June 27, 2024

API Strategy for Open Banking Regulations in the U.S. – Why Financial Institutions Should Prepare for FDX and CFPB 1033 Today

by Kent Brown in Banking Core Integration, Open Banking, ORCA

TL;DR: 

The Consumer Financial Protection Bureau (CFPB) expects to implement Section 1033 of the Dodd-Frank Act in the fall of 2024.[1] What does this mean for community banks and credit unions and the future of open banking in the U.S.? Open banking regulations began outside the U.S., with Europe’s PSD2 in 2016 and a handful of countries following suit. Lacking a unified standard, the U.S. saw fragmented adoption driven by fintechs like Plaid. To address this, PortX developed ORCA (Open and Reusable Core API) to standardize banking core integrations. The Financial Data Exchange (FDX) has gained momentum, promoting secure APIs to replace screen scraping. With the CFPB’s upcoming rule, financial institutions (FIs) should now prepare for more stringent data-sharing regulations that emphasize secure, user-permissioned APIs, both to stay compliant and to remain competitive. This blog outlines the global journey of open banking regulations and shares insights on how FIs can strategically adapt to the upcoming U.S. regulatory changes.

The birth of open banking regulation and the initial U.S. response 

In 2016, the European Union introduced PSD2, or the Second Payment Services Directive, a regulation implemented to enhance consumer rights, promote innovation, and increase competition in the financial services sector. The UK implemented its version through the Open Banking Standard in 2017 after a market investigation into retail banking. In 2021, the Central Bank of Brazil mandated that financial institutions share customer data with third-party providers upon consumer consent, advancing the role of the BCB “to foster a sound, efficient, and competitive financial system, and to promote the economic well-being of society.” Australia’s open banking regulations, part of the Consumer Data Right (CDR) framework introduced in 2020, allow consumers to securely share their financial data with accredited third parties, enhancing transparency and consumer control over personal financial information.

The common theme across these regulations is the enhancement of consumer rights and control over their financial data, the promotion of innovation, and increased competition within financial services. 

The U.S. has lacked a unified framework, leading to piecemeal adoption in which fintechs, primarily companies like Plaid and MX, filled the gap.

The inception and evolution of ORCA (Open and Reusable Core APIs)

During these years, as PortX expanded connections between banking cores and our integration platform, Fintech Hub, we evaluated our strategy to maximize the value of reusable integrations for our customers. We examined several emerging industry standards like CUFX, BIAN, and ISO 20022 during this process. However, after determining that no single U.S. standard was sufficiently robust to meet the needs of our clients, we developed an open banking API for core integration, known as ORCA (Open and Reusable Core API).

ORCA is based mainly on the ISO 20022 standard: it converts core-specific types into ISO-format types, which ensures semantic compliance and simplifies data transformation and coverage. It provides a user-friendly, RESTful interface for common core use cases such as online banking, account opening, payments, loan origination, credit cards, and more. Fintechs and FIs use ORCA to connect to a single API instead of multiple core-specific connections, reducing the complexity and cost of building and maintaining separate integrations.

Read more about ORCA: https://portx.io/open-banking-api-building-a-universal-data-model-for-fintech-integration-to-the-core/

Financial Data Exchange (FDX) gains momentum in the U.S.

Developing ORCA led our team to the Financial Data Exchange (FDX) Global Summit in the spring of 2023. FDX is a non-profit industry standards body operating in the U.S. and Canada, dedicated to unifying the financial services ecosystem around a common, interoperable, and royalty-free technical standard for user-permissioned financial data sharing, known as the FDX API.[2]

In spring 2023, FDX had already gained a strong following among major open banking fintechs such as Plaid and MX. A year later, it is apparent that FDX is emerging as a strong contender for establishing a unified open banking standard in the U.S. At FDX’s Global Summit 2024 in Washington D.C., the organization had gained notable momentum since our original visit to the annual conference, aligning big industry players and growing significantly in the number of attending fintechs. Discussions and developments at the FDX conference indicated a significant shift towards formalizing FDX standards under the Dodd-Frank Act, suggesting a more regulated and structured future for open banking in the U.S.

Standardized APIs, FAPI, and the shift away from screen scraping 

A focal point of FDX’s advocacy has been to move away from screen scraping, a practice fraught with security risks and privacy concerns. For example, one can easily observe the implications of this practice in budgeting applications such as CreditKarma or Simplifi. These apps allow the user to give permission to pull data from their various accounts. This provides a comprehensive view of the user’s financial position by integrating credit cards, bank accounts, and investment accounts, permitting the user to manage their financial goals. 

Screen scraping involves code that simulates user actions, essentially taking screenshots and extracting text from those images to gather the necessary data. This approach poses significant security risks: the aggregator must store the user’s password, and once logged in it can access the entire account without restriction. Although these companies are generally trustworthy, consumers need more control over what data is accessed and how it is used, which raises major privacy concerns.

FDX addresses these issues by promoting secure APIs as a best practice. These APIs adhere to the FAPI (Financial-grade API) security standard, a set of standards designed to ensure the highest levels of security and privacy for APIs used in financial services. Developed by the OpenID Foundation, FAPI aims to protect sensitive financial data and transactions by providing specific guidelines and protocols for secure API interactions. This shift towards standardized APIs helps enhance security, control, and reliability in financial data sharing.

For FIs, FDX is just the beginning of supporting comprehensive financial operations

The FDX open banking APIs are designed to provide the minimal data necessary for specific use cases, ensuring security and privacy by only retrieving the data legitimately needed for a given scenario. For example, when applying for a loan, the system might request the user’s account numbers and credentials to access specific data needed for the application process. The FDX model ensures that users are informed about the data being accessed and must give explicit permission, thereby minimizing the data exposure and focusing only on the essential information for each scenario.
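The following is an added example, not PortX, ORCA or FDX code, that models the two ideas above: a data recipient holds a consent the consumer granted through an authorization flow (the FAPI-style permissioned access described in the previous section), and the data holder returns only the data clusters that consent covers (the data minimization described here). The scope names, field names, recipient identifiers and the account record are all constructed for illustration and do not reflect the FDX API's actual scopes or schema.

```python
# Added example (hypothetical, not PortX/ORCA or FDX code): enforce
# user-permissioned scopes on an account-data endpoint so a data recipient
# only receives the fields the consumer actually consented to.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

# Fixed "current time" so the example is reproducible; constructed value.
NOW = datetime(2024, 6, 27, tzinfo=timezone.utc)

# Constructed sample record in the shape a core might return (hypothetical).
ACCOUNT = {
    "accountId": "acct-0001",
    "displayName": "Everyday Checking",
    "currentBalance": 1523.44,
    "accountNumber": "000011112222",      # constructed, not a real account
    "routingNumber": "EXAMPLE-ROUTING",   # placeholder, not a real routing number
    "transactions": [
        {"postedDate": "2024-06-20", "amount": -42.10, "description": "Grocery"},
        {"postedDate": "2024-06-21", "amount": 2500.00, "description": "Payroll"},
    ],
}

# Hypothetical mapping from a consent scope to the fields it unlocks.
# This is an allow-list: a field not listed under a granted scope is never
# serialized into a response, whatever else the record contains.
SCOPE_FIELDS = {
    "accounts:basic":    {"accountId", "displayName"},
    "accounts:balance":  {"currentBalance"},
    "accounts:details":  {"accountNumber", "routingNumber"},
    "transactions:read": {"transactions"},
}


class ConsentError(Exception):
    """Raised when a request is not covered by a valid, unexpired consent."""


@dataclass(frozen=True)
class Consent:
    consent_id: str
    user_id: str
    recipient_id: str        # the fintech the consumer authorized
    scopes: frozenset        # data clusters the consumer granted
    expires_at: datetime
    revoked: bool = False


def make_consent(scopes: Iterable[str], recipient_id: str = "fintech-a",
                 days_valid: int = 90, revoked: bool = False) -> Consent:
    """Build a constructed consent record relative to NOW (hypothetical helper)."""
    return Consent("c-1", "user-7", recipient_id, frozenset(scopes),
                   NOW + timedelta(days=days_valid), revoked)


def validate_consent(consent: Consent, now: datetime) -> None:
    """Reject revoked, expired or malformed consents before any data is read."""
    if consent.revoked:
        raise ConsentError(f"consent {consent.consent_id} was revoked")
    if now >= consent.expires_at:
        raise ConsentError(f"consent {consent.consent_id} expired")
    unknown = consent.scopes - set(SCOPE_FIELDS)
    if unknown:
        raise ConsentError(f"unknown scopes: {sorted(unknown)}")


def minimize(record: dict, scopes: Iterable[str]) -> dict:
    """Return only the fields unlocked by the given scopes (allow-list filter)."""
    allowed = set()
    for scope in scopes:
        allowed |= SCOPE_FIELDS[scope]
    return {key: value for key, value in record.items() if key in allowed}


def serve_account(consent: Consent, recipient_id: str, requested_scopes: Iterable[str],
                  now: Optional[datetime] = None, record: dict = ACCOUNT) -> dict:
    """Handle one data request: check the caller, then the consent, then minimize."""
    now = now or datetime.now(timezone.utc)
    if recipient_id != consent.recipient_id:
        raise ConsentError("consent was granted to a different recipient")
    validate_consent(consent, now)
    requested = frozenset(requested_scopes)
    excess = requested - consent.scopes
    if excess:
        # Refuse outright rather than silently narrowing: the recipient asked
        # for data the consumer never authorized, which is worth logging.
        raise ConsentError(f"scopes not granted: {sorted(excess)}")
    return minimize(record, requested)


def is_refused(consent: Consent, recipient_id: str, requested_scopes: Iterable[str],
               now: datetime = NOW) -> bool:
    """True if the request is rejected; convenient for checks and tests."""
    try:
        serve_account(consent, recipient_id, requested_scopes, now)
    except ConsentError:
        return True
    return False


if __name__ == "__main__":
    consent = make_consent({"accounts:basic", "accounts:balance"})
    print(serve_account(consent, "fintech-a", ["accounts:basic", "accounts:balance"], NOW))
    print("details refused:", is_refused(consent, "fintech-a", ["accounts:details"]))
```

Two design choices matter here. The filter is an allow-list keyed on granted scopes, so a new sensitive field added to the core record is withheld by default rather than leaked until someone remembers to block it. And a request that exceeds the consent is refused rather than quietly trimmed, because an over-broad request is a signal the data holder should see in its logs, not paper over.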

In tandem, ORCA aims to provide a universal API for banking cores, offering a broader scope than FDX. While there is overlap, ORCA’s goal is to support a wider range of financial operations, not limited to the minimal data sets required by FDX. As a result, ORCA functions as a superset with a more extensive range of capabilities. Despite this broader focus, we continue to align with FDX to ensure compatibility and comprehensive coverage of financial use cases.

Strategic implications for financial institutions 

The U.S. is on the cusp of enacting open banking rules under the Consumer Financial Protection Bureau’s (CFPB) impending 2024 rule implementing Section 1033 of the Dodd-Frank Act. Known as the Personal Financial Data Rights rule, it will grant consumers the right to securely access and share their financial data. Designed to promote competition, enhance consumer protection, and shift away from insecure practices like screen scraping, the rule forces FIs to prepare for a new banking era characterized by heightened regulatory expectations and data portability.

FIs must seriously consider partnerships and technologies that align with these new standards, ensuring they are equipped with secure, API-based data-sharing capabilities to meet regulatory demands and foster consumer trust.

ORCA’s alignment with FDX standards positions PortX customers ahead, ready to meet these new requirements efficiently. FIs using ORCA will benefit from an advanced state of compliance readiness, reducing the operational risks associated with adapting to this new regulation.

Navigating new norms in financial services

As we reflect on the past three years, the evolution of open banking highlights a shift towards a more transparent, secure, and consumer-driven financial ecosystem. For FIs, embracing these changes means leveraging technologies like ORCA to ensure they remain competitive and compliant in a rapidly evolving market. The ongoing developments in regulatory frameworks and technology standards will continue to define the strategies and investments of FIs and fintechs, emphasizing the importance of adaptability and forward-thinking in governance.

Connect with our team today to learn more about how we designed ORCA to streamline core banking integrations and prepare FIs for upcoming open banking regulations.

  1. https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-of-cfpb-director-rohit-chopra-on-the-proposed-personal-financial-data-rights-rule/
  2. https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-of-cfpb-director-rohit-chopra-on-the-proposed-personal-financial-data-rights-rule/
