Open Banking: New Open-Ended Compliance Obligations for Regulated Entities
Every year lawmakers and regulators seem to find a new domain for cyber regulation and another set of standards for industry to digest and apply. While regulation of water utilities seems a likely new entry this year, the one nearest to launch is that which sets new business requirements on the banking industry under the rubric of open banking regulation.
What is open banking?
Open banking is a concept that has been under consideration for a number of years and has seen uneven application and success, mainly in Europe and Australia. The idea is to empower consumers to control data that has been historically the domain of their banks. By controlling their data, the theory goes, consumers can move between banks and other service providers readily, and thereby enhance competition and the ability of banks and vendors to innovate. Whether and to what extent consumers are interested or find value in this terrific flexibility remains an open question, but the mandate to banks to put the groundwork in place likely is not.
Where does this regulation originate?
The rule derives from the now hoary Dodd-Frank Act, which directed the Consumer Financial Protection Board (CFPB) to adopt rules back in 2010. Never one to pass on regulatory authority, the CFPB chair referred to this provision of law as “dormant,” but found the energy to initiate rulemaking in fall 2023, with comments closing this past December. As of March, adoption of the final rules may be bound up in the complexity of the rule’s direction to better share information on the one hand and, on the other, to enforce other financial regulations, such as anti-money laundering (AML) and know-your-customer rules. It is generally expected that the rule will be published as final as soon as practicable, especially in light of the possibility of a Congressional Review Act action following the 2024 elections.
What will the rule require of banks?
The CFPB rules have several main points, including:
What are the implications for compliance and regulation?
There are a number of challenges with adoption. Since the gist of the rule is that consumers can authorize third parties access to information and, in the reverse, have it shared with a bank or credit union, there is significant concern over fraudulent access to information and over AML, combatting the financing of terrorism and know-your-customer rules, which are generally highly audited and closely enforced by banking regulators. From a cybersecurity perspective, however, the idea that banks and credit unions, at their own cost, will now build API-based interfaces to share a wide variety of in-scope information required under the rule creates a series of potential headaches for them. These start with ensuring that information that is not subject to the rule remains private and unshared, the segregation of which from authorized “covered data” will be a nontrivial exercise for bank security officers and their teams.
The creation and management of APIs is also of significant concern. APIs provide standardized access between applications for sharing data. They are essentially very tailored software that provides windows or gateways into otherwise secured programs that banks and credit unions have traditionally kept very isolated. Secure API development is not a given, and API hacks or compromises have been responsible for a range of high-profile breaches. These include such notables as the Equifax breach of 2017 and, more recently, the Australian telecom giant Optus in 2022.
The CFPB rule is vague on the security standards and requirements (ostensibly on purpose) to allow for the industry to set standards. Unlike other industries, there’s no clear leader for establishing an enforceable API standard for the banking industry. That potentially leaves banks and credit unions on their own should the rule be launched with its aggressive implementation timeline. Generally, the security protocols for designing APIs are similar to general secure coding practices.
These include:
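As an added example (not from the article and not any bank's own code), the following Python sketch shows the two controls the paragraphs above call for: a consumer's consent is checked against the requesting third party before any data flows, and only an explicit allowlist of "covered data" fields is ever copied out, so internal AML, risk and identity fields stay unshared by default. Scope names, field names and sample values are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Deny by default: only fields listed here can ever be shared, and only under the scope that
# covers them. Internal data (AML flags, notes, identifiers) is simply absent from the allowlist.
# Scope names, field names and sample values are constructed for this example.
COVERED_FIELDS = {
    "account:balances": {"account_id", "available_balance", "current_balance"},
    "account:transactions": {"account_id", "transactions"},
    "account:identity": {"account_id", "holder_name", "holder_email"},
}

@dataclass(frozen=True)
class Consent:
    consumer_id: str       # the consumer who authorized the sharing
    third_party_id: str    # the authorized recipient (the third party's client id)
    scopes: frozenset      # subset of COVERED_FIELDS keys the consumer granted
    expires_at: datetime   # consents are time-limited

def check_consent(consent, consumer_id, third_party_id, now):
    """Raise PermissionError unless the consent binds this consumer and recipient and is live."""
    if consent.consumer_id != consumer_id:
        raise PermissionError("consent does not belong to this consumer")
    if consent.third_party_id != third_party_id:
        raise PermissionError("consent was not granted to this third party")
    if now >= consent.expires_at:
        raise PermissionError("consent has expired")
    unknown = consent.scopes - set(COVERED_FIELDS)
    if unknown:
        raise PermissionError(f"unknown scopes: {sorted(unknown)}")

def filter_covered_data(record, consent, consumer_id, third_party_id, now):
    """Return only the fields the consent covers; everything else never leaves the bank."""
    check_consent(consent, consumer_id, third_party_id, now)
    allowed = set().union(*(COVERED_FIELDS[s] for s in consent.scopes))
    return {k: v for k, v in record.items() if k in allowed}

# Constructed sample: covered fields mixed with internal-only fields that must never be shared.
SAMPLE_RECORD = {
    "account_id": "acct-0001", "available_balance": 1250.40, "current_balance": 1300.00,
    "transactions": [{"id": "t1", "amount": -49.60}], "holder_name": "A. Example",
    "holder_email": "a@example.com", "ssn_last4": "1234", "aml_risk_score": 7,
    "internal_notes": "manual review 2024-03",
}
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)
BALANCES_CONSENT = Consent("cons-42", "tpp-fintech", frozenset({"account:balances"}), NOW + timedelta(days=90))
EXPIRED_CONSENT = Consent("cons-42", "tpp-fintech", frozenset({"account:identity"}), NOW - timedelta(days=1))

if __name__ == "__main__":
    print(filter_covered_data(SAMPLE_RECORD, BALANCES_CONSENT, "cons-42", "tpp-fintech", NOW))
```

The allowlist is the segregation mechanism: a field that is not in COVERED_FIELDS cannot be released by any scope, so a misconfigured or overbroad consent cannot expose it.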
Security practices and traditional bank regulation have been cast in an uncertain light in this new CFPB initiative to transform the banking industry. For many of your clients, the work will create serious risk and pressures to meet requirements while maintaining the general security of exceptionally sensitive information. Careful and prudent advising and risk management will be an interesting and dynamic proposition for lawyers advising on compliance issues under these new rules.
This article originally appeared in the May 2024 issue of New Hampshire Bar News.
A member of the New Hampshire and Maine Bars, Ande Smith is president and founder of Deer Brook, an IT and cybersecurity consultancy. Deer Brook provides a range of cybersecurity services, including penetration testing and security program management, to many sectors of the SMB market. It can be found at deer-brook.com and Ande can be reached at asmith@deerbrook.com.