stay ahead of the 1033 compliance curve

Many people think of open banking as a new – even trendy – development in financial services.

But open banking has been around since the early 2000s, when it relied heavily on screen scraping to facilitate sharing consumer data. Today, the CFPB estimates that at least 100 million consumers have authorized at least one third party to access their account data.¹ These third parties largely consist of the 9,000 banks and credit unions in the U.S. along with approximately 10,000 fintech providers.

In 2022 alone, there were between 50 billion and 100 billion instances of financial data sharing between consumers and third parties.

It’s those financial data exchange instances that Chris Dodd and Barney Frank addressed in section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) establishing accountholders’ ownership of their respective financial data.

proposing the personal financial data rights rule

In late 2023, the CFPB proposed the Personal Financial Data Rights rule to implement section 1033.

This proposal identified affected data providers – including banks and credit unions – while specifying the types of data that must be shared along with how the data must be made available. If implemented, the rule would prohibit screen scraping in the exchange of financial data and would require data providers to make this data available using developer interfaces and machine-readable, standardized formats.

Screen Scraping vs. API Connections:

• Screen scraping is an automated process in which bots, web crawlers, and other proprietary software access websites using accountholders’ passwords and credentials. In addition to being a slow and unreliable method of data extraction, screen scraping makes it difficult for financial institutions to distinguish between legitimate and fraudulent login attempts, leaving systems vulnerable to credential-stuffing attacks and other cyber threats that continue to plague the industry as a whole.
• Open API connections require consumer permission to share data via secure tokens and machine-readable data. This decreases inaccuracy and the risk of security breaches by providing accountholders and their financial institution with visibility into the data being transferred.

putting it all together

While the proposed rule omits detailed technical standards for compliance, it relies heavily on compliance with qualified industry standards and minimum thresholds for compliance. 

As a result, the expectation across the financial services industry is the use of industry-standard, secure open API connections to facilitate financial data exchange.

planning ahead: financial data aggregation

Since 2022, Jack Henry™ has been working with the major data aggregators – Finicity, Plaid, Akoya, Envestnet | Yodlee, Intuit, and MX – to implement open API-enabled data exchange.

This effort has replaced all inbound screen scraping with APIs on the Banno Digital Platform™, far ahead of the implementation of the CFPB’s new rule. Eliminating screen scraping not only reduces financial institution and accountholder exposure to a wide variety of cyber-attack methods and liabilities, but it also differentiates those financial institutions on security while others take years to catch up.

Unlike the indiscriminate data extraction performed by screen scraping, open API aggregation enables accountholders to specify, minimize, and fully control their data and how it’s shared with third-party providers. This includes the ability to grant or revoke data permissions within their bank’s or credit union’s digital banking experience. It also ensures that accountholders’ login credentials no longer have to be shared with third parties.

API-based aggregation also paves the way for securely aggregating third-party data back to the bank or credit union, giving accountholders a reliable, unified view of their money in one place – and giving financial institutions first-app status among their accountholders’ disparate financial service providers and apps.

What’s Next

The proposed timeline for compliance with the rule varies based on asset size and ranges from six months to four years.

But why wait when you can provide your accountholders with safer, more reliable data exchange now?

prepare ahead of time

Learn more about how you can prepare for the implementation of the Personal Financial Data rule with the Banno Digital Platform.

For more information about Jack Henry, visit jackhenry.com.

source

¹ CFPB. Notice of Proposed Rulemaking – Required Rulemaking on Personal Financial Data Rights.