WORKWEEK

This week, the Financial Data Exchange (FDX) – the preeminent open banking standards-setting organization in the U.S. – hosted its annual global summit. 

As I understand it, most of the event was a festival of gloriously nerdy developer talk, available only to FDX members (of which I am not).

However, I was able to attend one session — a speech and live Q&A with Rohit Chopra, the Director of the CFPB.

Director Chopra’s prepared remarks are available on the CFPB’s website, but his answers in the Q&A (facilitated by the magnificent Jane Barratt) aren’t. Fortunately, you have me … and I was taking good notes 🙂 

Here are my main takeaways from Director Chopra’s prepared remarks and answers during the Q&A session. 
Think of this as part 3 of my ongoing series chronicling the rollout of the CFPB’s rule on Dodd-Frank 1033 (here are part 1 and part 2, if you haven’t already seen them).

FDX isn’t the recognized standard-setting organization … yet.

The main thrust of the Director’s prepared remarks was the importance of standards and the characteristics of the organizations that set them. He made it abundantly clear that the CFPB has not and will not formally recognize any standard-setting organization for open banking that does not adhere to a specific set of attributes.

Given that his remarks were made in a room filled with the only group of people in the U.S. who have a realistic shot of becoming that formally recognized standards body, this felt both awkward and highly intentional. Director Chopra was sending FDX a message (or, more accurately, repeating a message that had already been delivered multiple times privately) – if you want to be formally recognized, you need to make some changes.

Now, I don’t know exactly what those changes are, but here are the attributes that Director Chopra listed when discussing what the bureau might look for in a standard-setting organization:

We are considering whether standard-setting organizations should be balanced, such that no single entity or group of entities dominates decision making.

We will look closely at the makeup of the board or group that makes determinations with respect to the setting or modification of standards. We’ll be looking at your funding structure. If the composition suggests favoritism or if funding is dominated by one market participant, that will be a problem.

Additionally, if there is no meaningful way for consumer privacy interests or the interests of small firms or firms that don’t yet exist to be considered, that’s going to be a problem.   

Two parts of that quote stand out to me:

1. “No single entity or group of entities dominates decision making.” My educated guess is that he’s referring to the banks, bank trade groups, and bank-owned consortiums, which collectively wield a lot of power within the current membership of FDX.
2. “Firms that don’t yet exist.” That part of the quote wasn’t in the CFPB’s official version of the Director’s remarks, but he referenced it several times throughout his remarks in the room. Curious. Who exactly was he referring to? Future fintech startups? And which organizations might best represent the interests of these future stakeholders? I can’t imagine Director Chopra wants a VC firm involved in FDX, but maybe he does!  

Regardless, Chopra was clearly trying to motivate FDX not to become complacent:

I want to emphasize that existing standard setters should not take their place in this market for granted.

The CFPB is keeping its options open.

Along those same lines, the Director made it very clear that he views competition, at a standards level, as being very important:

While interoperability is an important component of a healthy open banking system, I would eventually like to recognize more than one standard to allow the market to develop without complete reliance on one set of protocols. I also recognize that not every standard setter might be ideally suited to create standards for every part of the open banking system, and new standard-setting organizations may need to emerge as the system evolves.

When pressed on this point – which I think struck many in the room as a bit bizarre given that there is presently no other standards body in the U.S. that’s even close to FDX in terms of market participation and traction – during the Q&A, Chopra elaborated:  

We don’t want to be in a situation where you grant a monopoly. You want to create a space where if the market does move or if there are more specific use cases that can be covered, others have the opportunity to get that same regulatory treatment. … We just want to make sure that not all the eggs are in one basket.

He also offered this up, at the end of his prepared remarks:

If we’re unable to identify standard-setting organizations, we will be prepared to step in to do that work, but I imagine that will take a longer time, and we will not see the progress we want to see.

The CFPB directly setting the standards for open banking would, in a lot of ways, be the worst possible outcome for everyone in the ecosystem (including the bureau itself), so I found it fascinating that the Director was even willing to entertain the notion. 

A little gatekeeping is good, but a lot is very bad.

In both his prepared remarks and in the Q&A, Director Chopra tried to walk a fine line on the subject of gatekeeping.

When he was asked about the compliance requirements for third parties (i.e. fintech companies) under the CFPB’s proposed rule on 1033, Chopra made it clear that while he wants smaller players to be able to access consumer data (with consumers’ permission), he doesn’t want the open banking ecosystem to be the wild west:

We want to make the barriers to entry low for the small players, but when we look across sectors where there is this openness, we don’t want the scam artists taking the biggest share.

When you hear openness, sometimes you think ‘no gatekeeping’, but we live in a country that has anti-money laundering laws. … Policing for terrorism financing isn’t going to go away because we want open banking.

On the other hand, the Director was quick to emphasize that the bureau would not allow gatekeeping to be weaponized (his word) by incumbents to stifle competition. He had many examples.

Visa and Plaid:

A couple of years ago, Visa sought to buy Plaid. It was grossly illegal. The DOJ blocked it, but it showed a very clear way that both firms were trying to do something that would have fundamentally undermined the shift to open banking. I think both firms are better off that it was blocked, but I think we’re going to have to look at all of the ways in which major players are going to try to sculpt the system.   

NACHA:

If you rewind many years, a lot of the payments system is governed by rules by this group called NACHA. There have long been concerns that NACHA is just a tool of the very biggest banks. 

And finally, though he didn’t refer to them by their name in his prepared remarks, Akoya:

We continue to hear reports about incumbents potentially coordinating efforts to limit consumers’ exercise of their rights to access data by forcing data sharing through a bank-owned venture.

Anti-competitive behavior by dominant firms or standard setters is not going to advance open banking. Banks can choose their own service providers to enable open banking, but we will be watching out to make sure that such service providers are not used to an anticompetitive effect. 

Secondary Use

Perhaps the biggest area of policy coordination happening right now in D.C. around open banking is the work being done to convince the CFPB to change its stance on the secondary use of data.

If you’re not familiar with this particular corner of 1033, allow me to catch you up real quick. Here’s an excerpt from one of my prior essays on open banking:

The CFPB’s proposed rule includes a blanket prohibition on third parties processing covered data for secondary purposes – i.e., any collection or use beyond what it is “reasonably necessary” to deliver the product or service requested by the consumer. This includes selling the data to other parties (an obvious no-no), marketing or cross-selling additional products, and R&D for future product development. This prohibition would apply even if the data was de-identified.

Banks, which are deeply annoyed by the notion of building infrastructure for their competitors to freely use, pushed very hard in their comments to maintain or even strengthen these prohibitions on secondary use.

Fintech companies pushed back in their comments, arguing that most data privacy laws (including the Gramm-Leach-Bliley Act, which banks are subject to) do not go nearly as far as the CFPB’s proposed prohibition on secondary use but rather rely on disclosures and consumer opt-in/opt-out mechanisms to govern secondary use. They also strongly disagreed with banks on de-identified data, arguing that, by its very nature, de-identified data presents no risks to consumers and should be permitted for secondary uses like product development. 

Put simply, fintech companies (particularly aggregators) want more expansive options for secondary use, while banks are keen to restrict it.

Director Chopra was asked about secondary use specifically in the Q&A, and here’s what he said: 

We’re gonna try our best to be bright line. Everyone will always say there’s some gray area. That’s what adults end up doing when they determine which side of the line they want to be on and which risks they want to take. 

“That’s what adults end up doing”.

That’s regulator speak for fuck around and find out. Not exactly a ringing endorsement of expansive secondary use.

What data is next?

The CFPB’s proposed rule covers Regulation E accounts (deposit accounts), Regulation Z accounts (credit cards), and products or services that facilitate payments from a Regulation E account or a Regulation Z credit card (digital wallets).

When asked about what other types of data the bureau might look at in the future, Director Chopra focused on two specific areas:

I’m already thinking about the next set of data. … A big one relates to retail securities. We’re thinking about that in terms of how might someone get insight into the securities that they hold through their defined contribution plans and retail investing. I think that’s very valuable information. 

There’s great interest in knowing more details about people’s mortgages, auto loans, and other loans. A lot of that data will, of course, be able to be captured through their transaction accounts, but some additional data, like what rate they’re paying and how quickly they’re repaying their loans, will also be needed.

Loans make sense to me and would be my personal top choice for the next data set that needs to be covered. Retail securities (i.e. stocks, bonds, and other investment assets) was a bit of a surprise.

Open Payments

Perhaps the most surprising moment, to me, came at the end of the Q&A, when the Director was asked if there were any final thoughts that he wanted to leave the audience with, and instead of offering up some anodyne statement, Chopra went with something very specific and controversial – payments:

What I want to have everyone continue to think about is how does what we’re doing with this effort sync up with the future of payments? I think payments is going to be a very critical part of the future. I have been a little bit worried that the U.S. is behind on payments. We are obviously behind, but even how we’re thinking about it. Are we just kinda lurching to a world with different types of private currencies? I’m not even talking about anything crypto-related. I’m talking about what are we seeing on gaming platforms and emerging uses of payments there. What we are seeing with Apple requiring people to pay a toll for using Apple Pay at the point of sale. Open payments is going to be something we’re going to have to constantly be thinking about.

Pay-by-bank! The thing that JPMorgan Chase, in its 1033 comment letter, went out of its way to try to convince the CFPB to descope from its proposed rule.

The big banks, which have lucrative credit card franchises to protect, are terrified of the notion of pay-by-bank. Director Chopra appears to understand this very well, as he alluded to in the Q&A when discussing Zelle and its conspicuous inability to support point-of-sale transactions: 

Banks own Zelle through a joint venture. Zelle transactions don’t earn them interchange the way that swiping a card does. That’s going to impede their desire to have Zelle or any other real-time payment solution be there at the point of sale.

The CFPB vs. Prudential Regulators

Here’s a question that I’ve become fascinated by: Will the CFPB and the federal prudential bank regulators (the Fed, OCC, and FDIC) figure out how to work together?

The CFPB, which has only existed for about a dozen years, has a very different mandate (protect consumers and encourage competition) than the federal prudential bank regulators (ensure safety and soundness), and often, those mandates can conflict.

Open banking is a great example. Here’s a quote from Director Chopra on the impact of open banking on deposit flows and liquidity management:

We’re already thinking about the next set of issues that are going to arise. I’ll give you one example. If we are successful at creating a more vibrant open banking ecosystem you will potentially see way more account switching. There will, of course, be some real questions then about the speed of deposit flow, which will ultimately lead to thinking about the liquidity requirements that will need to be updated for insured banks in America … One can envision that there will be lots of different ways in which assumptions around retention of customers are going to change in a way that I think is totally good. 

And here’s a similar quote from the Acting Comptroller of the OCC, Michael Hsu, as reported by my fellow bank nerd Kiah Haslett: 

The initial promise of open banking is account portability. That’s probably better, all things being equal, for consumers. Banks have to work for the deposit. As long as they do that in a manner that’s safe, sound and fair: Great. I think that’s going to be a process, one that we’re going to watch carefully. And I think banks are probably thinking about that already.

The contrasting language is fascinating. Director Chopra thinks these changes will be “totally good,” while Acting Comptroller Hsu thinks they’re “probably better, all things being equal.”

Doesn’t sound like they’re on exactly the same page! Though according to Chopra, they’re working on it:  

We’re having lots of discussions with the Fed, the OCC, with bank regulators about how does this all work together. 

The CFPB is concerned about market concentration in AI.

This last one doesn’t have anything to do with open banking (at least not directly), but I wanted to mention it because Director Chopra went out of his way to mention it – the CFPB is deeply concerned about the growing market concentration of firms like OpenAI, Google, and Microsoft in generative AI: 

We have a lot of fears at the CFPB about the foundational AI models tipping towards three or four players and the extent to which they are vertically integrating into financial services in a way that will impede capital formation to invest in new ventures. 

We also worry about the extent to which there will be some layer of the system that then has so much control and the extent to which they start moving upstream or downstream. We see it in lots of parts of the economy. In any network-based or platform-based business.      

That is, I think, one of the clearest articulations of how Director Chopra views the market overall — as a series of layers that should never be dominated by a small number of companies.