The CFPB Formally Proposes 1033 Open Banking Rule

The U.S. Consumer Financial Protection Bureau (CFPB) took a step in the direction of formalizing open banking regulation today. The agency proposed a rule that would shift the financial services industry toward open banking, giving consumers control over their financial data.

The rule proposed today marks the CFPB’s first proposal to implement Section 1033 of the Consumer Financial Protection Act. Under Section 1033, the CFPB is charged with implementing personal financial data sharing standards and protections.

For the 100 million consumers who have already authorized a third party to access their account data, this is welcome news. The rule would require banks to share consumer data (with the consumer’s permission, of course) with third parties in order to promote competition. It would also bar companies from misusing or wrongfully monetizing consumers’ personal financial data.

“With the right consumer protections in place, a shift toward open and decentralized banking can supercharge competition, improve financial products and services, and discourage junk fees,” said CFPB Director Rohit Chopra. “Today, we are proposing a rule to give consumers the power to walk away from bad service and choose the financial institutions that offer the best products and prices.”

The rule would also benefit the financial services industry as a whole by setting out how consumer data sharing is expected to work. Rather than dictating every technical detail itself, the proposal would recognize industry standard-setting bodies, with safeguards to ensure the standards they produce are fair, open, and inclusive.

“Today, we’re celebrating a moment that our members – and millions of consumers across the country – have been waiting for: the CFPB’s release of its proposed rule creating a legally binding consumer financial data right,” said Financial Data and Technology Association Executive Director Steve Boms. “We strongly support the proposed rule, which will put consumers in full control of their financial data and empower them to choose the financial provider best suited to meet their unique needs. The proposed rule will create more competition and choice in the financial services marketplace, ultimately leading to better consumer outcomes.”

Not everyone in the industry sees the Section 1033 rulemaking proposal in a positive light, however. A handful of large incumbent institutions have long been of the opinion that their consumers’ financial data belongs to them and should not be shared with third parties. They regard giving third parties access to that data as handing an advantage to competitors.

The move comes two years after the CFPB first touched on the topic of open banking by issuing an advance notice of proposed rulemaking to create formal regulation around open banking in the U.S. And while it is exciting to see the CFPB move in the direction of open banking, formalizing rules around the topic quickly becomes technical and complicated, given the range in size of the players involved. The agency is currently accepting comments on its proposal until December 29, 2023.

The CA Consumer Privacy Act Went into Effect While You Were on Vacation

If you’re unfamiliar with the California Consumer Privacy Act (CCPA), you might want to stop catching up on email you missed over the holiday and focus on this new regulation. Here are a few highlights of California’s new law, which went into effect yesterday.

CCPA grants California residents new rights when it comes to their data and privacy. Essentially, this group of consumers is now entitled to know what data businesses collect about them, where that data was obtained, how the business plans to use it, who it has been shared with, and whether it will be sold.

Here are some take-aways of what fintechs need to know now that the new rule has taken hold:

What’s required of you

Essentially, California consumers have the right to receive a report of the personal information a business has collected on them over the preceding 12 months, the right to have that data deleted, and the right to opt out of the sale of their data to third parties.

All of this means that in addition to tracking consumer data, businesses are also responsible for reporting where the data came from and where it’s going.

CCPA may not apply to you

The state of California has almost 40 million residents, and if you’re conducting business in the U.S., you likely have clients there. And even if you don’t, CCPA grants the new privacy rights to all California residents as defined for income tax purposes, even if they are not currently living in the Golden State. In contrast, those living in California but paying income tax in another state are not covered by CCPA.

That said, there’s still a chance CCPA won’t apply to you. A business falls under the law if it meets any one of three thresholds: gross annual revenues above $25 million, buying, selling or sharing the personal information of 50,000 or more consumers, households or devices, or deriving 50% or more of its annual revenue from selling consumers’ personal information. Only a business that stays below all three is exempt.

Heads up: you could be sued

Data breaches are generally always costly, and CCPA will add to the expense. If a consumer notifies a business that a failure to maintain reasonable security has exposed their personal information and the business doesn’t cure the violation within 30 days, the consumer has a right to sue for statutory damages of $100 to $750 per consumer per incident (or actual damages, if greater), injunctive or declaratory relief, or another remedy deemed suitable by the court.

On top of that, if a business experiences a data breach, sells consumer data without permission, or retains data after the consumer requested it to be deleted, the Attorney General can seek civil penalties of up to $2,500 per violation, rising to $7,500 for each intentional violation.

CCPA may go federal

As you plan out methodologies to document data collection, usage, and distribution, don’t limit your systems to Californians. The privacy act may eventually be matched or superseded at the federal level, so design your data-handling procedures around all of your U.S. clients.

Just because you’re GDPR compliant doesn’t mean you comply with CCPA

The European Union’s General Data Protection Regulation (GDPR) went into effect in May of 2018. But just because you’ve mastered your compliance strategy for GDPR doesn’t mean you can rest easy when it comes to CCPA.

On the contrary, there are a handful of differences between the two, as outlined by Pillsbury Law:

  • The coverage group
  • The privacy policy disclosures
  • The breadth of disclosure rights
  • The data disclosures and deadlines
  • The right to opt-out
  • The explicit protection against discrimination

For a more in-depth look into the differences, I highly recommend taking a look at Pillsbury Law’s piece.

Identity verification may be an issue

A user may request access to all of his data, but how do you ensure the requester is indeed who he says he is, and not a criminal using the access request to harvest someone else’s personal information? Furthermore, how do you ensure he is a California resident?

According to IDology COO Christina Luttrell, “If GDPR is an indicator of how CCPA will unfold, then businesses need to consider how criminals can and will exploit subject access requests.”

Luttrell went on to explain, “The organizations that will be well positioned to complete CCPA-related requests are the ones that understand the facets of CCPA identity verification (IDV) and adopt IDV systems that scale and automate, are secure and easily integrated, and have multiple IDV methods that will satisfy consumer needs.”

You may be late but you’re not too late

In the event a business violates the CCPA, it has additional time before fines and enforcement take hold thanks to the 30-day period to cure noncompliance.

If a business can fix a problem with its privacy compliance and follows the procedures set forth in the law to do so, then it has not violated the law and will not be subject to a lawsuit for the failure to comply.

Join the Next Wave of RegTech Innovators

Call for Demos at RegTech Rising, 1 & 2 November 2017, London.

RegTech Rising is the first large-scale event in Europe dedicated to RegTech. We’re bringing together the entire ecosystem – regulators, financial institutions, RegTech providers and industry advisers – to debate how to collaborate in order to accelerate innovation and capture the RegTech opportunity.

The financial crisis of 2008 resulted in a tranche of new regulations for the financial services sector, and these reforms dramatically increased the cost and complexity of compliance, supervisory and reporting requirements. Many financial services providers run legacy systems that are simply not capable of delivering the breadth of functionality needed to take the pain out of regulatory compliance. RegTech could be a real breakthrough, but there are real challenges in bringing new technology into an institution and integrating it with those legacy systems.

RegTech Rising will address all these issues and more.

On 31 October our New Tech For RegTech Lab will examine the new technologies which are driving change and explore applications of artificial intelligence; machine learning; open APIs and distributed ledger technology for regulatory compliance.

On 1 & 2 November the RegTech Rising Conference will explore key strategic issues as well as offering deep-dive sessions into specific regulatory areas. Hear from regulators spearheading the RegTech initiative, those leading the charge for change within financial institutions, and the providers who are creating the innovative solutions.

Visit to see the latest agenda and the speaker list.

If you wish to demo your RegTech solution to Heads of Innovation; Heads of Digital Innovations; Heads of Regulatory Change; Chief Compliance Officers; Chief Technology Officers; Chief Risk Officers; Chief Operating Officers, please contact

Rise of the Robots; Rise of RegTech

by Husayn Kassai, CEO and Co-Founder of Onfido Background Checks. First published on FinTech Futures.

Robo advisers are democratizing access to financial services by offering expert financial advice, and with it RegTech is growing. We have seen this trend start in the US, and spread to the rest of the world. With Wealthfront and Betterment already household names and companies like Scalable Capital launching in both the UK and Germany, the market for robo advice is growing, and growing fast.

In its simplest form, the technology involves replacing traditional, face-to-face savings and investment advice with automated, online guidance. Its capabilities extend much further than simply offering advice, however; driven by complex sets of algorithms, robo advisers can also execute instructions and even invest money on your behalf.

The advantages of the technology are many, not least its democratization of access to investment and subsequent opening up of wealth management to the masses.

As the market grows, the need for remote, robust identity verification – ensuring a person is who they claim to be – will be paramount. As access to investment advice becomes more widely available, with many more users looking to sign up in a frictionless way from the comfort of their own home, the challenge of identity verification and the risks that come with it increase, because more bad actors will try to enter the system. It is the reduction of this risk that RegTech like Onfido’s offers.

Unfortunately, there’s often a tension between necessary compliance and fraud measures and a seamless, easy on-boarding process. It’s a difficult issue to resolve: while rigorous KYC and AML processes might put off honest applicants, making the user experience easier could make it easier for fraudsters to cheat the system. At Onfido, we’re evolving with the needs of the FinTech community to increase conversion and reduce fraud at the same time. With our SDK, it’s as easy as holding your ID document up to your smartphone or computer and taking a selfie. You can do it in seconds, from the comfort of your own home, avoiding the long, complicated and fallible process of going into a branch or even sending documents by mail.

Robo advice is growing to rapid prominence, and the recent acquisitions of robo advice platforms FutureAdvisor and AnlageFinger by global banking giants BlackRock and Deutsche Bank respectively show how seriously the new tech is being taken.

There’s still a long way to go, however. RegTech like Onfido’s has gone from improving financial services to opening FinTech to thin-file consumers. The next phase will be to push financial inclusion even further and tackle the world’s 2 billion currently unbanked individuals. The technology to enable this already exists; companies like PayJoy, for instance, can safely and seamlessly on-board users within seconds and at a fraction of the considerable time and cost it would previously have taken.

Beyond that, penetration into other verticals is inevitable. A handful of companies in the UK and the US are already taking aim at the mortgage market, and many more look set to follow suit. The Robo market is undoubtedly on the rise, and Regtech is coming with it.

RegTech: providing a step up the financial services pyramid

by Lisa Moyle, Brand Strategy Director, Fintech Futures. First published on FinTech Futures.

There was an interesting discussion at the recent Finance Disrupted event in London, organised by The Economist, that highlighted the opportunity for regtech to support financial inclusion.

Jo Hill, director of market intelligence, data and analysis/strategy and competition (whew…) at the Financial Conduct Authority (FCA), noted the potential for regtech to make day-to-day banking operations more efficient and effective, ultimately resulting in better experiences for consumers and enabling access to financial services more broadly.

Following an overview of the ways in which Tinkoff Bank and Kreditech were both opening up access and offering improved products and services across Russia and a range of developing markets, a key question was raised with regard to the ideal role of the regulator. Is innovation best supported by a helpful regulator, or is the most helpful move they can make simply to stay out of the way? Hill noted the convening power of the regulator and the ways in which the FCA TechSprints, for example, enabled cross-organisational teams to come together and create innovative ideas and ways of working.

The link between regtech and financial inclusion may not be as clear as providing a payments app where nothing existed previously. The barriers that regulatory compliance and risk management can throw up when trying to serve the non-textbook consumer can result in financial institutions simply deeming some customer segments too costly or risky to serve.

Regtech, by driving down the cost of regulatory compliance (estimated at $270 billion a year and around 10% of operating costs) and by creating stronger and more robust systems for identifying certain risks, can make more customers economically feasible to serve, and to serve well.

As Bank of England Governor Mark Carney noted in his recent speech at the Deutsche Bundesbank G20 conference on digitising finance, financial inclusion and financial literacy, “the twin imperatives of greater inclusion and more competition point to the value of digital identities. Billions of people are still under- or unbanked across advanced and emerging economies”.

Regtech can underpin solutions not simply by creating innovative products but also by enabling financial services institutions to serve more customers without fear of falling foul of existing regulatory frameworks.

CFPB Sets Sights on Data-Security Practices

Guest post by Erica A.N. Kramer and Justin B. Hosie*

It’s hard to imagine that the Consumer Financial Protection Bureau (CFPB), which is not tasked with enforcing information-safeguarding requirements (Congress left that with the FTC), would impose civil fines on a company for its safeguarding representations when the company in question never had a data breach.

It’s even harder to imagine such an action when the very same agency announced a policy to encourage consumer-friendly financial innovation just a few weeks before imposing the fines. However, we now live in an age when the CFPB seeks to encourage financial innovation one day and stifles it the next, even when no consumer harm appears to exist.

What happened
Earlier this month, the CFPB announced a consent order in its “first data-security action.” The announcement sends a clear message that the CFPB now has its sights on data-security practices. This enforcement action clearly shows that the CFPB is once again stretching its authority by simply labeling a representation as deceptive and blurring the lines between federal agencies’ jurisdictions. Consequently, we’re likely to see a significant increase of regulatory scrutiny in the data-security arena in the upcoming months.

The action targeted Dwolla, a Finovate alum operating a digital payment network that allows members to send and receive money. It has more than 650,000 members and transfers as much as $5 million per day. The CFPB alleged that Dwolla misrepresented its data-security practices by describing its network as “safe” and “secure” and its data-security practices as exceeding industry standards. While there appears to have been no consumer harm whatsoever, according to the CFPB’s unilateral assertions Dwolla’s data-security practices did not live up to its claims, and the representations therefore constituted deceptive acts and practices. As a result, the CFPB imposed restrictions on Dwolla’s future conduct and ordered Dwolla to pay $100,000 into the CFPB Civil Penalty Fund.

Imposing civil penalties on innovative companies like Dwolla seems particularly heavy-handed when you consider the lack of evidence of consumer harm. Despite the extremely high volume of money and personal information moving through its network, Dwolla never experienced a data breach or received a consumer complaint regarding its data-security policies.

As Dwolla explained in its blog on March 2, “Dwolla was incorporating new ideas because we wanted to build a safer product, but at the time we may not have chosen the best language and comparisons to describe some of our capabilities.” Dwolla also explained that it is continually learning, growing, and adjusting its data-security practices to ensure members are provided with the security they expect. Unfortunately, the CFPB’s order demonstrates little tolerance for the growing pains and adjustments that often accompany the development of new technologies.

Given the CFPB’s none-too-subtle foreshadowing that more data-security-enforcement actions are on the horizon, we urge Fintech companies to consider several important factors:

  • Understate, don’t exaggerate: The CFPB has little tolerance for puffery when it comes to data security. Make sure your claims match your practices.
  • Act, don’t react: Address potential data-security vulnerabilities as soon as they come to your attention. Don’t wait for a problem to arise.
  • Evolve your practices and your claims: Make sure that your data-security practices are growing and changing in lockstep with your product’s development.
  • Follow the rules: Make compliance your top priority. Institute and follow a robust compliance management system that includes regular oversight and input by your company’s management and board.

Since there’s no way to avoid regulatory scrutiny, make sure your data-security practices are above reproach before the CFPB sets its sights on your company.


*Justin B. Hosie is a partner at Hudson Cook LLP, licensed to practice law in Florida and Tennessee. Erica A.N. Kramer is an associate at Hudson Cook LLP, licensed to practice law in Florida. You can contact Justin for more information at 423-490-7560 or