Building Momentum: The Path To Open Finance through Open Banking

We commend the CFPB for its work to foster a transparent and accessible Open Banking market through Section 1033 of the Dodd-Frank Act. As 2023 came to a close, Trustly filed its comment letter with the CFPB with our suggestions to further augment this groundbreaking proposal. 

Since our founding in 2008, Trustly has redefined the speed, simplicity, and security of payments through Open Banking. We currently connect to over 8,000 banks and financial institutions in the US. We have over 8,300 global merchants relying on our products and services to power their payments solutions. With our long history as leaders in payments and Open Banking, we are delighted to see progress on much-needed and much-awaited regulation. 

We agree with the CFPB’s efforts to shift the market to developer portals, prohibit data providers and their captive intermediaries from charging fees, and requiring data recipients to obtain formal authorization to access consumer data. However, we also believe the proposal has the opportunity to better reflect the current market and future opportunities for Open Banking Payments. We believe the CFPB must revisit these areas and address them in a final rule if the Bureau is to achieve its twin policy goals of empowering consumers and promoting competition in the financial services sector.

Align Data-Sharing Duration with Consumer Expectations

In its proposal, the CFPB suggests the final rule should require all Open Banking use cases to have consumers reauthorize their data sharing every 12 months. However, when consumers sign up for recurring payments, such as for their cellular service or internet provider, they expect to be able to set their payment methods and not have to revisit them again. This is a key area where the CFPB’s proposal is aimed at pure Open Banking data use cases and misses the mark when Open Banking is used for payments. The issues compound when banks issue substitute and revocable payment account numbers that disappear when consumers revoke their data-sharing authorizations.  

The Bureau has a chance to address these issues by creating a dormancy concept in the final rule. Under this concept, certain use cases like recurring payments would serve as a sign the consumer has reauthorized their data sharing until the consumer affirmatively revokes such authorization, changes his or her payment method, or cancels the service. This would help address some of the technical issues consumers and merchants would face if they had to re-authorize their open banking payments every 12 months, as well as help blunt the competitive issues that come from certain banks injecting anti-payments technologies into their Open Banking environments.   

Balance Security and Practicality

The CFPB’s proposal also allows banks to substitute a consumer’s actual ACH account and routing number with substitute numbers referred to as Tokenized Account Numbers (TANs)”. At first glance, the Bureau’s logic seems sound. Some banks claim that TANs provide consumer benefits, so why not allow those banks to offer what is supposedly a beneficial and pro-consumer technology?

Unfortunately, Trustly and our merchants have not seen TANs deliver increased security.  Instead of creating consumer benefits, we have seen TANs serve as a new tool for fraudsters, increase merchant and customer confusion, and increase decline rates with lower transaction limits. All of these are real-world, unintended consequences of TANs in the market today.

We hope the staff working on the final rule recognize that TANs, in their current state, are not ready for prime-time and that they defer any further consideration of TANs to a separate rule on payments security and fraud.

Foster Innovation through Safe, Pro-Consumer Secondary Data Usage

The CFPB’s Proposal would tightly restrict how companies can use Open Banking data outside of the consumer’s permissioned use case. While this sounds like a reasonable limitation, the effect of this will be to freeze the Open Banking market in time and prevent pro-consumer, pro-competitive innovations from coming to market.

Today, banks can use consumer data to develop new products and services largely because of the Clinton-era Gramm-Leach-Bliley Act, which imposes certain privacy restrictions and data security requirements on banks. Under federal law, your bank cannot share your data without disclosing it to you and allowing you to opt-out. There are even some state laws that require the bank to obtain your opt-in before they can share your data. However, the law does not prevent banks from using your data to see if you might be a good fit for new products or services. In theory, this should allow banks an advantage in bringing the best, lowest cost, and most innovative new products to market.

In practice, banks have tended not to be innovators or drivers of new low-cost financial services.  Instead, that role has fallen to non-banks, who have used the last decade to drive mass adoption of free peer-to-peer transactions, early payroll access, and low-cost buy now pay later methods. Importantly, many of these products and related pro-consumer services have been developed by non-bank companies using consumer data in a safe and controlled manner for new product development.  

We agree with the CFPB that Open Banking data should not be misused by companies, nor should it be sold or abused in the way certain unregulated data brokers misuse consumer data today. However, Trustly and others in the market feel it would be a mistake to limit pro-consumer secondary data uses.  We believe the CFPB has a chance to revise its current proposal so that companies holding Open Banking data can safely use the data to develop new lower-cost and pro-consumer services. Without these changes, the CFPB risks limiting the consumer benefits of Section 1033 and dampening the pro-competitive effects of the final rule.

Elevate Consumer Experience

As Trustly and other market participants have moved to bank-hosted APIs for data sharing, we have noticed that the consumer experience has suffered. We believe the final rule should address this regressive trend by allowing data recipients and data access companies — and those parties alone — to collect and confirm the consumer’s Section 1033 authorization.  We also recommend the Bureau take several pro-consumer measures to keep banks and other data providers from cluttering their authentication user interfaces. This would ensure smoother onboarding processes and better consumer experiences linked to controlled screens from financial institutions. 

Once a consumer has provided their authorization, they still need to authenticate their identity and control of the account with their bank. We also urge the CFPB to use the final rule to mandate app-to-app authentication, which solves many of the consumer experience issues currently present in the market while simultaneously providing better data security protections for consumers. We have heard many banks would like to offer this feature, but it regularly gets deprioritized because it is not required by law and does not directly increase bank revenue. The Bureau has a chance to massively improve consumer experience and data security by mandating all data providers offer app-to-app authentication.

Advancing API Standards and Fallback Options

We appreciate and agree with the CFPB’s efforts to set minimum technical standards for banks.  However, our own experiences with bank-provided APIs show that the Bureau’s standards need more definition and nuance to support Open Banking at scale.

To enhance the efficiency of Open Banking, we propose refined API standards. Specifically, we advocate for improved response times and availability, providing a more seamless and reliable experience for both consumers and developers. To be clear, Trustly fully supports shifting the market to developer portals, but the data needs to be obtainable in real-time on a 24x7 basis. 

We also believe the final rule’s API standards need strong teeth. While the CFPB will have a right to bring enforcement actions against banks and data providers that fail to meet the final rule’s technical standards, these processes will move too slowly for data providers that wish to use their outsized market power to limit certain Open Banking use cases or diminish competition.  

To address this risk, Trustly believes market participants need the right to retrieve data via tokenized legacy connection methods if such data is not available through the API. We believe a final rule that preserves these connections as a fallback data access method will act as a sufficient incentive to help banks maintain proper API response time and reliability. Not only is this our theory — but it's how regulators had to address banks' attempts to skirt API response time and reliability standards in Europe. There is precedent for this being an appropriate tool to ensure the proper functioning of bank-provided APIs.

Our Final Thoughts on Section 1033 

The CFPB's proposal marks a significant stride for Open Banking and Open Finance in the United States. As a global pioneer in Open Banking, Trustly is proud to participate and help pave the way to advance Open Banking for all. We are committed to redefining the speed, simplicity, and security of payments, leveraging Open Banking. We look forward to actively participating in the ongoing market and regulatory dialogues to shape a future that benefits consumers, fosters innovation, and promotes fair competition.

‍