How is Open Banking Regulated?

April 25, 2019

Authored by: Barry Hester and John Bush

In previous posts in our BankBCLP.com series on this topic, we’ve attempted to define “open banking” and the ways in which it is attracting increasing industry attention through open APIs.  As our series continues, we describe how open banking is or may be regulated, as well as its critical licensing and intellectual property implications in practice.

As we have previously described, at least in the United States, “open banking” is more of a sweeping term of art than a distinct practice or product.  As a result, its legal and regulatory implications are potentially wide-ranging.    


In the United Kingdom, “Open Banking” is a more precise legal term for a sharing framework that the Competition and Markets Authority (CMA) has introduced for the stated purposes of increasing competition and expanding customer control over financial data.  In 2017, the CMA began to implement this framework by requiring the nine largest banks and building societies in the U.K. to begin sharing certain customer information with registered third-party providers (with customer consent).  In its earliest stages, this data sharing requirement was limited to data specific to the institution, as opposed to its customers, such as branch and ATM locations.  Subsequent stages have focused on transaction histories and even payments APIs.  These stages provide an early look at some of the more tangible consumer-oriented use cases for open banking.  For example, third-party applications can facilitate real-time bank location or price comparison shopping.

Importantly, under Financial Conduct Authority (FCA) implementing rules, the providers to whom this access is granted must be approved as a form of payments business or specialty service provider in the U.K. or in another jurisdiction under certain passporting provisions.  In any case, this will subject the provider to direct supervision and examination by a U.K. or EU regulator.  This framework dovetails with the European Union’s revised Payment Services Directive (PSD2) data security regulation in that these registered providers must specifically demonstrate PSD2 compliance.  The CMA is touting Open Banking as a secure, transparent means of providing consumers with more control over their finances. 

Other jurisdictions are taking a similar, top-down approach to open banking.  Australia is mandating that its four largest banks make certain banking information available on a “read only” API basis beginning July 2019.  India’s Unified Payments Interface (introduced August 2016) is an open API-based platform for real-time payments.  It ties to the government’s policy goals of minimizing the use of cash, promoting digital identity, and leveraging mobile devices in a rapidly developing economy.  Hong Kong published an open API framework in July 2018.  On the other end of the spectrum, China and Singapore are taking a more industry-driven approach.  China’s extensively cashless and mobile economy is incorporating open banking as a market response, rather than by regulatory mandate.

In the United States, the Department of the Treasury’s 2018 Report on Nonbank Financials, Fintech, and Innovation provides one of the most complete U.S. policy deliberations on open banking to date.  Treasury describes open banking as a trend that “has entailed greater access to financial data or payment clearing and settlement systems that were previously maintained by or provided to banks and unavailable to nonbanks,” often through APIs.  In its 2018 report Treasury generally encourages an industry-driven solution to the promises and pitfalls of open banking.  However, in so doing, it calls out a number of key regulatory matters implicated by data-sharing trends:

  • Uncertainty surrounding the liability of consumers under current data aggregation practices.  Specifically, Treasury notes that it is unclear whether or not data aggregators engaged in screen scraping, rather than account-holding financial institutions, are liable for any losses arising from a breach or unauthorized use of account login credentials.  This echoes comments by the American Bankers Association and others calling on the Consumer Financial Protection Bureau (CFPB) to clarify that data aggregators are “service providers” for purposes of Regulation E.  The use of APIs may or may not change this calculus, but APIs might provide a more secure means of data sharing than credential-based screen scraping.  The CFPB solicited these comments as it began to explore its implementation of Section 1033 of the Dodd-Frank Act, which requires certain financial institutions to provide banking data to consumers in an electronic form upon request.
  • Privacy and data security generally.  Treasury also noted in its report that third-party access to consumer financial data has traditionally been controlled by institutions subject to the Safeguards Rule implementing certain information security provisions of the federal Gramm-Leach-Bliley Act (GLBA).  Treasury observed that the Federal Trade Commission (FTC) has indicated that data aggregators and other fintech providers significantly engaged in financial services and products are “financial institutions” for GLBA purposes and therefore subject to the Safeguards Rule.  At a minimum, it would appear that U.S. regulators are inclined to take steps to ensure that third parties accessing consumer financial data are required to disclose clearly and conspicuously the uses which the third party may make of such data and whether or not it is used for the provider’s own marketing purposes (and on a personally identifiable or aggregate basis). 
  • Unfair, deceptive, or abusive acts or practices (UDAP/UDAAP). This historic basis for privacy claims took on greater significance after the Dodd-Frank Act and its enforcement by the CFPB.  As applied to data sharing and open banking, it likely will continue to show up as a gap-filler where more specific privacy laws or regulations are technically satisfied.  Guarding fully against UDAAP/UDAP risks is difficult to do, but banks and other financial services firms that focus on transparency and basic fairness considerations should limit their exposure when it comes to open banking, especially if the products and services enabled are otherwise consumer-friendly.

As with any financial service or product, a number of specific existing laws and regulations may apply to the sharing of information and use by third parties.  For example, sharing that results in referrals or leads for mortgages may be scrutinized under the Real Estate Settlement Procedures Act (RESPA), and banking partnerships may raise brokered deposit concerns.  To the extent that banks contract directly with such providers, banks should account for vendor management principles as articulated by regulators in recent years, such as through OCC Bulletin 2013-29.

While there are important compliance considerations to address in an open banking environment, there appears to be room in the United States for industry solutions to do so, if Treasury’s 2018 report and the OCC’s innovation-friendly fintech charter are any indication.  We hope that any new or expanded regulation will strike a balance between consumer access rights and certainty among financial services providers competing to deliver it.  In our final post in this series, we will look at the key licensing and intellectual property matters facing providers that are currently active in this space. 

Continue to Part 4, A Practical API Licensing Primer.