What’s going on in Open Banking?

The open banking regulatory space has been in flux for some time. In 2023, CFPB’s first proposal to implement Section 1033 signalled that some clarity may be on the horizon. But even then, the rifts between banks and fintechs was clear: Fintechs saw CFPB’s move as a positive step forward for competition. Banks, on the other hand, characterized the rulemaking as short-sighted, a law that was likely to move the brunt of responsibility on the bank if things went wrong. 

The following years have not helped matters, however. In this article we break down twists and turns the regulations have taken and how recent partnerships are likely to impact the industry. 

The administration change

Under the Biden administration, the CFPB was moving aggressively against big banks. Ever since the Trump administration gutted and restructured the Bureau, however, the CFPB has backtracked on multiple lawsuits against big banks, including one against JPMorgan Chase, Wells Fargo, and Bank of America over allegations of fraud involving the Zelle P2P payments network. 

This theme carries over to the Open Banking rulemaking as well. The CFPB under Trump retracted the proposed rulemaking and deemed it “unlawful”. It gave the following reasons for doing so:

1. Neither precedent nor law gave the CFPB any right to regulate the entire banking system. 
2. While the rule would require data providers (banks) to create and maintain API systems that would enable data sharing, the rule also prohibits banks from charging fees that would ease the burden of building and maintaining such systems. 
3. 1033 would expand the limits of what data can and should be shared with fintechs, widening the aperture of risk for consumer privacy and security. 
4. The rulemaking set deadlines that did not take into account time taken to build consensus in industry standards. 

These reasons very closely echo the statements made by Lindsey Johnson, CEO of the Consumers Bankers Association, while speaking to Tearsheet in 2023: “There are real questions about whether the Bureau and this particular rulemaking are best positioned to carry out something as big and hefty and complex as open banking.”

On the other hand, trade groups representing fintechs like the FTA are up in arms about the retraction: “Vacating the 1033 rule is a handout to Wall Street banks, who are trying to limit competition and debank Americans from digital financial services. Americans must have the right to control their financial lives, not the nation’s biggest banks,” said Penny Lee, CEO of the FTA. 

Having retracted the previous rulemaking, the CFPB is now in the process of creating a new rule and has published an Advance Notice of Proposed Rulemaking that seeks to analyze the costs of a data sharing request, and the possibility of data security and privacy risks for consumers. 

The tide has clearly shifted in favor of the banks. And this change in the regulatory climate is also impacting industry partnerships between some of the biggest banks and fintechs. 

JPMC and Plaid affirm ties but for a cost

In July, JPMC started sending out notices to major data aggregators saying that it will now impose fees on data sharing and access requests, when previously these transfers had been free. 

Reports around these notices revealed that Plaid would be expected to pay $300 million a year in data access fees, (an amount that accounted for 75% of its 2024 revenue) with the heaviest fees incurring on payments-related data transfers. 

However, this month, JPMC and Plaid have announced a renewal of their data access agreement, with an undisclosed pricing structure attached. It is likely that Plaid has negotiated the pricing structure down, as Plaid spokesperson Freya Petersen stated that the new agreement is “very custom”.

Translation: JPMC is not backing down from its fee imposition but Plaid has been able to leverage its position in the industry as well as its relationship with the bank to bring down the fees it has to pay – a move other data and payments players like MX, Finicity, and Stripe are unlikely to benefit from. 

What this means for the industry

JPMC isn’t the only big bank in America, and its move to introduce fee structures despite the absence of any rulemaking that explicitly allows for this sets a precedent for other big banks.

Smaller institutions, however, do not have the same bargaining power as TBTF firms, and in the absence of a rule that formalizes pricing around data structure, these firms may not be able to benefit from any fees any time soon.

The impetus that drove smaller banks to allow data aggregators to access consumer data the first time around still holds true today.

Whether or not institutions are able to benefit from fees, building API interfaces that allow for data sharing remains of the utmost priority: At the best small banks will tap into a new income stream, at worst they will be complying with regulatory bodies that make API-enabled data sharing mandatory. 

For data aggregators, the cost of doing business is likely to rise substantially and may impact how they provide services, to whom, and at what cost – impacting relationships with fintechs as well as consumers. 

For the biggest players, Plaid’s move may be a sign that they need to strike their own “custom deals” with the biggest banks, but it may also make market entry and growth for new players much harder than it was before. 

Given the new thrust of the CFPB, it is becoming likely that consumer privacy and security concerns like the practice of screen scraping will come under greater scrutiny and for once industry participants will have to more explicitly state what processes they are using to access consumer data as well as what technology they are using to secure it – a point that was missing from the Biden era rendition of this rule.