ICLE Issue Brief

Open Banking Goes to Washington: Lessons from the EU on Data-Sharing Regimes

Abstract

Once the jurisdiction that most clearly embraced a market-led approach to open banking, the United States appears on the verge of shifting to a regulator-driven regime, with mandated sharing of financial data. More specifically, the U.S. Consumer Financial Protection Bureau (CFPB), relying on Section 1033 of the Dodd-Frank Act, recently proposed rules governing “personal financial data rights.” The rulemaking appears to follow the lead of the European Union (EU), which has long been at the forefront of government-led open banking. This paper seeks to analyze the CFPB proposal through the prism of the EU experience. A review of the EU’s regulatory framework, and particularly its implementation in the United Kingdom, may offer useful insights about the challenging tradeoffs posed by open banking, and thus permit an assessment of whether the CFPB proposal would add value, or simply represent an unnecessary regulatory burden.

I. Introduction

Following instructions laid out by President Joe Biden in his 2021 executive order on “Promoting Competition in the American Economy,”[1] the U.S. Consumer Financial Protection Bureau (CFPB) in October 2023 promulgated a “Personal Financial Data Rights” rulemaking to facilitate the portability of consumer banking and financial data.[2] The proposal would activate a to-date dormant provision of Section 1033 (the Consumer Financial Protection Act) of the Wall Street Reform and Consumer Protection Act of 2010 that was intended to accelerate a shift toward so-called “open banking.”[3] Open banking—a term that, in the United States, is frequently used to encompass “open finance” more broadly—refers to a financial-services environment built on interoperability and data-driven services that allows customers to leverage their transaction and financial data, and imposes on financial institutions a duty to share such data, on customers’ request, with third-party providers (TPPs).

Under open banking, financial institutions’ customers gain effective control of their data, as well as the opportunity to benefit from more competitive services enabled by the application of technological innovation to banking and finance (“fintech”). Given access to, and the ability to process, large troves of data (including nonfinancial data—e.g., digital footprints), fintech-enabled products can serve to promote financial inclusion, mitigate consumers’ unwillingness or inability to switch among firms, and help financial consumers to make informed choices and to shop around for the most convenient deals.[4] Open banking is therefore broadly expected to generate substantial benefits for businesses, consumers, and the economy as a whole.

Alongside those opportunities, however, financial innovation also poses several new concerns about consumer protection. Notably, the systematic digitization of financial transactions introduces potential for discrimination, manipulation, and exploitation of vulnerable customers.[5] Considering both consumers’ generally low levels of digital and financial literacy, and the opaque nature of algorithmic decisionmaking, they could be forced to make exceedingly complex choices among tradeoffs, and may be exposed to novel privacy and security risks. Even in cases of truly informed consent, the consumer-welfare impact of the enhanced fintech competition enabled by data sharing could be ambiguous.[6] Further, the emergence of new participants in the delivery of banking and financial services may negatively affect both competition and the financial system’s stability.

For all these reasons, designing a regulatory framework fit for purpose requires sensitive policy decisions about common standards for customer data and technical interfaces; solutions to allow customers to manage data permissions; eligibility rules and requirements for third parties seeking access to data; and the role of data aggregators.

The EU and UK have been at the forefront of the open-banking movement, having inspired other countries to follow their direction (e.g., Australia, Brazil, India, Mexico, Singapore). Those two jurisdictions are also currently evaluating proposals to extend their open-banking regulatory frameworks to “open finance” more broadly. A comparative analysis of the approaches adopted and models developed by the EU and UK would therefore aid U.S. policymakers looking to strike the proper balance in the promises and perils of open banking.[7] Notable lessons to draw from the EU and UK experience include how those jurisdictions have sought to adopt a harmonized application programming interface (API) standard; to facilitate data access and create incentives to develop high-quality APIs; to define a regulatory framework for access to financial-information data; and whether to make banking and financial data available to nonfinancial companies (in particular, to so-called “Big Tech” platforms).

By taking stock of the EU experience and focusing on those provisions most relevant to innovation and competition, this paper aims to assess the CFPB’s proposal by investigating open banking’s challenging tradeoffs, identifying key features for its effective functioning, and providing policy suggestions for the forthcoming U.S. implementation.

The paper is structured as follows: Section II illustrates the economic rationale and challenges of regulatory-driven open-banking processes. Section III provides an overview of the EU and UK frameworks, while also analyzing recent proposals to facilitate open finance. Section IV analyzes the U.S. proposal, drawing attention to relevant differences from the EU context. Section V concludes.

II. The Open Banking Conundrum: Rationale, Goals, and Challenges

Legislative initiatives to promote open banking belong to a more general wave of regulatory interventions intended to empower individuals with more control over data and to thereby unlock competition and innovation in both new and traditional markets.

The details vary from jurisdiction to jurisdiction and sector to sector, but data-sharing obligations generally include both data portability and interoperability. The former describes the ability to port from one platform to another any bulk data created through an individual’s use of a particular service. Data portability does not require systemic use of APIs, as it is accomplished via a one-time transfer at a specified point in time.[8] In contrast, open banking involves the creation of an in situ data right; i.e., rather than moving data among platforms, users are permitted to use their data within a given platform ecosystem and determine when and under what conditions third parties can access that in situ data.[9] Therefore, it represents a form of interoperability and, more specifically, belongs to the subcategory of data interoperability. Data interoperability refers to the ability to share and access data on a continuous and real-time basis, usually through APIs.[10]

Because market dynamics are shaped by consumer behavior, open-banking advocates assert that enhancing consumer engagement can play a crucial role in fostering effective competition. The fundamental policy objective of such data-sharing regulatory initiatives is to lower switching costs and avoid personal data lock-in by allowing consumers to switch smoothly or multi-home across platforms. In the case of open banking, this consumer empowerment is believed to strengthen their bargaining position with respect to banks. By gaining effective control of their own transaction data and allowing select TPPs to access such data, it is believed that consumers would be able to make informed choices among various banking and financial products and, with the help of data-driven tools, that they could receive personalized suggestions with the help of big-data analytics applied to their own economic behavior.

In summary, the goal of open banking is to increase competition, spur innovation, and make the market more contestable through data sharing. This is well-illustrated by the UK experience where, as we will see (infra Section III.C), the antitrust authority put forward data-sharing requirements as a regulatory remedy after a market investigation of the retail and business-banking sectors found weak competitive dynamics, including a high degree of market concentration and an extremely low switching rate.[11] UK authorities have even sought to measure the “loyalty penalty” that longstanding customers tend to pay for their inertia, estimating average annual gains they could realize from switching.[12]

Some open-banking proponents therefore seek to justify regulatory intervention on traditional market-failure grounds, noting that the banking sector in many countries suffers chronic deficiencies in its competitive dynamics. Without a legislative obligation to share data, banks may have valid reasons to decline access to or withhold sensitive information from TPPs, due to concerns about intellectual property, security, potential reputational risks, and liability issues.[13]

Nonetheless, it should also be noted that “open banking” does exist even where there is no regulatory mandate to share data. Indeed, even where banks are unwilling to collaborate with TPPs, third parties may gain access to customers’ accounts via screen scraping.[14] Screen scraping happens when consumers share their credentials with TPPs, who in turn impersonate the consumer, leaving them without control regarding what data is collected and how it is used and disclosed. The practice is known to increase the risks of inaccuracies, fraud, and data breaches. Indeed, the prevalence of screen-scraping practices may provide additional justification for open-banking regulations, as they represent a risky data-collection practice inconsistent with cyber-security best practices.

These concerns are further heightened by the fact that screen scraping allows TPPs access to all consumer data, rather than only those needed to provide payment and financial services. Therefore, open-banking proposals have also been advanced to guarantee consumer protection by providing a secure framework and ensuring a shift from screen scraping to developer interfaces (usually, credential-free APIs maintained by data providers or their service providers) as the most common means to access consumer data.[15] This would, it is argued, further enhance consumer trust in data sharing.

While there is consensus that developer interfaces should supplant screen scraping, significant disagreements have emerged around API standardization. Advocates particularly disagree about whether policymakers should mandate adoption of a common API standard or embrace a market-led approach that would leave banks free to develop their own interfaces or participate in privately led standardization initiatives.[16]

On the one hand, a common API standard could jeopardize dynamic competition among standards and undermine market incentives to innovate and develop high-quality interfaces. On the other hand, fragmented API standards could exacerbate the costs of interoperability, which in turn could translate into higher barriers for new entrants.[17] The unintended consequences that may arise from the absence of standardization are arguably worsened by conflicting interests among market participants—notably the lack of incentives for banks to grant access to TPPs.

Moreover, doubts have been expressed about how effective mandatory data sharing actually is in promoting competition. Growing concerns have emerged about financial-stability and monetary-policy risks generated by the entry of new players into the banking and financial-services industries.[18] Indeed, while open-banking regulations were intended primarily to create opportunities for fintech startups, whose services are otherwise constrained by lack of access to customer transaction data, the data-sharing obligations imposed on banks also tend to benefit unregulated financial-services players.

Notably, data-access rules have favored the entry of “Big Tech” firms, which initially entered the finance sector through payment services, but have swiftly diversified their offerings to include credit, insurance, and savings and investment products. While it remains unclear whether fintech startups will be able to compete effectively with legacy banks, rather than cooperate with them by providing complementary services,[19] Big Tech may represent a significant competitive threat to banks. The large tech platforms may be able to scale up quickly in financial markets by exploiting proprietary datasets derived from their non-financial operations (as well as analytical skills and advanced technologies) in order to provide consumers with personalized offers.[20] In this regard, from a competitive standpoint, there have also been questions about the asymmetric nature of data-sharing provisions that, in contrast with the goal of ensuring a level informational playing field, impose on banks a duty to grant access to TPPs without including a reciprocal obligation on the latter that would equally allow banks to enhance digital services.[21]

Further shortcomings and perils are associated with the role played by data aggregators (also known as API aggregators or API hubs). Emerging in response to the multiplicity of bank APIs available on the market, data aggregators act as intermediaries between banks and TPPs by integrating various APIs to offer a single implementation point for TPPs. From a technical perspective, data aggregators bring enhancements to the open-finance ecosystem. Indeed, providing a standardized API—irrespective of the specific APIs or services integrated—allows TPPs to seamlessly connect with various APIs without the need to handle the configuration and formatting intricacies of data and interfaces.

Data aggregators, however, also pose risks of market dominance.[22] Notably, due to their advantageous scale and extensive access to consumer financial data, the market might favor only a handful of major players. In other words, especially in a highly fragmented financial-services market, such as the United States, data aggregators may attract a critical mass of API-software developers that benefit from the same data-accumulation economics that may favor industry concentration and the entrenched dominant position of some Big Tech firms (i.e., strong economies of scale, scope, and network effects).[23] In addition, the API connection service delivered by aggregators can be viewed as a factor contributing to inefficiency, as it elongates transaction chains and introduces costs due to the fact that it is provided against compensation.

By and large, open banking’s rationale, aims, and tradeoffs suggest that one size does not fit all. Therefore, jurisdictions evaluating policy interventions to facilitate data sharing in banking and finance should adopt a tailored approach, taking stock of other countries’ experiences to carefully assess the benefits and drawbacks of market-led and regulatory-led regimes, respectively.

III. The EU Regulatory Framework and Its UK Implementation

From a regulatory perspective, the EU led the way in open banking by introducing a sector-specific data-access right in 2015. The jurisdiction is now on the verge of further extending its legal framework to embrace open finance. While based on the same framework, the UK adopted a different technological model for standardizing data-sharing interactions between banks and TPPs, which has become noteworthy as one of the most advanced examples of mandated interoperability. Further, the EU’s ongoing review of its regulatory regime may offer some useful insights about both the successes and shortcomings of open banking, as well as how it compares to the UK regime.

The EU and UK therefore represent useful benchmarks for U.S. policymakers interested in incorporating the lessons learned from those experiences. Recent proposals in both the EU and UK to go beyond payment-account data in order to promote access to financial data could be equally relevant to the United States, as the CFPB’s rulemaking aims to facilitate a form of open finance.

A. PSD2 and Its Reform

The EU’s 2015 Directive on Payment Services (PSD2) introduced the access-to-account rule (XS2A rule), which requires account-servicing payment-service providers (ASPSPs) to share, upon user request, real-time data on customers’ accounts with TPPs—both payment-initiation service providers (PISPs) and account-information service providers (AISPs)[24]—as well as to execute payment orders.[25] PSD2 enables access without need for a contractual relationship between the ASPSPs and TPPs, and thus without compensation.

While open banking existed in the EU prior to PSD2, the directive’s aim was to provide a secure regulatory framework. Previously, TPPs operated in a largely unregulated environment and accessed customers’ accounts primarily by screen scraping.[26]

Under PSD2, data access is facilitated either through APIs, or by granting TPPs direct access to payment data using the interface that banks employ for customer interactions (customer-facing interface). In order to safeguard business continuity for TPPs, PSD2 requires ASPSPs that opt for a dedicated interface (PSD2 API) to also provide an alternative interface to TPPs (a fallback interface) in the event of malfunction or other issues with the dedicated interface. To facilitate the objective of promoting competition and innovation, PSD2 and its implementing regulatory technical standards (RTSs) chose not to impose a unique API standard; nearly 10 years later, there is still no single pan-European open-banking API standard.

A recent evaluation report concluded that PSD2 has been successful in reducing fraud via the introduction of strong customer authentication (SCA), which involves two authentication factors based on either knowledge (e.g., a password), possession (e.g., a card) or inherence (e.g., a fingerprint).[27] The report, however, also found that PSD2 was only somewhat effective in achieving a level playing field, and was a mixed success in the uptake of open banking in the EU.[28] Indeed, there have been recurrent issues as regards TPPs lacking effective and efficient access to data held by ASPSPs, with a particular imbalance between bank and nonbank service providers.[29]

Notably, the review found that neither ASPSPs nor TPPs are fully satisfied with the current situation.[30] The latter regularly complain about the performance of data-access interfaces, reporting that they experience difficulties in providing basic services due to inadequate and low-quality PSD2 APIs.[31] TPPs also note that, as API standards are set by the industry, this fragmentation leaves them in the disadvantageous position of bearing the costs of developing separate solutions to access different banks’ APIs.[32]

For their part, ASPSPs also express dissatisfaction, reporting significant implementation costs to develop APIs, as well as objections that PSD2 precludes them from charging TPPs for access to customer data.[33] In other words, banks perceive open banking purely as a regulatory burden, and argue that the free access does not offer incentives to create the best possible APIs.[34] Banks are similarly dissatisfied with the low use of their APIs, raising complaints that API aggregators pass on user data to unregulated third parties.[35]

Despite these findings on the imperfect functioning of open banking in the EU, the European Commission has chosen not to pursue radical changes.[36]

With regard to TPPs’ complaints, while acknowledging that a different solution might offer better access to data, the Commission’s proposed amendments to PSD2 do not include imposing a fully standardized EU data-access interface, on the belief that the costs of introducing a new single API standard would outweigh the benefits.[37] Indeed, the Commission notes that, despite the existence of different API standards in the EU, the existing PSD2 API standards have substantially converged over time toward two primary solutions (i.e., the Berlin Group standard and the STET standard).[38] In addition, even if not envisaged by PSD2, the emergence of API aggregators that offer a paid alternative to a PSD2 API standard has lowered frictions arising from fragmented API standards.[39]

Nonetheless, starting from the premise that screen scraping should be out of bounds,[40] the proposal suggests streamlining the regime by removing the two interface requirements (i.e., a principal interface and a fallback interface) and imposing, as a general rule, mandatory use of APIs designed and dedicated for open-banking purposes to provide data access to TPPs.[41] Moreover, to ensure TPPs’ business continuity and ability to provide high-quality services to clients, the proposal would grant them the right to benefit from “data parity,” with the customer interface provided by ASPSPs to their users.[42]

In the same way, in response to banks’ requests to modify the PSD2 to allow for compensation to facilitate access to data, the proposed amendments would safeguard the current regime (i.e., TPPs benefiting from the PSD2 baseline services without contractual agreement or charging) but would allow contractual relationships to be established, accompanied by compensation for services that go beyond those required by the PSD2.[43] This would allow the development of “premium” APIs to provide transaction information from other types of accounts (e.g., savings accounts) and allow the schedule of recurring payments.[44]

Finally, to increase trust in open banking and empower consumers to be in full control of their data, the proposal would require ASPSPs to make a dashboard available for customers to monitor data access granted to open-banking service providers, and to easily withdraw or re-establish that access.[45]

B. Open Finance Proposal

Alongside proposals to revise PSD2, the European Commission has also delivered a legislative proposal on data access to financial information (FIDA), which would complement the XS2A rule with an obligation to provide access to financial data.[46]

The FIDA proposal builds on the same rationale as PSD2—i.e., promoting competition and innovation in a data-driven ecosystem by entrusting customers of financial institutions (i.e., both consumers and firms) with effective control over their financial data to benefit from financial products and services tailored to their needs.[47] The wording of the aims section of the proposal clearly resembles PSD2. According to the proposal, the lack of personalized financial products hinders the potential for innovation, as it restricts the ability to provide a broader range of choices and financial services to consumers who could otherwise gain advantages from data-driven tools that help them make informed decisions, easily compare offerings, and switch to more favorable products aligning with their preferences based on their data.[48] A particular emphasis is placed on small players, as they are assumed to suffer most from existing barriers to business-data sharing.[49]

In addition, the FIDA proposal adopts the same approach as PSD2 (confirmed by its proposed revision) toward the lack of reciprocity in data-access obligations. As mentioned above, this approach has garnered criticism for being at-odds with the proclaimed goal of leveling the informational playing field. Against the risk of favoring Big Tech firms over financial incumbents and new fintech entrants, the Commission notes that the Digital Markets Act (DMA)[50] would ensure reciprocity in data access between financial-sector firms and large technology companies.[51] Indeed, under the DMA, gatekeeper platforms are required to ensure real-time access to data provided or generated on the platform by business users and consumers in the context of core platform services.

But to safeguard financial stability, market integrity, and consumer protection, the proposal lays down eligibility rules on access to customer data, establishing that the latter can be accessed only by regulated financial institutions or firms authorized as financial-information service providers (FISPs).[52] The provision applies the principle of “same activity, same risks, same rules,” according to which all financial-market participants that carry out the same activity and generate the same risks ought to be subject to the same standards for consumer protection and operational resilience.[53]

In a nutshell, the FIDA initiative is intended to extend the open-banking framework to open finance, and it proceeds from the same customer-centric approach, building on the lessons learned in the PSD2 review.[54] Therefore, while the FIDA proposal includes the same amendments related to data-access permission dashboards for customers,[55] it differs significantly from the proposed revision of PSD2 with regard to envisaged solutions against the risk of a low-quality and fragmented API landscape.

Notably, the FIDA proposal explicitly acknowledges that making data available via high-quality APIs is essential to facilitate seamless and effective access to data. Seeking to safeguard incentives for data holders to invest toward this aim, the proposal declares that it is appropriate to allow them to request reasonable compensation from data users.[56] Such a solution would be in line with the principle recently introduced in the Data Act of a contractual data-sharing model.[57] Accordingly, under the FIDA proposal, a data holder may claim compensation only if the customer data is made available to a data user in accordance with the rules and modalities of a financial-data-sharing scheme.[58]

Moreover, as the consultation strongly indicated that the lack of standardization is a major obstacle to data sharing in finance,[59] the FIDA proposal imagines that market participants would be required to jointly develop common standards for customer data and interfaces as part of these financial-data-sharing schemes.[60] The option to empower European supervisory authorities to develop a single EU-wide standard for the entire financial sector was discarded because of its perceived drawbacks, complexity, and overall costs. More specifically, it was considered unlikely that a single standard would satisfy the diverse needs of data users in different segments of the financial-services industry, and that it would be challenging for public authorities to keep pace with technical developments by updating standards in a timely manner.[61]

The explanation proffered for this apparent discrepancy between open banking and open finance in the EU is simply one of path dependence. As open finance is an emerging market that would be regulated for the first time, it has no legacy compensation regime and no investments in APIs already made; therefore, it is believed there would be no risk of disruption.[62]

C. The UK Regime

Building on the same framework as PSD2, the UK opted for a more extensive and invasive implementation of the XS2A rule. Indeed, while PSD2 is technology-agnostic, the UK promoted a standardized model of open banking. Notably, the UK Competition and Markets Authority (CMA) required the nation’s nine largest banks (CMA9) to agree on common and open API standards, data formats, and security protocols that would allow TPPs to connect to customers’ bank accounts according to a single set of specifications.[63] Further, a special-purpose entity, funded by the CMA9, was created to oversee the rollout of API standards and support parties in the use of such standards.

The CMA decided to promulgate this remedy after a review of the retail-banking sector found perceived structural and longstanding competitive weaknesses.[64] In particular, the UK antitrust authority investigated whether there were barriers constraining banks’ ability to enter or expand competition in personal current accounts (PCAs), whether weak customer response was a result of lack of engagement and/or barriers to searching and switching that dampened banks’ incentives to compete, and whether the level of concentration had an adverse effect on customers. The investigation revealed that the market was concentrated and, despite variations among banks in prices and quality, market shares remained stable over time. Indeed, the four largest UK banks accounted for more than 70% of consumers’ primary PCAs and had collectively lost less than 5% market share since 2005.[65] Further, the market study found that a substantial proportion of customers were paying above-average prices for below-average service quality, thus suggesting they would be better off switching products.[66]

Despite these premises, customer engagement was low. The survey reported that more than a third of respondents had been with their primary PCA provider for more than 20 years, over half for more than 10 years, and only 8% of customers had switched PCAs to a different bank over the past three years.[67] Such results were even more significant when compared to switching rates in other sectors.[68]

Seven years since its introduction, the UK celebrates the success of its open-banking model, claiming significant take-up and accelerating growth. Today, more than 7 million consumers and businesses (of which 750,000 are small to medium-sized enterprises) use open-banking-enabled products and services.[69] The data show that customers show positive sentiment toward open banking, believing they are in better control of their personal finances. Most TPPs likewise find that the API-standardized implementation has been particularly effective.[70] For these reasons, the UK Government has announced the launch of open finance—i.e., its intention to extend its open-banking model beyond payment accounts to a broader range of financial services and products.[71]

The perceived success of the UK version of open banking was confirmed when an identical model was adopted in Australia, where the Australian Competition and Consumer Commission required the four major banks to share product-reference data with accredited data recipients and mandated the adoption of a single set of API standards for data sharing.[72] Australia’s open-banking requirements are part of an ambitious legislative initiative to introduce an economy-wide data-sharing framework, tested initially in banking and energy, and expected to eventually be extended to telecommunications, pensions, insurance, and other areas.

IV. The CFPB’s Rulemaking on ‘Personal Financial Data Rights’

Once the jurisdiction that most clearly embraced a market-led approach to open banking and open finance, the United States appears on the verge of shifting toward the EU’s prescriptive and regulator-driven regime, with mandated sharing of financial data.

In 2021, the White House encouraged the CFPB to intervene in the banking market to “promote competition” consistent with the objectives stipulated in Section 1021 of the Dodd-Frank Act and, in particular, to consider commencing rulemaking under Section 1033 of the Dodd-Frank Act to facilitate the portability of consumer-financial-transaction data.[73] Section 1021 entrusts the CFPB with ensuring that all consumers have access to markets for consumer financial products and services, and that these be “fair, transparent, and competitive.” Section 1033 establishes that, subject to certain exceptions, any person that engages in offering or providing a consumer financial product or service shall make available to a consumer, upon request, information in its control concerning that product or service that the covered person obtained from said consumer. In addition, the CFPB shall prescribe standards applicable to covered persons to promote the development and use of standardized formats for information, including through the use of machine-readable files, to be made available to consumers under this section.

As a consequence of the White House’s 2021 executive order on competition, the CFPB in October 2023 proposed a Personal Financial Data Rights rule to activate the aforementioned provisions enacted by the U.S. Congress more than a decade ago.[74] Notably, in addition to ensuring that consumers can access covered data in electronic form from data providers, the proposed regulation would delineate the scope of data that TPPs can access on a consumer’s behalf, the terms on which data are made available, and the mechanics of data access.

First, the CFPB chose to prioritize certain types of consumer accounts. The scope of the rulemaking includes as covered entities those providing asset accounts subject to the Electronic Fund Transfer Act and Regulation E; credit cards subject to the Truth in Lending Act and Regulation Z; and related payment-facilitation products and services, and, as covered data, transaction information; account balances; information to initiate payment to or from a Regulation E account; terms and conditions; upcoming bill information; and basic account-verification information.[75]

The rulemaking also requires data providers to establish and maintain a developer interface for third parties to access consumer-authorized data under certain performance and security specifications.[76] In particular, the CFPB established that the performance of a developer interface cannot be commercially reasonable unless it has a response rate of at least 99.5 percent within 3.5 seconds. Despite the costs incurred to meet these requirements, the CFPB suggested forbidding data providers from imposing access caps and levying any direct fee for fulfilling a request.[77]

Further, the rulemaking seeks to promote standardization by supporting industry standards appropriately developed within a data-access framework (“qualified industry standard”).[78] Due to concerns about the pace of technological change,[79] rather than dictating technical standards, the CFPB suggested that indicia of compliance with certain provisions must include conformance to an applicable industry standard issued by a fair, open, and inclusive standard-setting body.[80]

A. Absence of Justifications for Regulatory Intervention

The CFPB’s rulemaking builds on Section 1033 of the Dodd-Frank Act. As noted by some scholars, however, Section 1033 is “silent” on the core principles of open banking.[81] Indeed, the provision creating a data-access right for consumers does not expressly impose on financial institutions a duty to share such data with third parties. Therefore, in contrast with the EU PSD2, it is far from clear whether there is a legislative mandate authorizing the CFPB to promote open banking via interoperability obligations. Indeed, the lack of a clear regulatory mandate is arguably what has allowed a market-driven approach to open banking to emerge in the United States over the last 14 years.

More importantly to the present analysis, the U.S. context differs significantly from the EU, raising questions about the justification for regulatory intervention. These doubts involve both the spread of poor technological-data-access solutions and the respective markets’ structural competitive weaknesses. Regarding the former, the CFPB proposal places significant emphasis on screen scraping. CFPB Director Rohit Chopra has described the current regime as “broken,” with consumer access based on a set of unstable and inconsistent norms across market participants and with many companies accessing consumer data through activities like screen scraping.[82] The proposal thus seeks to move the market away from these risky data-collection practices.[83]

But while acknowledging that screen scraping has allowed open banking to grow quickly in the United States,[84] the CFPB also reports that a large and growing number of consumers currently access their financial data through consumer-authorized third parties, and that the share of access attempts made through screen scraping has declined by a third since 2019.[85] According to the CFPB, the recent growth in traffic through credential-free APIs reflects the technology’s adoption by some of the largest data providers, covering tens of millions of covered accounts.[86] The bureau estimates that API use has grown substantially over the last five years, as the annual number of consumer-authorized access attempts approximately doubled from 2019 to 2022.[87] The U.S. market therefore already appears to be moving away from screen scraping and toward the use of APIs.

Moreover, the U.S. banking and financial-services sector is characterized by a large degree of fragmentation. As noted in the literature, such extreme fragmentation is “stark” when compared with the EU and other jurisdictions that have adopted open banking and open finance.[88] In response, U.S. financial institutions have undertaken initiatives to promote API standards, which already include private standard-setting bodies such as the Financial Data Exchange (FDX). The result has been a commingling of financial institutions, data aggregators, fintechs, payment networks, and consumer groups with the objective of “unifying the financial services ecosystem around a common, interoperable and royalty-free technical standard for user-permissioned financial data sharing.”[89]

But such efforts for industry-supported API standards have been controversial.[90] Indeed, an additional peculiar feature of the U.S. financial-services industry is the emergence of a relatively concentrated data-aggregation market, where a handful of players serve the entire sector.[91]

In summary, while the two primary rationales for regulator-driven open banking in other jurisdictions are chronic deficiencies in market contestability and the widespread use of screen scraping, neither of these features is present in the U.S. scenario. Since regulatory intervention is context-dependent and entails complex tradeoffs and sensitive choices (see supra Section II), the absence of these justifications raises doubts about the potential added value of the CFPB’s initiative—specifically, whether any benefits to innovation, competition, and consumer choice will outweigh regulatory costs.

B. Insights from the EU’s Shortcomings

While the marked differences between the U.S. and EU landscapes raise questions about the rationale for a U.S. shift toward regulator-led open banking, a glance at the EU’s recent review of its open-banking regime underscores the degree to which the proposed CFPB framework may represent an unnecessary regulatory burden. In particular, there should be significant doubts about the competitive implications of the proposed rules, and particularly about the degree to which they would serve to ensure quality data-sharing and a level informational playing field.

Indeed, the CFPB’s primary justification for top-down intervention is to outlaw screen scraping, which is unanimously considered worrisome for data privacy, security, and accuracy.[92] The EU FIDA proposal highlights data accuracy as especially key for competition, noting that making data available via high-quality APIs is essential to facilitate effective access.[93] The CFPB proposal likewise assumes that the quality of data provided through open-banking APIs is greater than that collected through screen scraping.

But the recent review of the EU PSD2 noted TPPs’ dissatisfaction with the performance of data-access interfaces.[94] Notably, many TPPs complained that, despite the high costs of implementation, APIs are implemented differently and don’t always work.[95] At the same time, banks complain about the costs of PSD2 compliance, arguing that the mandated free access leaves them no incentive to offer the best possible APIs.[96] Given the significant implementation costs to develop high-quality APIs, the European Commission has supported a proposal to allow data holders to request reasonable compensation from data users.[97] More generally, the EU Data Act affirms that it is desirable to provide remuneration for data under fair, reasonable, and non-discriminatory (FRAND) terms in order to promote investment and safeguard appropriate incentives to develop high-quality interfaces.[98] Such compensation might include not only the costs incurred to make the data available, but also a margin to account for such factors as the volume, format, or nature of the data. By contrast, the CFPB proposal would impose performance specifications for the developer interface while forbidding any fee or charge in connection with establishing the required interface or receiving requests to make covered data available.[99]

Other CFPB provisions are inconsistent with open banking’s procompetitive goal of levelling the informational playing field. Notably, the CFPB replicates the asymmetric treatment imposed on financial institutions by the PSD2 (as well as by the current EU proposals), under which banks and other lenders have a duty to share account data, while no reciprocal obligation is imposed on data recipients. Restricting access and use of data may serve to hinder development of innovative products or services, and a bidirectional access-to-data-account rule in PSD2 could have been used to enhance digital-payment services. A system in which all eligible entities participate would be more dynamic and promote greater competition. Therefore, in principle, there is good reason to establish that accredited data recipients in a designated sector should also be obliged to provide equivalent data in an equivalent format, in response to a consumer request.[100] Further, an unbalanced data-sharing burden risks over-empowering new players (i.e., fintechs, Big Tech, and data aggregators) relative to legacy banks.

In a similar vein, the CFPB’s blanket prohibition on secondary data use could yield further anticompetitive shortcomings by imposing limits on data flows—namely on the use of covered data for targeted advertising and cross-marketing, even when those data are de-identified.[101] Indeed, such restrictions are at odds with core open-banking principles. As open banking is consumer-centric and aims to promote consumer empowerment to spur innovation and competition, it should abandon purely paternalistic approaches focused only on consumers’ vulnerabilities. Instead, open-banking principles inherently endorse a proactive strategy based on consumers’ ability to manage their data and choose which parties should use it to offer new products and services.[102] An outright ban on targeted advertising and cross-marketing instead reduces consumer choices and their opportunities to discover new products and services. By further hindering the level informational playing field, such a prohibition would favor incumbents over newcomers and challengers.

Finally, following the EU, the CFPB would adopt an open-banking regime with mandatory data sharing, but without regulator-supplied technical standards. Similar to EU policymakers—and in contrast with UK and Australian regulators—the CFPB argues that detailed technical standards are too complex and unsuited to the pace of technological change, even though they would be particularly well-suited to the excessively fragmented U.S. market.[103] In supporting the development of common standards through standard-setting organizations, the CFPB’s proposal is similar to the European FIDA proposal, although the latter mandates participation by financial institutions, data holders, and data users in data-sharing schemes. Indeed, under the FIDA proposal, data that falls within the scope of the sharing obligation would only be available to members of a financial-data-sharing scheme.

The concerns about whether such an invasive intervention will be “future proof” are compelling, especially given the size of the U.S. financial market. But a UK-style remedy would at least be effective against the only potential risk of market dominance—that of a small handful of data aggregators emerging as a response to the peculiar fragmentation of the U.S. market. In this regard, there should be doubts about whether it will be effective to entrust standard-setting bodies to develop “qualified” standards within the CFPB’s framework.[104] In particular, it is unclear what value would be added relative to the way that market-led open banking is currently delivered in the United States, as it already includes industry standard-setting initiatives (e.g., FDX). Subjecting standard-setting organizations to CFPB vetting regarding their fairness, openness, and inclusiveness does not seem like a game changer. On the contrary, it appears to be just another unnecessary regulatory burden, apparently unfit to address the purported risks of standards controlled by dominant incumbents or intermediaries, thus “enabl[ing] rent-extraction and cost increases for smaller participants.”[105]

V. Conclusion: Does the CFPB’s Open Banking Fall Short?

Following the EU and the UK, about 80 countries have recently engaged in government-led open-banking initiatives.[106] The United States is on the brink of joining the club. But even without a regulatory framework to mandate data sharing, open banking is already flourishing in the U.S. market. Therefore, it’s important to understand why the country that has been at the forefront of market-driven open banking would shift to a compulsory regime, as well as what model inspired this change.

The EU’s regulator-driven open-banking regime relies on the twofold rationale of promoting fintech competition and safeguarding consumers from screen-scraping practices. But the EU’s background differs significantly from the U.S. scenario. Rather than being highly concentrated, the U.S. market seems paradoxically to suffer from the opposite problem—namely, excessive fragmentation. As a result, the competitive issue that has emerged in the United States is one of market concentration at the intermediary level (i.e., data aggregators), rather than upstream (i.e., banks). Moreover, as the CFPB acknowledges, the U.S. market has already been moving away from screen scraping, as testified by the exponential increase in the number of consumer-authorized access attempts in recent years.

The state of the U.S. open-banking ecosystem also flies in the face of the traditional market-failure justification for regulatory intervention. In disregarding the peculiar features of the U.S. context, the CFPB’s proposal may miss badly in selecting effective technical solutions. Indeed, by replicating the EU approach, rather than the UK implementation, the CFPB discards the option of imposing a single U.S.-wide standard because of its cost, complexity, and dynamic innovation shortcomings. While these concerns are well-founded, at the very least, an invasive technological solution would address the only potential competitive issue in the U.S. market, which is the role of data aggregators. Moreover, the CFPB ignores some useful insights from the recent review of the EU experience, which recommends allowing incentives to develop high-quality APIs by compensating banks for their efforts.

For all these reasons, there should be significant concerns about whether the CFPB’s initiative is needed and the extent to which such a top-down intervention would add value in the U.S. market.

Despite the ambiguous effects and challenging tradeoffs of open banking, it has been trendy of late and the government-led version has become widespread around the world. It is worth remembering, however, that regulatory models do not work in a vacuum. They are context-dependent and can be more or less effective depending on the particular features of the markets and countries involved. More importantly, regulation is not inherently preferable to market-led solutions. Regulation is just a pill for a disease—ideally, the cure for a market failure. If the latter is missing or is not properly detected, consumers will effectively be asked to pay the price for an unneeded dress, however stylish it might be.

[1] Executive Order on Promoting Competition in the American Economy, White House (Jul. 9, 2021), https://www.whitehouse.gov/briefing-room/presidential-actions/2021/07/09/executive-order-on-promoting-competition-in-the-american-economy.

[2] Required Rulemaking on Personal Financial Data Rights, Docket No. 2023-CFPB-0052, U.S. Consumer Financial Protection Bureau (Oct. 19, 2023), https://www.consumerfinance.gov/rules-policy/notice-opportunities-comment/open-notices/required-rulemaking-on-personal-financial-data-rights.

[3] Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, 12 USC 53 (2010), §1033.

[4] See, e.g., Tania Babina, Saleem Bahaj, Greg Buchak, Filippo De Marco, Angus Foulis, Will Gornall, Francesco Mazzola, & Tong Yu, Customer Data Access and Fintech Entry: Early Evidence from Open Banking (NBER Working Paper 32089, Jan. 2024), http://www.nber.org/papers/w32089; Tobias Berg, Valentin Burg, Ana Gombovic, & Manju Puri, On the Rise of Fintechs: Credit Scoring Using Digital Footprints, 33 Rev. Financ. Stud. 2845 (Sep. 12, 2019); Thomas Philippon, On Fintech and Financial Inclusion (NBER Working Paper No. 26330, Sep. 2019), https://www.nber.org/papers/w26330.

[5] See, e.g., Access to Finance for Inclusive and Social Entrepreneurship. What Role Can Fintech and Financial Literacy Play? (OECD Local Economic and Employment Development (LEED) Papers, 2022), https://www.oecd-ilibrary.org/industry-and-services/policy-brief-on-access-to-finance-for-inclusive-and-social-entrepreneurship_77a15208-en; Isil Erel & Jack Liebersohn, Can Fintech Reduce Disparities in Access to Finance? Evidence from the Paycheck Protection Program, 146 J. Financ. Econ. 90 (Oct. 2022); Yoke Wang Tok & Dyna Heng, Fintech: Financial Inclusion or Exclusion? (IMF Working Paper No. 80, May 6, 2022), https://www.imf.org/en/Publications/WP/Issues/2022/05/06/Fintech-Financial-Inclusion-or-Exclusion-517619.

[6] See, e.g., Zhiguo He, Jing Huang, & Jidong Zhou, Open Banking: Credit Market Competition When Borrowers Own the Data, 147 J. Financ. Econ. 449 (Feb. 2023); Christine A. Parlour, Uday Rajan, & Haoxiang Zhu, When FinTech Competes for Payment Flows, 35 Rev. Financ. Stud. 4985 (Apr. 27, 2022).

[7] For an overview of the international landscape, see Babina et al., supra note 4; Shifting from Open Banking to Open Finance: Results from the 2022 OECD Survey on Data Sharing Frameworks (OECD Business and Finance Policy Papers, 2023), https://doi.org/10.1787/9f881c0c-en.

[8] Daniel Schnurr, Switching and Interoperability Between Data Processing Services in the Proposed Data Act, Centre on Regulation in Europe (Dec. 2022), 11, available at https://cerre.eu/wp-content/uploads/2022/12/Data_Act_Cloud_Switching.pdf.

[9] Bertin Martens, Geoffrey Parker, Georgios Petropoulos, & Marshall van Alstyne, Towards Efficient Information Sharing in Network Markets (Bruegel Working Paper No. 12, Nov. 10, 2021), https://www.bruegel.org/2021/11/towards-efficient-information-sharing-in-network-markets.

[10] On the various degrees of interoperability, see Jacques Crémer, Yves-Alexandre de Montjoye, & Heike Schweitzer, Competition Policy for the Digital Era, European Commission Directorate-General for Competition (2019), 58-59, https://op.europa.eu/en/publication-detail/-/publication/21dc175c-7b76-11e9-9f05-01aa75ed71a1/language-en.

[11] The Retail Banking Market Investigation Order 2017, UK Competition and Markets Authority (Feb. 2, 2017), https://www.gov.uk/government/publications/retail-banking-market-investigation-order-2017.

[12] See Oscar Borgogno & Giuseppe Colangelo, Consumer Inertia and Competition-Sensitive Data Governance: The Case of Open Banking, 9 EuCML 143 (2020).

[13] Impact Assessment Accompanying the Proposal for a Directive on Payment Service in the Internal Market, European Commission (Staff Working Document, 288 final, 2013), 137.

[14] Report on the Review of Directive 2015/2366/EU of the European Parliament and of the Council on Payment Services in the Internal Market, European Commission (COM(2023) 365 final), 4.

[15] See, e.g., Screen Scraping – Policy and Regulatory Implications, Australian Government – The Treasury (2023), https://treasury.gov.au/consultation/c2023-436961.

[16] For a literature review on the different modes of the standardization process, see Dize Dinçkol, Pinar Ozcan, & Markos Zachariadis, Regulatory Standards and Consequences for Industry Architecture: The Case of UK Open Banking, 52 Res. Policy 104760 (Jul. 2023).

[17] See, e.g., OECD, supra note 7, 32; Press Release, Final Report on the Sector Inquiry into Financial Technologies, Hellenic Competition Commission (Dec. 27, 2022), https://epant.gr/en/enimerosi/press-releases/item/2460-press-release-publication-of-the-final-report-of-the-fintech-sector-inquiry.html; Opinion on the Sector of New Technologies Applied to Payment Activities, French Competition Authority (Apr. 29, 2021), https://www.autoritedelaconcurrence.fr/en/opinion/sector-new-technologies-applied-payment-activities.

[18] See, e.g., Giulio Cornelli, Fiorella De Fiore, Leonardo Gambacorta, & Cristina Manea, Fintech vs Bank Credit: How Do They React to Monetary Policy?, 234 Econ. Lett. 111475 (Jan. 2024); Karen Croxson, Jon Frost, Leonardo Gambacorta, & Tommaso Valletti, Platform-Based Business Models and Financial Inclusion: Policy Trade-Offs and Approaches, 19 J. Compet. Law Econ. 75 (Mar. 2023); Claudio Borio, Stijn Claessens, & Nikola Tarashev, Entity-Based vs Activity-Based Regulation: A Framework and Applications to Traditional Financial Firms and Big Techs (FSI Occasional Paper No. 19, Aug. 3, 2022), https://www.bis.org/fsi/fsipapers19.htm; Johannes Ehrentraud, Jamie Lloyd Evans, Amelie Monteil, & Fernando Restoy, Big Tech Regulation: In Search of a New Framework (FSI Occasional Paper No. 20, Oct. 3, 2022), https://www.bis.org/fsi/fsipapers20.htm; Raihan Zamil & Aidan Lawson, Gatekeeping the Gatekeepers: When Big Techs and Fintechs Own Banks – Benefits, Risks and Policy Options (FSI Insights No. 39, Jan. 20, 2022), https://www.bis.org/fsi/publ/insights39.htm.

[19] See, e.g., Oskar Kowalewski & Pawel Pisany, The Rise of Fintech: A Cross-Country Perspective, 122 Technovation 102642 (Apr. 2023); Emma Li, Mike Qinghao Mao, Hong Feng Zhang, & Hao Zheng, Banks’ Investments in Fintech Ventures, 149 J. Bank. Financ. 106754 (Apr. 2023); Victor Murinde, Efthymios Rizopoulos, & Markos Zachariadis, The Impact of Fintech Revolution on the Future of Banking: Opportunities and Risks, 81 Int. Rev. Financ. Anal. 102103 (May 2022); Arnoud Boot, Peter Hoffmann, Luc Laeven, & Lev Ratnovski, Fintech: What’s Old, What’s New?, 53 J. Financ. Stab. 100836 (Apr. 2021); Luca Enriques & Wolf-Georg Ringe, Bank-Fintech Partnerships, Outsourcing Arrangements and the Case for a Mentorship Regime, 15 Cap. Mark. Law J. 374 (Jul. 31, 2020); Anjan V. Thakor, Fintech and Banking: What Do We Know?, 41 J. Financ. Intermed. 100833 (Jan. 2020); Aluma Zernik, The (Unfulfilled) Fintech Potential, 1 Notre Dame J. Emerging Tech 352 (Oct. 1, 2018); René M. Stulz, FinTech, BigTech, and the Future of Banks, 31 J. Appl. Corp. Finance 86 (Sep. 2019); Xavier Vives, Digital Disruption in Banking, 11 Annu. Rev. Financ. Econ. 243 (Nov. 2019).

[20] For analysis of the debate on competitive opportunities and concerns coming from Big Tech’s entry into banking and financial markets, see Oscar Borgogno & Giuseppe Colangelo, The Data Sharing Paradox: BigTechs in Finance, 16 Eur. Compet. J. 492 (May 28, 2020).

[21] Miguel de la Mano & Jorge Padilla, Big Tech Banking, 14 J. Compet. Law Econ. 494, 503 (Dec. 4, 2018).

[22] Open Finance Policy Considerations (OECD Business and Finance Policy Papers, 2023), 30-31, https://doi.org/10.1787/19ef3608-en.

[23] See Dan Awrey & Joshua Macey, The Promise and Perils of Open Finance, 40 Yale J. on Reg. 1 (Feb. 28, 2022); Julian Alcazar & Fumiko Hayashi, Data Aggregators: The Connective Tissue for Open Banking, Fed. Res. Bank Kansas City (Aug. 24, 2022), https://www.kansascityfed.org/research/payments-system-research-briefings/data-aggregators-the-connective-tissue-for-open-banking.

[24] Account-information services and payment-initiation services are those that allow a payment-service provider access to a payment-service user’s data where the provider neither holds the user’s account funds nor directly services his or her payment account. Account-information services allow for the aggregation in a single location of user data held by multiple account-servicing payment-service providers; payment-initiation services allow a payment to be initiated from a user’s account in a way that is convenient for both user and payee and without need for a payment instrument, such as a payment card.

[25] Directive 2015/2366 on Payment Services in the Internal Market, (2015) OJ L 337/35, Articles 64-68. For analysis of the XS2A rule, see Oscar Borgogno & Giuseppe Colangelo, Data, Innovation and Competition in Finance: The Case of the Access to Account Rule, 31 Eur. Bus. Law Rev. 573 (Apr. 15, 2019).

[26] European Commission, supra note 14, 4.

[27] Id., 3.

[28] Id.

[29] Id., 4.

[30] European Commission, supra note 13, 16.

[31] Id., 13-14.

[32] Id., 120.

[33] Id., 15.

[34] Id.

[35] Id.

[36] The legislative amendments to PSD2 are set out in two proposals that would separate the rules governing payment services’ conduct from rules on authorization and supervision of payment institutions. On the former, see, Proposal for a Regulation on Payment Services in the Internal Market and Amending Regulation (EU) No 1093/2010, European Commission, COM(2023) 367 final; on the latter, see, Proposal for a Directive on Payment Services and Electronic Money Services in the Internal Market Amending Directive 98/26/EC and Repealing Directives 2015/2366/EU and 2009/110/EC, European Commission, COM(2023) 366 final.

[37] European Commission, supra note 14, 4-5. See also European Commission, supra note 13, 42-43, stating that “[r]equiring a new standard would render the work done on all existing standards wasted. More fundamentally, imposing a single standard would mean abandoning the principle of technology neutrality and could risk being inflexible, not future-proof and hinder innovation, since new better standards for interfaces may arise in future.”

[38] European Commission, supra note 14, 4-5, reporting that the Berlin Group standard claims to account for 80% of the PSD2 APIs.

[39] Id.

[40] European Commission, Proposal for a Regulation on Payment Services, supra note 36, Recital 61.

[41] Id., Recital 57. Exemptions are allowed for cases of failure/unavailability of the dedicated interfaces and small ASPSPs for which a dedicated interface would be disproportionately burdensome (Recital 62).

[42] Id., Recital 59.

[43] Id., Recital 56.

[44] In a similar vein, see, Principles for Commercial Frameworks for Premium APIs, UK Joint Regulatory Oversight Committee (2023), available at https://www.fca.org.uk/publication/corporate/jroc-principles-commercial-frameworks-premium-apis.pdf.

[45] European Commission, Proposal for a Regulation on Payment Services, supra note 36, Recital 65.

[46] Proposal for a Regulation on a Framework for Financial Data Access and Amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554, European Commission, COM(2023) 360 final. In particular, the access provision would apply to the following selected categories of customer data: mortgage-credit agreements, loans, and accounts; savings, investments in financial instruments, insurance-based investment products, crypto-assets, real estate, and other related financial assets, as well as the economic benefits derived from such assets; pension rights in occupational-pension schemes; pension rights on the provision of pan-European personal-pension products; non-life insurance products; data which forms part of a firm’s creditworthiness assessment and that is collected as part of a loan-application process or a request for a credit rating.

[47] Id., Recital 2.

[48] Id., Recital 6.

[49] Id.

[50] Regulation (EU) 2022/1925 on Contestable and Fair Markets in the Digital Sector and Amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act), (2022) OJ L 265/1.

[51] Impact Assessment Report accompanying the Proposal for a Regulation on a Framework for Financial Data Access, European Commission, SWD(2023) 224 final, 113.

[52] European Commission, supra note 46, Recital 31.

[53] Report on Open Finance, Expert Group on European Financial Data Space (2022), 35, https://finance.ec.europa.eu/publications/report-open-finance_en.

[54] European Commission, supra note 46, Recital 49.

[55] Id., Recital 21.

[56] Id., Recitals 7 and 29. See also European Commission, supra note 51, 21; Expert Group on European Financial Data Space, supra note 53, 11.

[57] Regulation (EU) 2023/2854 on Harmonized Rules on Fair Access to and Use of Data and Amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act), (2023) OJ L1, Article 9.

[58] European Commission, supra note 46, Articles 5, 9-11.

[59] European Commission, supra note 56, 19.

[60] European Commission, supra note 46, Articles 9 and 10, Recital 25.

[61] European Commission, supra note 56, 55.

[62] European Commission, Proposal for a Regulation on Payment Services, supra note 36, Recital 55; European Commission, supra note 13, 47.

[63] UK Competition and Markets Authority, supra note 11. For further analysis, see Dinçkol, Ozcan, & Zachariadis, supra note 16; Borgogno & Colangelo, supra note 12.

[64] Retail Banking Market Investigation – Final Report, UK Competition and Markets Authority (2016), https://www.gov.uk/cma-cases/review-of-banking-for-small-and-medium-sized-businesses-smes-in-the-uk#final-report.

[65] Id., §46.

[66] Id., §54.

[67] Id., §65.

[68] Id., §66.

[69] Recommendations for the Next Phase of Open Banking in the UK, UK Joint Regulatory Oversight Committee (2023), available at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1150988/JROC_report_recommendations_and_actions_paper_April_2023.pdf; Joint Statement by HM Treasury, the CMA, the FCA and the PSR on the Future of Open Banking, UK Government (2022), https://www.gov.uk/government/publications/joint-statement-by-hm-treasury-the-cma-the-fca-and-the-psr-on-the-future-of-open-banking.

[70] European Commission, supra note 13, 195-196.

[71] UK Government, supra note 69. See also, Open Finance – Feedback Statement, Financial Conduct Authority (2021), available at https://www.fca.org.uk/publication/feedback/fs21-7.pdf.

[72] Competition and Consumer (Consumer Data Right) Rules 2020.

[73] White House, supra note 1.

[74] Consumer Financial Protection Bureau, supra note 2.

[75] Id., §§1033.111 and 1033.211.

[76] Id., §1033.311(c)(1).

[77] Id., §1033.301(c) and §1033.311(c)(2).

[78] Id., 21.

[79] Id., arguing that “[c]omprehensive and detailed technical standards mandated by Federal regulation could not address the full range of technical issues in the open banking system in a manner that keeps pace with changes in the market and technology. A rule with very granular coding and data requirements risks becoming obsolete almost immediately, which means the CFPB and regulated entities would experience constant regulatory amendment, or worse, the rule would lock in 2023 technology, and associated business practices, potentially for decades. In developing the proposal, the CFPB is mindful of these limitations and the risk that they may adversely impact the development and efficient evolution of technical standards over time.”

[80] Id., §§1033.131 and §1033.141.

[81] Awrey & Macey, supra note 23, 20. See also He, Huang, & Zhou, supra note 6, noting that open banking’s core principles do not stop at customer ownership of their own data.

[82] Rohit Chopra, Remarks at Money 20/20 (Oct. 25, 2022), https://www.consumerfinance.gov/about-us/newsroom/director-chopra-prepared-remarks-at-money-20-20.

[83] Press Release, CFPB Proposes Rule to Jumpstart Competition and Accelerate Shift to Open Banking, U.S. Consumer Financial Protection Bureau (Oct. 19, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-proposes-rule-to-jumpstart-competition-and-accelerate-shift-to-open-banking.

[84] Consumer Financial Protection Bureau, supra note 2, 7.

[85] Id., 185 and 213.

[86] Id., 187.

[87] Id., 185-186. Notably, the CFPB estimates that there were between 50 billion and 100 billion total consumer-authorized access attempts in 2022.

[88] See Awrey & Macey, supra note 23, 19 and 35-37, arguing that the U.S. “is home to the world’s largest, most fragmented, and most diverse financial services industry.”

[89] About FDX – Our Mission, Financial Data Exchange, https://financialdataexchange.org/FDX/FDX/About/About-FDX.aspx?hkey=dffb9a93-fc7d-4f65-840c-f2cfbe7fe8a6 (last accessed Jun. 9, 2024).

[90] Consumer Financial Protection Bureau, supra note 2, 9.

[91] Awrey & Macey, supra note 23, 37. See also Consumer Financial Protection Bureau, supra note 2, 16.

[92] Consumer Financial Protection Bureau, supra note 2, 14-15.

[93] European Commission, supra note 46, Recital 7.

[94] European Commission, supra note 13, 14.

[95] Id., 191. See also, A Study on the Application and Impact of Directive (EU) 2015/2366 on Payment Services (PSD2), VVA & CEPS (2023), https://op.europa.eu/en/publication-detail/-/publication/f6f80336-a3aa-11ed-b508-01aa75ed71a1/language-en, estimating that TPPs spent €35 million on problems linked to accessing APIs and €140 million on maintaining legacy systems due to APIs not working properly.

[96] See VVA & CEPS, supra note 95, estimating €2.2 billion in total (one-off) costs for all ASPSPs for setting up PSD2 APIs.

[97] European Commission, supra note 36, Recital 56; European Commission, supra note 56, Recital 29.

[98] Data Act, supra note 57, Recitals 46 and 47, and Article 9.

[99] Consumer Financial Protection Bureau, supra note 2, §1033.301(c).

[100] See, Review into Open Banking: Giving Customers Choice, Convenience and Confidence, Australian Government (2018), 44, https://treasury.gov.au/consultation/c2018-t247313, acknowledging that determining equivalent data for data recipients whose primary business is not financial services can be complex, and therefore recommending that, as part of the accreditation process for non-bank data recipients, the competition regulator should determine what constitutes equivalent data for the purposes of participating in open banking.

[101] Consumer Financial Protection Bureau, supra note 2, §1033.421(a)(2).

[102] Giuseppe Colangelo & Mariateresa Maggiolino, From Fragile to Smart Consumers: Shifting Paradigm for the Digital Era, 35 Comput. Law Secur. Rev. 173 (Apr. 2019).

[103] Consumer Financial Protection Bureau, supra note 2, 21. See also Rohit Chopra, Remarks at the Financial Data Exchange Global Summit, U.S. Consumer Financial Protection Bureau (Mar. 13, 2024), https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-of-cfpb-director-rohit-chopra-at-the-financial-data-exchange-global-summit, acknowledging that the EU approach led to fragmented or conflicting standards, which created complications for open-banking implementation and undermined interoperability, but simultaneously arguing that the opposite approach promoted in other jurisdictions to prescribe detailed technical standards for data sharing would not work in the United States.

[104] Consumer Financial Protection Bureau, supra note 2, §§1033.131 and 1033.141. But see also Chopra, supra note 103, announcing that, before finalizing the Personal Financial Data Rights rule, the CFPB would “codify” what attributes standard-setting organizations must demonstrate to be recognized under the rule.

[105] Consumer Financial Protection Bureau, supra note 2, 22.

[106] Babina et al., supra note 4; OECD, supra note 7.