Prepared Remarks of CFPB Director Rohit Chopra at the Financial Data Exchange Global Summit
March 14, 2024 / Source: CFPB
Today, I want to discuss the status of where we are on accelerating America’s shift to open banking, with a focus on the role of standard setters and standard-setting. I then want to discuss some of the dangers of how the standard-setting process can be weaponized in an anticompetitive way. I’ll close with how standard-setting organizations can anticipate becoming recognized by the Consumer Financial Protection Bureau (CFPB).
All of you in this room know that the United States has a clunky system when it comes to switching financial products. Moving to a new checking account with a better interest rate involves resetting direct deposits and recurring bill-paying, printing new checks, and obtaining a new card device. Mistakes can be costly. It’s no surprise that the largest banks in the country have barely budged on their rates, but still retain their depositor base.
Open banking involves less red tape and more seamless switching. Several months ago, the CFPB proposed rules that will serve as a key foundation in the shift to open banking. The rules rely on a dormant authority under Section 1033 of the Consumer Financial Protection Act, which gives consumers rights to access their data. The rules also seek to ensure that sensitive personal financial data is safe and private.
We are in the process of finalizing these rules, by reviewing feedback to our proposal, coordinating with our sister components within the Federal Reserve System, and thinking through enforcement with other financial regulators.
As part of this process, there is growing discussion about how to set relevant industry standards – including data standards and sharing protocols. These standards are very important to make sure the system is open and interoperable. The proposal we issued last year recognizes the important role standards and standard setting will play in open banking. However, the proposal also purposely avoids micromanaging or dictating prescriptive technical details.
We all probably recognize the importance of standard-setting. Electronics sold in the U.S. have a common set of plugs that fit into outlets installed in our homes and offices. Motor vehicles sold in the U.S. are designed to drive on the right side of the road. Standards can help create a common understanding for engineers and designers to build products and offerings.
Financial services are no different when it comes to the need for standards. Debit and credit cards generally follow a standard. American Express cards typically start with a “3,” Visa cards with a “4,” and Mastercard cards with a “5.” Certain digits give us a clue on the issuing bank and the account number, while others help quickly determine if it’s a valid number.
The physical card also has other attributes that allow it to be read using different types of readers, in order to be accepted by swiping the magnetic stripe, tapping, or inserting the chip. These standards are all developed by industry participants. While government has some involvement and varying degrees of oversight, I expect open banking will need the same type of standard-setting.
Some of this standard-setting might be technical in nature. For example, open banking would be easier and less reliant on intermediaries if developer interfaces always provided data in a standardized format. Other types of standard-setting might be more along the lines of best practices, such as norms for how data providers communicate and implement scheduled downtime or other disruptions that may interfere with consumers’ data access rights.
We learned a great deal from other jurisdictions’ efforts to implement open banking around the world. Specifically, we understand how important it is to strike a balance between regulations being too prescriptive – which can slow adoption and lock the market in to old technology, and regulations not being prescriptive enough – which can lead to messy or fragmented standards, or prevent standards from sufficiently developing.
We know that in some jurisdictions, such as Australia, regulators have gone to great lengths to prescribe detailed technical standards for data sharing in their open banking regimes. However, I’m less confident a similar approach would work in the U.S.
At the same time, we also know that in other jurisdictions, such as in the EU, regulators took an approach that led to fragmented or conflicting standards. This approach created complications for implementation and undermined interoperability.
Of course, we know dangers exist when more powerful players weaponize industry standards. We have to be vigilant that standard-setting does not skew to benefit dominant firms and their prevailing market power.
Importantly, weaponizing industry standards is not a new problem.
To take an example from the manufacturing industry, in Allied Tube & Conduit v. Indian Head, Inc., a 1988 Supreme Court case, the Court discussed how incumbent steel conduit producers used a standard-setting organization’s procedures to exclude an innovative, plastic-based conduit, locking the market in to old technology.
To take another Supreme Court example, in 1982 in American Society of Mechanical Engineers v. Hydrolevel Corp., the Court highlighted a situation wherein an official of a standard-setting organization conspired to release an interpretation of the organization’s code for water boiler safety devices that was unfavorable to a competitor of the official’s firm. That is, an official of a standard-setting organization used his position in that organization to lock a competitor, with a different approach, out of the market. It’s notable that in the case, the Court held the standard-setting organization could be held liable for the anticompetitive acts of the official.
In financial services, we’ve also seen how the owners of networks and financial plumbing can distort the rules in their favor.
We continue to hear reports about incumbents potentially coordinating efforts to limit consumers’ exercise of their rights to access data by forcing data sharing through a bank-owned venture.
Anti-competitive behavior by dominant firms or standard setters is not going to advance open banking. Banks can choose their own service providers to enable open banking, but we will be watching out to make sure that such service providers are not used to an anticompetitive effect.
Some of these anti-competitive tactics may also violate the law. The CFPB is in regular communication with the Department of Justice to flag potential self-dealing schemes that may run afoul of civil and criminal laws.
That’s why our proposed rule anticipated the CFPB setting rules around formal recognition of standard-setting organizations. This will prevent large incumbents from rigging standards in their favor.
Today, I want to share more detail about how we expect to recognize standard-setting organizations. Well before we finalize the Personal Financial Data Rights rule this fall, we intend to codify what attributes standard-setting organizations must demonstrate to be recognized under the rule. After we codify those attributes, we will invite standard-setting organizations to begin the process of seeking formal recognition from the CFPB. This will help us recognize standard setters as quickly as possible, which should help facilitate compliance. We plan to do this as soon as is practicable, before we finalize our Personal Financial Data Rights rule.
Based on the formal feedback we received in the proposed rule, I anticipate that the final rule we intend to issue this fall will identify the areas where standards are relevant to the requirements of the final rule.
The attributes we are considering for standard-setting organizations will not be a surprise to those who read our proposal. For example, we are considering whether standard-setting organizations should be balanced, such that no single entity or group of entities dominates decision making.
We will look closely at the makeup of the board or group that makes determinations with respect to the setting or modification of standards. We’ll be looking at your funding structure. If the composition suggests favoritism or if funding is dominated by one market participant, that will be a problem.
Additionally, if there is no meaningful way for consumer privacy interests or the interests of small firms to be considered, that might also be a problem. I urge all interested standard setters in this space to look hard at their practices and procedures to ensure your organization is not simply a puppet for a powerful player.
In terms of the process for maintaining recognition, we want to ensure that there are no bait-and-switches or any other mischief. I expect that CFPB recognition might be revocable or time-limited under certain circumstances.
While interoperability is an important component of a healthy open banking system, I would eventually like to recognize more than one standard to allow the market to develop without complete reliance on one set of protocols. I also recognize that not every standard setter might be ideally suited to create standards for every part of the open banking system, and new standard-setting organizations may need to emerge as the system evolves.
As I conclude, I want to emphasize that existing standard setters should not take their place in this market for granted. The CFPB’s strong preference remains for market-driven standards, but we will not be able to rely on such standards if they are structured to allow incumbents to maintain their market power to the detriment of open banking in the United States.
If we’re unable to identify standard-setting organizations, we will be prepared to step in with more detailed guidance. But we think the industry should be prepared to think critically about these issues now, to stand ready to engage with us, and to prepare for applying for recognition even before the main rule is finalized this fall.
Thank you.