9 Jan, 2024
By Yizhu Wang
Financial institutions expressed concern about the operational burden of enabling consumer data sharing under the Consumer Financial Protection Bureau's open banking proposal, a review of comment letters found.
Implementing Section 1033 of the Dodd-Frank Act, the CFPB proposed rules in October requiring financial service providers to share consumer data through application programming interfaces, or APIs. Financial institutions would have to send banking data such as account balances or payment history to third parties upon the consumer's consent. Banks often work with so-called data aggregators such as Plaid Inc., Envestnet Inc.'s Yodlee or Intuit Inc., which build connections with thousands of institutions to transmit their consumers' banking data.
The CFPB proposal would make clear for the first time that using screen scraping to access certain banking data no longer meets regulatory standards. The benefit of the shift from screen scraping to APIs, which is already under way among open banking practitioners, is widely recognized by industry participants, according to the comment letters. But the liability framework appears unclear about who should be held accountable if banking data is still shared via screen scraping.
If the responsibility to combat screen scraping falls disproportionately on regulated financial institutions, the up-front investment in the related technology and the ongoing cost of filtering screen scraping requests would be too great, hurting smaller institutions in particular, industry experts wrote. Screen scraping is viewed as the less secure method because the third party obtains and stores the consumer's login credentials for the digital banking app; those credentials grant the same full account access the consumer has, so a breach at the third party exposes far more than the data the consumer meant to share.
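The security difference the comment letters rely on can be made concrete. The following Python sketch is an added example, not code from the CFPB or from any bank or aggregator named in this article. It models the two access paths a data provider has to handle: a consent token the bank issues for API access (bound to one customer, a scope list and an expiry, and revocable), next to the session a screen scraper obtains by replaying stored login credentials. The endpoint names, scope names, HMAC-signed token format, signing key and customer record are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo data. A real data provider would keep the signing key in
# an HSM and store only salted password hashes; this is illustration only.
SIGNING_KEY = b"demo-bank-consent-signing-key"
CUSTOMER_PASSWORDS = {"alice": "correct horse battery staple"}

# Constructed mapping: which consent scope each (hypothetical) endpoint needs.
ENDPOINT_SCOPES = {
    "/accounts/balances": "accounts:read",
    "/accounts/transactions": "transactions:read",
    "/payments/transfer": "payments:write",
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_consent_token(customer: str, scopes, ttl_seconds: int, now: int) -> str:
    """Bank-side issuance after the customer consents. The token names the
    customer, the granted scopes and an expiry; the third party never sees
    the customer's password."""
    payload = {"sub": customer, "scopes": sorted(scopes), "exp": now + ttl_seconds}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def authorize_api(token: str, endpoint: str, now: int, revoked=frozenset()):
    """Data-provider check on an API request. Returns (allowed, reason).
    Signature is verified before anything in the payload is trusted."""
    try:
        body, sig = token.split(".")
        sig_bytes = _unb64(sig)
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig_bytes, expected):
        return False, "bad signature"
    if token in revoked:  # customer withdrew consent; no password change needed
        return False, "consent revoked"
    payload = json.loads(_unb64(body))
    if now >= payload["exp"]:
        return False, "consent expired"
    needed = ENDPOINT_SCOPES.get(endpoint)
    if needed is None:
        return False, "unknown endpoint"
    if needed not in payload["scopes"]:
        return False, f"scope {needed} not granted"
    return True, "ok"


def authorize_screen_scrape(customer: str, password: str, endpoint: str):
    """What a scraper holding stored credentials gets: the password opens a
    full online-banking session, so every endpoint is reachable, nothing
    expires, and the only way to cut off access is to change the password."""
    if CUSTOMER_PASSWORDS.get(customer) != password:
        return False, "login failed"
    return True, "full session (no scope, no expiry)"


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_consent_token("alice", ["accounts:read"], 3600, t0)
    print(authorize_api(tok, "/accounts/balances", t0 + 10))      # (True, 'ok')
    print(authorize_api(tok, "/payments/transfer", t0 + 10))      # scope not granted
    print(authorize_screen_scrape("alice", CUSTOMER_PASSWORDS["alice"],
                                  "/payments/transfer"))          # full session
```

The point the letters make about breach risk falls out of the last function: a leaked consent token is limited to one scope for a bounded time and can be revoked individually, whereas a leaked stored password is a complete login that the consumer can only cut off by changing it everywhere.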
"[JPMorgan Chase & Co.] has spent millions of dollars on techniques and technologies to block evasive screen scraping. It is not practical or possible for all data providers, particularly smaller entities with less technological sophistication, to block determined evaders," wrote Rohan Amin, Chase's chief product officer.
Blocking screen scraping requires large technology investments in part because it "still remains far too prevalent," wrote Alex Overstrom, head of retail banking at PNC Bank NA. More than half of all online banking requests PNC receives are screen scraping attempts from known data aggregators, Overstrom wrote.
"PNC makes considerable investments in its security monitoring to identify authorized and unauthorized connection attempts, including unauthorized screen scraping, but smaller data providers may lack the resources or technical expertise to do so," Overstrom wrote.
Several letters recommended that the final rule ban screen scraping more broadly, requiring third-party vendors and data aggregators, not only financial institutions, to block it in their offerings.
Small banks vs. large fintech vendors
While large banks are leading the development of API connectivity in their digital banking suites, smaller institutions commonly rely on third-party vendors and do not necessarily have the same bargaining power with the large data aggregators, industry executives wrote in the comment letters.
"Dominant market players (e.g., large data aggregators) could dictate the contract terms against smaller entities, negotiating away key compliance obligations and liability — including obligations to ensure compliance by third-party data recipients — while maximizing their access and use of consumer information," wrote Melissa MacGregor, deputy general counsel and corporate secretary at the Securities Industry and Financial Markets Association.
Seeing millions of login requests every month from screen scrapers, Lakewood, Colo.-based FirstBank wanted to switch to API access and reached out to data aggregators to build a more formal relationship, but it was turned away, according to Christopher Kelley, executive vice president of digital banking at the $25 billion-asset bank.
"Smaller community banks such as FirstBank are not a priority for the data aggregators and as a result our customers are not experiencing the open and transparent access to data that they deserve," Kelley wrote in the comment letter.
Given the unbalanced dynamics between smaller institutions and large data aggregators, industry executives recommended that the CFPB draw clearer lines of responsibility in the final rule rather than leaving financial institutions to carry the full burden of regulatory compliance.
Debate over opt-out provision
Several smaller institutions and the trade groups representing them asked for an option to opt out of the open banking rule based on an asset-size threshold. In the proposal, the CFPB would not allow financial institutions to charge fees for making covered data available. Financial institutions broadly raised concerns about the no-fee mechanism, which would make it hard to recoup the extra expense of implementing the technology.
While the CFPB proposed applying the new rule to every financial institution that has consumer interfaces, the Independent Community Bankers of America suggested that depository institutions that hold less than $850 million in total assets should be exempted.
However, being excluded from the open banking rules could make smaller institutions less competitive in consumer engagement than large banks, wrote John Pitts, head of policy at data aggregator Plaid. Small community banks and credit unions would not need to invest as much in this technology as large institutions, because they tend to have a much smaller customer base and thus receive far fewer data requests.
On Plaid's network, about 5,600 financial institutions receive fewer than 100 data requests per day, while a top 10 institution today would typically permit 500 API calls per second, Pitts wrote.