BCLP Banking Blog


Open Banking: A Practical API Licensing Primer

This post is the fourth and final in a series discussing Open Banking, its implementations, and its implications. The start of the series is here, and all of the posts in the series are available here.

In the United States, “open banking” does not yet mean that bank account and transaction data can be freely accessed on standardized terms—though it may in the future. For now, those who allow financial data to be accessed through APIs can impose their own conditions on that access. As we have described in this blog series, without further regulatory intervention, in the U.S. API access is principally a contractual matter. For these purposes, we will refer to “providers” as those making API data available and “users” as those intermediaries accessing that data in order to deliver services to consumers or other clients. Although bank partnerships are subject to established contract standards, we will focus in this post on key issues that arise specifically in the course of the API licensing and access process.


APIs made available for free may be provided pursuant to “licenses” or may alternatively be provided pursuant to a “terms of use” document that sets forth the conditions under which use is permitted. Under either approach, if the user refuses to accept the terms, then use is barred. APIs made available for a fee may also be governed by “terms of use” but these terms may be negotiated as a license or service agreement. There, traditional assumptions about bargaining power often play out, with the dominant players typically demanding conformity.

Gating Considerations for API Access Terms

Particularly when the API license is presented as a take-it-or-leave-it agreement, the terms are often written to protect the provider from any liability for an offering from which the provider derives no or limited direct financial benefit. Users that will be paying for access may do so on a “per transaction,” “per user,” or some other basis; when the user pays money, the user understandably has more leverage over other contract terms. Either way, prospective users need to consider at least the following:


How is Open Banking Regulated?


April 25, 2019

Authored by: Barry Hester and John Bush

In previous posts in our BankBCLP.com series on this topic, we’ve attempted to define “open banking” and the ways in which it is attracting increasing industry attention through open APIs.  As our series continues, we describe how open banking is or may be regulated, as well as its critical licensing and intellectual property implications in practice.

As we have previously described, at least in the United States, “open banking” is more of a sweeping term of art than a distinct practice or product.  As a result, its legal and regulatory implications are potentially wide-ranging.    


In the United Kingdom, “Open Banking” is a more precise legal term for a sharing framework that the Competition and Markets Authority (CMA) has introduced for the stated purposes of increasing competition and expanding customer control over financial data.  In 2017, the CMA began to implement this framework by requiring the nine largest banks and building societies in the U.K. to begin sharing certain customer information with registered third-party providers (with customer consent).  In its earliest stages, this data sharing requirement was limited to data specific to the institution, as opposed to its customers, such as branch and ATM locations.  Subsequent stages have focused on transaction histories and even payments APIs.  These stages provide an early look at some of the more tangible consumer-oriented use cases for open banking.  For example, third-party applications can facilitate real-time bank location or price comparison shopping.

Importantly, under Financial Conduct Authority (FCA) implementing rules, the providers to whom this access is granted must be approved as a form of payments business or specialty service provider in the U.K. or in another jurisdiction under certain passporting provisions.  In any case, this will subject the provider to direct supervision and examination by a U.K. or EU regulator.  This framework dovetails with the European Union’s revised Payment Services Directive (PSD2) data security regulation in that these registered providers must specifically demonstrate PSD2 compliance.  The CMA is touting Open Banking as a secure, transparent means of providing consumers with more control over their finances. 

Other jurisdictions are taking a similar, top-down approach to open banking.  Australia is mandating that its four largest banks make certain banking information available on a “read only” API basis beginning July 2019.  India’s Unified Payments Interface (introduced August 2016) is an open API-based platform for real-time payments.  It ties to the government’s policy goals of minimizing the use of cash, promoting digital identity, and leveraging mobile devices in a rapidly developing economy.  Hong Kong published an open API framework in July 2018.  On the other end of the spectrum, China and Singapore are taking a more industry-driven approach.  China’s extensively cashless and mobile economy is incorporating open banking as a market response, rather than by regulatory mandate.


Open Banking: What are Open APIs?


April 11, 2019

Authored by: John Bush and Barry Hester

This post is the second in a series discussing Open Banking, its implementations, and its implications.  Part 1 is here.

APIs or “Application Programming Interfaces” are everywhere in ecommerce, and they provide the building blocks in the primordial soup of innovations that may stem from open banking. 


Among other roles, APIs provide a protocol allowing one computer system to talk with another.  For example, The Weather Channel (“TWC”) has invested heavily in providing detailed meteorological information and forecasts by region.  TWC could conceivably require people to visit its website as the exclusive way to access this information.  Instead, however, TWC permits some of its information to be accessed automatically across apps, websites, and services and in ways third-party developers can predictably map (e.g., certain tagged data reflects values like “75°F” or “Partly Cloudy”).  TWC has determined such use advances the TWC business plan.  Conversely, the developers of apps, websites, and services have determined using the TWC API is superior to reinventing what TWC has accomplished—or not offering weather information at all. 

Without an API, a third party could create a bot to visit the TWC website and automatically “scrape” the information, but such an approach poses risks.  First, even a slight change to the TWC website could cause the bot to misunderstand which data it is supposed to scrape.  Second, such an approach raises contractual and copyright risks.  See, e.g., Ticketmaster L.L.C. v. RMG Technologies, Inc., 507 F. Supp.2d 1096 (C.D. Cal. 2007) (granting injunctive relief on grounds that defendant infringed copyright and terms of use through automated screen-scraping of Ticketmaster’s site in order to facilitate its own large-volume ticket brokerage).  Third, this conversion step fails to capture the richer, more reliable, and more on-point data TWC is willing to make available via its API. 


What is Open Banking, and What are its Implications?

This post is the first in a series discussing open banking, its implementations, and its implications. 

“Open banking” is a phrase that has been coined to capture a current theme in financial sector innovation – one that some say is going to revolutionize banking.  For years, banks have given their customers increasing access to account information.  Now, with open banking, the access is opening to the point where customers can potentially obtain financial services in entirely novel ways, and the customer’s expectations of their bank may shift. 


The push to open consumers’ financial data goes back decades.  In the 1990s and 2000s, financial institutions began giving customers online access to their accounts—and instantaneous access to information previously reserved for monthly statements. Card-based transactions gradually shifted away from signed papers with carbon copy receipts to electronic devices.  With rapid access to financial information, debit cards that could immediately draw on bank accounts became more feasible.  Meanwhile, third-party vendors, such as Intuit, Microsoft, and Checkfree, were among the providers who encouraged institutions to go even further by making financial data available in a format that could be imported into their software; their work led to the promulgation of the Open Financial Exchange (“OFX”) data stream format, among others. 

In the past 10 years, the priorities in data exchange have incorporated the agenda of government proponents.  Notably, in 2016, a U.K. regulatory authority required the country’s nine largest banks to allow certain registered third-party developers to access certain customer data.  In 2018, the European Economic Area began implementing the Second Payment Services Directive (“PSD2”), including its goal to provide financial data through a central register.  In the United States, the Consumer Financial Protection Bureau has expressed its view that consumers should have timely, secure, and transparent access to their financial account information and to data sharing opportunities.  During this same time, digitization has accelerated to unprecedented levels in all facets of life and commerce, and data privacy risk awareness and regulation have emerged.


2019 Fintech Legal and Regulatory Discussion

You’re Invited – Join the Atlanta Chapter of the BayPay Forum on February 19 for a 2019 Fintech Legal and Regulatory Panel Discussion

On Tuesday, February 19, from 6-8:30 pm, the Atlanta chapter of the BayPay Forum will meet at Bryan Cave Leighton Paisner’s offices in Midtown Atlanta for a networking reception and panel discussion on the state of fintech regulation.

Start 2019 on solid footing with an engaging panel discussion reflecting on regulatory responses to faster payments, open banking/APIs, blockchain applications and ICOs, and other innovations.  Panelists will include Dick Fraher, Vice President and Counsel to the Retail Payments Office at Federal Reserve Bank of Atlanta; C. Ryan Germany, General Counsel and Assistant Commissioner of Securities & Charities, Office of Georgia Secretary of State Brad Raffensperger; Ben Robey, BSA/AML Compliance Specialist at MSB Compliance, Inc.; and Ken Achenbach, Partner at Bryan Cave Leighton Paisner.  The panel will be moderated by Barry Hester, Counsel at Bryan Cave Leighton Paisner.  Details and free registration are available here using the passcode BRYANCAVE. 

Participants will take away product and service design implications and a better understanding of the consumer protection, safety and soundness, jurisdictional, and other policy issues at play.  Discussion will address, among other issues:


FinCEN Grants Permanent Relief for Autorenewals

Exercising “exceptive” relief authority, FinCEN has extended permanent relief from the beneficial ownership requirements of its new Customer Due Diligence (CDD) rule to existing autorenewing CDs and safe deposit boxes, as well as existing autorenewing commercial lines of credit and credit cards that do not require underwriting review and approval.  FinCEN reasoned that these products pose such a low risk for money laundering and terrorist financing activity that the benefits of requiring the collection of this information do not outweigh the impacts of compliance on financial institutions and their customers.  Specifically, institutions need not treat rollovers or renewals of such products as “new accounts” requiring the collection of the beneficial ownership elements of the CDD rule, whether or not the initial accounts were established prior to the rule’s May 11, 2018 effective date.

FinCEN previously issued temporary relief to autorenewing CDs and loan products established prior to May 11, 2018, and in a second release extended this relief through September 9, 2018.  The new release both extends this treatment indefinitely and expands it to include certain safe deposit box rentals, such that the exception applies now to any of the following occurring on or after May 11, 2018:

  • A rollover of a CD, defined as a deposit account that has a specified maturity date, prior to which funds cannot be withdrawn without the imposition of a penalty, and which does not permit the customer to add funds;
  • A renewal, modification, or extension of a loan (e.g., setting a later payoff date) that does not require underwriting review and approval;
  • A renewal, modification, or extension of a commercial line of credit or credit card account (e.g., setting a later payoff date) that does not require underwriting review and approval; and
  • A renewal of a safe deposit box rental (e.g., upon the automatic deduction of the rental fee as agreed-upon between a bank and its customer).

FinCEN is careful in this September 7, 2018, release to explain that it does not relieve institutions of the obligation to collect and verify the identity of beneficial owners of legal entity customers where the initial account opening of such accounts occurs on or after May 11, 2018.  It does mean, however, that institutions need not collect beneficial ownership information for certain older accounts of the types described above (those opened prior to May 11, 2018) solely because they are rolled over or renewed.


OCC Provides a Path for FinTech Charters

On July 31, 2018, the OCC announced that it had finalized parameters for its new limited-purpose financial technology national bank charter and is ready to begin taking applications.  This release follows several years of formal deliberation on the topic and coincided with the release of a 222-page U.S. Treasury report on innovation.  Industry reactions have been wide-ranging – will this level the playing field or usher in a FinTech “apocalypse”?

Highlights of the OCC notice include:

  • Designation of the charter type as a national bank.  Like its other special-purpose charters, including the non-depository trust company or the credit card bank, the FinTech charter will be a “national association” in the National Bank Act sense of the term.  As the saying goes, membership will have its privileges (and burdens):  capital requirements, examinations, and federal preemption of certain state laws.
  • Eligibility for qualified applicants that plan to conduct activities “within the business of banking.”  Pursuant to existing OCC regulations, a limited-purpose national bank not engaging in fiduciary activities “must conduct at least one of the following three core banking functions:  receiving deposits; paying checks; or lending money.”  In its FinTech charter announcement, the OCC notes that it “views the National Bank Act as sufficiently adaptable to permit national banks to engage in traditional activities like paying checks and lending money in new ways.  For example, facilitating payments electronically may be considered the modern equivalent of paying checks.”
  • A requirement for a commitment to “financial inclusion.”  We will see how this element is administered.  In theory it provides a non-depository parallel to the Community Reinvestment Act (“CRA”).
  • Publication and comment period.  Just as for other types of national banks, applications will feature newspaper publication requirements and will be generally subject to public review and comment.

The OCC stated that its decision to open the door for this new form of national bank “is consistent with bi-partisan government efforts at federal and state levels to promote economic opportunity and support innovation that can improve financial services to consumers, businesses, and communities.”  Comptroller Otting added:

Providing a path for fintech companies to become national banks can make the federal banking system stronger by promoting economic growth and opportunity, modernization and innovation, and competition.  It also provides consumers greater choice, can promote financial inclusion, and creates a more level playing field for financial services competition.

Treasury’s report is consistent with these themes, noting, “A forward-looking approach to federal charters could be effective in reducing regulatory fragmentation and growing markets by supporting beneficial business models” and that the OCC should proceed with “thoughtful consideration” of FinTech charter applications.  Treasury also calls out specifically the need for updating regulations that relate to data aggregation, for addressing those which have become “outdated” in light of technological advances (e.g., in the mortgage lending and servicing space, according to Treasury), and for a regulatory approach that enables “responsible experimentation” in the financial sector.


FinCEN Extends Temporary Beneficial Ownership Rule Relief for Older Autorenewing Products

The temporary exception that FinCEN extended to autorenewing CDs and loans established prior to the May 11, 2018 compliance effective date of its beneficial ownership requirements was scheduled to expire on August 9, 2018.  On August 8, FinCEN published a short release in which it announced the extension of this relief through September 8, 2018.  FinCEN noted that it was providing this extension in order to further consider the issues raised by the application of these aspects of its Customer Due Diligence (CDD) rules to such products.

As a reminder, this exception only applies to CDs and loans that (i) automatically roll over or renew and (ii) were established prior to May 11, 2018.  Such accounts or loans established subsequent to this date (and older accounts that are renewed on new or modified terms) are fully subject to the CDD rules, and all accounts are subject to its general due diligence and monitoring requirements.  In particular, institutions should continue to collect or update beneficial ownership information as other “risk events” warrant for particular customers–including those whose autorenewing CDs or loans or other accounts were established prior to May 11, 2018.  FinCEN has given as an example of such risk or “trigger” events an unexplained spike in cross-border wire transfers.  Moreover, as we noted previously, OFAC’s strict liability framework continues to apply to any U.S. person that does business with a sanctioned party, so institutions that do not collect beneficial ownership information may be exposed to this type of risk.


FinCEN’s Temporary Relief for Autorenewable CDs and Loans

In a unique administrative ruling under delegated “exceptive” authority, on May 16, 2018 FinCEN issued relief from its new beneficial ownership requirements through at least August 9, 2018, for “certain financial products and services that automatically rollover or renew (i.e., certificate of deposit (CD) or loan accounts) and were established before the Beneficial Ownership Rule’s Applicability Date, May 11, 2018.”

FinCEN acknowledged in its notice that “some covered institutions have not treated such rollovers or renewals as new accounts and have established automatic processes to continue the banking relationship with the customer.”

The exception is effective retroactively from May 11, 2018 and expires on August 9, 2018.  FinCEN added that it was considering whether additional relief may be appropriate for such products and services established prior to May 11, 2018 and expected to roll over or renew thereafter.

We will explore how we got here, but first, some practical considerations:

  • Institutions that have already set into motion new systems, procedures, and communications to collect this info on renewable loans and CDs established prior to May 11 will need to decide whether to discontinue these measures, or alternatively to conclude there is now greater flexibility for handling customers that do not adhere to them – e.g., by failing to submit a completed ownership certification form.  The prevailing view among our clients seems to be the latter.
  • Institutions that were still rushing to implement such measures will need to decide whether to put these plans on hold or to continue to develop them as to loans and CDs established prior to May 11, 2018.  The preference within the industry in this regard appears to be a function of how far along these plans are into production, and the extent to which they constitute separate solutions specific to these existing account types.
  • Any discussions with examiners and auditors about any changes to implementation plans in light of this release should be direct and documented.  We would encourage institutions to think broadly and generously about the purpose of these rules and the BSA generally, and what risks to the bank (such as sanctions exposure or fraud) might be mitigated by the spirit if not the letter of FinCEN’s new rules.  OFAC’s strict liability framework for doing business with sanctioned parties is unaffected by the relief afforded by FinCEN’s May 16 notice.
  • Institutions should consider ways to continue socializing their views to FinCEN, through trade associations or otherwise, as this interim relief appears directly responsive to industry feedback such as that provided in an April 27 hearing held by the House Financial Services Committee (e.g., “. . . there is no reason to believe that an auto-renewal is evidence that a change in beneficial ownership might have occurred. The FAQ 12 guidance is further complicated by the fact that these products include contractual provisions requiring the financial institution to auto renew them without interruption.”)

Let’s revisit how this unfolded as a regulatory matter.

The supplemental FAQs issued by FinCEN on April 3, 2018 provided certain interpretations of its own final rules, originally published on May 11, 2016, including that it believed a bank established a “new account” each time an autorenewing loan or CD renewed (see FAQ 12).  FinCEN opined at that time on ways a bank could comply with the Beneficial Ownership certification requirements implicated by the opening of a “new account” for a legal entity customer in such cases, namely by (1) providing the required information and certification on FinCEN’s new form or its equivalent once and (2) agreeing at that time to notify the bank of any change in such information going forward.  FinCEN’s view then was that a customer’s agreement to notify a bank of any changes in its beneficial ownership information can be considered a “certification” of this information for purposes of subsequent rollovers of renewable products.


Regulators Update BSA/AML Exam Manual Sections

Just in time for the effective date of FinCEN’s Customer Due Diligence (CDD) and Beneficial Ownership Rules, on May 11, 2018 the Federal Financial Institutions Examination Council (FFIEC) published updates to its Bank Secrecy Act/Anti-Money Laundering Examination Manual.  The FFIEC is an interagency body comprised of representatives of the U.S. Federal Reserve Board, the FDIC, OCC, CFPB, NCUA, and state banking regulators.  The agencies’ changes (1) replace existing CDD sections of the manual and (2) add new Beneficial Ownership overview and exam procedures sections, in each case corresponding to the new CDD and Beneficial Ownership requirements.

The publication of this new content was announced through separate press releases by the FDIC, OCC, and NCUA.  The OCC’s release (OCC Bulletin 2018-12) makes the technical point that the new CDD content replaces pages 56-59 of the FFIEC manual, last updated in 2014, and the FDIC’s release (FIL-26-2018) adds that the new sections will be incorporated into the manual in its next update.  The FFIEC’s examination manual is used by the bank regulators in conducting supervisory BSA/AML exams and features step-by-step review procedures to be used by examiners, consistent with the FFIEC’s statutory purpose of establishing uniform forms and regulatory examination processes.

One doesn’t generally expect new substantive guidance or interpretation to emerge from the FFIEC examination procedures, but a review of this new content emphasizes the following:

(1) BSA/AML exams including scope periods on or after May 11, 2018 will feature scrutiny of new accounts opened on or after that date.  At this point, the CDD and Beneficial Ownership rules are live and in full effect, and institutions will be expected to adhere to them.  For example, the revised examiner’s guide specifies:  “3. On the basis of a risk assessment, prior examination reports, and a review of the bank’s audit findings, select a sample of new accounts opened for legal entity customers since May 11, 2018 to review for compliance with the Beneficial Ownership Rule.”  The transition and implementation period for this rule is officially over.
