Alkami Experts Provide Insight
By Roy Urrico
The development and increasing importance of digital banking to consumers, financial institutions and financial technology suppliers revolve around the emergence of regulations overseeing open banking systems. In the European Union (starting in 2018) and the United Kingdom (in 2020), rules direct the transition. On Oct. 22, 2024, the Consumer Financial Protection Bureau (CFPB) finalized a rule overseeing open banking in the U.S. designed to give consumers greater rights, privacy, and security over their personal financial data.
Two open banking experts from Plano, Texas-based digital banking solutions provider Alkami (Deep Varma, CTO of digital banking solutions, and Dennis Irwin, chief compliance officer) discussed the impact of the new CFPB rule on credit unions and other financial institutions with Finopotamus.
The CFPB rule requires financial institutions, credit card issuers, and other financial providers to unlock an individual’s personal financial data and transfer it to another provider at the consumer’s request for free. In this way, consumers can more easily switch to providers with superior rates and services. Consumers will be able to retrieve, or authorize a third party to access, data such as transactions, account balances, bill information and basic account verification information.
By fueling competition and consumer choice, the rule, according to the CFPB, will help lower prices on loans and improve customer service across payments, credit, and banking markets. “Too many Americans are stuck in financial products with lousy rates and service,” said CFPB Director Rohit Chopra, in making the announcement. “Today’s action will give people more power to get better rates and service on bank accounts, credit cards, and more.”
“The good news for the United States is finally we have a ruling in place today. And that ruling clearly states what providers, the financial institutions, the fintechs and the third parties have to do to abide by open banking rules,” explained Varma. “It is a matter of opening the floodgates and getting the financial institutions and everyone ready to comply with those rulings.”
“There is an opportunity for financial institutions to really embrace this and implement this and improve their whole API (application programming interface) ecosystem,” Irwin told Finopotamus. “We are in a much better position across the U.S. because we already have a lot of connectivity – the banks and credit unions – with fintechs.”
The CFPB Open Banking Rule
The new open-banking rule is part of the CFPB’s efforts to activate Section 1033 of the Consumer Financial Protection Act, enacted by Congress in 2010. The rule ensures that third parties cannot use consumer data for other purposes that benefit the third party but that consumers do not want. It also helps move the industry away from “screen scraping,” which typically involves consumers providing account passwords to third parties who use them to access data through online banking portals.
Two U.S. banking groups, the Bank Policy Institute and the Kentucky Bankers Association, filed a lawsuit in U.S. District Court challenging the new CFPB rule, arguing the regulator overstepped its authority. The groups asked the court to halt the rule from taking effect.
Assuming the new CFPB rule proceeds on schedule, it establishes staggered compliance deadlines based on the size and type of financial institution. The earliest deadline is for depository institutions with at least $250 billion in assets for calendar year 2023 and non-depository institutions with at least $10 billion in receipts for 2024. These must comply with the rule by April 1, 2026.
Consent Management Infrastructure
Whether it is a credit union, a regional community bank or any financial institution, “the ruling clearly states an empowerment has been given to the members of a credit union or the accountholders of the banks, that they can decide what data they want to share with the third parties or the fintechs,” Varma said, adding that data sharing has to be secure. Simultaneously, members can share this data to obtain benefit for themselves, better customer service or loan rates, or insights about their data.
The challenge for credit unions and other financial institutions becomes “how do credit unions allow the members to share the data?” said Varma. He explained the new CFPB rule requires explicit, informed consumer consent with clear disclosures. This means developing transparent and user-friendly consent management systems that allow consumers to authorize, track, and revoke access.
“You are going to have to work on consent management,” said Irwin. “Not only do we have to systemically manage those requests; if someone wants to revoke their consent, you have to do it immediately.”
If a credit union is using any digital banking platform provider, like Alkami, they need to understand if their platform is ready to scale the infrastructure, suggested Varma. That includes risk maintenance of the information. “It is very imperative to make sure that this data exchange is happening securely.”
As mentioned earlier, the practice of screen scraping, which is intended to identify elements in a user interface and extract data, needs addressing. “This (CFPB) ruling has clearly said, they want to ban all the screen scraping technologies,” said Varma. “For the credit unions, they need to start talking with their providers to see if they are ready with the infrastructure, security, and consent management.”
Building Awareness
“I saw when the CCPA (California Consumer Privacy Act) and the GDPR (European Union’s General Data Protection Regulation) ruling was passed (both in 2018), there was a lack of awareness because most of the financial institutions had no idea what it meant for them,” explained Varma. “This (CFPB) ruling impacts the credit union’s front office, mid office, (and) back office. Anyone who is touching these three areas needs to know about that ruling.”
Said Varma, “it is a matter of engaging the members and sharing with them the value. Because at the end of the day, members are looking for better interest rates. They are looking for the better customer service. They are looking into more insights into (their) transactions.”
“We have a strong API environment. The UK and the EU, whenever they enacted that regulation, were not near as mature as we are now. So, I think the transition is going to be relatively easy,” Irwin proposed. “But for those FIs that do not have a mature ecosystem where they are already developing APIs with their fintechs and offering services they are the ones that are going to face the bigger challenges.”
New Products and Security Protocols
The new CFPB guidance will enable credit unions and banks to offer different products, suggested Irwin. As an example, he mentioned cash flow loans, a type of unsecured borrowing. “It changes the way FIs are going to operate in their risk management teams and their underwriting teams.”
There are going to be some far-reaching implications as well, maintained Irwin. “The sooner the financial institutions adopt it, and not just being reactive to the regulation, but proactively consider improving their ecosystem, they are going to be able to create this top-of-wallet financial institution. With that strong ecosystem offering those (innovative) products and services; you will be able to create a sticky relationship with those customers.”
This regulation is going to require much stronger security protocols around APIs, pointed out Irwin. “There are obviously cybersecurity risks, whenever you are connecting like this. And the regulation ensures that each financial institution and fintech has to up their game. You are going to have a much stronger environment overall when it comes to that.”
Innovation and Development
Irwin acknowledged that credit unions and other financial institutions are concerned about the cost of development and losing account holders. “How are you going to prevent customers from switching and having a strong API ecostructure to where you can connect with fintechs and offer those additional services.”
Irwin foresees the development of innovations and products and the ability to connect seamlessly as critical. “In order to tap into that, one of the things you really need is strong third-party risk management as well.” This means bringing on fintechs who are trusted partners that financial institutions feel comfortable are meeting all of the required security protocols.
“(Alkami) already has a strong ecosystem when it comes to third party risk management. We have been investing in that for years,” said Irwin. “Because it is critical that we have that trust of our financial institutions.” Varma described how Alkami provides a scalable and secure infrastructure with third-party risk management for safe data exchanges. “Plus building the creative and the innovative products on top of it, helping credit unions to offer much more creative ways to serve members.”