
Re-published with permission from Alex Johnson, Fintech Takes.
Everyone talking about open banking right now is laser-focused on the fight over fees and cost recovery. However, there's another fight that is getting less attention, but is (perhaps) more important - the fight over liability and third-party risk management. We've made tremendous progress over the last decade in moving the open banking ecosystem away from screen scraping and towards APIs, with much of the heavy lifting being done by the technical standard-setting organization FDX. APIs reduce credential sharing, but a larger and thornier problem remains: when a consumer grants access to a third party, who's actually responsible when something breaks?
1. Data rights for consumers, risk and liability for banks – There's a contradiction at the heart of Section 1033. Consumers have the right to share their financial data wherever they want, yet when something goes wrong, it's still the bank that is on the hook for it. That leaves banks in the strange position of having their customers bring them third-party ‘vendors’ they've never heard of and insisting they work together. Under Reg E, banks must reimburse customers for unauthorized transactions even if the transactions are facilitated by a fintech company or data aggregator. And the rulebook they're told to use was written for a different world, when a ‘third-party vendor’ meant FIS or Jack Henry, versus a fintech app connecting to a bank's systems through APIs because a customer granted it access.
2. The infrastructure of trust – Under Section 1033 of Dodd-Frank, the CFPB's rulemaking aims to cement consumers' right to access and share their financial data. However, the CFPB is not responsible for ensuring that open banking doesn't jeopardize the safety and soundness of the U.S. financial system. That responsibility falls on the prudential bank regulators. It may make more sense to place some of the responsibility for integrating banks' open banking and risk management requirements on the banks themselves – but through the development of new, industry-wide standards and accreditation processes. Steve Smith and the team at Invela are trying to create a single, transparent accreditation process for third-party providers, a public registry of approved participants, and a dynamic risk score updated in real time.
3. Sharing the risk – Under Reg E and Reg Z, banks have to make the customer whole even when a failure by a third party (chosen by the customer) is what triggers the loss. To put it mildly, banks don’t love this. One solution that Invela is pursuing: what if accredited third parties could back their data access with a warranty-based risk-sharing product, essentially an insurance-style mechanism that covers losses their systems create? That coverage would give banks some assurance when things go wrong. The question, of course, is would the third parties (or the aggregators they use to access the data) be willing to pay for this? As we have seen with the debate over fees, the fintech side of the market is very accustomed to getting customers’ data for free, and getting them onboard with paying for insurance (in addition to paying for access to the data itself) may be a tough sell.