Hear from industry leaders on privacy in open banking and how to prepare your organization for the release of the CFPB rule related to Section 1033 of the Dodd-Frank Act.

For additional information on Akoya's answer to open banking, please visit our 1033 Compliance Solution page.

July 19, 2024

Privacy in Open Banking Webinar

Courtney Robinson: Hello and thank you for joining us today. My name is Courtney Robinson, and I’m here to host Akoya's Privacy and Open Banking Webinar and Panel.

Just to give you a little bit of guidance on how things will work today, first I will introduce our panelists and experts. Then, I'll give some insight and background into how we got here and why we're talking about Open Banking and the Consumer Financial Protection Bureau's creation of Section 1033. And then we’ll get right into our discussion.

So, with that, I’ll introduce our speakers.

Our first panelist is Zoe Strickland. Zoe is a senior fellow at the Future of Privacy Forum. Over a 20-year period, Zoe served as head of global privacy and other roles for Fortune 500 companies and agencies, including healthcare, banking, retail, and government.

Zoe's experience in multiple industry sectors has given her a unique perspective on the evolving world of privacy, information protection, and effective compliance structures. Welcome, Zoe.

Next, we have David Silberman. David is a senior advisor at the Financial Health Network and the former associate director for the Division of Research at the Consumer Financial Protection Bureau (CFPB).

David has been involved in consumer finance issues from a wide range of perspectives over three decades. Currently, David serves as a senior fellow at the Center for Responsible Lending and as an adjunct professor at Georgetown's Public Policy School and Harvard Law School.

And finally, we have Behram Panthaki. Behram is the Chief Operating Officer at Akoya and has more than 20 years of entrepreneurial and management experience from startups to enterprise companies, including building and scaling networks and deep domain knowledge around payments. Prior to joining Akoya, Behram served as the COO for Accounts World and was responsible for leading operations and growth.

Welcome to our panelists!

So, let's talk about how we got here. What is Open Banking about? What is Section 1033 and why are we discussing it?

The Consumer Financial Protection Bureau is one of our newest financial regulators that was created in the wake of the housing crisis and as part of what is now colloquially known as the Dodd-Frank Wall Street Reform Act. One section in particular, Section 1033, is the law itself, which is why we've referenced it that way, and it is about consumers’ rights to Open Banking and their own financial data.

So, what does it mean when we're talking about personal financial data rights? It means that the Consumer Financial Protection Bureau has been directed by statute and the Dodd-Frank Reform Act to implement a framework for how consumers can take ownership over their financial data.

Along with that, there are obligations around how financial institutions and fintechs must collect and store the data, how banks and financial institutions must format that data when they share it to keep it safe on the consumer's behalf, how to empower consumers with their financial data, and just overall provide better access to financial products.

It seems like a given in the world that we're in now — with several banks, fintechs, and technologies working together to deliver powerful financial apps — that a consumer, an individual, owns their private financial data, but that's not necessarily the case.

You have an entire profile associated with your data. That includes not only your name but your account number, information about your bank accounts, and all these other areas of your financial life. And the Dodd-Frank Act and the Consumer Financial Protection Bureau, through the proposed 1033 rule, say that consumers should be able to take their data and use it how they wish for their preferred financial products and fintech apps.

Over the past decade, the Consumer Financial Protection Bureau put in a lot of work to get us where we are today. They've done research with consumers. They've held symposiums. They announced the proposed rule. They’ve held Small Business Review Panels. And now based on CFPB Director Chopra’s recent comments, we should be looking at a final rule around these consumer personal financial data rights sometime in October.

So, with that setting the framework for our discussion, I'd like to start with David and ask, with this rulemaking in 1033, what do you expect to come out of it, especially as it relates to privacy and data security issues? What do you see on the horizon?

David Silberman: Thanks, Courtney. Obviously, I don't have any crystal ball or unique insights into this. We have the CFPB’s proposal which indicates the direction they are thinking about going. And I would expect in general the final rule will follow the proposal.

So, in broad strokes, that means that data holders — which for this rule will be for checking accounts and credit cards, essentially — will be required to provide in addition to any kind of an online portal for their consumers to look at data through APIs essentially where the consumer can allow third parties to access their data and port it over.

The third parties will have obligations with respect to security and with respect to what data they take. So, they only take the data they need, and they only use it for the purposes for which they have been authorized. What the rule is going to say about secondary uses by somebody who's been empowered to use the data I think is an open question.

And I think the 1033 rule will define the data elements that are provided, and that will likely include account number and routing number in a tokenized format. It will also enable consumers to pay by bank transactions without requiring the account numbers themselves to move through the ecosystem. So, at a high level, that's what I'd expect to see.

Courtney Robinson: Zoe or Behram, anything you want to add about what you're expecting to see out of the rule?

Zoe Strickland: Yeah, I'll jump in. I thought there were a lot of well-regarded features to the proposed rule, and you could tell it got that reaction from industry. It was a long time in coming and involved a lot of conversations as well as the brief panels that you mentioned. You could tell that it was well received because it got a lot of support in the comments and several even commented about how they should widen the scope to include more products and to more consumers.

Obviously, there's several important areas that got a lot of attention as well. And there were several things that we thought were particularly valuable. The first is the 1033 ruling is very consumer centric. If you think about it, open banking really is kind of a business case for data portability. You know, how do people control what happens to their data and who gets it?

We thought it was very thoughtful about providing privacy and security obligations on all parties in the ecosystem, which is important as well. They have different regulatory backgrounds, but it's important that both the use of their data and the security of their data and their money is protected.

And then we see the phasing out of screen scraping, which we think was clearly not the right practice, I think that was supported. And then also was creating a role for industry standard setting, which we thought was a good development.

Oftentimes, industry is closer to technology user experiences and can best think through what that kind of standard looks like within a regulatory framework that the regulator directs and controls.

For us, we have some areas of focus in our working group. And yes, there are a lot of gray areas in this place because it has such a broad remit and covers so many parties, but now intersects with the consumers.

So, there are just three that I'll mention that are our top line focus areas.

One is around the granting or denial of access to the API, which is damn critical, because otherwise the data is not flowing and the data providers must perform that function, which I think was pretty expected in the standard today.

But the CFPB put a lot of thought into how you walk that line so that you've got both responsible and ready third parties as well, but you're at the same time not limiting innovation and the data flows. So, what does that look like?

And then second, the privacy obligations that David mentioned, they're new in the financial sector. So, what does it mean if it's reasonably necessary in terms of using it? What's going to happen with other uses of data or data by data, how that final rule plays out and collection and retention obligations, those will be important as well.

And then, again, rounding it out, what do standards look like in some industry? We're part of the FDX organization that is looking at the API standards. So, there's a lot more still to come as we both wait for the final rule and think through these implementations and public policies.

Behram Panthaki: I will add that this is the starting point of the journey with the CFPB and the rulemaking, and that there is a lot more to come in terms of other covered data elements.

And what's going to be interesting is how we figure out the ability for a consumer to consent to their data, figure out a way for them to revoke consent, and how that flows within the ecosystem is going to be very important as we navigate this rule.

And as Zoe said, that is one area where there is a little bit of gray, which the industry will have to work through.

Courtney Robinson: With these new standards and this new framework, what can we expect to see or what is the potential impact of the CFPB's rulemaking overall on privacy?

Zoe Strickland: Yes, I think it's a very thoughtful step forward in a very complex area that is highly regulated at least in terms of the financial institutions.

And again, a lot of different parties will have direct relationships with consumers, but they're not necessarily vendors. They have relationships, but you want to make sure that the right rules are being followed and consumers are being protected while they're exploring these new products and services. So, there were a lot of features to it that were very forward looking in privacy in terms of consumer control.

I think there are still some questions about it. Yes, if consumers are directing the use of their data, then they should be able to choose, perhaps, other uses of data. We'll see how that plays out. And so, there are some questions still to work through. However the final rule pans out, I agree with Behram, they're going to have more rulemaking. They've said that they need to, and that the ecosystem is not yet complete.

And I think there's a lot of features for industry to think through and work together and figure out the best way to accomplish. Because we're going to have consumers waiting for products and services, so we've got to figure out how best to fulfill that in a reasonable way that's protected.

Courtney Robinson: Right. So, it's important to get this all sorted out in the correct way so that there's no unforeseen or unintended impact to consumers as we're going into this new space.

David Silberman: It seems to me to ask the question, what's the impact on privacy? And I agree with what Zoe said, when I think about what's the status quo ante?

So, the status quo as we find it right now is banks are free to do anything they want with consumers’ data and share it with anybody they want, subject only to the right of consumers to opt out. That's the Gramm-Leach-Bliley Act (GLB) and that is unchanged by the rule. So, to the extent that's a privacy issue, that privacy issue remains.

The second part of the status quo is that it is in the bank's discretion whether they would allow consumers to move to port their data to someone else.

The largest banks have all agreed to do that and have created APIs and worked with aggregators to do that, like less true for smaller banks. So, the effect of the rule will be to broaden that, to make what now exists as a matter of essentially grace and contract rights between banks and individual aggregators a matter of legal right between consumers and their banks. And that's a big change.

One of the things that the rule does, I should have mentioned earlier, is the CFPB clearly doesn’t want to embed aggregators as a necessary element in moving data from data holders to end users to fintechs and the like. And so, it creates the right for a consumer to designate an individual fintech as the data user and the fintech to go directly to the bank. And that'll create a lot of complexities because that's not the way the world works today, even where the APIs exist.

Zoe Strickland: I thought it was so important that in the prior regimes, GLB is one of them, a lot of times the consumers were allowed to make an opt in or an opt out choice, affirmative or passive continuation of activities based on what the company wanted to do.

So, if the company wants to share data, are you okay or not okay with that? So, it's really what the company was doing. And I think one thing that's been going on in privacy both here but also in other countries is a kind of modern privacy tenet. It's around this individual's rights. So, what does the individual want with the data?

And, of course, then it does have to be much more directed from them. It's not so much about that, but they're meant to oversee it. So, it's more of what does the consumer want? And how do we understand that? How do we best display it to them? How do we understand what the change management looks like? All sorts of parameters that go along with that. But I do think that's a shift in privacy that's important.

Behram Panthaki: I totally agree. I think the control is now getting handed back to the consumer. The consumer can define what data is shared, what bank accounts, what data elements, there's data minimization that can be opted into.

And then also there is the duration aspect of data sharing, which is how long do I want to share the data? And there is a requirement to at least periodically refresh that authorization so that if somebody has forgotten that they have opted into sharing data, they can sort of remind themselves and opt out.

And I also think the regime is changing a little bit where there will be multiple entities who will manage the consent. It could be the data recipient. It could also be the data provider. And so, the consumer will have multiple ways of getting around the sharing of that data and the revoking of consent, which is very important.

Courtney Robinson: You guys mentioned in talking about the way that this data sharing happens. You talked about current banks and financial institutions working with APIs for perhaps the uninitiated in the audience. Can you expound more upon how that works? Maybe not at a super technical level, but just what we're talking about in the different ways that this consumer data can be shared.

Behram Panthaki: Sure. Let me take a crack at that. If you think about the predominant way of sharing data today, it is through what is called screen scraping, where a consumer provides their credentials, their username and password, to an entity. The entity holds the username and password, and then uses that to log in on behalf of the consumer and access the website and collects all the pieces of data that are relevant to the performing of that function.

And so, the challenge there is, one, the consumer's providing unfettered access to their bank information to the entity that is creating the data. The second is that they're sharing credentials, and those credentials are stored in a database somewhere. It's a secure database, but you know, it creates a honeypot of credentials, which is a dangerous environment to be in.

Then when you sort of walk into the API based model there, the consumer is not providing credentials. If they are going to their financial institution, they're authorizing access at the financial institution, and then the data recipient is using an identifier that goes and enables them to collect data on a periodic basis as required to perform the function that is mandated by the consumer.

So, the consumers have a lot more control and the API-based methodology is not just safer, but it's more reliable. There's no screen scraping where a one-time password gets popped up and the connection breaks or there's a change on the website and the connection breaks. So, there is a lot there that enables the consumer now to get better services by accessing and providing access to the data.

Zoe Strickland: Yeah, I can just say as a long-term privacy professional, and maybe doing legal compliance for way too long, the idea of sharing your password and credentials to your bank information is not a good practice.

I think that's widely understood. It's just a question of how quickly can we phase off it and what does the alternative look like? Because honestly, besides the privacy and security missteps that can happen, if you've got a bad actor, they're in there. So, it's a vulnerability for consumers and they are working to save it all.

David Silberman: I think the other thing that's important about APIs, as I understand them at least, is that the data that one can get is defined by the use case. And there'll be different use cases and, for each particular use case, particular data elements.

So, if I'm trying to access data simply because I want to verify that there's money in an account before I make a transfer, I can see the balance, but I can't see transactional history, other things like that.

If on the other hand, I'm a personal financial management app that's trying to help people know what expenses are coming due when I have access to transactional data, but the APIs will define use cases and data elements that go with each use case as opposed to in the screen scraping world where you can see anything that a consumer can see and that has privacy benefits.

There's also if the use cases are not defined well, and all the data elements are there. The consumer's desire to get a service could be frustrated because they're not getting all the data that really is needed. And so that becomes an important thing that gets fleshed out through data standards and the like.

Courtney Robinson: Nice. So, you all have given some good insight and background as to why consumers should care about this, how and why it will benefit them, and what the space is going to look like in a post 1033 or open banking world.

Now what about the financial institutions themselves that must comply with this rulemaking and facilitate the open sharing of data on the consumer's behalf?

Behram, what are some technical changes that fintechs and financial institutions may need to make to comply with Section 1033?

Behram Panthaki: So, if you think about the rule, it spells out the obligations of the data provider and the data recipient, and there are obligations on both parts of that ecosystem.

When you talk about data providers, I think the first step is that the data provider must furnish the data. And there are a set of data elements, which comprises the covered data, which must be enabled. And so financial institutions will have to figure out a way to ensure that they can provide that data out to an API.

And it must be timely data. And so all that is on the data side. The second is enabling the authorization of the consumer such that the consumer can get authorized, and that authorization then is transferred to the third party who can then come on a repeated basis and collect the data. So that is the second technology piece that needs to get done.

And then the third is they must manage the entire consent management, the revocation of consent, and that's on the technical side. But then on the sort of non-technical side, there is a lot that needs to get done to enable a third party to access data. There's the safety and security and the risk reviews. They have contractual obligations, the integration, maintaining the sandbox, maintaining data, ongoing monitoring of third parties. The list goes on and on and on.

And so, there are a fair number of obligations on the data provider around how will they be able to furnish this data to authorized third parties and then the authorized third parties on the other side must follow data minimization standards. They must ensure that they're getting informed consent from the consumer. They must ensure that they are retaining data as required, deleting data. So, the right to forget or to be forgotten is important to the consumer. If a consumer says, I no longer want to use your service, the data must be deleted.

And then there is always the security and safety of the data. How do you ensure that you are maintaining the data in a secure enclave such that no bad actor can access it? So those are some of the obligations on both sides, data provider and data recipient.

David Silberman: Now, I'm not sure I read the rule quite the same way on the data holder side. I must say that clearly the data holder has obligations to make data available, but whether the data holder, I believe, could say that if Plaid, for example, comes to me and says, this consumer has authorized me and I have gotten informed consent of data holder, I could say, look, I want to verify that, or they could accept that.

I don't think they have obligations on their own to independently manage consent or authorization, they have some rights if they want to, but not obligations in that regard. There are clear obligations on the data recipient to make sure that before they get consent, they have provided various information, that they've made commitments to various security standards and the like. But the data holder has the right to question that, but not the obligation to do so.

Zoe Strickland: Yeah, it's funny because over the course of my career, I was both at healthcare and then at a bank, when screen scraping became a practice that the companies are paying attention to and concerns about destabilizing their websites and who are these folks who are getting access to data and how can we tell them apart from folks who are bad actors.

And the initial action answer was APIs. And I think that's right. APIs are a much better way to transfer data, but this conversation just shows there's a lot more questions besides APIs in terms of roles and responsibilities.

So, data providers under the rule need to set up an API that meets the standards of the rule and they need to determine whether they grant or deny access to the API.

Two fundamental things before any data moves. But then there are a lot of other questions, and we're sort of talking about several of them, which is, okay, well, how do you make that decision? Because again their functions are very mature in the vendor side. Years and years and years of activity around how do I manage third parties and that's something that's not easy. Of course it's not. It's hard to manage another company.

But these are not vendors. Like, okay, well, what goes into that decision? How far does my oversight need to go? I can be a blocker, either. Maybe we have all these different parties that are interacting with the consumer. Who collects the consent? How does it get changed? Who revokes it? Who shares what with who? What if there's a customer service question? Where does it go? So, there's a ton of questions besides the API technical questions that again are getting a lot of attention from both the rulemaking entity as well as the companies themselves.

Courtney Robinson: So, what we've seen from the proposed rule, there are a lot of things that we know that financial institutions data providers and authorized third parties will have to do, but there's also a lot still up in the air in terms of those gray areas.

Zoe Strickland: Yeah, the details and implementation are important.

Courtney Robinson: Yeah, for sure. So, how do each of your organizations view 1033 in the broader context of supporting privacy and data access for consumers? And do you all believe the rule as drafted supports the overall goal of consumers owning their own data?

Behram Panthaki: I think this is a step in the right direction. We’re providing more control to the consumers and every entity in the ecosystem has a role to play. And Akoya is a data access network. We play two roles in the marketplace. We play a role of providing access to authorized third parties through our data access network, which is our gateway product.

We also act as a service provider to financial institutions where we provide them with services around hosting and building out their hosted developer interfaces and managing the hosted developer interfaces. And so, I think it's a step in the right direction.

There's more to be done, including figuring out a way to eliminate screen scraping. There's more to be done around adding to covered data. I know that Director Chopra has added that he's going to be working on mortgages next. And so, there are elements of data that will be added to the rule in the future to ensure that consumers get a more complete picture of their finances.

Zoe Strickland: Yes, I agree. A step in the right direction and sometimes multiple steps in the right direction. I’ve been thinking about a couple of questions surrounding privacy for a while. One is this whole question you teed up about ownership and that has a lot of other aspects to it, too. Are they third party beneficiaries of the contract? But I think the more central question, which the regulators and policymakers in many jurisdictions have been looking at, which is consumers have the right to understand their data, to direct their data, to control, even down to things like retention.

That was never something that was in older time periods of privacy. So, a lot more focus that people can, that companies and people can understand in terms of what is it that we need to be providing consumers and what are their rights? That includes redress as well, if they have questions or concerns or problems.

A second question that I’ve been kicking around in privacy for a while is to what extent, both in terms of how you disclose things to consumers, as well as the kind of consents and options you give them, at what point does it become fatiguing? People always say, well, we want the notices to be short and clear and simple and understandable, but they've got to be complete. It's got to cover all these things, even retention. That makes it hard to keep it short. So, if you do that through layered notices, what does that look like? And the same thing with consent.

And I think there's been some very good research done lately, which is where it's something that they care about, like this, and maybe other things, and the options are provided to them in a clear and simpler format.

They do like it. I think Behram mentioned, like, what are you talking about? We need to know that, right. And if so, what does that look like? And it’s very good for the privacy professional’s community to think through. Okay, things are evolving, and the younger generation is so savvy with digital and other technologies that there will be this greater sense of engagement and control from them. So, yeah, I'm going to say multiple steps.

David Silberman: Yeah, I certainly heard this as a step in the right direction. I think the area of question is that data holders, banks and credit unions, have legitimate interest in assuring that, yes, the consumer has in fact consented to this data flowing to this person that the entity is going to have, it's going to get the data, we'll keep the data secure and all those things.

Those are legitimate interests. But one can imagine processes being created to protect those interests that create a lot of friction in the system, or to use a term that Richard Thaler and Cass Sunstein use is “a lot of sludge,” that makes it difficult for consumers to vindicate that right. And that's an area where the rule’s sort of less clear about.

It says that if there's certain circumstances in which banks must provide access to the data, but the circumstances are defined sort of broadly and how much play in the joints and whether what emerges is a system that is frictionless while still protecting legitimate interests or is challenging for consumers to navigate is, I think, not yet a fully resolved question.

Courtney Robinson: So, what do you all believe will be Open Banking’s impact on equity? And I know that's broad. But what are the equity and accessibility implications of a post 1033 world? What will be different for a consumer who's using financial services? Or different for financial institutions to manage their data and lives?

David Silberman: So potentially, at least one use case for transactional data from checking accounts is to facilitate cash flow underwriting. Cash flow underwriting can indeed open access to people who do not have a credit score or credit record, or whose credit scores are lagging indicators of one's financial growth position and so people whose credit scores may understate their current ability to handle credit.

So that's certainly one area in which it would expand financial inclusion, at least on the credit side. The data has the potential. This is not about financial inclusion, but Open Banking implies the ability to move from bank to bank, and it can to some extent facilitate account switching and perhaps create more competitive markets. The CFPB keeps talking about that. I'm skeptical as to how much impact the rule will really have in that direction, but that's at least a possibility.

And then certainly another use case is a person to that has been just uses personal financial management and helping people do a better job or be able to assist in managing their money, anticipating expenses, automated savings, those sorts of things, which can make for more financially healthier consumers. Whether they are currently included or excluded from the financial system.

Zoe Strickland: Yeah, I think that there's broad support in the nonprofit and consumer-based community that Open Banking will provide more benefits and services to underserved populations including managing their data and their accounts because financial health in the country about, you know, let me pay you to take paycheck to paycheck.

How do you help people understand that better? There were a lot of comments. I think people saw them relating to expanding Open Banking to EBT and to more government services. And I must admit, I was quite educated because their ability to understand how their accounts are being used and even what their balance is, I think that that's going to be a step that's going to be coming and I think that'll be enormously beneficial, too.

Behram Panthaki: And there is a lot of unknown here. We don't know how innovation is going to take place and how Open Banking is going to become that steppingstone to enable new models and new innovations in the industry. So, it's an exciting time we're in. You know, we are all participating in the ability to sort of build this ecosystem out.

Courtney Robinson: David, you mentioned cash flow underwriting as one of the potential benefits we could see coming out of this space. Can you provide more detail on what cash flow underwriting is?

David Silberman: Sure. Cash flow underwriting means looking at one's checking account inflows and outflows to reach a judgment as to whether the individual can manage new credit.

Traditional credit underwriting credit scoring is looking at past payment history as the primary, as a primary driver of a credit score. The premise is the past is prologue, and if you’re somebody who's shown that you have been able to pay your bills without falling behind. That indicates you're a good candidate for more credit, at least so long as you're not heavily utilizing your existing credit and applying for lots of new credit.

But that means that if you were somebody who hit hard times and have recovered, your credit score may be a lagging indicator. Conversely, if you're somebody who's just hit hard times, your credit score may overstate your actual financial capability. If I can see how your inflows compare to your outflows, everybody's inflows and outflows in some senses are in balance.

Otherwise, people would just be building bigger and bigger checking account balances. So you have to be able to distinguish money that's flowing out into a savings vehicle, an investment vehicle, from money that's being used for consumption and figure out if this individual has this residual capacity to absorb a new obligation. And it can either supplant credit scoring, particularly if people don't have a credit score, or it can be a supplement and enhance the predictiveness of existing models.

Courtney Robinson: Thank you for that. We have several questions coming in. I'm going to go ahead and start the transition to the audience Q&A. Thank you all again for submitting those questions. I see one question from an audience member that I think taps into some of what Zoe spoke about with different account types.

So, I'm going to direct this question at her and then open it up to anyone else to answer in the panel. What do you think will be the following account types that the CFPB will be mandating? So, suppose under the rule, what else might be captured under that umbrella in the future? And how soon do you think that will happen?

Zoe Strickland: So, the ones that were brought up in the comment letters a lot, and the CFPB has been open about mortgage, is likely payroll. I think other kinds of loans are likely, too, because if your goal is to have a good understanding of your money, those are pretty big things.

And so those have been brought up several times and the CFPB has talked about it and there's some question about when that rulemaking might occur, many people think next year. And I also think there will be some activity around some of the government products like EBT, like I mentioned, just because, even though it's a different animal and has some other issues to work through, it's important. So, I think we might see that as well.

David Silberman: Yeah, I expect that the rule that they release in October will cover that as they got a lot of comments on that. We don't know that, but that would be my guess, and I agree. So, and particularly today, the CFPB issued an interpretive rule, a proposal. So, only tangentially related here, but whether earned wage access products are covered by the Truth in Lending Act, and during that they intimated they would be providing access to payroll data as a next step in the 1033 journey.

The CFPB issues semiannually a regulatory agenda, which sets forth what they're planning to do. This last one, which was just issued a couple of weeks ago, puts the next 1033 rule in the long-term category, which means they don't plan to start working on it for another 12 months.

Courtney Robinson: We have another audience question. I will read it and then see if anyone wants to jump in. Will open banking integrations help solve for the inequities that have always been a part of our credit reporting systems?

Zoe Strickland: So, to David's point, in its publication of upcoming rules, it's been expected for a while the CFPB is expected to do a Notice of Proposed Rulemaking (NPRM) on the Fair Credit Reporting Act, and I think they're looking at several ways to improve how that system, which has been around for a long time, works for consumers.

And there's a lot of intersection with 1033 as well. Some of the defined roles and things like that and the obligation with the third parties, particularly if data providers are being directed to share data, are they now a data provider? We hear about the recipient … what do they do in terms of engaging the provider in any dispute?

So, I think there's underlying themes in what the CFPB is doing in policy decision making to make it more transparent, to give the consumer more right to put more restrictions on the companies in terms of what they can do and the ramifications there. So, I think there's more to come in that space.

Behram Panthaki: And as David mentioned, the ability to underwrite based on cash flow is going to help certain pockets of the population, the no pin file, the no credit file individuals, and enable them to enter and get credit where typically they would not be able to do with traditional credit reporting.

And so, that is a benefit. I think the ability to show that you are on time on your rent payments, which typically is not included in credit reporting, would be a benefit to consumers.

Zoe Strickland: And that comment was so strong in the comment letters. It'll be interesting to see how it plays out.

David Silberman: I agree with all this. On the other hand, the fundamental issue is that credit scores capture centuries of past discrimination. And that's going to be true of cash flow underwriting as well. There’s overwhelming evidence that people of color have on average lower credit scores than white individuals.

That reflects the fact that people of color have less income, less opportunity, and have been subject to massive amounts of discrimination. That's going to show up in cash flow data as well, I would predict.

And so, I think I wouldn't overstate the benefits of this from an equity perspective. We have a lot of things to do in this country to solve equity. This is maybe a small step, but only a very small step, in that direction.

Zoe Strickland: Courtney, on that point about the small step. I want to make sure we do cover de-identification and secondary use, just for folks here. The couple areas where I would say they were positive steps and sometimes many steps forward. But I was a little surprised that the proposed rule really said, well, we're not sure of secondary uses.

Which means, using the data besides the primary product or service, you know, they should be able to consent to that, and the same thing with de-identified data. And I'm hopeful in the final rule that those get adjusted. I mean, first, because the whole point of open banking is to foster people's decisions and desires around how their data gets used.

And I understand the concern is that there were high risk uses of data they don't want people to just agree to. I'm like, well, two things there. One, if it is high risk, maybe it shouldn't be legal? I don't know. Or you must make sure people really understand it.

But again, this is meant to be what consumers want. And there's a whole lot of things that companies do with data. It's not just providing the service. Many people brought up, including us, product improvement, which you're kind of expected to do if you're regulated. So, what does that look like?

I’m hoping to see some movement there. And de-identified data, same thing. There's a lot of benefits internally. FCRA is one example in terms of how companies understand their customers in a de-identified way. And externally, a lot of groups work with de-identified data for research purposes.

I completely understand the concerns about re-identification; they're real. And entities have gotten better and better at figuring out how to re-identify people. But you know, you could put controls in place. You could say, especially internally, that that risk is lower. And so, what does it look like to have those controls in place?

And even externally, when you're dealing with public interest groups, you could put some controls in place. There are some contract things to make sure they're using it properly, so you don't run those risks, but you still get the benefit both from a privacy perspective and security, too. Because your risk of data breaches goes way down when data has been stripped of a lot of identifying information, particularly sensitive data elements.

Courtney Robinson: Who are the winners and losers resulting from the rule? What are we going to see?

Behram Panthaki: I would say consumers are winners in this. They are going to get more protection. They are going to find that they can use the data in a safe and more secure fashion. So, consumers are winners.

Courtney Robinson: Zoe, David, did you want to add anything before I go to the next question?

David Silberman: No, I agree with that. If you think about it, if the status quo ante is a world in which data holders have discretion over what they share and when they share it, they are losers in the sense that now they're going to have obligations that they didn't previously have.

As you said at the start, Courtney, those are obligations that Congress created in 2010. And so, if what you're comparing this to is what the statute says, then I don't think it's really thinking about them as losers. They're getting a system that will work reasonably well.

But if you think about this as a world in which this statute was not in effect, I suppose if I were a data holder, I'd rather be in a world where I have discretion as to who I share with and under what terms rather than where I have obligations.

Zoe Strickland: I would say losers are those folks who really stick their head in the sand about this. I think the ship has sailed. This is a new technology, a new approach. Consumers are expecting it and not just in the U.S. Many jurisdictions are doing Open Banking, Open Finance.

So, at some point, when the train is out of the station like it is here, it's better to get on board and figure out how it makes sense for you, for your company, for your relationship with other companies, with consumers, and try to figure out how it works for you.

I do think, to David's point, if people are really trying to hold on to their data, it won’t go well for them. You know, I think they'll be discovered, and it's clear in the rule that that activity is disfavored. I get it that you must watch out for it. But I think the companies that are going to succeed are those who get on board this train.

Courtney Robinson: So, yeah, the U.S. is doing this, but we're not the first country in the world. So, this is a long-time coming sort of thing, and David, as you mentioned, Dodd-Frank has been more than 10 years now.

But the winners are consumers. Folks like all of us, and perhaps the losers are the folks who did not do their homework and are waiting till the last minute to turn in the assignment.

So, Behram, I have a question that I'm going to direct to you.

What have you or perhaps others in industry been hearing from smaller financial institutions about their needs related to open banking?

Behram Panthaki: As you look at the ecosystem, the largest banks have worked through the chinks in the armor, which has been almost a decade in the making for them. When you look at midsize and smaller banks, I think that's where a lot of the heavy lifting must happen.

And in that space, the actual technology is just a tip of the iceberg. There is a lot that needs to be done in terms of ensuring that you can operate a hosted developer interface at scale and ensure that you are providing the policies and procedures. You're providing the ability to create contracts, the ability to manage third parties.

All the administrivia is large at financial institutions, especially the midsize and smaller ones. And they are looking for either core providers or other providers in the market to help them build out 1033 compliance solutions versus doing everything themselves. So, we're seeing a good flavor of build versus buy decisions.

How do I get some help in enabling me to create this infrastructure that I am now mandated to do?

Courtney Robinson: Anyone else?

David Silberman: No, I’ll just go to the last sentence, that the cores for the smaller institutions, they are going to be heavily, heavily dependent on their core processors to manage their obligations under this regime. And I assume, as is often the case, that that's not going to come for free.

And who has the leverage in that kind of negotiation is an interesting question.

Behram Panthaki: Yeah, I would add to that. It's the core processors and it's also the online banking providers, because some of the cores have a different online banking platform. So, it's going to be a little bit of the core and the online banking platform, the core for the data, online banking platform for the authorization and together, you know, it must be both working together to provide the actual capability to the financial institution.

Courtney Robinson: Thank you, guys. Another question. In addition to bank data, the EU and UK through PSD2, or Payment Services Directive II, also push banks to make available mechanisms to initiate payments on behalf of the consumer through APIs, which is something that's not currently in scope in the U.S. Do you think that that's something we will eventually see here?

So basically, expansion of our prior question on how this might end up growing and what we put under this umbrella. Do we think the U.S. will get there in terms of push payments? Will we get there? Are we still doing anyone focus on that?

Zoe Strickland: Yeah. So yeah, I would think eventually. I think there are concerns in every jurisdiction where this happened, and it takes a while. The UK has been working in this space for many years. You know, the pay by bank or push payment can generate fraud. It's even more important that it's being done properly, because what if that recipient won't return the money if it's done incorrectly?

So, I think it's on the roadmap and I think it's been a conversation amongst all the financial regulators in the U.S. and abroad about, well, okay, how do you enable some of these functionalities to create convenience to people, but do it in a way that doesn't create a lot of risk to them?

Particularly, I always say with privacy, obviously, people's data is important. We're talking about their money as well. So, I think that it is on the roadmap and how that plays out and how those controls are put in place will be important.

David Silberman: Because as I said earlier, I mean, the rule itself, the proposal requires that one of the data elements that be made available is either account and routing number or a tokenized version of that.

So that enables pay by bank through the ACH system. It's one of the issues where some commentators have objected strenuously and have argued that the CFPB lacks the authority to require that, that the statute says your personal financial data, and your account number and routing number is not part of your personal financial data. If this rule results in litigation, it wouldn't surprise me if this is one of the issues that gets litigated.

Zoe Strickland: Yeah, I agree with that. And it may well be that this gets pushed out a little bit longer. I don't know, but it's a very important point.

Courtney Robinson: I have one more question, and this is going to back us up a little bit into the broader space and not the intricacies of 1033 as we've been discussing.

But how does the Chevron deference ruling, so I guess the Loper case (Loper Bright Enterprises v. Raimondo), impact the CFPB broadly and the 1033 ruling specifically? What impact do you all see there, if any?

David Silberman: So let me jump in on that. At the risk of sounding like a broken record, it depends on what you compare and what you believe the status quo was before. If you believe that the courts that were called upon to review the CFPB jurisdictions were faithfully following Chevron, if there was an ambiguous question of law, they were deferring to the CFPB, this could have a significant impact.

I would argue that there's not a lot of evidence to support that view of the world as it existed. That the world as it has existed pre-Loper was that lawsuits were brought in Texas that CFPB lost. An appeal was filed to the Fifth Circuit, the CFPB lost. And if that's the world, the Loper case doesn't change things much at all.

That’s true in general. But it's certainly the case that in theory and in principle, 1033 is an example that the CFPB has interpreted what personal financial, what personal data means, what your financial data means, and what it means to provide access.

There are arguments that say that statute, if you're providing the consumer with the ability to download data into an Excel spreadsheet, that satisfies the statute. And that's a statutory question, which in theory would've been subject to the CFPB's reasonable interpretation previously and de novo for the courts. As I say, I don't think that in the real world that was ever the case.

Zoe Strickland: I definitely wanted the Harvard guy to go first on that one. I would say two things. One on the Texas case. It depends on what CFPB we're looking at, right? And the CFPB is known for pushing the envelope on its jurisdiction for the benefit of consumers.

They're known for that. And sometimes they might push a little farther than others. And those sorts of actions have some more pushback now. Things like 1033, clearly, they've got statutory authority. And they spent a lot of time on the rulemaking, going through their authorities and all the processes around, you know, the consultations and all the rulemaking bells and whistles.

And there were some areas that people commented, and really did, like, there are a few of them, I did see some other things that really, perhaps, it wasn't in at least the black and white world of 1033, although you can make an argument, well, if you're access to data, it should be accurate data.

So, I think it depends on the rule making. I think all the agencies, if you'd be included or, you know, paying attention to that and, you know, what their authorities are while they're still trying to meet their mandates that they've received.

Courtney Robinson: Thank you, guys. So can I ask Zoe, then David, and then Behram to please give information on where they can find additional resources about your organizations and about 1033 Compliance and Implementation.

Zoe Strickland: Oh, sure. Thank you, Courtney. Yeah, look up Future of Privacy Forum on the web. We've got several work programs, Open Banking being one of them. And feel free to reach out to me as well. Connect with Zoe on LinkedIn.

David Silberman: Sure. So financialhealthnetwork.org is the website. We published a paper jointly with FinRegLab trying to compile all the laws that bear upon open data, Open Banking, how GLBA, Fair Credit Reporting Act, Electronic Funds Transfer Act, all these things apply.

So, there's that resource. We did some survey research into consumers' attitudes. And we filed comments with the CFPB, all of which are available on our website. Connect with David on LinkedIn.

Behram Panthaki: Akoya.com is the website for Akoya. You'll find our comment letter there as well. We have put some thoughts together around consumer privacy in that comment letter. And if anybody wants to reach out to chat, you can reach out to either Courtney or myself.

Courtney Robinson: Yes, you can reach out to me, too.

Connect with Courtney on LinkedIn. Connect with Behram on LinkedIn.

Thank you so much, Zoe, David, and Behram for joining me in this discussion today. You all are long-time experts and deep in the trenches on Section 1033 and the forthcoming ruling and are very well respected.

And of course, all our organizations are here to help you navigate through the Open Banking space. So again, thank you to the panelists and attendees and we will see you all.