The Honorable Rohit Chopra
Director
Consumer Financial Protection Bureau
1700 G St NW
Washington, DC 20552
May 16, 2024
Director Chopra,
The OpenID Foundation is a non-profit organization whose mission is to lead the global community in creating open standards that are secure, interoperable and privacy-preserving. As part of that mission, we have worked closely with many ecosystems to advance Open Banking and consumer financial data sharing globally. We hope to be of service to the CFPB as we are to many other government partners.
We are writing to follow up on our letter submitted on December 29, 2023 in response to the CFPB’s NPRM on Personal Financial Data Rights. This letter is written in light of submissions by other commenters and subsequent discussions with parties in the ecosystem.
As detailed in our original letter, the OpenID Foundation believes that the final rule should include reference to a Qualified Industry Standard (QIS) for a Communication Protocol. More specifically, we believe this QIS should be required and separate from the QIS for “data in a standardized format” (“Data Format”) as proposed in §1033.311(b). We appreciate that such a change will have an impact on the definitions in §1033.131 and §1033.141(a). We respect the baseline included in §1033.421(e); however, as security and implementation experts, we believe it would be suitable to address the security and interoperability risks more completely within this ecosystem, as advised in this letter. Since the Gramm–Leach–Bliley Act was passed in 1999, the domain of cloud-based services, the related security risks, and the global standards to address those risks have evolved substantially.
Specifications for a Data Format and a Communication Protocol are both critical to the developer interface required in §1033.301(a), but the two standards serve different purposes. A Data Format standard should prescribe, among other things, naming conventions, standard codes and formatting, data models and schema. A standardized Data Format promotes business interoperability by allowing third parties to aggregate and analyze high-quality data with ease.
In contrast, a standardized Communication Protocol ensures that data is shared in a manner that provides security, and enables privacy and technical interoperability. Technical interoperability is a key element to achieve scale in the development and implementation of an Open Banking ecosystem - in particular to ensure that small or new market entrants wishing to receive data are able to easily participate. As mentioned in our original letter, the OpenID Foundation global community has developed a Communication Protocol that has become a de facto industry standard for API ecosystems in general, and Open Banking / Open Data ecosystems in particular: FAPI - a profile of OAuth 2.0 and OpenID Connect.
The FAPI profile has been selected by multiple leading private and public Open Banking ecosystems. The FAPI profile is a security- and interoperability-enhanced version of OAuth 2.0 which closes critical security gaps that OAuth 2.0 alone does not address. Current global ecosystem adoption of FAPI includes:
| Ecosystem | Selected FAPI | Mandated FAPI | Deployed FAPI |
|---|---|---|---|
| United Kingdom - Open Banking | ◉ | ◉ | ◉ |
| Australian Treasury & Data Standards Body | ◉ | ◉ | ◉ |
| Australian ConnectID | ◉ | ◉ | ◉ |
| Brazilian Open Finance | ◉ | ◉ | ◉ |
| Saudi Arabian Monetary Authority | ◉ | ◉ | ◉ |
| United Arab Emirates Government | ◉ | ◉ | 2024 launch |
| Chilean Ministry of Finance | ◉ | ◉ | |
| Colombian Government | ◉ | Expected 2024 | |
| Norwegian HelseID (Health) | ◉ | | |
| German Verimi | ◉ | ◉ | ◉ |
| Canadian Open Banking | Expected | | |
| US FDX | Recommended | | |
Beyond the 12 countries above and their milestones, we are seeing tangible growth:
- Billions of successful FAPI API calls, with secure, interoperable and consent-based movement of user data or payments
- 2,800 FAPI implementations certified globally (https://openid.net/certification/)
- 44 million active users in Brazil (20% of the population)
- 6.5 million active users in the UK (15% of the UK population)
Given the critical role FAPI is playing in the US and abroad, our hope is that the CFPB will explicitly add a requirement for a Communication Protocol and that the OIDF’s FAPI profile will in due course be selected as a QIS to fulfil the proposed requirement for a Communication Protocol.
Through the rulemaking docket and other discussions, we understand that the Financial Data Exchange (FDX) intends to apply to be a standard setting body (SSB) under proposed §1033.141, and that it would meet the requirements for the Data Format. Were FDX to be designated an SSB, it could select the FAPI profile as a QIS for the Communication Protocol to complete its market offering and help offer a scalable and interoperable solution; this would be the preferred outcome for the OIDF. Alternatively, if FDX were to choose not to specify a Communication Protocol that delivers interoperability and security to the level required for a financial services ecosystem, the OIDF would consider applying to be an SSB so that the FAPI profile could be used as a QIS for the Communication Protocol, enabling US ecosystems to conform to this critical requirement.
We would also like to make very clear the nature of the risks that arise should the CFPB not modify the requirements to explicitly require a Communication Protocol. These risks are broken down into four categories.
US Ecosystem Interoperability Risks:
- There will be a diverse set of Communication Protocol variants delivered by data providers, as no consistent standard is required. As a result, authorized third parties will face significantly greater complexity when integrating with the developer interfaces delivered by in-scope data providers. This increases the cost burden on authorized third parties, and they will be unlikely to implement to all available interfaces.
- This increased cost burden is likely to reduce the likelihood of organisations choosing to become authorized third parties at all, reducing competition and choice for consumers.
- If authorized third parties cannot easily implement to all data providers, they will build first to the interfaces of the largest data holders. This means consumers with smaller data holders will have reduced choice and fewer services from authorized third parties.
- The overall result is that the US would end up with one of the worst and most inconsistent user experiences amongst all the global Open Banking and Open Data deployments to date.
Time to Market Risks:
- While it is clear that the CFPB is extremely keen to have an Open Banking ecosystem established in the US market, there is a difference between banks having delivered compliant developer interfaces and authorized third parties and consumers actually adopting Open Banking. If there is not a defined Communication Protocol, market adoption will be slow. A Communication Protocol makes it easier for authorized third parties to deploy by reducing the cost and complexity of developing and delivering new product offerings for consumers, and in turn shortens their time to market to deploy and scale. This enhances the ability of the ecosystem to offer fair access to financial services and treat customers fairly.
- While adding a Communication Protocol requirement to the rule may seem to make it harder for data providers to deliver compliance on a timely basis, it actually makes it easier because it reduces the optionality available to implementers. In addition, FAPI conformance tests are freely available for implementers to use, software is deployed at scale in other markets, and many service organisations have deployment experience. By leveraging these capabilities, Saudi Arabia deployed FAPI across its ecosystem in less than 12 months, and the UAE is likely to launch later this year, also in less than 12 months.
US Ecosystem Security Risks:
- It is very likely that many US data providers will take the lowest-cost approach to compliance with the regulation (as has been seen in other contexts), contributing to undesirable diversity in US implementations.
- These implementations are unlikely to have all been subject to the thorough security assessment and real-world “battle testing” that a standardized Communication Protocol like the FAPI security profile has had. This means implementations will not be consistently secure by default.
- Implementations that have not deployed and certified to the highest security profiles are at risk of being the “weakest links” amongst not just US but global Open Banking and Open Data deployments. That will make the US, and these specific implementations, attractive to sophisticated attackers, putting US consumers at higher risk.
- These concerns introduce safety and soundness concerns for Open Banking participants and consumers.
International Interoperability Risks:
- The diversity of implementations will set back the US market in its ability to interoperate with other Open Banking implementations around the world. The majority of global ecosystems to date have selected FAPI, explicitly naming it in their regulations and requiring certification to FAPI.
- If the US does not choose a Communication Protocol that facilitates global interoperability by default, only the largest entities will have the compliance and technology resources to conduct cross-border Open Banking transactions. Small and medium-sized data holders and third-party service providers will not have the resources to enable global interoperability at all, or they will be forced to pay premiums to intermediaries that facilitate cross-border services. Ultimately this impedes the ability to provide fair access to financial services and treat customers fairly in the global marketplace.
Presuming that the mission of the CFPB is to protect the interests of American consumers, we strongly encourage the CFPB to reconsider the details and conformance criteria related to QIS, and to consult with NIST on the benefits of defining a Communication Protocol as we advise. We also encourage the CFPB to move with speed so that the first data holders (those obliged to be compliant in spring 2025) must update their systems to global standards for a Communication Protocol, like FAPI. If the changes are not put into effect now, it will become materially more difficult to course correct later.
We also understand from your comments at the recent FDX conference that you are concerned about the governance model of standards bodies and certification providers. The OIDF believes our governance model will meet the CFPB requirements, and if necessary, we would work in good faith to close any gaps.
We understand that this letter will be submitted into the public docket for further consideration and would welcome meeting with you or your staff to discuss our recommendation in further detail.
Signed
Gail Hodges
Executive Director
OpenID Foundation
On behalf of the Board of the OpenID Foundation
CC: NIST - Director Laurie E. Locascio (laurie.locascio@nist.gov)