Will CFPB take cues from Canada in writing data-sharing rules?

Will CFPB take cues from Canada in writing data-sharing rules?

Spread the love

Will CFPB take cues from Canada in writing data-sharing rules?

As the Consumer Financial Protection Bureau mulls standards on the portability of consumer financial data, a concurrent effort by Canada to craft an open banking system could help determine the shape of US rules.

An advisory report issued earlier this month by the Canadian government calls on Ottawa to launch a new framework by January 2023, with rules for banks and an accreditation process for third-party providers to govern data-sharing.

The CFPB plans to have a data-sharing rule in place sooner, by April 2022. But observers note the Canadian report has shed much more on what an open banking regime would look like than the US agency’s request for public comment issued last fall, and could influence the rulemaking process in both countries.

“For banks that straddle the border, it now looks like Canada is slightly ahead of the US, and is setting up some of the dynamics on how the bureau is thinking about it’s rulemaking,” said John Pitts, a policy lead at the financial data aggregator Plaid and a former CFPB deputy assistant director.

The Canadian report comes on the heels of President Biden’s executive order last month urging the CFPB to act quickly on a rule that would make customer data portable. The CFPB’s rulemaking was mandated by Section 1033 of the Dodd-Frank Act, a law enacted 11 years ago.

The rule could be one of the most consequential policies implemented by Rohit Chopra, Biden’s nominee to lead the bureau. But Chopra is still waiting for confirmation by the Senate, which is expected in September. The CFPB asked for industry feedback in an advance notice of proposed rulemaking issued in October.

Banks and fintech firms are paying close attention to the Canadian advisory board report because it details the scope of how much data should be made available to third-party providers and how companies would be held liable for a data breach if a consumer suffers a financial loss .

“The [Canadian] report is the playbook for how to implement an open finance regime, ”said Steve Boms, executive director of the North American chapter of the Financial Data and Technology Association, a trade group representing data aggregators such as Plaid, Envestnet, Yodlee, Intuit and MX , as well as the fintech firms themselves.

The report doesn’t have the force of law but rather signals that regulatory action will be taken to make firms accountable in an open banking regime, Boms said.

“This provides more momentum for a fulsome 1033 rule, because our closest neighbor to the north is now on its way to doing something very similar to what a 1033 rule would do here in the US”

Canada, like the US, is trying to facilitate efficient data-sharing between banks and fintech firms – giving consumers access to third-party apps – that moves on from much-criticized screen-scraping practices.

The report states that “screen scraping presents real security and liability risks,” because it requires consumers to share their banking login credentials with third-party providers.

While fintech companies still use screen-scraping to obtain access to consumer bank records, many aggregators have created partnerships with banks to send data to fintechs using application programming interfaces.

Banks remain concerned about the security of consumer financial data and continue to advocate for increased supervision of fintechs.

Fours year ago, the CFPB outlined broad principles for protecting consumer when they let fintech companies access their data.

“Since the CFPB released its principles in 2017, banks, data aggregators and other technology companies have worked together to invest in technologies that move away from less secure methods of data sharing like screen scraping to more secure API-based standards that give consumers transparency and control when they share their financial data, ”said Rob Morgan, senior vice president of innovation and strategy at the American Bankers Association.

Broad scope of data

When it comes to what data should be included in a Canadian open banking regime, the report takes a broad view by recommending that checking, insurance and brokerage accounts should be included. A key takeaway is still that the data will be limited to lower-risk, “read-only” activities seen by a consumer, experts said.

“The scope of Canada’s open banking system in its initial phase should include data that is currently available to consumers and small business through their online banking applications,” the report said.

Companies retrieving data on behalf of a consumer would be limited to collecting data that the consumer can see on a screen.

“With a few exceptions, if you can see it on your screen, then this report says it is in,” said Tom Carpenter, director of public affairs and marketing at the Financial Data Exchange, a Reston, Virginia, nonprofit that is working to set technology standards. “The report’s initial scope says it is data that is traditionally readily available to consumers through online banking rather than tying it exactly to each website.”

Excluded from the scope is proprietary bank data such as internal credit risk assessments or “know your customer” standards that are designed by banks to protect against fraud and money laundering.

Banks have been concerned that fintechs could change consumer data. So the carve-out for proprietary data would allow banks to create their own proprietary products that could be sold to consumers.

“The division between proprietary and nonproprietary data will make the banks happy,” said Pitts, the Plaid policy lead. “A broad scope of data – which is what Canada has proposed here – means that the number of value-added products or proprietary products that can be built on top of those pipes are also much broader.”

Technical specifications

Canada did not endorse any one technology or standard for data-sharing. Instead, the advisory board report encouraged industry to continue working on technical specifications for an open banking regime and it set a deadline of nine months after the government appoints a lead authority to oversee implementation of the open banking system.

Prime Minister Justin Trudeau may appoint the lead authority before Canadian elections to have specific purview over the design of the open banking regime in collaboration with industry stakeholders.

Some suggest that the CFPB also is seeking to be technology-neutral by setting ground rules for protecting and giving control to consumers while the industry delivers on technical specifications.

“This isn’t just an opportunity in Canada,” Carpenter of FDX said. “We are working to get it right and be the market’s preferred standard in Canada and in the US, which sets up this same hybrid approach where government does some of this through regulation and the market really figures out the technology to deliver on.”

Who pays if something goes wrong?

Another key takeaway from the report involves establishing liability to determine who is responsible if a data breach occurs and how compensation would be provided to consumers when something goes wrong with their data.

In the US, banks are ultimately accountable for managing the risks of third-party business arrangements. But the Canadian government report proposes that that liability moves with the data, suggesting that a nonbank fintech firm with access to a consumer’s account information could also be on the hook.

“To put it simply, liability should flow with the data and rests with the party at fault,” the report states. “Furthermore, the priority for the liability structure should be to provide effective protection and redress for consumers.”

Some experts said the Canadian government is essentially weighing in on the concept that third-party vendor management doesn’t quite work in an open banking regime.

“Third-party liability is huge,” said Pitts. “Those two paragraphs are going to end up being the two most critical paragraphs in this entire report because they ultimately are pushing in the direction of saying that these fintechs aren’t your vendor, they’re not a traditional third party, so banks don ‘t have liability for what they do. “

The report’s recommendation comes at the same time that prudential regulators in the US are jointly proposing guidance on third-party risks, including the risks of fintech partnerships.

The proposal by the Federal Reserve, Office of the Comptroller of the Currency and Federal Deposit Insurance Corp. centers on the responsibilities of banks when practicing risk management with business partners.

“The fintechs in Canada were advocating for liability,” Pitts said. “The advisory committee framework recommends that fintechs have to be accredited, and once they are accredited, liability follows the data. So as soon as the data moves from the bank to the aggregator, it’s the aggregator’s liability. “