As the financial industry awaits the release of the Consumer Financial Protection Bureau’s (CFPB) proposed rules governing data sharing, businesses of all sizes are preparing for potential changes in data access and standards.
It may seem like a seismic shift looms on the horizon, but Matt Janiga, director of regulatory and public affairs at Trustly, said many of the issues — and even government approaches to those issues — are not necessarily new.
Laws designed to protect consumer information have been on the books for decades, he said, pointing to the Fair Credit Reporting Act and the Right to Financial Privacy Act, which were enacted in the 1970s.
The spirit of those laws is tied to a basic principle, as Janiga said: If companies are sharing your data — whether it’s with another company or even the government — you should have some right to know about it and also to know what information the company has about you.
“These laws have been around for a long time, but we rarely study them in American history class in high school,” Janiga said. “And there are no documentaries about them on Hulu.”
Now, as we near the middle of the 2020s, Section 1033 of the Dodd-Frank Act looms large, stating, with the authority of the CFPB behind it, that consumers should be able to request and obtain copies of their data from their bank. Open banking aims to “empower consumers” and foster competition in the payments and data space, bringing back concepts of privacy and control.
“The consumer should be in control of their data,” said Janiga, who added that “U.S. consumers with a U.S. bank account, a U.S. checking account, a U.S. credit card will be able to go to a bank” and direct their data, or direct that the data be shared with third parties (as Trustly interacts with merchants to initiate payments between the consumer and merchant), granting permission so that they can be on the receiving end of new financial products and services.
But the path to getting there has been a bit labyrinthine, as the rulemaking involves stages like proposed rules, review of comments, final rules and implementation. The regulation may also introduce standards for encryption, data access and frequency, aiming to spur adoption, Janiga said.
The CFPB is currently on track in its rulemaking process, noted Janiga, with a proposed rule anticipated to be released by October of this year.
“We’re about midway through the process,” said Janiga, and a final rule may come within a matter of six to 12 months after the proposed rule has been shaped by input from all corners of the financial realm.
But as he told PYMNTS, “the market is already coalescing around certain standards — and this makes it easier for the bureau, as it doesn’t have to worry about complicated implementation timelines … the rule ideally will overlay and formalize some of the current market practices.”
Current market practices, he said, are coalescing around application programming interfaces (APIs), which offer single points of connectivity and integration that link data recipients, merchants, aggregators, payments companies like Trustly, and financial institutions (FIs).
One key advantage of a final rule is that it should clarify certain liability issues around data sharing, he said. This should help the industry cut down on lengthy contracting times tied to data sharing, as encryption and tokenization help ensure that the data is kept secure.
Europe’s experience with tokenization and open banking has been informative for the market, he said. The CFPB has been tracking what happens in other markets and announced it would be engaging formally with European regulators, which Janiga said he thinks will be helpful for the upcoming open banking rule.
“If you can ‘standardize out’ what data can be shared, who gets access to it and how often, well, all of that is really helpful,” he said.
Among the ripple effects once open banking takes root: The wider adoption of APIs will have stakeholders move away from credential sharing, where consumers share their usernames and passwords with data aggregators or payments companies. Some companies like Trustly have security practices, like split tokenization with merchants, that make the breach of consumer credentials functionally impossible. But regulators and banks have long had concerns that wide credential sharing creates data security risks for consumers.
Open banking may also change some of the competitive dynamics of commerce and payments themselves.
While credit cards will still be widely used due to their convenience and perks, traditional financial providers will likely need to adapt and offer competitive rates and terms to consumers to remain relevant, said Janiga. Consumers will be able to easily share their cash flow data with competitors, and savvy card issuers and other consumer lenders will be able to take advantage of that to acquire customers.
Janiga told PYMNTS that open banking will also foster competition in the domestic payments industry, presenting new opportunities for alternative payment methods. Consumers will have more control and leverage in the financial industry, potentially leading to shifts in banking preferences (and banks may pivot to meet those changing tastes, offering installment loans and buy now, pay later options, for example).
“Ultimately,” Janiga told PYMNTS, “open banking is going to be additive to the data space, the technology space, and also the payment space.”