The Way Forward on Open Banking
Written by Steve Smith
Steve Smith is the co-founder and CEO of open finance risk management company Invela. He previously co-founded Finicity, a financial data aggregation platform that Mastercard acquired in 2020, and was also a founding member and former co-chair of the Financial Data Exchange.
Open Banker curates and shares policy perspectives in the evolving landscape of financial services for free.
Regulatory clarity on open banking in the United States is further away than we hoped.
After years of effort to come together, banks and fintechs seem to be retrenching, drawing old battle lines in comments responding to the CFPB’s renewed 1033 rulemaking. And not long after the comment period closed, the District Court for the Eastern District of Kentucky delayed implementation until the CFPB completes its reconsideration of section 1033.
Losing momentum on 1033 is disappointing, to be sure, but it shouldn’t become an all-consuming distraction. While the CFPB goes back to the drawing board, the open banking community must turn its focus to other ways to keep moving forward.
First, industry needs to recognize that there are certain issues that the CFPB is unlikely to ever solve for us, liability and risk management in particular. We don’t need permission to start working on those issues ourselves — so we should do so, and without delay.
Second, prudential regulators need to provide regulatory clarity just as much as the CFPB does. It would be a mistake for them to wait for the CFPB rulemaking to run its course. By going back to guidance issued by the Office of the Comptroller of the Currency under the first Trump Administration, prudential regulators could quickly provide much-needed regulatory clarity that advances the market now and makes the CFPB’s work easier.
Recognizing Reality
Banks, fintechs, consumer advocates, and others have been asking the CFPB for help on a rotating series of open banking issues for more than a decade now. Liability, risk management, security, privacy, accuracy, screen-scraping, standard-setting, fees, secondary use — the list goes on and on.
Each of these issues is important, and industry really needs the CFPB’s help with some of them. But it’s also time for industry to recognize that the CFPB cannot solve all of them for us — liability and risk management in particular.
On liability, banks understandably don’t want to be on the hook when something bad happens with a third party. Unfortunately, section 1033 doesn’t mention liability. After last year’s Supreme Court decision in Loper Bright Enterprises v. Raimondo, it seems unlikely that the CFPB will take the risk of stretching its authority to create a new liability allocation regime without Congressional instructions to do so.
On third party risk management, it’s even simpler. The authority lies with prudential regulators, not the CFPB. That means that even if the CFPB somehow gets everything right, risk management will always be on prudential regulators’ to-do list, not the CFPB’s.
Unless industry thinks a Republican administration is going to interpret the CFPB’s authorities more expansively than Rohit Chopra did, the reality is that we have work to do.
Industry’s To-Do List
To start addressing these issues ourselves, industry must first start taking information security and risk management in the open banking ecosystem more seriously.
Today, risks at the data recipient level are swept under the rug so long as data aggregators agree to indemnifications, liability limitations, and certain flow-down provisions for their data recipient customers. The trouble is that data aggregators often lack the resources, insurance, or incentives to make such agreements meaningful. And even if that weren’t true, variation in approaches taken by data aggregators creates inconsistency across the market. That inconsistency alone creates great potential for risk in the open banking ecosystem.
To address this, a common sense first step would be for industry to align around common standards for information security and risk management in the open banking space. Specifically, banks and other data providers need common criteria against which they assess third parties, similar to the Payment Card Industry Data Security Standard (PCI-DSS).
Such standardization would unlock innovation by ensuring a level playing field for third parties and efficiency for data providers. That efficiency is meaningful for all data providers, but it’s particularly valuable for small banks and credit unions that have limited resources for compliance and technology costs.
Prudential Regulators’ To-Do List
Clarity from prudential regulators could make risk management more efficient and ensure stronger information security in the open banking ecosystem at the same time. In particular, prudential regulators should clarify the extent to which risk management obligations do — and, critically, do not — apply to open finance.
As described in a recent white paper by my company, Invela, prudential regulators can do this by going back to the statutory roots of their third party risk management authority. When they do so, they’ll find that the Federal Deposit Insurance Act and the Bank Service Company Act only contemplate third parties a bank chooses to work with. In other words, they do not speak to the open finance context, where a consumer chooses to work with a given third party.
Conversely, the Gramm-Leach-Bliley Act speaks directly to issues related to data privacy, information security, and the need for common standards. The OCC seemed to sensibly recognize this in guidance issued during the first Trump Administration, but interagency guidance issued in 2023 created confusion that risks undermining innovation.
By broadly applying third party risk management to open banking, prudential regulators are unwittingly encouraging market participants to take a wide, but shallow, view of risk management — incentivizing the market to keep sweeping risks at the data recipient level under the rug. A more thoughtful approach would encourage market participants to take a narrow, but deep, view of risk management focused on risks that open banking actually creates.
The Way Forward
I’ve been leading open banking ventures in the United States for more than a decade, and I can tell you that we’ve had regulatory uncertainty before. Now, as then, the correct response is for industry to focus on what it can control, and to keep moving forward.
To be clear, that doesn’t mean the CFPB isn’t on the hook for doing its part. Industry has been waiting a long time for clear rules of the road on section 1033, and those are still badly needed. While a new administration is entitled to make changes to the current rule, CFPB leaders should resist the temptation to reinvent the wheel.
But open banking in the United States is bigger than the CFPB, and regulatory uncertainty should not hold up progress forever. If industry participants and prudential regulators take the steps described above, the market will be better for it whenever a new 1033 rule arrives.
The opinions shared in this article are the author’s own and do not reflect the views of any organization they are affiliated with.

