Open Banking Is on the Way in the U.S., Accompanied by Risk Concerns

Open banking is inching its way into the U.S., and with it new possibilities for innovation and competition along with data-protection risks to be managed.

Already accommodated by European regulations, open banking systems are characterized by data-sharing arrangements that allow for portability of customer information between financial institutions and third parties, often enabled by fintech services and application programming interfaces (APIs). Customers can more easily and quickly choose, or change, their providers, unbundle their relationships and make “best of breed” product decisions.

U.S. open banking could be accelerated by a “data rights” rulemaking set in motion by the Consumer Financial Protection Bureau (CFPB) for possible implementation next year. It “has the potential to jump start competition, giving Americans new options for financial products,” agency director Rohit Chopra said in October.

“Once a country introduces open banking regulation, allowing fintechs to have access to consumer data normally held by banks, the result is an increase in VC investment in fintechs and greater financial innovation,” says Columbia Business School assistant professor Tania Babina. She co-authored a 2022 paper, Customer Data Access and Fintech Entry: Early Evidence from Open Banking, surveying 49 countries that have implemented open banking policies and 31 more in active discussions.

Widening the Market

In addition to stimulating choice and competition – fueled by fintechs, neo-banks and alternative data providers challenging the status quo – open banking could help bring the unbanked and underbanked into the financial mainstream.

“Open banking helps the under-represented and underserved customer groups, making financial services available to everyone,” says Elona Ruka-Wright, chief risk and compliance officer at financial technology company Finastra.

A Finastra survey released in December indicated a growing appetite for open banking or open finance, with 61% of 758 financial industry respondents globally considering it a “must have.” That was up from 51% a year earlier. The year-over-year increase was greater in both the U.S. (to 68% from 48%) and U.K. (to 61% from 38%).

Source: Finastra State of the Nation Survey

Regulations and Standards

Open banking was given an initial boost by a U.K. regulatory initiative in 2015 and, in the European Union, subsequent revisions to the Payment Services Directive, now known as PSD2. The EU General Data Protection Regulation (GDPR), effective in 2018, came into play as digital finance grew within and across borders. APIs and standardization efforts such as the Open Bank Project, Banking Industry Architecture Network (BIAN) and, in the U.S., the Afinis Interoperability Standards and Financial Data Exchange (FDX) are also factors.

Along with the progress, concerns have grown about new risks and challenges.

A January 25 letter to the CFPB from the Bank Policy Institute advocated a “principles-based rather than overly technical and prescriptive” approach to the rulemaking and said, “We support the ability of bank customers to securely connect their bank accounts to the third-party apps of their choice, which can involve the use of a data aggregator to retrieve the customer’s information from the customer’s financial institution and share it with the app. It is critical, however, that consumers’ personal and financial information remains secure when it is shared between financial institutions and third parties.”

“With open banking, a large chunk of banking data is now accessible across a new ecosystem of participants, and that increases the amount of sensitive data that can now be stolen or misused by bad actors,” explains Amit Mallick, managing director and global open banking lead at Accenture.

“Bank leaders should begin building their capabilities in data custodianship, data management and analytics, agile partnerships and security now to ensure they don’t lose market share or their slice of the $416 billion open banking revenue pie,” Mallick wrote in a 2021 blog article, Four Actions for Banks to Prepare for the Open Banking Wave.

Brendan Jones, COO of Konsentus, a provider of open-banking enabling technology, points out that the ecosystem in Europe extends beyond third parties accessing account information to fourth and fifth parties, such as data aggregators, that are not regulated and require attention to cybersecurity and fraud risks.

“No one has oversight of these companies or what they are doing with the data they obtain,” Jones remarks.

Importance of Security

According to Ron van Wezel, strategic advisor of research firm Aite-Novarica and co-author of Open Banking, Open Finance, Open Economy: The New Identity of Finance, U.S. regulators can make a positive contribution with rules that do not only pave the way for data sharing, but that encourage development of secure API-based services.

“Reading the CFPB’s consultation, it looks like they are moving in the right direction,” van Wezel says.

Ron van Wezel of Aite-Novarica Group

Jones at Konsentus agrees that policy should “drive for a standardized approach to open banking, telling you how to do it, how to interact with other ecosystem participants” to ensure safe and secure practices.

Also key to managing risks will be participation in networking groups and standards bodies that can help guide risk managers, says FDX managing director Don Cardinal. His nonprofit standards organization says that 42 million consumer accounts currently use its API for financial data sharing.

“We have a number of tools to help risk managers make more informed decisions about how to manage open banking risk, Cardinal says, adding, “Don’t do it alone, come talk to your peers, and come and take advantage of what we offer for free.”

Explicit Consent

Aside from cybersecurity concerns, van Wezel stresses that “banks and other open banking providers need to have a consent mechanism in place to allow consumers to give explicit consent for data sharing – for which purpose, for how long, etc., including the ability to easily withdraw their consent.”

It is critical for bank risk managers to know who they are connecting with in the ecosystem. In Europe, van Wezel says, “the regulation requires third-party providers to use a strong electronic signature to identify themselves securely when accessing bank data.”

Amit Mallick of Accenture

Accenture’s Mallick points to Know Your Customer (KYC) and anti-money laundering (AML) risks from third parties offering financial products and services linked to bank partners. He says that risk managers need to consider how to ensure that applicable KYC and AML processes are in place.

Regarding legal and reputational risks, “banks will have to uphold a pretty high bar for these new vendor relationships,” says Warren Kornfeld, senior vice president, Financial Institutions Group at Moody’s Investors Service.

Guard Against Bias

Other issues for consideration, says Mallick, include operational performance and potential bias on the part of banks and other firms: Are their systems resilient enough to cope with the additional traffic and demands that come with open banking practices? Are they prepared to address potential bias – because open banking may initially serve a digitally savvy population – before regulators take notice?

Bence Jendruszak, chief operating officer of antifraud software company Seon, provider of a real-time, fraud prevention platform, mentioned in a blog key actions to take to prevent open banking risks: Follow the best and highest level data protection guidelines; be vigilant about identity proofing verification, considering the use of biometrics, two-factor authentication and digital footprint analysis; and perform due diligence on third parties as well as on their customers’ third parties.

The ultimate risk, says Finastra’s Ruka-Wright, is to not do anything at all, because “in three or five years, [open banking] will be just the way we do business.”

“Open banking is still an emerging space,” van Wezel says, “but in five years’ time, it will explode. Risk managers need to get their arms around a financial ecosystem that consists of multiple connected players rather than just their own banks and start thinking about a new ‘internet of finance.’”

Katherine Heires is a freelance business journalist and founder of MediaKat llc.