With open banking fast becoming the backbone of today’s payments landscape, the need for an industry standard to ensure protection of consumer data is moving front and center.
In the United States, where no such standard currently exists, the payments industry is at odds over whether the country should adopt a standard already implemented elsewhere, even if it is a modified version, or develop a standard specific to the U.S.
At the heart of the push for an open-banking standard is the need to eliminate two practices: screen scraping, a process that allows the gathering of customers’ financial-transaction data from multiple sources, and the copying of data silos. In both instances, those data-gathering techniques make it difficult to control the data being gathered, says Chris McLellan, director of operations for the Data Collaboration Alliance, a Toronto-based non-profit that helps consumers and organizations control their information.
While screen scraping and data copying may have been acceptable practices when open banking was in its infancy, McLellan argues any open-banking standard should put the issue of data ownership front and center in discussions of how applications are designed. This, he says, will ensure protection by reducing the number of copies in existence.
“Data is the lifeblood of organizations, and to ensure data protection, open-banking apps need to be built differently,” McLellan says. “One of the most important ways we can accelerate major breakthroughs in the open-banking space is to embrace new data-management technologies, standards, and protocols that place data ownership at the forefront of digital design.”
Unfortunately, McLellan adds, that argument has “grown into a wall of friction between innovators and regulators.”
The flipside of McLellan’s position is that data protection in relation to open-banking apps is already being addressed through the development of a standard by the Financial Data Exchange.
“In the U.S., we have taken an industry-led approach to developing a technology standard through the Financial Data Exchange that addresses secure financial data access with explicit permission from the consumer,” Jess Turner, an executive vice president at Mastercard Inc., says by email. “Within FDX, the ecosystem has settled on a direct API approach with OAuth (tokenized) permissioning. The API model layers bank-level encrypted security protocols on top of speed and convenience.”
Despite the FDX standard, the Consumer Financial Protection Bureau is also developing an open-banking standard, but has reportedly hit a speed bump over how to handle data protection and consumer privacy when it comes to Big Tech’s use of consumer data gathered through open-banking apps. The concerns stem from criticisms of how Big Tech already handles consumer data.
“One need only look at the ongoing ‘Privacy Shield 2.0’ negotiations between the US and Europe to gather this is one of the key challenges of our time,” McLellan says. “It’s fair to say that this issue is particularly poignant when the initiative in question concerns the sharing and use of highly sensitive information such as financial transactions.”
One solution to the standards issue in the U.S. could rely on rulemaking in Section 1033 of the Dodd-Frank Act, says Plaid Inc., a financial-services company that has built a data-transfer network that powers open banking. That section, among other things, lays out rules for debit networks.
“We’ve seen governments across the world embrace open finance and establish rules to protect consumers’ rights to their own financial data – from the UK and the EU, to Brazil, Singapore, and Australia, among others,” a Plaid spokesperson says. “Canada also recently moved forward with plans to establish an open-finance regime. Now the U.S. is at a critical juncture to take action.”