Abstract

Scholars have widely criticized the Supreme Court’s Fourth Amendment jurisprudence as incoherent, especially in cases involving emerging technologies. This Article argues that to understand Fourth Amendment doctrine, one must consider how the values that underlie the Court’s decisions are balanced against each other and shift over time. To do so, this Article first proposes a novel, bottom-up approach to identifying the relevant values that focuses on the specific evidence that the Court considers in each case. Distilling the values underlying the Fourth Amendment provides a more coherent understanding of Fourth Amendment doctrine. This Article then applies this framework to three biometric technologies: facial recognition, iris recognition, and DNA profiling. Law enforcement use of these technologies may all raise Fourth Amendment challenges, but the framework shows how these challenges implicate different values. Recognition and application of this framework can result in a better appreciation of the impact of emerging technologies on Fourth Amendment doctrine.

Read at SSRN.

Aaron, could you please tell us a bit about your background and how you became interested in competition law and digital-competition regulation?

I’m a lawyer by profession, but have taken a somewhat unconventional career path—I started as a litigator in a small general practice in my hometown outside Toronto, moved on to corporate law with one the world’s biggest law firms in London, Hong Kong, and Abu Dhabi, and then came back to Canada, where I moved through roles in polling and market research, lobbying, and tax advocacy. For the last three years, I’ve run the Domestic Policy Program at the Macdonald-Laurier Institute, an Ottawa-based think tank. Competition law—and especially the emergence of dominant digital players—has been one of my biggest files, primarily because it has become so politically salient in recent years.

Read the full piece here.

Abstract

Decentralized Finance (DeFi) on Ethereum lacks a clear legal framework akin to what exists in traditional financial markets, leading to uncertainty for traders, intermediaries, and other market participants regarding their protections, responsibilities, and risk exposures. Key concepts like what constitutes a “transaction,” who serves as a transaction counterparty, and what duties are owed remain undefined. This paper aims to clarify the legal journey of Ethereum transactions, focusing on the stages of trade instruction and execution. We examine the complex technical processes and actors involved, highlight areas where end-user expectations may be violated, discuss potential sources of legal liability, and explore whether certain DeFi activities like DEX trading should be governed by contract law. The paper assesses various parties, including validators, DEX liquidity providers, and smart contracts themselves, as potential legal counterparties to a DeFi trader. Based on this analysis, we provide recommendations for the development of a legal framework to enhance certainty and efficiency in DeFi markets. Establishing clear rules around trade instruction, execution, and liability allocation would enable more accurate risk assessment, support market participation and liquidity, and facilitate the healthy development of the DeFi ecosystem.

 

 

Abstract

Abstract

Once the jurisdiction that most clearly embraced a market-led approach to open banking, the United States appears on the verge of shifting to a regulator-driven regime, with mandated sharing of financial data. More specifically, the U.S. Consumer Financial Protection Bureau (CFPB), relying on Section 1033 of the Dodd-Frank Act, recently proposed rules governing “personal financial data rights.” The rulemaking appears to follow the lead of the European Union (EU), which has long been at the forefront of government-led open banking. This paper seeks to analyze the CFPB proposal through the prism of the EU experience. A review of the EU’s regulatory framework, and particularly its implementation in the United Kingdom, may offer useful insights about the challenging tradeoffs posed by open banking, and thus permit an assessment of whether the CFPB proposal would add value, or simply represent an unnecessary regulatory burden

I. Introduction

Following instructions laid out by President Joe Biden in his 2021 executive order on “Promoting Competition in the American Economy,”[1] the U.S. Consumer Financial Protection Bureau (CFPB) in October 2023 promulgated a “Personal Financial Data Rights” rulemaking to facilitate the portability of consumer banking and financial data.[2] The proposal would activate a to-date dormant provision of Section 1033 (the Consumer Financial Protection Act) of the Wall Street Reform and Consumer Protection Act of 2010 that was intended to accelerate a shift toward so-called “open banking.”[3] Open banking—a term that, in the United States, is frequently used to encompass “open finance” more broadly—refers to a financial-services environment built on interoperability and data-driven services that allows customers to leverage their transaction and financial data, and imposes on financial institutions a duty to share such data, on customers’ request, with third-party providers (TPPs).

Under open banking, financial institutions’ customers gain effective control of their data, as well as the opportunity to benefit from more competitive services enabled by the application of technological innovation to banking and finance (“fintech”). Given access to, and the ability to process, large troves of data (including nonfinancial data—e.g., digital footprints), fintech-enabled products can serve to promote financial inclusion, mitigate consumers’ unwillingness or inability to switch among firms, and help financial consumers to make informed choices and to shop around for the most convenient deals.[4] Open banking is therefore broadly expected to generate substantial benefits for businesses, consumers, and the economy as a whole.

Alongside those opportunities, however, financial innovation also poses several new concerns about consumer protection. Notably, the systematic digitization of financial transactions introduces potential for discrimination, manipulation, and exploitation of vulnerable customers.[5] Considering both consumers’ generally low levels of digital and financial literacy, and the opaque nature of algorithmic decisionmaking, they could be forced to make exceedingly complex choices among tradeoffs, and may be exposed to novel privacy and security risks. Even in cases of truly informed consent, the consumer-welfare impact of the enhanced fintech competition enabled by data sharing could be ambiguous.[6] Further, the emergence of new participants in the delivery of banking and financial services may negatively affect both competition and the financial system’s stability.

For all these reasons, designing a regulatory framework fit for purpose requires sensitive policy decisions about common standards for customer data and technical interfaces; solutions to allow customers to manage data permissions; eligibility rules and requirements for third parties seeking access to data; and the role of data aggregators.

The EU and UK have been at the forefront of the open-banking movement, having inspired other countries to follow their direction (e.g., Australia, Brazil, India, Mexico, Singapore). Those two jurisdictions are also currently evaluating proposals to extend their open-banking regulatory frameworks to “open finance” more broadly. A comparative analysis of the approaches adopted and models developed the EU and UK would therefore aid U.S. policymakers looking to strike the proper balance in the promises and perils of open banking.[7] Among the notable lessons to draw from the EU and UK experience include how those jurisdictions have sought to adopt a harmonized application programming interface (API) standard; to facilitate data access and create incentives to develop high-quality APIs; to define a regulatory framework for access to financial-information data; and whether to make banking and financial data available to nonfinancial companies (in particular, to so-called “Big Tech” platforms).

By taking stock of the EU experience and focusing on those provisions most relevant to innovation and competition, this paper aims to assess the CFPB’s proposal by investigating open banking’s challenging tradeoffs, identifying key features for its effective functioning, and providing policy suggestions for the forthcoming U.S. implementation.

The paper is structured as follows: Section II illustrates the economic rationale and challenges of regulatory-driven open-banking processes. Section III provides an overview of the  EU and UK frameworks, while also analyzing recent proposals to facilitate open finance. Section IV analyzes the U.S. proposal, drawing attention to relevant differences from the EU context. Section V concludes.

II. The Open Banking Conundrum: Rationale, Goals, and Challenges

Legislative initiatives to promote open banking belong to a more general wave of regulatory interventions intended to empower individuals with more control over data and to thereby unlock competition and innovation in both new and traditional markets.

The details vary from jurisdiction to jurisdiction and sector to sector, but data-sharing obligations generally include both data portability and interoperability. The former describes the ability to port from one platform to another any bulk data created through an individual’s use of a particular service. Data portability does not require systemic use of APIs, as it is accomplished via a one-time transfer at a specified point in time.[8] In contrast, open banking involves the creation of an in situ data right; i.e., rather than moving data among platforms, users are permitted to use their data within a given platform ecosystem and determine when and under what conditions third parties can access that in situ data.[9] Therefore, it represents a form of interoperability and, more specifically, belongs to the subcategory of data interoperability. Data interoperability refers to the ability to share and access data on a continuous and real-time basis, usually through APIs.[10]

Because market dynamics are shaped by consumer behavior, open-banking advocates assert that enhancing consumer engagement can play a crucial role in fostering effective competition. The fundamental policy objective of such data-sharing regulatory initiatives is to lower switching costs and avoid personal data lock-in by allowing consumers to switch smoothly or multi-home across platforms. In the case of open banking, this consumer empowerment is believed to strengthen their bargaining position with respect to banks. By gaining effective control of their own transaction data and allowing select TPPs to access such data, it is believed that consumers would be able to make informed choices among various banking and financial products and, with the help of data-driven tools, that they could receive personalized suggestions with the help of big-data analytics applied to their own economic behavior.

In summary, the goal of open banking is to increase competition, spur innovation, and make the market more contestable through data sharing. This is well-illustrated by the UK experience where, as we will see (infra Section III.C), the antitrust authority put forward data-sharing requirements as a regulatory remedy after a market investigation of the retail and business-banking sectors found weak competitive dynamics, including a high degree of market concentration and an extremely low switching rate.[11] UK authorities have even sought to measure the “loyalty penalty” that longstanding customers tend to pay for their inertia, estimating average annual gains they could realize from switching.[12]

Some open-banking proponents therefore seek to justify regulatory intervention on traditional market-failure grounds, noting that the banking sector in many countries suffers chronic deficiencies in its competitive dynamics. Without a legislative obligation to share date, banks may have valid reasons to decline access to or withhold sensitive information from TPPs, due to concerns about intellectual property, security, potential reputational risks, and liability issues.[13]

Nonetheless, it should also be noted that “open banking” does exist even where there is no regulatory mandate to share data. Indeed, even where banks are unwilling to collaborate with TPPs, third parties may gain access to customers’ accounts via screen scraping.[14] Screen scraping happens when consumers share their credentials with TPPs, who in turn impersonate the consumer, leaving them without control regarding what data is collected and how it is used and disclosed. The practice is known to increase the risks of inaccuracies, fraud, and data breaches. Indeed, the prevalence of screen-scraping practices may provide additional justification for open-banking regulations, as they represent a risky data-collection practice inconsistent with cyber-security best practices.

These concerns are further heightened by the fact that screen scraping allows TPPs access to all consumer data, rather than only those needed to provide payment and financial services. Therefore, open-banking proposals have also been advanced to guarantee consumer protection by providing a secure framework and ensuring a shift from screen scraping to developer interfaces (usually, credential-free APIs maintained by data providers or their service providers) as the most common means to access consumer data.[15] This would, it is argued, further enhance consumer trust in data sharing.

While there is consensus that developer interfaces should supplant screen scraping, significant disagreements have emerged around API standardization. Advocates particularly disagree about whether policymakers should mandate adoption of a common API standard or embrace a market-led approach that would leave banks free to develop their own interfaces or participate in privately led standardization initiatives.[16]

On the one hand, a common API standard could jeopardize dynamic competition among standards and undermine market incentives to innovate and develop high-quality interfaces. On the other hand, fragmented API standards could exacerbate the costs of interoperability, which in turn could translate into higher barriers for new entrants.[17] The unintended consequences that may arise from the absence of standardization are arguably worsened by conflicting interests among market participants—notably the lack of incentives for banks to grant access to TPPs.

Moreover, doubts have been expressed about how effective mandatory data sharing actually is in promoting competition. Growing concerns have emerged about financial-stability and monetary-policy risks generated by the entry of new players into the banking and financial-services industries.[18] Indeed, while open-banking regulations were intended primarily to create opportunities for fintech startups, whose services are otherwise constrained by lack of access to customer transaction data, the data-sharing obligations imposed on banks also tend to benefit unregulated financial-services players.

Notably, data-access rules have favored the entry of “Big Tech” firms, which initially entered the finance sector through payment services, but have swiftly diversified their offerings to include credit, insurance, and savings and investment products. While it remains unclear whether fintech startups will be able to compete effectively with legacy banks, rather than cooperate with them by providing complementary services,[19] Big Tech may represent a significant competitive threat to banks. The large tech platforms may be able to scale up quickly in financial markets by exploiting proprietary datasets derived from their non-financial operations (as well as analytical skills and advanced technologies) in order to provide consumers with personalized offers.[20] In this regard, from a competitive standpoint, there have also been questions about the asymmetric nature of data-sharing provisions that, in contrast with the goal of ensuring a level informational playing field, impose on banks a duty to grant access to TPPs without including a reciprocal obligation on the latter that would equally allow banks to enhance digital services.[21]

Further shortcomings and perils are associated with the role played by data aggregators (also known as API aggregators or API hubs). Emerging in response to the multiplicity of bank APIs available on the market, data aggregators act as intermediaries between banks and TPPs by integrating various APIs to offer a single implementation point for TPPs. From a technical perspective, data aggregators bring enhancements to the open-finance ecosystem. Indeed, providing a standardized API—irrespective of the specific APIs or services integrated—allows TPPs to seamlessly connect with various APIs without the need to handle the configuration and formatting intricacies of data and interfaces.

Data aggregators, however, also pose risks of market dominance.[22] Notably, due to their advantageous scale and extensive access to consumer financial data, the market might favor only a handful of major players. In other words, especially in a highly fragmented financial-services market, such as the United States, data aggregators may attract a critical mass of API-software developers that benefit from the same data-accumulation economics that may favor industry concentration and the entrenched dominant position of some Big Tech firms (i.e., strong economies of scale, scope, and network effects).[23] In addition, the API connection service delivered by aggregators can be viewed as a factor contributing to inefficiency, as it elongates transaction chains and introduces costs due to the fact that it is provided against compensation.

By and large, open banking’s rationale, aims, and tradeoffs suggest that one size does not fit all. Therefore, jurisdictions evaluating policy interventions to facilitate data sharing in banking and finance should adopt a tailored approach, taking stock of other countries’ experiences to carefully assess the benefits and drawbacks of market-led and regulatory-led regimes, respectively.

III. The EU Regulatory Framework and Its UK Implementation

From a regulatory perspective, the EU led the way in open banking by introducing a sector-specific data-access right in 2015. The jurisdiction is now on the verge of further extending its legal framework to embrace open finance. While based on the same framework, the UK adopted a different technological model for standardizing data-sharing interactions between banks and TPPs, which has become noteworthy as one of the most advanced examples of mandated interoperability. Further, the EU’s ongoing review of its regulatory regime may offer some useful insights about both the successes and shortcomings of open banking, as well as how it compares to the UK regime.

The EU and UK therefore represent useful benchmarks for U.S. policymakers interested in incorporating the lessons learned from those experiences. Recent proposals in both the EU and UK to go beyond payment-account data in order to promote access to financial data could be equally relevant to the United States, as the CFPB’s rulemaking aims to facilitate a form of open finance.

A. PSD2 and Its Reform

The EU’s 2015 Directive on Payment Services (PSD2) introduced the access-to-account rule (XS2A rule), which requires account-servicing payment-service providers (ASPSPs) to share, upon user request, real-time data on customers’ accounts with TPPs—both payment-initiation service providers (PISPs) and account-information service providers (AISPs)[24]—as well as to execute payment orders.[25] PSD2 enables access without need for a contractual relationship between the ASPSPs and TPPs, and thus without compensation.

While open banking existed in the EU prior to PSD2, the directive’s aim was to provide a secure regulatory framework. Previously, TPPs operated in a largely unregulated environment and accessed customers’ accounts primarily by screen scraping.[26]

Under PSD2, data access is facilitated either through APIs, or by granting TPPs direct access to payment data using the interface that banks employ for customer interactions (customer-facing interface). In order to safeguard business continuity for TPPs, PSD2 requires ASPSPs that opt for a dedicated interface (PSD2 API) to also provide an alternative interface to TPPs (a fallback interface) in the event of malfunction or other issues with the dedicated interface. To facilitate the objective of promoting competition and innovation, PSD2 and its implementing regulatory technical standards (RTSs) chose not to impose a unique API standard; nearly 10 years later, there is still no single pan-European open-banking API standard.

A recent evaluation report concluded that PSD2 has been successful in reducing fraud via the introduction of strong customer authentication (SCA), which involves two authentication factors based on either knowledge (e.g., a password), possession (e.g., a card) or inherence (e.g., a fingerprint).[27] The report, however, also found that PSD2 was only somewhat effective in achieving a level playing field, and was a mixed success in the uptake of open banking in the EU.[28] Indeed, there have been recurrent issues as regards TPPs lacking effective and efficient access to data held by ASPSPs, with a particular imbalance between bank and nonbank service providers.[29]

Notably, the review found that neither ASPSPs nor TPPs are fully satisfied with the current situation.[30] The latter regularly complain about the performance of data-access interfaces, reporting that they experience difficulties in providing basic services due to inadequate and low-quality PSD2 APIs.[31] TPPs also note that, as API standards are set by the industry, this fragmentation leaves them in the disadvantageous position of bearing the costs of developing separate solutions to access different banks’ APIs.[32]

For their part, ASPSPs also express dissatisfaction, reporting significant implementation costs to develop APIs, as well as objections that PSD2 precludes them from charging TPPs for access to customer data.[33] In other words, banks perceive open banking purely as a regulatory burden, and argue that the free access does not offer incentives to create the best possible APIs.[34] Banks are similarly dissatisfied with the low use of their APIs, raising complaints that API aggregators pass on user data to unregulated third parties.[35]

Despite these findings on the imperfect functioning of open banking in the EU, the European Commission has chosen not to pursue radical changes.[36]

With regard to TPPs’ complaints, while acknowledging that a different solution might offer better access to data, the Commission’s proposed amendments to PSD2 do not include imposing a fully standardized EU data-access interface, on belief that the costs of introducing a new single API standard would outweigh the benefits.[37] Indeed, the Commission notes that, despite the existence of different API standards in the EU, the existing PSD2 API standards have substantially converged over time toward two primary solutions (i.e., the Berlin Group standard and the STET standard).[38] In addition, even if not envisaged by PSD2, the emergence of API aggregators that offer a paid alternative to a PSD2 API standard has lowered frictions arising from fragmented API standards.[39]

Nonetheless, starting from the premise that screen scraping should be out of bounds,[40] the proposal suggests streamlining the regime by removing the two interface requirements (i.e., a principal interface and a fallback interface) and imposing, as a general rule, mandatory use of APIs designed and dedicated for open-banking purposes to provide data access to TPPs.[41] Moreover, to ensure TPPs’ business continuity and ability to provide high-quality services to clients, the proposal would grant them the right to benefit from “data parity,” with the customer interface provided by ASPSPs to their users.[42]

In the same way, in response to banks’ requests to modify the PSD2 to allow for compensation to facilitate access to data, the proposed amendments would safeguard the current regime (i.e., TPPs benefiting from the PSD2 baseline services without contractual agreement or charging) but would allow contractual relationships to be established, accompanied by compensation for services that go beyond those required by the PSD2.[43] This would allow the development of “premium” APIs to provide transaction information from other types of accounts (e.g., savings accounts) and allow the schedule of recurring payments.[44]

Finally, to increase trust in open banking and empower consumers to be in full control of their data, the proposal would require ASPSPs to make a dashboard available for customers to monitor data access granted to open-banking service providers, and to easily withdraw or re-establish that access.[45]

B. Open Finance Proposal

Alongside proposals to revise PSD2, the European Commission has also delivered a legislative proposal on data access to financial information (FIDA), which would complement the XS2A rule with an obligation to provide access to financial data.[46]

The FIDA proposal builds on the same rationale as PSD2—i.e., promoting competition and innovation in a data-driven ecosystem by entrusting customers of financial institutions (i.e., both consumers and firms) with effective control over their financial data to benefit from financial products and services tailored to their needs.[47] The wording of the aims section of the proposal clearly resembles PSD2. According to the proposal, the lack of personalized financial products hinders the potential for innovation, as it restricts the ability to provide a broader range of choices and financial services to consumers who could otherwise gain advantages from data-driven tools that help them make informed decisions, easily compare offerings, and switch to more favorable products aligning with their preferences based on their data.[48] A particular emphasis is placed on small players, as they are assumed to suffer most from existing barriers to business-data sharing.[49]

In addition, the FIDA proposal adopts the same approach as PSD2 (confirmed by its proposed revision) toward the lack of reciprocity in data-access obligations. As mentioned above, this approach has garnered criticism for being at-odds with the proclaimed goal of leveling the informational playing field. Against the risk of favoring Big Tech firms over financial incumbents and new fintech entrants, the Commission notes that the Digital Markets Act (DMA)[50] would ensure reciprocity in data access between financial-sector firms and large technology companies.[51] Indeed, under the DMA, gatekeeper platforms are required to ensure real-time access to data provided or generated on the platform by business users and consumers in the context of core platform services.

But to safeguard financial stability, market integrity, and consumer protection, the proposal lays down eligibility rules on access to customer data, establishing that the latter can be accessed only by regulated financial institutions or firms authorized as financial-information service providers (FISPs).[52] The provision applies the principle of “same activity, same risks, same rules,” according to which all financial-market participants that carry out the same activity and generate the same risks ought to be subject to the same standards for consumer protection and operational resilience.[53]

In a nutshell, the FIDA initiative is intended to extend the open-banking framework to open finance, and it proceeds from the same customer-centric approach, building on the lessons learned in the PSD2 review.[54] Therefore, while the FIDA proposal includes the same amendments related to data-access permission dashboards for customers,[55] it differs significantly from the proposed revision of PSD2 with regard to envisaged solutions against the risk of a low-quality and fragmented API landscape.

Notably, the FIDA proposal explicitly acknowledges that making data available via high-quality APIs is essential to facilitate seamless and effective access to data. Seeking to safeguard incentives for data holders to invest toward this aim, the proposal declares that is appropriate to allow them to request reasonable compensation from data users.[56] Such a solution would be in line with the principle recently introduced in the Data Act of a contractual data-sharing model.[57] Accordingly, under the FIDA proposal, a data holder may claim compensation only if the customer data is made available to a data user in accordance with the rules and modalities of a financial-data-sharing scheme.[58]

Moreover, as the consultation strongly indicated that the lack of standardization is a major obstacle to data sharing in finance,[59] the FIDA proposal imagines that market participants would be required to jointly develop common standards for customer data and interfaces as part of these financial-data-sharing schemes.[60] The option to empower European supervisory authorities to develop a single EU-wide standard for the entire financial sector was discarded because of its perceived drawbacks, complexity, and overall costs. More specifically, it was considered unlikely that a single standard would satisfy the diverse needs of data users in different segments of the financial-services industry, and that it would be challenging for public authorities to keep pace with technical developments by updating standards in a timely manner.[61]

The explanation proffered for this apparent discrepancy between open banking and open finance in the EU is simply one of path dependence. As open finance is an emerging market that would be regulated for the first time, it has no legacy compensation regime and no investments in APIs already made; therefore, it is believed there would be no risk of disruption.[62]

C. The UK Regime

Building on the same framework as PSD2, the UK opted for a more extensive and invasive implementation of the XS2A rule. Indeed, while PSD2 is technology-agnostic, the UK promoted a standardized model of open banking. Notably, the UK Competition and Markets Authority (CMA) required the nation’s nine largest banks (CMA9) to agree on common and open API standards, data formats, and security protocols that would allow TPPs to connect to customers’ bank accounts according to a single set of specifications.[63] Further, a special-purpose entity, funded by the CMA9, was created to oversee the rollout of API standards and support parties in the use of such standards.

The CMA decided to promulgate this remedy after a review of the retail-banking sector found perceived structural and longstanding competitive weaknesses.[64] In particular, the UK antitrust authority investigated whether there were barriers constraining banks’ ability to enter or expand competition in personal current accounts (PCAs), whether weak customer response was a result of lack of engagement and/or barriers to searching and switching that dampened banks’ incentives to compete, and whether the level of concentration had an adverse effect on customers. The investigation revealed that the market was concentrated and, despite variations among banks in prices and quality, market shares remained stable over time. Indeed, the four largest UK banks accounted for more than 70% of consumers’ primary PCAs and had collectively lost less than 5% market share since 2005.[65] Further, the market study found that a substantial proportion of customers were paying above-average prices for below-average service quality, thus suggesting they would be better off switching products.[66]

Despite these premises, customer engagement was low. The survey reported that more than a third of respondents had been with their primary PCA provider for more than 20 years, over a half for more than 10 years, and only 8% of customers had switched PCAs to a different bank over the past three years.[67] Such results were even more significant when compared to switching rates in other sectors.[68]

Seven years since its introduction, the UK celebrates the success of its open-banking model, claiming significant take-up and accelerating growth. Today, more than 7 million consumers and businesses (of which 750,000 are small to medium-sized enterprises) use open-banking-enabled products and services.[69] The data show that customers show positive sentiment toward open banking, believing they are in better control of their personal finances. Most TPPs likewise find that the API-standardized implementation has been particularly effective.[70] For these reasons, the UK Government has announced the launch of open finance—i.e., its intention to extend its open-banking model beyond payment accounts to a broader range of financial services and products.[71]

The perceived success of the UK version of open banking was confirmed when an identical model was adopted in Australia, where the Australian Competition and Consumer Commission required the four major banks to share product-reference data with accredited data recipients and mandated the adoption of a single set of API standards for data sharing.^[72] Australia’s open-banking requirements are part of an ambitious legislative initiative to introduce an economy-wide data-sharing framework, tested initially in banking and energy, and expected to eventually be extended to telecommunications, pensions, insurance, and other areas.

IV. The CFPB’s Rulemaking on ‘Personal Financial Data Rights’

Once the jurisdiction that most clearly embraced a market-led approach to open banking and open finance, the United States appears on the verge of shifting toward the EU’s prescriptive and regulator-driven regime, with mandated sharing of financial data.

In 2021, the White House encouraged the CFPB to intervene in the banking market to “promote competition” consistent with the objectives stipulated in Section 1021 of the Dodd-Frank Act and, in particular, to consider commencing rulemaking under Section 1033 of the Dodd-Frank Act to facilitate the portability of consumer-financial-transaction data.[73] Section 1021 entrusts the CFPB with ensuring that all consumers have access to markets for consumer financial products and services, and that these be “fair, transparent, and competitive.” Section 1033 establishes that, subject to certain exceptions, any person that engages in offering or providing a consumer financial product or service shall make available to a consumer, upon request, information in its control concerning that product or service that the covered person obtained from said consumer. In addition, the CFPB shall prescribe standards applicable to covered persons to promote the development and use of standardized formats for information, including through the use of machine-readable files, to be made available to consumers under this section.

As a consequence of the White House’s 2021 executive order on competition, the CFPB in October 2023 proposed a Personal Financial Data Rights rule to activate the aforementioned provisions enacted by the U.S. Congress more than a decade ago.[74] Notably, in addition to ensuring that consumers can access covered data in electronic form from data providers, the proposed regulation would delineate the scope of data that TPPs can access on a consumer’s behalf, the terms on which data are made available, and the mechanics of data access.

First, the CFPB chose to prioritize certain types of consumer accounts. The scope of the rulemaking includes as covered entities those providing asset accounts subject to the Electronic Fund Transfer Act and Regulation E; credit cards subject to the Truth in Lending Act and Regulation Z; and related payment-facilitation products and services, and, as covered data, transaction information; account balances; information to initiate payment to or from a Regulation E account; terms and conditions; upcoming bill information; and basic account-verification information.[75]

The rulemaking also requires data providers to establish and maintain a developer interface for third parties to access consumer-authorized data under certain performance and security specifications.[76] In particular, the CFPB established that the performance of a developer interface cannot be commercially reasonable unless it has a response rate of at least 99.5 percent within 3.5 seconds. Despite the costs incurred to meet these requirements, the CFPB suggested forbidding data providers from imposing access caps and levying any direct fee for fulfilling a request.[77]

Further, the rulemaking seeks to promote standardization by supporting industry standards appropriately developed within a data-access framework (“qualified industry standard”).[78] Due to concerns about the pace of technological change,[79] rather than dictating technical standards, the CFPB suggested that indicia of compliance with certain provisions must include conformance to an applicable industry standard issued by a fair, open, and inclusive standard-setting body.[80]

A. Absence of Justifications for Regulatory Intervention

The CFPB’s rulemaking builds on Section 1033 of the Dodd-Frank Act. As noted by some scholars, however, Section 1033 is “silent” on the core principles of open banking.[81] Indeed, the provision creating a data-access right for consumers does not expressly impose on financial institutions a duty to share such data with third parties. Therefore, in contrast with the EU PSD2, it is far from clear whether there is a legislative mandate authorizing the CFPB to promote open banking via interoperability obligations. Indeed, the lack of a clear regulatory mandate is arguably what has allowed a market-driven approach to open banking to emerge in the United States over the last 14 years.

More importantly to the present analysis, the U.S. context differs significantly from the EU, raising questions about the justification for regulatory intervention. These doubts involve both the spread of poor technological-data-access solutions and the respective markets’ structural competitive weaknesses. Regarding the former, the CFPB proposal places significant emphasis on screen scraping. CFPB Director Rohit Chopra has described the current regime as “broken,” with consumer access based on a set of unstable and inconsistent norms across market participants and with many companies accessing consumer data through activities like screen scraping.[82] The proposal thus seeks to move the market away from these risky data-collection practices.[83]

But while acknowledging that screen scraping has allowed open banking to grow quickly in the United States,[84] the CFPB also reports that a large and growing number of consumers currently access their financial data through consumer-authorized third parties, and that the share of access attempts made through screen scraping has declined by a third since 2019.[85] According to the CFPB, the recent growth in traffic through credential-free APIs reflects the technology’s adoption by some of the largest data providers, covering tens of millions of covered accounts.[86] The bureau estimates that API use has grown substantially over the last five years, as the annual number of consumer-authorized access attempts approximately doubled from 2019 to 2022.[87] The U.S. market therefore already appears to be moving away from screen scraping and toward the use of APIs.

Moreover, the U.S. banking and financial-services sector is characterized by a large degree of fragmentation. As noted in the literature, such extreme fragmentation is “stark” when compared with the EU and other jurisdictions that have adopted open banking and open finance.[88] In response, U.S. financial institutions have undertaken initiatives to promote API standards, which already include private standard-setting bodies such as the Financial Data Exchange (FDX). The result has been a commingling of financial institutions, data aggregators, fintechs, payment networks, and consumer groups with the objective of “unifying the financial services ecosystem around a common, interoperable and royalty-free technical standard for user-permissioned financial data sharing.”[89]

But such efforts for industry-supported API standards have been controversial.[90] Indeed, an additional peculiar feature of the U.S. financial-services industry is the emergence of a relatively concentrated data-aggregation market, where a handful of players serve the entire sector.[91]

In summary, while the two primary rationales for regulator-driven open banking in other jurisdictions are chronic deficiencies in market contestability and the widespread use of screen scraping, neither of these features are present in the U.S. scenario. Since regulatory intervention is context-dependent and entails complex tradeoffs and sensitive choices (see supra Section II), the absence of these justifications raises doubts about the potential added value of the CFPB’s initiative—specifically, whether any benefits to innovation, competition, and consumer choice will outweigh regulatory costs.

B. Insights from the EU’s Shortcomings

While the marked differences between the U.S. and EU landscapes raise questions about the rationale for a U.S. shift toward regulator-led open banking, a glance at the EU’s recent review of its open-banking regime underscores the degree to which the proposed CFPB framework may represent an unnecessary regulatory burden. In particular, there should be significant doubts about the competitive implications of the proposed rules, and particularly about the degree to which they would serve to ensure quality data-sharing and a level informational playing field.

Indeed, the CFPB’s primary justification for top-down intervention is to outlaw screen scraping, which is unanimously considered worrisome for data privacy, security, and accuracy.[92] The EU FIDA proposal highlights data accuracy as especially key for competition, noting that making data available via high-quality APIs is essential to facilitate effective access.[93] The CFPB proposal likewise assumes that the quality of data provided through open-banking APIs is greater than that collected through screen scraping.

But the recent review of the EU PSD2 noted TPPs’ dissatisfaction with the performance of data-access interfaces.[94] Notably, many TPPs complained that, despite the high costs of implementation, APIs are implemented differently and don’t always work.[95] At the same time, banks complain about the costs of PSD2 compliance, arguing that the mandated free access leaves them no incentive to offer the best possible APIs.[96] Given the significant implementation costs to develop high-quality APIs, the European Commission has supported a proposal to allow data holders to request reasonable compensation from data users.[97] More generally, the EU Data Act affirms that it is desirable to provide remuneration for data under fair, reasonable, and non-discriminatory (FRAND) terms in order to promote investment and safeguard appropriate incentives to develop high-quality interfaces.[98] Such compensation might include not only the costs incurred to make the data available, but also a margin to account for such factors as the volume, format, or nature of the data. By contrast, the CFPB proposal would impose performance specifications for the developer interface while forbidding any fee or charge in connection with establishing the required interface or receiving requests to make covered data available.[99]

Other CFPB provisions are inconsistent with open banking’s procompetitive goal of levelling the informational playing field. Notably, the CFPB replicates the asymmetric treatment imposed on financial institutions by the PSD2 (as well as by the current EU proposals), under which banks and other lenders have a duty to share account data, while no reciprocal obligation is imposed on data recipients. Restricting access and use of data may serve to hinder development of innovative products or services, and a bidirectional access-to-data-account rule in PSD2 could have been used to enhance digital-payment services. A system in which all eligible entities participate would be more dynamic and promote greater competition. Therefore, in principle, there is good reason to establish that accredited data recipients in a designated sector should also be obliged to provide equivalent data in an equivalent format, in response to a consumer request.[100] Further, an unbalanced data-sharing burden risks over-empowering new players (i.e., fintechs, Big Tech, and data aggregators) relative to legacy banks.

In a similar vein, the CFPB’s blanket prohibition on secondary data use could yield further anticompetitive shortcomings by imposing limits on data flows—namely on the use of covered data for targeted advertising and cross-marketing, even when those data are de-identified.[101] Indeed, such restrictions are at odds with core open-banking principles. As open banking is consumer-centric and aims to promote consumer empowerment to spur innovation and competition, it should abandon purely paternalistic approaches focused only on consumers’ vulnerabilities. Instead, open-banking principles inherently endorse a proactive strategy based on consumers’ ability to manage their data and choose which parties should use it to offer new products and services.[102] An outright ban on targeted advertising and cross-marketing instead reduces consumer choices and their opportunities to discover new products and services. By further hindering the level informational playing field, such a prohibition would favor incumbents over newcomers and challengers.

Finally, following the EU, the CFPB would adopt an open-banking regime with mandatory data sharing, but without regulator-supplied technical standards. Similar to EU policymakers—and in contrast with UK and Australian regulators—the CFPB argues that detailed technical standards are too complex and unsuited to the pace of technological change, even though they would be particularly well-suited to the excessively fragmented U.S. market.[103] In supporting the development of common standards through standard-setting organizations, the CFPB’s proposal is similar to the European FIDA proposal, although the latter mandates participation by financial institutions, data holders, and data users in data-sharing schemes. Indeed, under the FIDA proposal, data that falls within the scope of the sharing obligation would only be available to members of a financial-data-sharing scheme.

The concerns about whether such an invasive intervention will be “future proof” are compelling, especially given the size of the U.S. financial market. But a UK-style remedy would at least be effective against the only potential risk of market dominance—that of a small handful of data aggregators emerging as a response to the peculiar fragmentation of the U.S. market. In this regard, there should be doubts about whether it will be effective to entrust standard-setting bodies to develop “qualified” standards within the CFPB’s framework.[104] In particular, it is unclear what value would be added relative to the way that market-led open banking is currently delivered in the United States, as it already includes industry standard-setting initiatives (e.g., FDX). Subjecting standard-setting organizations to CFPB vetting regarding their fairness, openness, and inclusiveness does not seem like a game changer. On the contrary, it appears to be just another unnecessary regulatory burden, apparently unfit to address the purported risks of standards controlled by dominant incumbents or intermediaries, thus “enabl[ing] rent-extraction and cost increases for smaller participants.”[105]

V. Conclusion: Does the CFPB’s Open Banking Fall Short?

Following the EU and the UK, about 80 countries have recently engaged in government-led open-banking initiatives.[106] The United States is on the brink of joining the club. But even without a regulatory framework to mandate data sharing, open banking is already flourishing in the U.S. market. Therefore, it’s important to understand why the country that has been at the forefront of market-driven open banking would shift to a compulsory regime, as well as what model inspired this change.

The EU’s regulator-driven open-banking regime relies on the twofold rationale of promoting fintech competition and safeguarding consumers from screen-scraping practices. But the EU’s background differs significantly from the U.S. scenario. Rather than being highly concentrated, the U.S. market seems paradoxically to suffer from the opposite problem—namely, excessive fragmentation. As a result, the competitive issue that has emerged in the United States is one of market concentration at the intermediary level (i.e., data aggregators), rather than upstream (i.e., banks). Moreover, as the CFPB acknowledges, the U.S. market has already been moving away from screen scraping, as testified by the exponential increase in the number of consumer-authorized access attempts in recent years.

The state of the U.S. open-banking ecosystem also flies in the fact of the traditional market-failure justification for regulatory intervention. In disregarding the peculiar features of the U.S. context, the CFPB’s proposal may miss badly in selecting effective technical solutions. Indeed, by replicating the EU approach, rather than the UK implementation, the CFPB discards the option of imposing  single U.S.-wide standard because of its cost, complexity, and dynamic innovation shortcomings. While these concerns are well-founded, at the very least, an invasive technological solution would address the only potential competitive issue in the U.S. market, which is the role of data aggregators. Moreover, the CFPB ignores some useful insights from the recent review of the EU experience, which recommends allowing incentives to develop high-quality APIs by compensating banks for their efforts.

For all these reasons, there should be significant concerns about whether the CFPB’s initiative is needed and to extent to which such a top-down intervention would add value in the U.S. market.

Despite the ambiguous effects and challenging tradeoffs of open banking, it has been trendy of late and the government-led version has become widespread around the world. It is worth remembering, however, that regulatory models do not work in a vacuum. They are context-dependent and can be more or less effective depending on the particular features of the markets and countries involved. More importantly, regulation is not inherently preferable to market-led solutions. Regulation is just a pill for a disease—ideally, the cure for a market failure. If the latter is missing or is not properly detected, consumers effectively be asked to pay the price for an unneeded dress, however stylish it might be.

[1] Executive Order on Promoting Competition in the American Economy, White House (Jul. 9, 2021), https://www.whitehouse.gov/briefing-room/presidential-actions/2021/07/09/executive-order-on-promoting-competition-in-the-american-economy.

[2] Required Rulemaking on Personal Financial Data Rights, Docket No. 2023-CFPB-0052, U.S. Consumer Financial Protection Bureau (Oct. 19, 2023), https://www.consumerfinance.gov/rules-policy/notice-opportunities-comment/open-notices/required-rulemaking-on-personal-financial-data-rights.

[3] Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, 12 USC 53 (2010), §1033.

[4] See, e.g., Tania Babina, Saleem Bahaj, Greg Buchak, Filippo De Marco, Angus Foulis, Will Gornall, Francesco Mazzola, & Tong Yu, Customer Data Access and Fintech Entry: Early Evidence from Open Banking (NBER Working Paper 32089, Jan. 2024), http://www.nber.org/papers/w32089; Tobias Berg, Valentin Burg, Ana Gombovic, & Manju Puri, On the Rise of Fintechs: Credit Scoring Using Digital Footprints, 33 Rev. Financ. Stud. 2845 (Sep. 12, 2019); Thomas Philippon, On Fintech and Financial Inclusion (NBER Working Paper No. 26330, Sep. 2019), https://www.nber.org/papers/w26330.

[5] See, e.g., Access to Finance for Inclusive and Social Entrepreneurship. What Role Can Fintech and Financial Literacy Play? (OECD Local Economic and Employment Development (LEED) Papers, 2022), https://www.oecd-ilibrary.org/industry-and-services/policy-brief-on-access-to-finance-for-inclusive-and-social-entrepreneurship_77a15208-en; Isil Erel & Jack Liebersohn, Can Fintech Reduce Disparities in Access to Finance? Evidence from the Paycheck Protection Program, 146 J. Financ. Econ. 90 (Oct. 2022); Yoke Wang Tok & Dyna Heng, Fintech: Financial Inclusion or Exclusion? (IMF Working Paper No. 80, May 6, 2022), https://www.imf.org/en/Publications/WP/Issues/2022/05/06/Fintech-Financial-Inclusion-or-Exclusion-517619.

[6] See, e.g., Zhiguo He, Jing Huang, & Jidong Zhou, Open Banking: Credit Market Competition When Borrowers Own the Data, 147 J. Financ. Econ. 449 (Feb. 2023); Christine A. Parlour, Uday Rajan, & Haoxiang Zhu, When FinTech Competes for Payment Flows, 35 Rev. Financ. Stud. 4985 (Apr. 27, 2022).

[7] For an overview of the international landscape, see Babina et al., supra note 4; Shifting from Open Banking to Open Finance: Results from the 2022 OECD Survey on Data Sharing Frameworks (OECD Business and Finance Policy Papers, 2023), https://doi.org/10.1787/9f881c0c-en.

[8] Daniel Schnurr, Switching and Interoperability Between Data Processing Services in the Proposed Data Act, Centre on Regulation in Europe (Dec. 2022), 11, available at https://cerre.eu/wp-content/uploads/2022/12/Data_Act_Cloud_Switching.pdf.

[9] Bertin Martens, Geoffrey Parker, Georgios Petropoulos, & Marshall van Alstyne, Towards Efficient Information Sharing in Network Markets (Bruegel Working Paper No. 12, Nov. 10, 2021), https://www.bruegel.org/2021/11/towards-efficient-information-sharing-in-network-markets.

[10] On the various degrees of interoperability, see Jacques Cre?mer, Yves-Alexandre de Montjoye, & Heike Schweitzer, Competition Policy for the Digital Era, European Commission Directorate-General for Competition (2019), 58-59, https://op.europa.eu/en/publication-detail/-/publication/21dc175c-7b76-11e9-9f05-01aa75ed71a1/language-en.

[11] The Retail Banking Market Investigation Order 2017, UK Competition and Markets Authority (Feb. 2, 2017), https://www.gov.uk/government/publications/retail-banking-market-investigation-order-2017.

[12] See Oscar Borgogno & Giuseppe Colangelo, Consumer Inertia and Competition-Sensitive Data Governance: The Case of Open Banking, 9 EuCML 143 (2020).

[13] Impact Assessment Accompanying the Proposal for a Directive on Payment Service in the Internal Market, European Commission (Staff Working Document, 288 final, 2013), 137.

[14] Report on the Review of Directive 2015/2366/EU of the European Parliament and of the Council on Payment Services in the Internal Market, European Commission (COM(2023) 365 final), 4.

[15] See, e.g., Screen Scraping – Policy and Regulatory Implications, Australian Government – The Treasury (2023), https://treasury.gov.au/consultation/c2023-436961.

[16] For a literature review on the different modes of the standardization process, see Dize Dinçkol, Pinar Ozcan, & Markos Zachariadis, Regulatory Standards and Consequences for Industry Architecture: The Case of UK Open Banking, 52 Res. Policy 104760 (Jul. 2023).

[17] See, e.g., OECD, supra note 7, 32; Press Release, Final Report on the Sector Inquiry into Financial Technologies, Hellenic Competition Commission (Dec. 27, 2022), https://epant.gr/en/enimerosi/press-releases/item/2460-press-release-publication-of-the-final-report-of-the-fintech-sector-inquiry.html; Opinion on the Sector of New Technologies Applied to Payment Activities, French Competition Authority (Apr. 29, 2021), https://www.autoritedelaconcurrence.fr/en/opinion/sector-new-technologies-applied-payment-activities.

[18] See, e.g., Giulio Cornelli, Fiorella De Fiore, Leonardo Gambacorta, & Cristina Manea, Fintech vs Bank Credit: How Do They React to Monetary Policy?, 234 Econ. Lett. 111475 (Jan. 2024); Karen Croxson, Jon Frost, Leonardo Gambacorta, & Tommaso Valletti, Platform-Based Business Models and Financial Inclusion: Policy Trade-Offs and Approaches, 19 J. Compet. Law Econ. 75 (Mar. 2023); Claudio Borio, Stijn Claessens, & Nikola Tarashev, Entity-Based vs Activity-Based Regulation: A Framework and Applications to Traditional Financial Firms and Big Techs (FSI Occasional Paper No. 19, Aug. 3, 2022), https://www.bis.org/fsi/fsipapers19.htm; Johannes Ehrentraud, Jamie Lloyd Evans, Amelie Monteil, & Fernando Restoy, Big Tech Regulation: In Search of a New Framework (FSI Occasional Paper No. 20, Oct. 3, 2022), https://www.bis.org/fsi/fsipapers20.htm; Raihan Zamil & Aidan Lawson, Gatekeeping the Gatekeepers: When Big Techs and Fintechs Own Banks – Benefits, Risks and Policy Options (FSI Insights No. 39, Jan. 20, 2022), https://www.bis.org/fsi/publ/insights39.htm.

[19] See, e.g., Oskar Kowalewski & Pawel Pisany, The Rise of Fintech: A Cross-Country Perspective, 122 Technovation 102642 (Apr. 2023); Emma Li, Mike Qinghao Mao, Hong Feng Zhang, & Hao Zheng, Banks’ Investments in Fintech Ventures, 149 J. Bank. Financ. 106754 (Apr. 2023); Victor Murinde, Efthymios Rizopoulos, & Markos Zachariadis, The Impact of Fintech Revolution on the Future of Banking: Opportunities and Risks, 81 Int. Rev. Financ. Anal. 102103 (May 2022); Arnoud Boot, Peter Hoffmann, Luc Laeven, & Lev Ratnovski, Fintech: What’s Old, What’s New?, 53 J. Financ. Stab. 100836 (Apr. 2021); Luca Enriques & Wolf-Georg Ringe, Bank-Fintech Partnerships, Outsourcing Arrangements and the Case for a Mentorship Regime, 15 Cap. Mark. Law J. 374 (Jul. 31, 2020); Anjan V. Thakor, Fintech and Banking: What Do We Know?, 41 J. Financ. Intermed. 100833 (Jan. 2020); Aluma Zernik, The (Unfulfilled) Fintech Potential, 1 Notre Dame J. Emerging Tech 352 (Oct. 1, 2018); Rene? M. Stulz, FinTech, BigTech, and the Future of Banks, 31 J. Appl. Corp. Finance 86 (Sep. 2019); Xavier Vives, Digital Disruption in Banking, 11 Annu. Rev. Financ. Econ. 243 (Nov. 2019).

[20] For analysis of the debate on competitive opportunities and concerns coming from Big Tech’s entry into banking and financial markets, see Oscar Borgogno & Giuseppe Colangelo, The Data Sharing Paradox: BigTechs in Finance, 16 Eur. Compet. J. 492 (May 28, 2020).

[21] Miguel de la Mano & Jorge Padilla, Big Tech Banking, 14 J. Compet. Law Econ. 494, 503 (Dec. 4, 2018).

[22] Open Finance Policy Considerations (OECD Business and Finance Policy Papers, 2023), 30-31, https://doi.org/10.1787/19ef3608-en.

[23] See Dan Awrey & Joshua Macey, The Promise and Perils of Open Finance, 40 Yale J. on Reg. 1 (Feb. 28, 2022); Julian Alcazar & Fumiko Hayashi, Data Aggregators: The Connective Tissue for Open Banking, Fed. Res. Bank Kansas City (Aug. 24, 2022), https://www.kansascityfed.org/research/payments-system-research-briefings/data-aggregators-the-connective-tissue-for-open-banking.

[24] Account-information services and payment-initiation services are those that allow a payment-service provider access to a payment-service user’s data data where the provider neither holds the user’s account funds nor does it directly service his or her payment account. Account-information services allow for the aggregation in a single location of user data held by multiple account-servicing payment-service providers; payment-initiation services allow a payment to be initiated from a user’s account in a way that is convenient for both user and payee and without need for a payment instrument, such as a payment card.

[25] Directive 2015/2366 on Payment Services in the Internal Market, (2015) OJ L 337/35, Articles 64-68. For analysis of the XS2A rule, see Oscar Borgogno & Giuseppe Colangelo, Data, Innovation and Competition in Finance: The Case of the Access to Account Rule, 31 Eur. Bus. Law Rev. 573 (Apr. 15, 2019).

[26] European Commission, supra note 14, 4.

[27] Id., 3.

[28] Id.

[29] Id., 4.

[30] European Commission, supra note 13, 16.

[31] Id., 13-14.

[32] Id., 120.

[33] Id., 15.

[34] Id.

[35] Id.

[36] The legislative amendments to PSD2 are set out in two proposals that would separate the rules governing payment services’ conduct from rules on authorization and supervision of payment institutions. On the former, see, Proposal for a Regulation on Payment Services in the Internal Market and Amending Regulation (EU) No 1093/2010, European Commission, COM(2023) 367 final; on the latter, see, Proposal for a Directive on Payment Services and Electronic Money Services in the Internal Market Amending Directive 98/26/EC and Repealing Directives 2015/2366/EU and 2009/110/EC, European Commission, COM(2023) 366 final.

[37] European Commission, supra note 14, 4-5. See also European Commission, supra note 13, 42-43, stating that “[r]equiring a new standard would render the work done on all existing standards wasted. More fundamentally, imposing a single standard would mean abandoning the principle of technology neutrality and could risk being inflexible, not future-proof and hinder innovation, since new better standards for interfaces may arise in future.”

[38] European Commission, supra note 14, 4-5, reporting that the Berlin Group standard claims to account for 80% of the PSD2 APIs.

[39] Id.

[40] European Commission, Proposal for a Regulation on Payment Services, supra note 36, Recital 61.

[41] Id., Recital 57. Exemptions are allowed for cases of failure/unavailability of the dedicated interfaces and small ASPSPs for which a dedicated interface would be disproportionately burdensome (Recital 62).

[42] Id., Recital 59.

[43] Id., Recital 56.

[44] In a similar vein, see, Principles for Commercial Frameworks for Premium APIs, UK Joint Regulatory Oversight Committee (2023), available at https://www.fca.org.uk/publication/corporate/jroc-principles-commercial-frameworks-premium-apis.pdf.

[45] European Commission, Proposal for a Regulation on Payment Services, supra note 36, Recital 65.

[46] Proposal for a Regulation on a Framework for Financial Data Access and Amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554, European Commission, COM(2023) 360 final. In particular, the access provision would apply to the following selected categories of customer data: mortgage-credit agreements, loans, and accounts; savings, investments in financial instruments, insurance-based investment products, crypto-assets, real estate, and other related financial assets, as well as the economic benefits derived from such assets; pension rights in occupational-pension schemes; pension rights on the provision of pan-European personal-pension products; non-life insurance products; data which forms part of a firm’s creditworthiness assessment and that is collected as part of a loan-application process or a request for a credit rating.

[47] Id., Recital 2.

[48] Id., Recital 6.

[49] Id.

[50] Regulation (EU) 2022/1925 on Contestable and Fair Markets in the Digital Sector and Amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act), (2022) OJ L 265/1.

[51] Impact Assessment Report accompanying the Proposal for a Regulation on a Framework for Financial Data Access, European Commission, SWD(2023) 224 final, 113.

[52] European Commission, supra note 46, Recital 31.

[53] Report on Open Finance, Expert Group on European Financial Data Space (2022), 35, https://finance.ec.europa.eu/publications/report-open-finance_en.

[54] European Commission, supra note 46, Recital 49.

[55] Id., Recital 21.

[56] Id., Recitals 7 and 29. See also European Commission, supra note 51, 21; Expert Group on European Financial Data Space, supra note 53, 11.

[57] Regulation (EU) 2023/2854 on Harmonized Rules on Fair Access to and Use of Data and Amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act), (2023) OJ L1, Article 9.

[58] European Commission, supra note 46, Articles 5, 9-11.

[59] European Commission, supra note 56, 19.

[60] European Commission, supra note 46, Articles 9 and 10, Recital 25.

[61] European Commission, supra note 56, 55.

[62] European Commission, Proposal for a Regulation on Payment Services, supra note 36, Recital 55; European Commission, supra note 13, 47.

[63] UK Competition and Markets Authority, supra note 11. For further analysis, see Dinçkol, Ozcan, & Zachariadis, supra note 16; Borgogno & Colangelo, supra note 12.

[64] Retail Banking Market Investigation – Final Report, UK Competition and Markets Authority (2016), https://www.gov.uk/cma-cases/review-of-banking-for-small-and-medium-sized-businesses-smes-in-the-uk#final-report.

[65] Id., §46.

[66] Id., §54.

[67] Id., §65.

[68] Id., §66.

[69] Recommendations for the Next Phase of Open Banking in the UK, UK Joint Regulatory Oversight Committee (2023), available at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1150988/JROC_report_recommendations_and_actions_paper_April_2023.pdf; Joint Statement by HM Treasury, the CMA, the FCA and the PSR on the Future of Open Banking, UK Government (2022), https://www.gov.uk/government/publications/joint-statement-by-hm-treasury-the-cma-the-fca-and-the-psr-on-the-future-of-open-banking.

[70] European Commission, supra note 13, 195-196.

[71] UK Government, supra note 69. See also, Open Finance – Feedback Statement, Financial Conduct Authority (2021), available at https://www.fca.org.uk/publication/feedback/fs21-7.pdf.

[72] Competition and Consumer (Consumer Data Right) Rules 2020.

[73] White House, supra note 1.

[74] Consumer Financial Protection Bureau, supra note 2.

[75] Id., §§1033.111 and 1033.211.

[76] Id., §1033.311(c)(1).

[77] Id., §1033.301(c) and §1033.311(c)(2).

[78] Id., 21.

[79] Id., arguing that “[c]omprehensive and detailed technical standards mandated by Federal regulation could not address the full range of technical issues in the open banking system in a manner that keeps pace with changes in the market and technology. A rule with very granular coding and data requirements risks becoming obsolete almost immediately, which means the CFPB and regulated entities would experience constant regulatory amendment, or worse, the rule would lock in 2023 technology, and associated business practices, potentially for decades. In developing the proposal, the CFPB is mindful of these limitations and the risk that they may adversely impact the development and efficient evolution of technical standards over time.”

[80] Id., §§1033.131 and §1033.141.

[81] Awrey & Macey, supra note 23, 20. See also He, Huang, & Zhou, supra note 6, noting that open banking’s core principles do not stop at customer ownership of their own data.

[82] Rohit Chopra, Remarks at Money 20/20 (Oct. 25, 2022), https://www.consumerfinance.gov/about-us/newsroom/director-chopra-prepared-remarks-at-money-20-20.

[83] Press Release, CFPB Proposes Rule to Jumpstart Competition and Accelerate Shift to Open Banking, U.S. Consumer Financial Protection Bureau (Oct. 19, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-proposes-rule-to-jumpstart-competition-and-accelerate-shift-to-open-banking.

[84] Consumer Financial Protection Bureau, supra note 2, 7.

[85] Id., 185 and 213.

[86] Id., 187.

[87] Id., 185-186. Notably, the CFPB estimates that there were between 50 billion and 100 billion total consumer-authorized access attempts in 2022.

[88] See Awrey & Macey, supra note 23, 19 and 35-37, arguing that the U “is home to the world’s largest, most fragmented, and most diverse financial services industry.”

[89] About FDX – Our Mission, Financial Data Exchange, https://financialdataexchange.org/FDX/FDX/About/About-FDX.aspx?hkey=dffb9a93-fc7d-4f65-840c-f2cfbe7fe8a6 (last accessed Jun. 9, 2024).

[90] Consumer Financial Protection Bureau, supra note 2, 9.

[91] Awrey & Macey, supra note 23, 37. See also Consumer Financial Protection Bureau, supra note 2, 16.

[92] Consumer Financial Protection Bureau, supra note 2, 14-15.

[93] European Commission, supra note 46, Recital 7.

[94] European Commission, supra note 13, 14.

[95] Id., 191. See also, A Study on the Application and Impact of Directive (EU) 2015/2366 on Payment Services (PSD2), VVA & CEPS (2023), https://op.europa.eu/en/publication-detail/-/publication/f6f80336-a3aa-11ed-b508-01aa75ed71a1/language-en, estimating that TPPs spent €35 million on problems linked to accessing APIs and €140 million on maintaining legacy systems due to APIs not working properly.

[96] See VVA & CEPS, supra note 95, estimating €2.2 billion in total (one-off) costs for all ASPSPs for setting up of PSD2 APIs.

[97] European Commission, supra note 36, Recital 56; European Commission, supra note 56, Recital 29.

[98] Data Act, supra note 57, Recitals 46 and 47, and Article 9.

[99] Consumer Financial Protection Bureau, supra note 2, §1033.301(c).

[100] See, Review into Open Banking: Giving Customers Choice, Convenience and Confidence, Australian Government (2018), 44, https://treasury.gov.au/consultation/c2018-t247313, acknowledging that determining equivalent data for data recipients whose primary business is not financial services can be complex, and therefore recommending that, as part of the accreditation process for non-bank data recipients, the competition regulator should determine what constitutes equivalent data for the purposes of participating in open banking.

[101] Consumer Financial Protection Bureau, supra note 2, §1033.421(a)(2).

[102] Giuseppe Colangelo & Mariateresa Maggiolino, From Fragile to Smart Consumers: Shifting Paradigm for the Digital Era, 35 Comput. Law Secur. Rev. 173 (Apr. 2019).

[103] Consumer Financial Protection Bureau, supra note 2, 21. See also Rohit Chopra, Remarks at the Financial Data Exchange Global Summit, U.S. Consumer Financial Protection Bureau (Mar. 13, 2024), https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-of-cfpb-director-rohit-chopra-at-the-financial-data-exchange-global-summit, acknowledging that the EU approach led to fragmented or conflicting standards, which created complications for open-banking implementation and undermined interoperability, but simultaneously arguing that the opposite approach promoted in other jurisdictions to prescribe detailed technical standards for data sharing would not work in the United States.

[104] Consumer Financial Protection Bureau, supra note 2, §1033.131 and 1033.141. But see also Chopra, supra note 103, announcing that, before finalizing the Personal Financial Data Rights rule, the CFPB would “codify” what attributes standard-setting organizations must demonstrate to be recognized under the rule.

[105] Consumer Financial Protection Bureau, supra note 2, 22.

[106] Babina et al., supra note 4; OECD, supra note 7.

Executive Summary

Payment networks connect buyers with sellers. Success hinges on attracting sufficient participation on both sides of the market. Card issuers offer rewards, insurance, fraud prevention, and other benefits that create incentives for use. Issuers can do so, in part, because they receive an “interchange” fee from acquiring banks, who in turn charge a fee to merchants (the “merchant discount rate” or MDR).

Price controls on these fees interfere with the delicate balance of the two-sided market ecosystem. Interchange-fee caps in various jurisdictions have led banks to increase other fees (such as monthly account fees and annual card fees), reduce card benefits, and adjust product offerings. As a result, consumers—especially those with lower incomes—face higher costs and reduced access to financial services. These costs generally exceed by a wide margin any consumer savings from reduced prices. Price controls on MDR, seen recently in India and Costa Rica, have also distorted the market by impeding competition and favoring larger players (big-box merchants and internet-platform-service providers, which are able to monetize in other ways), while harming smaller entities and traditional banks.

Instead of imposing price controls, governments should reduce regulatory barriers and provide core public goods, such as courts of law and identity registers, which enable competition, market-driven innovation, and financial inclusion.

I. Introduction

Payment networks are integral to modern economies, facilitating the seamless exchange of goods and services across vast distances and among unfamiliar parties. This issue brief considers the effects of regulatory interventions on such networks, looking in particular at price controls on interchange fees and merchant discount rates (MDRs). While intended to reduce costs for merchants and consumers, the evidence shows these price controls impede competition and harm consumers.

For a payment network to be self-sustaining, there must be sufficient participation on both sides of the market—i.e., by both buyers and sellers. If too few sellers accept a particular form of payment, buyers will have little reason to adopt it. Likewise, if too few buyers hold a particular form of payment, sellers will have little reason to accept it. At the same time, payment networks must cover their costs of operation, including credit risk, monitoring costs, fraud risk, and investments in innovation. Payment networks typically address these two problems (optimizing participation and covering costs) simultaneously through various fees and incentives, thereby maximizing value to all participants.

Maximizing value often entails that one side of the market (usually, the merchants) subsidizes the other side (consumers) through an “interchange fee” received by the issuing bank from the acquiring bank. The interchange fee covers a much wider range of costs than the operational costs mentioned above. Specifically, it typically includes issuer costs associated with collection and default, as well as many of the additional benefits that cardholders typically receive, including various kinds of insurance and such rewards as cashback rewards and airline miles. The interchange fee, in turn, is typically covered by fees charged by the merchant’s acquiring bank (see Figure 1), known as the merchant discount rate (MDR) or merchant service charge (MSC).

FIGURE 1: Transactions in a Four-Party Card Model

Caps on interchange fees and/or MDR are price controls, which have the effect of reducing the incentive to supply the product subject to that control. Many countries have introduced price controls on interchange fees, and these have been much-studied. Section II presents a summary of the evidence of the effects of price controls on interchange fees.

By contrast, relatively few countries have imposed price controls on MDR and the effects of such price controls have rarely been scrutinized.[1] Section III thus offers an initial assessment of such effects. Finally, Section IV offers conclusions and policy recommendations.

II. Interchange-Fee Price Controls

This section considers the effects of price controls on interchange fees. While more than 30 jurisdictions have imposed such price controls, we focus on the jurisdictions for which we have the best evidence.^[2] While each jurisdiction and each price control is unique, the effects appear  to generalize readily. Therefore, the limited selection of jurisdictions here should be seen as typical examples.

This section begins with a brief description of the specific form price controls took in each jurisdiction. That is followed by a description of the response by (issuing) banks. Finally, the effects on consumers are evaluated.

A. How Jurisdictions Have Capped Interchange Fees

Various jurisdictions have taken a variety of approaches to the imposition of price controls on interchange fees. The following are examples of some of the better-studied interventions.[3] These examples show what happens in the period immediately following the introduction of interchange-fee price controls. While some price controls have been repealed or changed, their effects are most transparent in the immediate aftermath of their implementation, and the inclusion of these examples thus remains instructive.

1. Spain

Spain imposed caps on interchange fees for both credit and debit cards through agreements with merchant associations and card schemes in two distinct phases: the first ran from 1999 to 2003, the second from 2006 to 2010.[4] During the first phase, caps were initially set at 3.5%, falling to 2.75% in July 2002. Caps were much lower during the second phase and were lower for large banks (over €500 million), whose credit-card interchange fees were capped at 0.66% in 2006, falling to 0.45% by 2010, than for small banks (under €100 million), whose credit-card interchange fees were capped at 1.4% in 2006, falling to 0.79% in 2010.

2. Australia

The Reserve Bank of Australia (RBA) introduced caps on interchange fees for credit cards in 2003 under a “cost-based framework,” which adjusted interchange fees based on processing costs. As a result, the RBA aimed in the first instance to reduce interchange fees by 40%, from an average of 0.95% in 2002 to 0.6% in 2003.[5]

3. United States

Under a provision of the Dodd-Frank Wall Street Reform Act of 2010 known commonly as the “Durbin amendment,” the U.S. Federal Reserve imposed caps on debit-card interchange fees for large banks, as well as routing requirements for all debit-card issuers.[6] As a result, debit-card-interchange fees fell by about 50% for large banks almost immediately. Interchange fees on debit cards issued by smaller banks and credit unions initially fell by a smaller amount, and interchange fees on single-message (PIN) debit cards have now fallen to similar levels as PIN debit cards issued by larger banks.[7]

4. European Union

In 2015, the EU capped fees at 0.2% for debit cards and 0.3% for credit cards.[8] These are hard caps with few exceptions, and those rates rapidly became the norm for most transactions (with the exception of some domestic schemes that offer lower rates).[9]

B. Response by Banks

Faced with potentially large losses of revenue, banks adopted numerous strategies to limit their losses, including, most notably:

1. Increasing other fees and interest

Banks commonly increased other fees, including annual-card fees, account-maintenance fees, late fees, and interest on loans and credit cards. For example, in the United States, banks raised monthly account-maintenance fees and increased the minimum balance needed for a fee-free account.[10] In the EU, banks increased other fees and interest rates.[11]

2. Reduced card benefits

Banks reduced the rewards and benefits associated with those cards that were subject to price controls. This included reducing or eliminating cashback rewards, points, and other incentives that were previously funded, in part, by interchange fees. For example, U.S. banks subject to the Durbin amendment generally eliminated debit-card rewards. In Australia, meanwhile, the average value of rewards fell by about 30%.[12]

3. Adjusted product offerings

Some banks shifted their focus to products not affected by the caps. In the United States, where the Durbin amendment applied only to debit cards, banks shifted their promotional efforts toward credit cards. In Australia, banks issued “companion” cards on three-party networks that were initially exempt. In some EU jurisdictions, banks have promoted business credit cards, which are exempt.[13]

C. The Effects on Consumers

Interchange-fee caps make the vast majority of consumers worse off, especially those with lower incomes. This outcome primarily arises from several interconnected factors:

1. Higher costs

As noted, in response to the reduction in interchange fees, banks have increased a range of fees, including higher account-maintenance charges (and higher minimum-balance requirements to qualify for free accounts); larger overdraft fees; increased interest rates on loans and credit cards; and higher annual fees on credit cards. These increased fees have disproportionately affected lower-income consumers, who may struggle more to maintain minimum-balance requirements or avoid overdrafts.[14]

2. Loss of insurance, other services, and the financial benefits of rewards

The reductions in rewards and other benefits on cards subject to interchange-fee caps amount to a direct pecuniary loss for millions of consumers. Often, these losses far exceed the reduction in interchange fees that cause them. A case in point is insurance: credit-card-issuing banks are typically able to negotiate volume-based discounts on insurance, which means they pay less than would an individual seeking his or her own policy. But if there simply is not sufficient revenue to cover the continuation of such benefits, issuers are forced to withdraw it, as many issuers in the EU have done.

3. Lost access to financial services

Larger account fees and increased minimum-balance requirements have resulted in an increase in unbanked and underbanked households in the United States, particularly among lower-income consumers.[15] As a result, more households have become reliant on check-cashing services, payday loans, and other high-cost financial services.

4. Limited savings passed through to consumers

While larger merchants save on transaction fees, due to the lower interchange fees, these savings are not fully passed on to consumers in the form of lower prices. The degree of pass-through can vary greatly, depending on the competitive dynamics of various retail sectors. But in most cases, merchants have passed through the reduced costs associated with lower interchange fees at a lower rate than banks have passed through losses in fee revenue, in the form of higher-priced accounts, cards and services, and reductions in rewards. As such, consumers are, on net, worse off.^[16]

While the intended goal of interchange-fee caps may be to reduce merchants’ costs and generate savings for consumers, in practice, consumers see few, if any, retail-price reductions, even as they experience significantly reduced benefits from their payment cards, as well as increased banking costs.

III. MDR Caps

This section explores the effects of caps on merchant discount rates. As noted earlier, it is difficult to draw broad conclusions of the kind we were able to draw in Section II on the effects of interchange-fee caps. This is both because of the relative rarity of MDR caps, as well as the fact that they have—in the two cases examined here—coincided with other policy changes and broader economic and social phenomena that simultaneously have had significant effects on the payments system. The two case studies nonetheless offer salutary lessons about the problems inherent in imposing price controls on payment fees.

A. India

India’s MDR caps, which date back to 2012, were put in place as part of a series of interventions whose broad objective was to increase access to finance and shift transactions from paper to electronic money. These initiatives included (in order of implementation): a digital ID (launched in 2010); a domestic-card scheme and debit card (RuPay) with MDR caps (implemented in 2012); and a domestic faster-payments system (UPI, launched in 2016) with zero MDR for most transactions. This section focuses primarily on the implementation of UPI, its MDR caps, and the implications for consumers, merchants, and payment-service providers.

1.  Mobile payments in India and the role of MDR

Until 2015, the two largest companies offering mobile phone-based payment services in India were Paytm and MobiKwik, which both relied on MDR to facilitate their expansion. MDR enabled these services to offer consumers cashback rewards and other incentives. MobiKwik signed up 1.5 million merchants and 55 million registered users by 2015,[17] while Paytm had 100 million registered accounts in 2015.[18]

Payment services are the core of Paytm’s business, contributing 58% of its revenue in Q3 2023 (although it fell slightly in Q1 2024).[19] These services arise from users making payments from mobile wallets stored on Paytm’s platform, using debit cards and credit cards. The company charges merchants an MDR that ranges from 0.4% to 2.99% of the transaction amount, depending on the payment type (for small-to-medium-size businesses).[20] MobiKwik, meanwhile, generates revenue from commissions and advertisements from its Zaak payment-gateway franchise subsidiary,[21] as well as loans—including short-term credit, buy-now-pay-later, and personal loans—and investment advice.[22] Of note, Zaak is also highly reliant on MDR as a source of revenue.^[23]

2. Enter UPI

In 2016, the National Payments Corporation of India (NPCI), a public-private partnership between the Reserve Bank of India (RBI) and the Indian Banks Association (IBA), launched the Unified Payment Interface (UPI), an open-source interoperable API that facilitates real-time transfers between individuals with accounts at participating banks that have integrated the API into their smartphone apps.[24] NPCI also built its own app, BHIM UPI, that is available directly and can also be white-labelled by banks and PSPs.[25]

By any measure, UPI has been enormously successful. In April 2024, more than 80% of all retail payments by volume and about 30% by value were made using UPI.[26]

PhonePe, which launched in 2016, and Google Pay, which launched in India in 2017, have from the outset operated exclusively on UPI. PhonePe launched as a wholly owned subsidiary of Flipkart, India’s largest online marketplace. This enabled it to leverage the marketplace’s then-100 million users, as well as subsequent growth of Flipkart’s user base.[27] Although PhonePe has now separated from Flipkart, it is still owned by Walmart, which bought Flipkart in 2018, and is thus able to leverage the retail giant’s merchant ecosystem.

Google, meanwhile, was able to leverage its brand recognition and to monetize Google Pay through a combination of advertising and its local online marketplace. It is noteworthy that, in a 2023 survey, Google was ranked the top brand in India, followed by Amazon and YouTube (which is owned by Google).[28]

PhonePe is now the largest payment network in India, with approximately 200 million active users; Paytm ranks second, with approximately 100 million active users;[29] Google Pay is third, with about 67 million active users;[30] and MobiKwik is fourth, with 35 million active monthly users in 2023.[31]

In April 2024, PhonePe and Google Pay together represented 87% of UPI transactions by volume and value (Table 1). Paytm was the third-largest payment app on UPI, representing 8% of transactions and 6% of value. The fourth-largest app was CRED, which is a members-only app aimed at individuals with higher credit scores.[32] Together, these top four apps represented 96.5% of transaction volume and 95.5% of transaction value. The remaining apps combined all had less than 5% market share between them, and none had more than 1% individually.[33]

TABLE 1: UPI Transactions by App, April 2024

SOURCE: NPCI

Since UPI transactions represented about 80% of India’s retail volume, this means that the combination of Google Pay and PhonePe represented more than 70% of all non-cash retail transactions in India by volume.

3. How zero MDR distorts competition

The reason such as high proportion of UPI payments come from the top four apps is that their operators have been able to monetize transactions and encourage adoption on both sides of the market without relying on MDR. NPCI prohibits MDR for most applications (exceptions are pre-paid debit and rechargeable mobile wallets, which since April 2023 have been permitted to charge up to 1.1% in MDR).[34]

These MDR caps on UPI have, however, made it less economically viable for payment-services providers (PSPs) to offer such incentives for consumers. Indeed, Paytm has recently switched from offering cashback rewards to consumers to offering cashback rewards to merchants—presumably because it realizes it has to compete with other payments ecosystems that run on UPI and therefore charge zero MDR.[35]

Like the interchange-fee caps explored in Section II, MDR caps change the economics of payment systems by reducing the ability of card issuers and payment-app operators to balance the two sides of the market through cross-subsidies. These effects became most visible after UPI went live in 2016 with zero MDR.

As noted, both PhonePe and Google Pay were able to leverage existing networks to attract both merchants and users (Flipkart, in the case of PhonePe, and Google’s search engine and other products, in the case of Google Pay). Having built a significant base of participants on both sides of the market, the companies have been able to monetize their payment systems through product advertising, upselling of related products, and in-app transactions, thereby reinforcing the network effects.

While MDR is prohibited on UPI, PhonePe usually charges a 2% transaction fee for its online-payment gateway service. Acting as a payment gateway carries little counterparty or credit risk, and is typically offered in other jurisdictions for a small flat fee. The 2% charged by PhonePe therefore effectively goes straight to the bottom line, or can be used to cross-subsidize participation, thereby further enhancing the PSPs’ market share. Indeed, in July 2023, PhonePe began offering its payment gateway for free to new customers (an own-side subsidy: existing users subsidize new users).[36]

Google Pay, meanwhile, has offered cashback incentives for use of the service on apps within its own (Android) ecosystem.[37] This encourages the use of Google Pay in much the same way that traditional rewards offer incentives to use other payment systems. The merchant beneficiaries are, however, limited to participants in its app system, for which Google charges a 30% transaction fee.

While Paytm’s share of UPI is low compared to PhonePe and Google Pay, it can monetize such transactions both by providing add-on financial services, such as insurance and investments, as well as through the MDR it charges on non-UPI transactions.[38] Paytm has also built a rewards program for merchants that encourages participation in its marketplace.[39]

Finally, CRED has partnered with a range of high-end brands to undertake targeted advertising, the revenue from which enables CRED to offer rewards to users of various kinds, including cashback rewards.[40]

While UPI has likely contributed to increased financial inclusion, the prohibition on MDR for most types of transactions has distorted the entire market toward merchants affiliated with the large mobile-payment ecosystems (PhonePe, Google, and Paytm) and a payment network targeted at higher-income customers (CRED). Meanwhile, this has come at a huge price for the majority of banks and other PSPs that facilitate payments on UPI. The Payments Council of India estimates that its members lose 55 billion rupees (US$660 million) annually as a result of the zero MDR on UPI and RuPay transactions.[41] This is effectively a transfer from those banks to the companies whose apps monetize UPI transactions.

India’s government partly offsets this loss through a subsidy to UPI participants of between 15 and 25 billion rupees.[42] But this amounts to a subsidy to PhonePe, Google, Paytm, and CRED, which is odd. Moreover, experience with other systems that impose restrictions on payment-transaction fees suggests that banks will seek to recover these losses via other fees.[43] To the extent that such additional fees fall on lower-income account holders, the effect on financial inclusion is likely to be negative.

India’s government has also announced that it intends to cap the share of UPI transactions for any one service provider to 30% by the end of 2024, with the goal of reducing the dominance of Google Pay and PhonePe.[44] It remains unclear how such caps will be implemented, but it is almost certain that whatever mechanism is adopted would cause other harmful effects. Indeed, there is something slightly absurd about introducing a cap on participation in order to address the perverse consequences of caps on MDR.

Given that the MDR caps are the cause of Google Pay and PhonePe’s combined dominance, a far better solution would be to lift those caps. Indeed, based on the evidence adduced here, removing the MDR caps would likely unleash competition and innovation. Instead of being dominated by a few giant players, UPI would become what its visionaries intended: an inclusive platform that facilitates participation by a wide range of players. The platform could then further expand access to payments, enhance smaller merchants’ ability to compete, and improve financial inclusion.

B. Costa Rica

Costa Rica introduced price controls on payment cards in 2020. Legislative Decree No. 9831 authorized the Central Bank of Costa Rice (BCCR) to regulate fees charged by service providers on “the processing of transactions that use payment devices and the operation of the card system.”^[45] The legislation’s stated objective was “to promote its efficiency and security, and guarantee the lowest possible cost for affiliates.” BCCR was tasked with issuing regulations that would ensure the rule is “in the public interest” and guarantee that fees charged to “affiliates” (i.e., merchants) are “the lowest possible … following international best practices.”

Starting Nov. 24, 2020, BCCR set maximum interchange fees for domestic cards at 2.00% and maximum MDR at 2.50%. Over a four-year period, BCCR has gradually ratcheted down both MDR and interchange-fee caps, as shown in Table 2.

TABLE 2: Interchange Fee and MDR Caps in Costa Rica, 2020-2024

An unusual feature of BCCR’s regulation is the simultaneous cap on both MDR and interchange fees, which has the effect of limiting revenue to both acquiring banks and issuing banks. This has likely reduced investments by issuers and acquirers and led to lower levels of system efficiency and speed, and possibly to increased fraud.

It is also worth noting that both interchange fees and MDR vary according to merchant type and location, in large part because the risk of fraud varies among different types of merchants. There is a danger, therefore, that imposing price controls on both MDR and interchange fees could make it unprofitable for acquirers to process payments for some riskier merchants. In other words, in its attempt to reduce merchant costs, BCCR may inadvertently (but predictably) prohibit some merchants from being able to accept payment cards. This is neither efficient, nor is it in the public interest.

Looking at the trajectory of the mean and median MDRs for various merchant categories in Costa Rica before price controls were imposed (as shown in Figures 1 and 2), MDRs were, on average, quite high (a mean of about 4%) but the medians were even higher (ranging from 4% to 10% for all categories except gas stations and passenger transportation). This significant difference between the mean and median MDRs suggests either that a large proportion of merchants represented a particularly high risk (e.g., from fraud and/or chargebacks) or that there was a lack of competition among acquiring banks (and perhaps even collusion)—or perhaps both.

FIGURE 2: Mean MDR for Various Merchants in Costa Rica, 2019-2022 (%)

SOURCE: Author’s calculations based on data from BCCR

If the previously high MDRs were a function of merchant-associated risk, capping MDRs would be expected to cause acquiring banks to drop some merchants. The data, however, show that the number of merchants increased from 2020 to 2022, which suggests that lack of competition among acquirers is a more likely explanation.[46]

FIGURE 2: Median MDR for Various Merchants in Costa Rica, 2019-2022 (%)

SOURCE: Author’s calculations based on data from BCCR

To the extent that these high MDRs reflect a lack of competition among acquiring banks, the appropriate response would have been to seek to understand what was causing this lack of competition and then to remedy that directly. For example, if the lack of competition arose from regulations imposed by BCCR, it would be incumbent on BCCR to modify its regulations to reduce barriers to competition. Capping MDR does not address the underlying problem; indeed, it likely makes it worse, by inhibiting acquirers from being able to differentiate themselves on price or quality.

IV. Conclusions and Policy Implications

In competitive markets without price controls, prices evolve in ways that tend to maximize value for all participants. In payment networks, interchange fees play an important role, enabling issuers to develop appealing and competitive products with features that range from cashback rewards to travel insurance. This encourages customers to use the card or app in question, which, in turn, benefits merchants who see greater sales. The fees also facilitate associated innovations, such as AI-based fraud detection, contactless payments, and online token vaults.

When governments impose price controls on payment fees—whether in the form of caps on interchange fees or on MDR, or both—bank revenue from card transactions falls. Issuers (and acquirers, in the case of MDR caps) respond by increasing other fees, reducing card benefits, and reducing investments in improvements. The ecosystem becomes distorted, unbalanced, and fundamentally less competitive.

The beneficiaries of such interventions tend to be larger merchants and other participants in the system (including larger financial technology, or “fintech,” players). These players can leverage and reinforce their loyal customer base, and often charge fees for services (such as payment gateways) that are as high or higher than interchange fees, and even MDR.

India’s government recognizes the anticompetitive nature of its MDR caps, but appears to think that this is best-addressed by introducing new caps on participation. Costa Rica, meanwhile, appears to have suffered from a lack of competition among merchant acquirers, which drove up the cost of MDR—leading it to introduce caps on MDR.

But, in both cases, regulation is the problem, not the solution. In India’s case, various regulations—especially the caps on MDR for UPI transactions, as well as the government subsidies to UPI—have resulted in heavy concentration and impeded competition from fintech startups. Meanwhile, in Costa Rica, existing regulatory barriers likely impeded competition in the acquisition market, which enabled acquirers to charge excessive rates. This has prompted BCCR to impose MDR and interchange-fee caps that, in turn, have impeded competition in issuance.

The biggest losers from such interventions tend to be lower-income consumers, who end up paying higher bank fees and leaving—or not entering—the banking system. But there are many other losers, including the majority of consumers, and the many potential competitors that are excluded from participation because they are unable to monetize their investments via interchange and/or MDR fees.

Governments should not distort markets in these ways. Quite the opposite: they should be as neutral as possible. Rather than imposing price controls on payment systems, they might look to review and repeal existing government-created barriers to financial inclusion. These could include licensing requirements for banks that limit competition and enable acquirers to charge abnormal MDR rates.

In other words, rather than layer additional distorting regulations atop existing regulations, further harming the operation of complex private-market ecosystems, they should look for ways to reduce government-imposed barriers to competition. And, generally, they should limit themselves to the production of genuine public goods, such as courts and identity registers. Doing so will enable greater participation, competition, and innovation, which will drive financial inclusion.

[1] Other jurisdictions, such as Denmark and China, also have imposed restrictions on MDR/MSC, but this author was unable to adduce sufficient information about the nature and effects of these interventions to develop substantive analyses.

[2] We draw extensively on our earlier review: Julian Morris, Todd J. Zywicki, & Geoffrey A. Manne, The Effects of Price Controls on Payment-Card Interchange Fees: A Review and Update,  (ICLE White Paper 2022-03-04 & George Mason L. & Econ. Research Paper No. 22-07, 2022), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4063914. See also Fumiko Hayashi & Jesse Leigh Maniff, Public Authority Involvement in Payment Card Markets: Various Countries, August 2020 Update, Fed. Res. Bank of Kan. City (August 2020), available at https://www.kansascityfed.org/documents/6660/PublicAuthorityInvolvementPaymentCardMarkets_VariousCountries_August2020Update.pdf.

[3] Morris et al., supra note 2.

[4] Juan Iranzo, Pascual Fernández, Gustavo Matías, & Manuel Delgado, The Effects of the Mandatory Decrease of Interchange Fees in Spain (Munich Personal RePEc Archive, MPRA Working Paper No. 43097, 2012), available at https://mpra.ub.unimuenchen.de/43097/1/MPRA_%20paper_43097.pdf.

[5] Press Release, Reform of Credit Card Schemes in Australia, Res. Bank of Austl. (Aug. 27, 2002), https://www.rba.gov.au/media-releases/2002/mr-02-15.html.

[6] H.R.4173 – Dodd-Frank Wall Street Reform and Consumer Protection Act, s.1075(a)(3); Debit Card Interchange Fees and Routing; Final Rule, 76 Fed. Reg. 43,393-43,475, (Jul. 20, 2011).

[7] Todd J. Zywicki, Geoffrey A. Manne, & Julian Morris, Unreasonable and Disproportionate: How the Durbin Amendment Harms Poorer Americans and Small Businesses, Int’l Cntr For L. & Econ. (Apr. 25, 2017), available at https://laweconcenter.org/wp-content/uploads/2017/08/icle-durbin_update_2017_final-1.pdf.

[8] Regulation (EU) 2015/751 of the European Parliament and of the Council of 29 April 2015 on Interchange Fees for Card-Based Payment Transactions, 2015, O.J. (L 123) 1, 10-11 (hereinafter “IFR”).

[9] Ferdinand Pavel et al., Study on the Application of the Interchange Fee Regulation: Final Report 89, European Commission Directorate-General for Competition (2020), https://op.europa.eu/s/zKl2.

[10] Mark D. Manuszak & Krzysztof Wozniak, The Impact of Price Controls in Two-Sided Markets: Evidence From US Debit Card Interchange Fee Regulation (Bd. of Governors of the Fed. Res. Sys. Fin. & Econ. Discussion Series, Working Paper No. 2017-074,  2017); Vladimir Mukharlyamov & Natasha Sarin, Price Regulation in Two-Sided Markets: Empirical Evidence From Debit Cards (SSRN Working Paper, 2019), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3328579.

[11] Interchange Fee Regulation (IFR) Impact Study Report, Edgar Dunn & Co. (Jan. 21, 2020), https://www.edgardunn.com/reports/interchange-fee-regulation-ifr-impact-assessment-study-report.

[12] Iris Chan, Sophia Chong, & Stephen Mitchell, The Personal Credit Card Market in Australia: Pricing Over the Past Decade, Res. Bank Of Austl. Bull. (2012), available at https://www.rba.gov.au/publications/bulletin/2012/mar/pdf/bu-0312-7.pdf.

[13] IFR, supra note 8, Art. 1(3)(a).

[14] Mukharlyamov & Sarin, supra note 10.

[15] Id.

[16] Iranzo et al., supra note 4 at 34-37; Ian Lee, Geoffrey A. Manne, Julian Morris, & Todd J. Zywicki, Credit Where It’s Due: How Payment Cards Benefit Canadian Merchants and Consumers, and How Regulation Can Harm Them, Macdonald-Laurier Institute 1, 27 (2013); Morris, Zywicki, & Manne, supra note 7 at 23-29.

[17] Shabana Hussain, MobiKwik’s Journey and the Path Ahead, Forbes India (Apr. 6, 2015), http://forbesindia.com/article/work-in-progress/mobikwiks-journey-and-the-path-ahead/39905/1 .

[18] Paytm Reaches 100 Million Users, Business World (Aug. 11, 2015), https://businessworld.in/article/paytm-reaches-100-million-users–84698.

[19] Press Release, Paytm’s Earning’s Release for Quarter and Year Ending March 2024, Paytm (May 22, 2024), available at https://paytm.com/document/ir/financial-results/Paytm_Earnings-Release_INR_Q4_FY24.pdf.

[20] Paytm’s Pricing, Paytm, https://business.paytm.com/pricing (last visited Jun. 07, 2024).

[21] MobiKwik Consolidated Financial Statement, MobiKwik (2023), available at https://documents.mobikwik.com/files/investor-relations/statements/mobikwik/Consolidated-Financials-Sept2023.pdf; Report on the Audit of Special Purpose Interim Financial Statements, Tattvam & Co. (Dec. 31, 2023), available at https://documents.mobikwik.com/files/investor-relations/statements/zaakpay/zaakpay-financials-sept2023.pdf; Subsidiary Financials, MobiKwik, https://www.mobikwik.com/ir/subsidiary-financials (last visited Jun. 7, 2024); Status of Applications Received from Online Payment Aggregators (PAs) Under Payment and Settlement Systems Act, 2007, Res. Bank of India, https://www.rbi.org.in/Scripts/bs_viewcontent.aspx?Id=4236 (last updated Jun. 1, 2024).

[22] Id., Res. Bank of India.

[23] Pratik Bhakta, MobiKwik to Add Muscle to Its Payment Gateway Business, The Economic Times (May 13, 2017),  https://economictimes.indiatimes.com/small-biz/startups/mobikwik-shifting-focus-to-payment-gateway-space/articleshow/58655807.cms?from=mdr.

[24] Unified Payments Interface (UPI), National Payments Corporation of India (2024), https://www.npci.org.in/what-we-do/upi/product-overview; UPI Live Members, National Payments Corporation of India (2024),  https://www.npci.org.in/what-we-do/upi/live-members.

[25] BHIM, https://www.bhimupi.org.in (last visited Jun. 7, 2024); Pratik Bhakta, BHIM to Be the Right Platform for Small Banks to Enter Payment Space, The Economic Times (Feb. 3, 2017), https://economictimes.indiatimes.com/small-biz/security-tech/technology/bhim-to-be-the-right-platform-for-small-banks-to-enter-payment-space/articleshow/56945820.cms?from=mdr.

[26] Payment System Indicators, Res. Bank of India (Apr. 2024), https://www.rbi.org.in/Scripts/PSIUserView.aspx?Id=35.

[27] Alnoor Peermohamed, Flipkart Grows User Base to 100 million, Business Standard (Jun. 6, 2024), https://www.business-standard.com/article/companies/flipkart-grows-user-base-to-100-million-116092100216_1.html.

[28] Gaurav Laghate, Google, Amazon, YouTube Top India brands, Livemint (Jun. 27, 2023), https://www.livemint.com/companies/news/google-amazon-youtube-top-india-brands-11687887362055.html.

[29] Paytm Surpasses 100 Million Monthly Transacting Users for the First Time in Q3 FY24, Livemint (Jan. 22, 2024), https://www.livemint.com/companies/news/paytm-surpasses-100-million-monthly-transacting-users-for-the-first-time-in-q3-fy24-11705932856486.html.

[30] Michael G. William, How Many People Use Google Pay in 2023?, Watcher Guru (Sep. 14, 2023), https://watcher.guru/news/how-many-people-use-google-pay-in-2023#google_vignette.

[31] MobiKwik Continues Profitable Streak for Second Quarter in a Row, The Economic Times (Oct. 05, 2023), https://economictimes.indiatimes.com/tech/technology/mobikwik-continues-profitable-streak-for-second-quarter-in-a-row/articleshow/104183594.cms?from=mdr.

[32] CRED, https://cred.club/ipl (last visited Jun. 07, 2024).

[33] Eight other apps had between 0.25% and 0.75% of transaction volume and/or value: Amazon Pay, ICICI Bank Apps, Fampay, Kotak Mahindra Bank Apps, HDFC Bank Apps, WhatsApp, BHIM, and Yes Bank Apps.

[34] Upasana Taku, NPCI’s 1.1% Interchange Fee on UPI Payments Via Wallet – The Watershed Moment for Fintech in India, The Times of India (May 15, 2023), https://timesofindia.indiatimes.com/blogs/voices/npcis-1-1-interchange-fee-on-upi-payments-via-wallet-the-watershed-moment-for-fintech-in-india.

[35] Pratik Bhakta, Inside Paytm’s Cashback Offers for Retailers, The Economic Times (Jul. 7, 2023),   https://economictimes.indiatimes.com/tech/startups/in-through-the-other-door-inside-paytms-cashback-offers-for-retailers/articleshow/101551675.cms?from=mdr.

[36] Mayur Shetty, PhonePe Cuts Fees for Payment Gateway Services, The Times of India (Jun. 14, 2023),  https://timesofindia.indiatimes.com/business/india-business/phonepe-cuts-fees-for-payment-gateway-services/articleshow/100986915.cms.

[37] Manish Singh, Google’s New Plan to Push Google Pay in India: Cashback Incentives in Android Apps, TechCrunch (May 16, 2019), https://techcrunch.com/2019/05/16/google-pay-india-android-cashback.

[38] Paytm, supra note 20.

[39] An Overview of Merchant Discount Rate Charges, AMLegals (Mar. 15, 2024), https://amlegals.com/an-overview-of-merchant-discount-rate-charges.

[40] CRED Pay, https://cred.club/cred-pay/onboarding (last visited Jun. 7, 2024).

[41] Roll Back Zero Merchant Discount Rate on UPI, Rupay Debit Card Payments, Industry Body Payments Council of India Writes to Finance Ministry, The Indian Express (Jan. 23, 2022), https://indianexpress.com/article/business/banking-and-finance/merchant-discount-rate-rollback-on-upi-rupay-debit-cards-7737229.

[42] Pratik Bhakta, Fintechs Await Government Word on MDR Subsidy Allocation, The Economic Times (Feb. 22, 2024), https://economictimes.indiatimes.com/tech/technology/fintechs-await-government-support-for-promoting-digital-payments-for-current-fiscal/articleshow/107891943.cms?from=mdr.

[43] Morris et al., supra note 2.

[44] Ajinkya Kawale,  NPCI to Review by End of Year Decision on 30% UPI Market Share Cap, Business Standard (Apr. 19, 2024), https://www.business-standard.com/markets/news/npci-to-review-30-market-share-cap-decision-by-year-end-124041901059_1.html.

[45] Author’s translations from the Spanish original are approximate.

[46] Fijación Ordinaria de Comisiones Máximas del Sistema de Tarjetas de Pago, Banco Centrale de Costa Rica (Oct. 2023), 12, available at https://www.bccr.fi.cr/en/payments-system/DocCards/Estudio_tecnico_2023_fijacion_ordinaria_comisiones_CP.pdf.

Abstract

This paper explores the evolving landscape of competition law enforcement, focusing on the dynamic interplay between ex-ante and ex-post approaches. Amidst the digital transformation and regulatory shifts, traditional enforcement mechanisms are being reevaluated. This study aims to dissect the economic rationale behind these shifts, proposing a hybrid framework that balances legal certainty with the flexibility needed to address contemporary market challenges.

The Federal Communications Commission’s (“FCC”) recent order to reclassify broadband internet access as a Title II “telecommunications service” under the Communications Act, will subject the industry to extensive public utility style regulation. While “net neutrality” principles drove were the initial justifications for Title II, the FCC’s current rationale has shifted to national security, public safety, and privacy concerns and broader regulatory control. Title II’s comprehensive regulatory framework threatens to commoditize broadband by banning practices like paid prioritization, zero-rating, and usage-based pricing, thereby reducing consumer choice and stifling innovation. Such heavy-handed regulation is unnecessary given the increasing competition in broadband markets from new technologies like 5G and satellite internet. Title II common carrier regulation is an outdated regulatory model ill-suited for modern broadband services and may do more harm than good for consumers.

I. Introduction

Net neutrality is the idea that internet service providers (“ISPs”) should treat all data transmitted over the internet the same, and should not discriminate among consumers, entities that provide content, or applications that use the internet. Whether net neutrality should be mandated by rules and regulations — such as the Federal Communications Commission’s (“FCC”) latest net-neutrality regulations — has been a highly controversial topic since the early 2000s. The FCC has imposed net-neutrality rules twice before, in 2010 and 2015, only to see them struck down by courts or repealed, as the commission’s partisan makeup changed. Last month, in a party line vote, the Commission voted to regulate broadband internet under Title II of the Communications Act and impose net-neutrality rules.[1]

For much of the internet’s history, broadband telecommunications have been regulated as an “information service” under Title I of the Communications Act, which is widely considered to be a relatively light-touch regulatory framework. Since the FCC’s 2015 Open Internet Order, the agency has attempted to reclassify broadband as a “telecommunications service” under Title II, subject to the more heavy-handed regulation imposed on public utilities and “common carriers.” Under Title II, broadband companies are required to provide service to all customers equally and may be subject to public-utility-style regulation, including price controls, certificates of convenience and necessity, and quality-of-service requirements.

Because regulation under Title II entails much more than just net neutrality, critics complain that reclassifying broadband providers as common carriers amounts essentially to a federal takeover of a large part of the U.S. economy, used by nearly every American every day. On the other hand, proponents claim that precisely because broadband is so important to the economy, and even to the functioning of society, it must be managed by a government agency that will ensure equal access, maintain privacy and free speech, and protect national security and public safety.

While net neutrality is just a small piece of Title II, Title II is just one cog in massive gearwork of new federal regulations affecting nearly every aspect of access and use of the internet. Under rules adopted by the FCC, broadband deployment, upgrades, pricing, promotions, quality of service, and even marketing and advertising are now subject to FCC monitoring, scrutiny, and enforcement.

In this article, we provide a brief historical overview of net neutrality, including the debates over whether internet service is best classified as a Title I information service or at Title II telecommunications service, and how understanding of the underlying concerns has changed over the past 25 years. We then take a deeper look at what Title II regulation involves, to understand whether it is suitable to address contemporary concerns. We conclude by examining Title II within a broad regulatory framework that is — intentionally or unintentionally — banning or hindering many of the dimensions across which broadband providers compete. Some may argue that the commodification of broadband will nudge broadband toward a more competitive market with standardized (or near-standardized) products. In the process, however, consumers will see dwindling options among service offerings much like Henry Ford’s quip that consumers could get a Model T in any color they like, so long as it’s black.

II. Is Net Neutrality Still a Thing?

Columbia Law School Professor Tim Wu is credited with articulating the concept of “net neutrality” as an anti-discrimination framework, “to give users the right to use non-harmful network attachments or applications, and give innovators the corresponding freedom to supply them.”[2] In a letter to the FCC, Wu & Lawrence Lessing drew a comparison to electric utilities which, as common carriers, provide electricity to all paying customers “without preference for certain brands or products.”[3] Indeed, Wu argued that his net neutrality proposal was “similar” to historic common carriage requirements.[4]

In the years since Wu introduced the term, net-neutrality policies have focused on the prohibition of three practices:

1. Blocking of legal content, such as when a phone company providing service was accused of blocking Voice over Internet Protocol (“VoIP”) telephone service that competed with the phone company’s landline business.[5]
2. Throttling, or the intentional slowing of an internet service, such as when an ISP was alleged to have slowed or interfered with file sharing using BitTorrent protocols;[6] and
3. Paid prioritization, in which a content provider pays an ISP a fee for faster service — commonly referred to as “fast lanes.”[7]

In 2004, FCC Chair Michael Powell articulated four “Internet Freedoms,” derived from Wu & Lessig’s work.[8] These were subsequently incorporated into the FCC’s 2005 “Internet Policy Statement.”[9]

By this point, the question of Title I versus Title II classification had become a central fracture point in discussions of net neutrality. On its face, Title I offers the FCC little, if any, substantive regulatory authority — indeed, it was created to differentiate unregulated services ancillary to the core telephone network services that the FCC regulated throughout the 20th century. Conversely, Title II provides the FCC with pervasive regulatory authority over the traditional telephone network, from pricing decisions to decisions over what services to offer and even what furniture to buy for meeting rooms.[10] Starting in the late 1990s, the FCC argued that internet service was best treated under Title I. The 9th Circuit Court of Appeals subsequently determined that internet service was better understood as a Title II service. The FCC disagreed and, in Brand X the Supreme Court held that the FCC’s determination takes precedence over that of the federal courts.

Thus, understanding of how internet services would be classified went from Title I, to Title II, and back to Title I over a period of seven years: The battle for classification had begun. That continued in the 2010 and 2015 Orders (in which the FCC relied on Title I and then Title II, respectively).

In 2010, the agency issued its Preserving the Open Internet Order, prohibiting blocking and unreasonable discrimination as well as mandating providers disclose the network management practices, performance characteristics, and terms and conditions of their broadband services.[11] In separate 2010 and 2014 cases, The DC Circuit Court of Appeals struck down the 2010 Order’s net neutrality requirements.[12] The courts noted that, because broadband providers were regulated under Title I as information services, they were not common carriers and could not be subject to net neutrality’s common carriage rules. A little more than a year after the court’s 2014 decision, in 2015, the FCC adopted the Open Internet Order, that reclassified broadband internet as a Title II common carrier telecommunication service and adopted new net neutrality rules prohibiting blocking, throttling, and paid prioritization.[13] The order also imposed a “general conduct” rule that prohibited broadband providers from “unreasonably interfer[ing] or unreasonably disadvantag[ing]” users from accessing the content or services of their choice.

In 2017, the FCC reversed course and repealed the 2015 Order with its Restoring Internet Freedom Order.[14] The order (again) reclassified broadband as a Title I information service, thereby eliminating net neutrality and general conduct rules. The order also preempted any state or local laws “that would effectively impose rules or requirements that [the FCC] repealed or decided to refrain from imposing,” or that would impose “more stringent requirements for any aspect of broadband service” addressed by the 2017 Order. In 2019, an appeals court upheld much of the order, but vacated the order’s preemption of state and local laws.[15]

Until recently, much of the debate was over whether net neutrality was necessary and how it would affect continued investment by ISPs’ in their networks. Advocates for federal intervention claimed it was necessary for the FCC to preserve or foster the “open internet” by mandating net neutrality. Opponents countered that such intervention was (1) unnecessary because providers were not engaging in widespread practices contrary to net neutrality, and (2) harmful because the prohibitions were so tight that they would stifle investment and innovation in new business models.

Something happened along the way from then to now: No one seems to care much about net neutrality anymore.[16] One reason is because most people are happy with their internet service. Since 2021, more households are connected to the internet, broadband speeds have increased while prices have declined, more households are served by more than a single provider, and new technologies — such as satellite and 5G — have expanded internet access and intermodal competition among providers.[17] Another reason is a shift in perception of who is blocking or throttling content. Much of that ire has turned towards websites, apps, and device providers.[18] Much of the public no longer sees broadband providers as the bogeymen.

The FCC itself seems to have downgraded “net neutrality” as a justification for heavy handed Title II regulation in favor of other reasons. For example, “national security” was mentioned only three times in the 2015 Order, but 181 times in the 2024 Order. The 2015 Order makes no mention of China, Russia, Iran, North Korea, or “data security;” in the 2024 Order China is mentioned 140 times and “data security” 15 times. Cybersecurity got a single mention in the 2015 Order, but 73 in the 2024 Order. This is a pretty clear indication that the FCC intends to do much more with its expansive Title II powers than merely prevent blocking, throttling, and paid prioritization.

III. Title II Is Much More than Net Neutrality

Net neutrality is often used as the hook for regulating broadband providers as common carriers. But Title II is an expansive provision in the Communications Act. Among its many provisions, Title II allows federal rate regulation of broadband, as well as Section 214 “certificate of convenience and necessity” regulations requiring providers to obtain the FCC’s approval before constructing new networks, offering new services, discontinuing outdated offerings, or transferring control of licenses. The Commission’s order forbears rate regulation and grants “blanket” Section 214 authority to all current broadband providers, with the exception of five Chinese providers.

The 2024 Order’s “general conduct standard” provides the FCC with unlimited discretion to intervene in innovative business models. The order states the general conduct standard “prohibits unreasonable interference or unreasonable disadvantage to consumers or edge providers” that serves as a “catch-all backstop” to allow the FCC to intervene when it finds that an ISP’s conduct could harm consumers or content providers.

The FCC has a history of invoking the general conduct standard to scrutinize two common practices:

1. Zero-rating; and
2. So-called “data caps” and usage-based pricing.

Zero-rating is the practice of excluding certain online content or applications from a subscriber’s allowed data usage. For example, when AT&T owned HBO, it exempted HBO Max content from AT&T users’ data allowance.

Zero-rating can make some popular services more accessible and affordable for lower-income users, who may have limited data plans. Zero-rating also allows ISPs to offer value-added services and to differentiate their offerings, spurring competition and innovation in the broadband market.

In December 2016, the FCC sent letters to both AT&T and Verizon Communications, warning their zero-rating programs could harm competition and consumers.[19] In the last days of the Obama administration, the FCC released a staff review of sponsored data and zero-rating practices in the mobile-broadband market concluding such practices “may harm consumers and competition… by unreasonably discriminating in favor of select downstream providers.”[20] Less than a month later, in the early days of the Trump administration, the FCC retracted the report.[21]

We can expect that under the 2024 Order — identical in most ways to the 2015 Order under which these practices were investigated — the Commission will once again use its powers to scrutinize zero-rating practices with an eye toward prohibiting them. Indeed, the 2024 Order characterizes, “sponsored-data programs as the type of practices that may raise concerns under the general conduct standard” that will be subject to a “case-by-case review.”

Usage-based pricing can be thought of as a “pay-as-you-go” plan in which consumers pay in advance for a certain amount of data per month. If they exceed that amount (what some would call a “cap”), then the consumer has the option to purchase more data. Some consumer groups claim that data caps and usage-based pricing are little more than a “money grab” by providers who derive additional revenue from overage charges or by upgrading users to a tier with a larger data allowance.[22] On the other hand, providers say that usage-based pricing is no different from nearly every other consumer product in which consumers pay for what they use. They argue that, without usage-based pricing, modest users of data would subsidize those who use copious amounts of data.[23]

In June 2023, FCC Chair Jessica Rosenworcel announced that she would ask her fellow commissioners to support a formal notice of inquiry to learn more about how broadband providers use data caps on consumer plans.[24] That same day, the FCC launched a “Data Caps Stories Portal” for “consumers to share how data caps affect them.” The 2024 Order indicates “providers can implement data caps in ways that harm consumers or the open Internet” and the FCC will “evaluate individual data cap practices under the general conduct standard.”

If, however, sponsored-data, zero-rating, data caps, and usage-based pricing practices harm competition or consumers, these concerns can be addressed with a straightforward application of existing antitrust and consumer-protection laws. Antitrust enforcers and courts assess such practices under the rule of reason — an approach that avoids a presumptive condemnation because they only rarely result in actual anticompetitive harm. Under a rule-of-reason approach, the effects of potentially harmful conduct are typically evaluated and weighed against the various aims that competition law seeks to promote. Only following that review is it determined whether particular conduct is harmful and, if so, whether there are procompetitive benefits that outweigh the harm.

Consumer protection is the purview of the Federal Trade Commission. Section 5 of the FTC Act prohibits “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce.” The FTC has a long history of using its authority, such as recent actions to protect the privacy of consumers’ health records.[25] But, the FTC has no Section 5 authority over “common carriers subject to the Acts to regulate commerce,” which includes, according to the FTC Act, the “Communications Act of 1934 and all Acts amendatory thereof and supplementary thereto.” Thus, by classifying broadband providers as Title II common carriers, the FCC has stripped the FTC of its authority to protect consumers using Section 5.

IV. Commoditizing Broadband and the Elusive Search for Perfect Competition

In its Notice of Proposed Rulemaking, the Commission argued that broadband internet access services are “[n]ot unlike other essential utilities, such as electricity and water” and that high-speed internet “was essential or important to 90 percent of U.S. adults during the COVID-19 pandemic.”[26] The Commission argues that broadband internet is therefore an essential public utility and should be regulated as such.

But many essentials to human survival — shelter, food, clothing — are not subject to common-carrier regulations, because they are provided by multiple suppliers in competitive markets. Utilities are considered distinct because they tend to have such significant economies of scale that (1) a single monopoly provider can provide the goods or services at a lower cost than multiple competing firms, and/or (2) market demand is insufficient to support more than a single supplier.[27] Water, sewer, electricity distribution, and natural gas are typically considered “natural” monopolies under this definition.[28] In many cases, not only are these industries treated as monopolies, but their monopoly status is codified by laws forbidding competition. At one time, local and long-distance telephone services were considered — and treated as — natural monopolies, as was cable television.[29]

Over time, innovations have eroded the “natural” monopolies in telephone and cable.[30] In 2000, 94 percent of U.S. households had a landline telephone, and only 42 percent had a mobile phone.[31] By 2018, those numbers flipped.[32] In 2015, 73 percent of households subscribed to cable or satellite-television services.[33] Today, fewer than half of U.S. households subscribe.[34] Much of that transition is due to the enormous improvements in broadband speed, reliability, and affordability. Similarly, entry and intermodal competition from 5G, fixed wireless, and satellite has meant that more than 94 percent of the country can now access highspeed broadband from three or more providers, thereby eroding the already tenuous claims that broadband-internet service is akin to a utility.

Much of the FCC’s motivation in its recent regulatory push — Title II, digital discrimination, and broadband “nutrition labels” — seems to be driven by a misplaced notion of perfect competition, as described in introductory economics textbooks. Under perfect competition, prices paid by consumers equal the marginal cost of production, that cost is the minimum average cost, and firms earn zero economic profits. Perfect competition is too perfect. While perfection can be sought, it can never be achieved in the real world because the real world is a messy place.

Perhaps the messiest assumption of perfect competition is that each firm produces undifferentiated commodity products.[35] Broadband internet service is not a commodity. Providers use different technologies (e.g. fiber, 5G, copper wire) with different performance characteristics (e.g. speed and latency). Providers offer different service agreements. Some have early termination fees, while others don’t; some have “all-you-can-eat” data usage, while other have usage-based billing; some may have zero-rating while other don’t. With so much variation in services both across and within providers, some have argued that most consumers are not well-informed — if not confused — about their broadband options.

As a first step to commoditizing broadband, at the direction of the 2021 bipartisan infrastructure bill, the FCC adopted its broadband “nutrition label” rules.[36] Providers must display a nutrition label for each plan it offers. Consumers can then use the labels as an “apples to apples” comparison across plans and providers. Despite the cost to produce the labels, the uncertainty whether consumers will find the labels useful, and whether the full force of the federal government is necessary to display the labels, it’s difficult to argue that consumers are worse off by having easy-to-use information readily available.

With the FCC’s recent digital discrimination rules, the agency took another step toward commoditizing broadband. The infrastructure act required the Commission to adopt final rules “preventing digital discrimination of access based on income level, race, ethnicity, color, religion, or national origin.”[37] The FCC could have issued a narrow rule to outlaw intentional discrimination by broadband providers in deployment decisions, in a way that would treat a person or group of persons less favorably than others because of a listed protected trait. This rule would be workable, leaving the FCC to focus its attention on cases where broadband providers fail to invest in deploying networks due to animus against those groups.

Instead, the FCC’s final order creates an expansive regulatory scheme that gives it essentially unlimited discretion over anything that would affect the adoption of broadband. It did this by adopting a differential impact standard that applies not only to broadband providers, but to anyone that could “otherwise affect consumer access to broadband internet access service.”[38] The order spans nearly every aspect of broadband deployment, including, but not limited to network infrastructure deployment, network reliability, network upgrades, and network maintenance. In addition, the order covers a wide range of policies and practices that while not directly related to deployment, affect the profitability of deployment investments, such as pricing, discounts, credit checks, marketing or advertising, service suspension, and account termination. Most troubling, the order considers price among the “comparable terms and conditions” subject to its digital discrimination rules.[39] Taken together, with these rules, the FCC gave itself nearly unlimited authority over broadband providers, and even a great deal of authority over other entities that can affect broadband access, including other federal agencies, state and local governments, nonprofit organizations, and apartment owners.

Because the infrastructure act included income level as a protected trait, the FCC opened a Pandora’s Box in which nearly any organization’s policies and practices can be scrutinized as discriminatory.[40] For example many providers offer plans explicitly targeted at low-income consumers, such as Xfinity’s Internet Essentials program.[41] These programs are at risk of scrutiny under the digital discrimination rules. Moreover, the rules will likely stifle new deployment or upgrades out of fear of alleged disparate effects. If they don’t upgrade everyone, they could be accused of discrimination. At the extreme, providers will be faced with the choice to upgrade everyone or upgrade no one. Because they cannot afford to upgrade everyone, then they will upgrade no one.

While unintentional, the digital discrimination rules are another step toward commoditization. Providers must offer comparable speeds, capacities, latency, and other quality of service metrics in a given area, for comparable terms and conditions, including price, thereby erasing many of the dimensions across which providers compete.

Lastly under Title II and its net neutrality provisions, the FCC is erasing more competitive dimensions. Banning paid prioritization forces all data to be treated equally, even if customers or services would benefit from differentiated offerings. Without flexibility in how services are delivered and priced, companies lose incentives to develop better networks and new innovations for specific use cases like high-bandwidth video streaming or remote medical services. A ban on data throttling removes essential network-management tools that could prevent congestion and improve overall customer experience. If — as expected — the FCC moves to ban zero-rating and usage-based billing, consumers will have even fewer choices among broadband internet services. In the extreme, providers will simply be providing “dumb pipes” with standardized service. While such efforts may mimic perfect competition’s commodity condition, it’s not clear that consumers will benefit from one-size-fits-all broadband.

V. Conclusion

As we have recounted above, discussion about net neutrality concerns grew out of the era in which telecommunications services were provided by regulated, natural, monopoly carriers. In that era, there was legitimate need for pervasive regulation of these carriers. But these discussions also started concurrent with changing competitive dynamics in these markets. This historical context centered net neutrality in debates over the ongoing basis for the FCC’s own authority: Whether the regulatory structure of Title II, long central to the FCC’s mission, is still fit to task in contemporary markets. Looking at the comprehensive regulatory framework contemplated by Title II, the answer is clear: Regulation is driving internet services toward increasingly commodity services, reducing consumer choice in the process. Much like the Model T, Title II may have been necessary in the past, but it is now an artifact of a bygone era and should be allowed to slip into history.

[1] Declaratory Ruling, Order, Report and Order, and Order on Reconsideration, In the Matter of Safeguarding and Securing the Open Internet; Restoring Internet Freedom, WC Docket No. 23-320, WC Docket No. 17-108 (Apr. 25, 2024) [hereinafter “2024 Order”].

[2] Tim Wu, Network Neutrality, Broadband Discrimination, 2 J. Telecomm. & High Tech. L. 141, 142 (2003) [emphasis in original].

[3] Tim Wu & Lawrence Lessig, Ex Parte Submission, Appropriate Regulatory Treatment for Broadband Access to the Internet Over Cable Facilities, CS Docket No. 02-52 (Aug. 22, 2003), available at https://web.archive.org/web/20041204012743/http://faculty.virginia.edu/timwu/wu_lessig_fcc.pdf (“When consumers buy a new toaster made by General Electric they need not worry that it won’t work because the utility company makes a competing product.”).

[4] Wu, supra note 2 at 150.

[5] Lawrence Lessig, Voice-Over-IP’s Unlikely Hero, Wired (May 1, 2005), https://www.wired.com/2005/05/voice-over-ips-unlikely-hero.

[6] Declan McCullagh, FCC Formally Rules Comcast’s Throttling of Bittorrent Was Illegal, CNet (Aug. 20, 2008), https://www.cnet.com/tech/tech-industry/fcc-formally-rules-comcasts-throttling-of-bittorrent-was-illegal.

[7] Chao Liu & Cooper Quintin, Internet Service Providers Plan to Subvert Net Neutrality. Don’t Let Them, Elec. Frontier Found. (Apr. 19, 2024), https://www.eff.org/deeplinks/2024/04/internet-service-providers-plan-subvert-net-neutrality-dont-let-them.

[8] Michael Powell, Preserving Internet Freedom: Guiding Principles for the Industry, 3 J. Telecomm. & High Tech. L. 5 (2004).

[9] Appropriate Framework for Broadband Access to the Internet over Wireline Facilities, 20 FCC Rcd. 14,986, 14,987-88 (2005).

[10] 47 CFR § 32.2000.

[11] Report and Order, In the Matter of Preserving the Open Internet; Broadband Industry Practices, GN Docket No. 09-191, WC Docket No. 07-52 (Dec. 21, 2010) [hereinafter “2010 Order”].

[12] For a more thorough summary, see Chris D. Linebaugh, Cong. Research Serv. LSB10693, ACA Connects v. Bonta: Ninth Circuit Upholds California’s Net Neutrality Law in Preemption Challenge (Feb. 2, 2022), available at https://crsreports.congress.gov/product/pdf/LSB/LSB10693.

[13] Report and Order on Remand, Declaratory Ruling, and Order, In the Matter of Protecting and Promoting the Open Internet, GN Docket No. 14-28 (Mar. 15, 2015) [hereinafter “2015 Order”].

[14] Declaratory Ruling, Report and Order, and Order, In the Matter of Restoring Internet Freedom, WC Docket No. 17-108 (Dec. 14, 2017) [hereinafter “2017 Order”].

[15] Mozilla Corp. v. FCC, 940 F.3d 1 (D.C. Cir., 2019)

[16] See, e.g. FCC reinstates net neutrality policies after 6 years, NPR Weekend Edition Saturday (May 4, 2024), available at https://www.npr.org/2024/05/04/1249166941/fcc-reinstates-net-neutrality-policies-after-6-years (noting that “Net neutrality was once the biggest controversy about the internet . . . .” and concluding “I think that net neutrality may be one of the most overhyped regulations on both sides.”).

[17] Eric Fruits, Ben Sperry, & Kristian Stout, ICLE Comments to FCC on Title II NPRM, Int’l Ctr. for L & Econ. (Dec. 14, 2023), https://laweconcenter.org/wp-content/uploads/2023/12/ICLE-Comments-on-2023-FCC-Title-II-NPRM.pdf\.

[18] See, for example, Oral Dissent of Brendan Carr, In the Matter of Safeguarding and Securing the Open Internet; Restoring Internet Freedom, WC Docket No. 23-320, WC Docket No. 17-108 (Apr. 25, 2024), https://youtu.be/W0CFV9DNSLU?si=dmS4MAnSvnEu-P-J (“After 2017 it wasn’t the ISPs that abuse their positions in the internet ecosystem. It was not the ISPs that blocked links to the New York Post’s Hunter Biden laptop story. Twitter did that. It wasn’t the ISPs that just one day after lobbying this FCC on this order, blocked all posts from a newspaper and removed the links to the outlet after it published a critical article. Facebook did that. It wasn’t the ISPs that earlier this month blocked links to a California-based news organization from showing up in search results to protest a state law. Google did that. It wasn’t the ISPs that blocked Beeper Mini, an app that allowed interoperability between iOS and messaging. Apple did that. Since 2017, we have learned that the real abusers of gatekeeper power were not ISPs operating at the physical layer, but big tech companies at the applications layer.”).

[19] Thomas Gryta, FCC Raises Fresh Concerns Over “Zero-Rating” by AT&T, Verizon, Wall St. J. (Dec. 2, 2016), https://www.wsj.com/articles/fcc-raises-fresh-concerns-over-zero-rating-by-at-t-verizon-1480695463.

[20] Policy Review of Mobile Broadband Operators’ Sponsored Data Offerings for Zero-Rated Content and Services (Jan. 11, 2017), https://transition.fcc.gov/Daily_Releases/Daily_Business/2017/db0111/DOC-342987A1.pdf.

[21] Order, In the Matter of Wireless Telecommunications Bureau Report: Policy Review of Mobile Broadband Operators’ Sponsored Data Offerings for Zero Rated Content and Services (Feb. 3, 2017), https://docs.fcc.gov/public/attachments/DA-17-127A1.pdf.

[22] Jon Brodkin, Comcast Disabled Throttling System, Proving Data Cap Is Just a Money Grab, Ars Technica (Jun. 13, 2018), https://arstechnica.com/tech-policy/2018/06/comcast-says-it-doesnt-throttle-heaviest-internet-users-anymore.

[23] Brian C. Albrecht & Jonathan W. Williams, Net Neutrality Is an Idea That Should Have Stayed Dead, Boston Globe (May 6, 2024), https://www.bostonglobe.com/2024/05/06/opinion/net-neutrality-data-caps. See also, Eric Fruits, The Curious Case of the Missing Data Caps Investigation, Truth on the Market (Feb. 5, 2024), https://truthonthemarket.com/2024/02/05/the-curious-case-of-the-missing-data-caps-investigation.

[24] Chairwoman Rosenworcel Proposes to Investigate How Data Caps Affect Consumers and Competition (Jun. 15, 2023), https://docs.fcc.gov/public/attachments/DOC-394416A1.pdf.

[25] Elisa Jillson, Protecting the Privacy of Health Information: A Baker’s Dozen Takeaways from FTC Cases (Jul. 25, 2023), https://www.ftc.gov/business-guidance/blog/2023/07/protecting-privacy-health-information-bakers-dozen-takeaways-ftc-cases.

[26] Notice of Proposed Rulemaking, In the Matter of Safeguarding and Securing the Open Internet, WC Docket No. 23-320 (Sep. 28, 2023), available at https://docs.fcc.gov/public/attachments/DOC-397309A1.pdf.

[27] See Paul Krugman & Robin Wells, Economics 389 (4th ed. 2015) (“So the natural monopolist has increasing returns to scale over the entire range of output for which any firm would want to remain in the industry—the range of output at which the firm would at least break even in the long run. The source of this condition is large fixed costs: when large fixed costs are required to operate, a given quantity of output is produced at lower average total cost by one large firm than by two or more smaller firms.”).

[28] Id. (“The most visible natural monopolies in the modern economy are local utilities—water, gas, and sometimes electricity. As we’ll see, natural monopolies pose a special challenge to public policy.”).

[29] See Richard H. K. Vietor, Contrived Competition 167 (1994) (“[I]n the early part of the twentieth century, American Telephone and Telegraph (AT&T) set itself the goal of providing universal telephone services through an end-to-end national monopoly. … By [the 1960s], however, the distortions of regulatory cross-subsidy had diverged too far from the economics of technological change.”); see also Thomas W. Hazlett, Cable TV Franchises as Barriers to Video Competition, 2 Va. J.L. & Tech. 1, 1 (2007) (“Traditionally, municipal cable TV franchises were advanced as consumer protection to counter “natural monopoly” video providers. … Now, marketplace changes render even this weak traditional case moot. … [V]ideo rivalry has proven viable, with inter-modal competition from satellite TV and local exchange carriers (LECs) offering “triple play” services.”).

[30] See id. at 59-73.

[31] Share of United States Households Using Specific Technologies, Our World in Data (n.d.), https://ourworldindata.org/grapher/technology-adoption-by-households-in-the-united-states.

[32] Id. (showing household usage of landlines and mobile phones in 2018 at 42.7 and 95 percent, respectively).

[33] Edward Carlson, Cutting the Cord: NTIA Data Show Shift to Streaming Video as Consumers Drop Pay-TV, NTIA (2019), https://www.ntia.gov/blog/2019/cutting-cord-ntia-data-show-shift-streaming-video-consumers-drop-pay-tv.

[34] Karl Bode, A New Low: Just 46% of U.S. Households Subscribe to Traditional Cable TV, TechDirt (Sep. 18, 2023), https://www.techdirt.com/2023/09/18/a-new-low-just-46-of-u-s-households-subscribe-to-traditional-cable-tv. See also, Shira Ovide, Cable TV Is the New Landline, N.Y. Times (Jan. 6, 2022), https://www.nytimes.com/2022/01/06/technology/cable-tv.html.

[35] Krugman & Wells, supra note 28 at 360 (“A perfectly competitive industry must produce a standardized product.”), 359 (“a standardized product, which is a product that consumers regard as the same good even when it comes from different producers, sometimes known as a commodity”) [emphasis in original].

[36] Order, In the Matter of Empowering Broadband Consumers Through Transparency, CG Docket No. 22-2 (Jul. 18, 2023), available at https://docs.fcc.gov/public/attachments/DA-23-617A1.pdf.

[37] Pub. L. No. 117-58, § 60506(b)(1), 135 Stat. 429, 1246.

[38] See 47 CFR §16.2 (definition of “Covered entity” and “Covered elements of service”).

[39] Report and Order and Further Notice of Proposed Rulemaking, In the Matter of Implementing the Infrastructure Investment and Jobs Act: Prevention and Elimination of Digital Discrimination, GN Docket No. 22-69 (Oct. 25, 2023), available at https://docs.fcc.gov/public/attachments/DOC-397997A1.pdf (“Indeed, pricing is often the most important term that consumers consider when purchasing goods and services… this is no less true with respect to broadband internet access ser-vices.”).

[40] Eric Fruits, Everyone Discriminates Under the FCC’s Proposed New Rules, Truth on the Market (Oct. 30, 2023), https://truthonthemarket.com/2023/10/30/everyone-discriminates-under-the-fccs-proposed-new-rules.

[41] Internet Essentials, (2024), https://www.xfinity.com/learn/internet-service/internet-essentials.

ICLE Chief Economist Brian Albrecht was a participant in a virtual debate hosted by the American Bar Association’s Antitrust Law Section on the economics of noncompete agreements, and whether the evidence justifies the Federal Trade Commission’s sweeping ban. Video of the full event is embedded below.