiveness of financial and non-financial markets. Ensuring data safety while still protecting pro-social, pro-growth innovation is among the major challenges facing America and humanity in the 21st century.
Financial Data is Especially Powerful — and Especially Dangerous
Financial data supercharges these issues. The richness, comprehensiveness, and centrality of financial data make it a uniquely potent source of information and insight about people’s behaviors and motivations. To continue stretching our nuclear metaphor, if most data is uranium, financial data is the lithium deuteride used in thermonuclear weapons, whose power dwarfs that of uranium-fueled fission bombs.
Critically, this fearsome power goes well beyond the ability to manipulate and exploit consumers, though it certainly allows that on a supercharged scale. It also has the power to do grievous harm to financial institutions and markets. As commenters on the CFPB’s open banking rule and Advance Notice of Proposed Rulemaking (ANPR) noted, if you can access enough of a bank’s credit card data, you can reverse-engineer the bank’s proprietary underwriting models, looting its hard-won investments in expanding credit access and offering competitive pricing.[2] This would undercut any incentive for data providers (banks, credit unions, and fintechs alike) to invest in models and strategies they know will simply be poached, ultimately leading to disinvestment in financial services and waning U.S. competitiveness.
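To make the reverse-engineering risk concrete, here is a toy illustration added for this piece; it is not code from the author or from any bank or commenter. It assumes a hypothetical underwriter that approves applicants by a secret linear score over three invented, pre-scaled attributes (credit score, debt-to-income, income), and a third party that sees only applicant attributes and approve/decline outcomes for a portfolio of accounts. With nothing more than that, a plain logistic regression (written out by hand, no ML library required) recovers a surrogate that reproduces the hidden decision rule on applicants it has never seen. All data is constructed in the script.

```python
"""
Model-extraction toy: recover a hidden underwriting rule from nothing but
applicant attributes and the resulting approve/decline decisions.
Hypothetical example; the features, weights and data are all invented.
"""
import math
import random

# Hypothetical hidden underwriting rule (the "proprietary model").
# Features are assumed pre-scaled to roughly [-1, 1]:
# [credit_score, debt_to_income, income]
HIDDEN_WEIGHTS = [2.0, -1.5, 1.0]
HIDDEN_BIAS = 0.3


def hidden_underwriter(features):
    """The bank's decision: approve (1) if the secret linear score is positive."""
    score = HIDDEN_BIAS + sum(w * x for w, x in zip(HIDDEN_WEIGHTS, features))
    return 1 if score > 0 else 0


def make_portfolio(n, seed):
    """Constructed sample data: n applicants plus the bank's decision on each.
    Stands in for the card-portfolio data a third party could aggregate."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        x = [rng.uniform(-1.0, 1.0) for _ in range(len(HIDDEN_WEIGHTS))]
        rows.append((x, hidden_underwriter(x)))
    return rows


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def fit_logistic(rows, lr=1.0, epochs=400):
    """Batch gradient descent on logistic loss.
    Returns (weights, bias) of the attacker's surrogate model."""
    dim = len(rows[0][0])
    n = len(rows)
    w = [0.0] * dim
    b = 0.0
    for _ in range(epochs):
        grad_w = [0.0] * dim
        grad_b = 0.0
        for x, y in rows:
            p = sigmoid(b + sum(wi * xi for wi, xi in zip(w, x)))
            err = p - y  # derivative of log-loss w.r.t. the logit
            for i in range(dim):
                grad_w[i] += err * x[i]
            grad_b += err
        w = [wi - lr * gw / n for wi, gw in zip(w, grad_w)]
        b -= lr * grad_b / n
    return w, b


def predict(w, b, x):
    """Surrogate decision using the recovered weights."""
    return 1 if b + sum(wi * xi for wi, xi in zip(w, x)) > 0 else 0


def agreement(w, b, rows):
    """Fraction of decisions on which the surrogate matches the hidden rule."""
    hits = sum(1 for x, y in rows if predict(w, b, x) == y)
    return hits / len(rows)


def extract_model(train_n=1000, test_n=500):
    """Fit on one constructed portfolio, score agreement on a fresh one."""
    train = make_portfolio(train_n, seed=1)
    test = make_portfolio(test_n, seed=2)
    w, b = fit_logistic(train)
    return w, b, agreement(w, b, test)


if __name__ == "__main__":
    w, b, acc = extract_model()
    print("recovered weights:", [round(v, 2) for v in w], "bias:", round(b, 2))
    print("agreement with hidden underwriter on unseen applicants:", round(acc, 3))
```

The recovered weights carry the same signs and roughly the same relative magnitudes as the hidden ones, and the surrogate agrees with the hidden rule on the large majority of unseen applicants; the absolute scale of the weights is irrelevant, since only the sign of the score decides. A real underwriting model is far richer than three features and a threshold, but the mechanism is the same: the decisions themselves leak the model, and the more of a portfolio an outside party can aggregate, the better the surrogate gets.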
That’s only the start of it. Banks with large debit or credit card portfolios can reveal changes in consumer spending at individual retailers, exposing those companies’ stock to front-running and manipulation. (This is especially the case for banks that partner with major retailers to offer co-branded cards, whose consumer and small-business cardholders may represent a large share of their partner retailers’ revenue.) And every financial institution’s data reveals non-public information about that institution’s business performance, information that could easily be misused or abused. This has the double effect of undermining the integrity of financial markets and of open banking, as the economics of the latter will be swamped by an unscrupulous land grab for data that can be monetized in pursuit of the former.
How to Keep Open Banking Safe
To date, regulation, contract, and culture have combined to ensure financial institutions remain stalwart stewards of consumers’ most sensitive and powerful data. (Though some banks have recently taken steps in a worrying direction.) But open banking opens that vast trove of data to actors outside both the traditional financial regulatory perimeter and the staid milieu of banks big and small. Under the guise of offering Personal Financial Managers (PFMs) or payment apps, fly-by-night fintechs could equip themselves almost overnight with the ability to break consumer and capital markets alike. In 2026, it means anyone who can pay for Claude Code can develop a nuclear program. The risks are plainly dire.
This is why the ‘secondary use’ provisions in the 2024 final rules are so essential. Many commenters — including both fintechs and public-interest researchers — pushed back on the Bureau’s determination to limit third parties not just to collecting only the data necessary to offer consumers their promised product or service, but to using those data only in connection with that service. (To be fair, the Bureau could’ve done a better job of explaining itself.) But, when seen through the lens of data safety, the centrality and essentiality of these provisions is not just unsurprising but obvious. It is also clear why these provisions are not subject to the consent of consumers — the risks and harms they address are systemic and collective, going well beyond the individual privacy harms which traditional consent measures attempt to address.
This is also why the largest banks’ attempt to overturn the rule is disappointingly myopic. Open banking is inevitable globally, especially so in the United States, where (unlike other countries which rushed into fussy and florid frameworks well ahead of underlying market development) open banking-powered applications and services have demonstrated massive market value and attracted fierce consumer loyalty. Traditional financial institutions got a flexible framework that mostly cemented the status quo while giving them exactly the answer they needed and wanted on data safety. Instead, they went all-in on trying to litigate open banking away in the futile hope of turning the clock back or, barring that, getting the equivalent of some walking-around money.
That’s not to say the final rule’s data safety provisions are immaculate. There is a reasonable debate over whether third parties should be able to obtain consumers’ separate authorization to use open banking data to develop and test new consumer financial products, not merely improve the service. The rules make no explicit provision for using data to fight crime, which, even if implicitly permitted by the other allowances, seems harmless at worst to include. While tricky to define and administer, some allowance for public-interest research makes sense. And the rule is silent on AI, which, while a broader concern for any open banking framework, should be addressed more concretely in the data safety context, if only to ensure the application of the limitation standard even in cutting-edge uses.
What is most important, however, is that the CFPB retain the core data safety standard in the original rule, and that any modifications at the margins are carefully crafted to avoid loopholes or carveouts that would re-introduce systemic market risks that the current rule largely succeeds in forestalling. Abandoning the data safety rules, or subjecting them to an easily-manipulated opt-out, would be a severe and unforced error (and, likely, an invitation for even more litigation from data providers, in this case much more justifiably).
To be clear, I’m rooting for open banking to supercharge consumer-friendly innovation and competition. I myself use open banking-powered services every day to mind my finances and make essential payments. I’m also rooting for the CFPB’s revisions to ensure open banking succeeds while ameliorating the legitimate concerns of stakeholders and market observers. But that’s critically dependent on the CFPB going all-in on data safety. If the CFPB can resist ill-considered pressure from fintechs and reactive negativity from banks, thread the needle of complex litigation, and keep a strong data safety framework in place, open banking can be a jumping-off point for a ‘clean’ data future that parallels the new wave of investment in nuclear energy. If not, we could all find ourselves watching calamity unfold.
The opinions shared in this article are the author’s own and do not reflect the views of any organization they are affiliated with.
[1] In its final rule, the CFPB noted that even just one subset of conservatively-estimated benefits to consumers from open banking would exceed $1 billion annually. Even a very downwardly revised extrapolation from an EY report prepared for UK Open Banking implies benefits to the US economy well into the tens of billions of dollars annually.
[2] 2023 NPRM Comment: Capital One Financial Corporation, Comment Letter on Required Rulemaking on Personal Financial Data Rights, Docket No. CFPB-2023-0052 (Dec. 29, 2023), https://www.regulations.gov/document/CFPB-2023-0052-0956; 2021 ANPR Comment: Capital One Financial Corporation, Comment Letter on Consumer Access to Financial Records, Docket No. CFPB-2020-0034 (Feb. 2, 2021), https://www.regulations.gov/document/CFPB-2020-0034-0077