By Ryan Miller
It’s an easy trap to fall into. At some point, financial activity becomes inextricably intertwined with the regulatory framework. It is understandable why this happens, but it is nonetheless self-limiting. We have to separate the two concepts despite the natural gravitational force, reframing the regulation as a “floor” and everything beyond that as a competitive differentiator.
This was exactly the theme of my recent presentation at FinovateFall in New York City, titled “The future for open banking: How will open data impact the U.S. banking industry and what are the benefits of being an early mover?” While it was tempting to focus on the soap opera that unfolded since the October 2024 release of the CFPB’s 1033 final regulation, that would have lost a valuable opportunity to highlight some important truths.
The most salient of these is that the entire U.S. open banking ecosystem that exists today has been achieved before we have reached any compliance date. All the use cases, all the consumer protections, everything has been built by the market — by stakeholders such as banks, data aggregators and fintech firms pushing and pulling as part of their efforts to meet consumer demand.
Speaking of consumers, an important tenet to bear in mind is that everyone is a consumer. I am a consumer. Bank employees are consumers, as are those who work at fintech firms. Speaking for myself, I want this functionality. I like my bank, and I also enjoy using fintech apps. And I’m not the only one.
It’s not really about being an early mover anymore, so much as not getting left behind. The activity is happening in the background whether the bank knows it or not. If they aren’t being proactive, their online banking portals are being screen scraped (a nightmare for privacy and security risks, not to mention a bad experience for the consumer). If banks aren’t engaging in the data sharing ecosystem with intentionality, they run the risk of their customers moving to financial institutions that make it easier.
By embracing open banking, banks are able to curb the dangerous practice of screen scraping and move to more secure application programming interfaces (APIs). APIs allow for controlling access and mitigating risks. However, they are not panaceas. APIs require mature data governance practices and are expensive to build and maintain. In addition, they must be supported through the negotiation of data access agreements, which are labor-intensive and can take a lot of time to conclude.
My Finovate presentation ended with a reminder: A bank is not only or always a data provider; it can also obtain consumer consent and become a data recipient. Likewise, if a fintech is offering financial products and services for its customers, it is a data provider. Entities wear many hats in this ecosystem. Therefore, as we advocate for provisions applying to data providers and data recipients in the revamped 1033 rule, we would do well to do so fairly and in good faith — because we will all live under the same roof.
Ryan Miller is VP and senior counsel for innovation policy at ABA.
