Orrick RegFi Podcast | Implementing the 1033 Rule: SSOs, APIs and Data Security

RegFi Episode 55: Implementing the 1033 Rule: SSOs, APIs and Data Security

Jane Barratt, Financial Data Exchange (FDX) co-board chair, joins RegFi co-hosts Jerry Buckley and Sasha Leonhardt to share the role FDX will play as the first standard setting organization (SSO) approved by the CFPB pursuant to the 1033 Rule. The conversation explores the benefits of token-based APIs over screen scraping, the interdependence between digital identity, fraud prevention and data security, and the promise that secure data sharing holds for consumers and financial services providers alike.


    Jerry Buckley:  Hello, this is Jerry Buckley, and I am here with RegFi co-host Sasha Leonhardt. We’re joined today by Jane Barratt, Chief Advocacy Officer at MX, an industry leader in open finance. Last October, Jane was selected to serve as the co-board chair of the Financial Data Exchange, or FDX. So welcome and thanks for joining us, Jane.
    Jane Barratt:  Thank you, Jerry. It’s great to be here.
    Jerry:  Let’s set the table for our listeners. Could you explain in your own words what open banking is and the role that companies like MX play in this process? And if you could, spend a little bit of time talking about screen scraping and what it is and why players in the open banking space have developed different ways for consumers to share access to their financial data.
    Jane:  Great, so very happy to do this. So, if you think of open banking as consumer permission data sharing, right? In other markets, it goes by different names. It’s not called open banking. Like in Canada, it’s called consumer-driven banking. In Australia, it is a consumer data right, which actually transcends just banking and into other industries as well. But while they’re all slightly different in approaches, thinking of open banking as like both the technical and regulatory framework that enables that consumer permission data sharing.

    So, it’s obviously more than that on a technical level. So, it is open banking, think of it as like structured and secure consumer-permissioned sharing of data via open banking APIs. And we will get back to that. And that data sharing happens between financial services providers. I think there was a misnomer that it was taking data from a bank or a covered institution and giving it to a fintech. Open banking is much broader than that. I think the biggest use case of it is actually bank-to-bank data sharing. There is a lot of fintech-to-fintech data sharing and then obviously a lot of fintech-back-to-bank data sharing. So, it’s not a one-directional thing.

    This is something that’s been around for a long time. It is not a new concept in terms of consumer-permissioned data sharing. Like how old was Mint? 20 years ago? Maybe more? Mint.com was built, as were many early fintechs, upon infrastructure that was based on screen scraping. And so, if you think of screen scraping, it is when you will have machines read what you’re seeing. So, if you log into your bank or your payment account with your username and password, when screen scraping happens, basically a company can pull what is on your screen and then make it readable to someone else. So, that was how, again, early budgeting apps were stood up through screen scraping.

    And there’s a number of problems with screen scraping. I think the industry has worked really well together to move away from it. But basically, it’s a pretty crappy experience, right? Connections break all of the time. Like if a website gets redesigned, that screen scrape connection may no longer work. One of the biggest security factors was that people would need to share their username and password to enable this access, which is obviously not a great privacy or security practice. And there really wasn’t visibility in terms of where that data would go with screen scraping.

    So, companies like MX, we have been working hard with the whole industry to make sure that as an intermediary, we are using the latest and greatest technology to again, move away from screen scraping and make sure that when people do securely share their data, it is being done again through these open banking APIs.

    And just to give some context for the size of this, when you look at other regimes, again, I can speak parochially as an Australian, but if you’ve got five big banks or like nine in the UK or a handful in Canada, it’s nowhere near as complex as the U.S., which has thousands of covered institutions and thousands of fintechs. And so, the role of MX, beyond what we will do in terms of providing software solutions, we do data enhancement, like that really is — neither of those things work without good connectivity to data. So, that’s why we have invested so much into the space is to make sure that this many-to-many ecosystem can thrive in the U.S. in a safe and secure way.

    And I think the last thought around this sort of these direct connections in the many-to-many world, you think of credentials when people were sharing their username and password, they’re being replaced with tokens. And I think tokens will be one of those things, just from a data literacy perspective, that will become more commonplace and people understanding what that actually means. But the APIs working with token-based access will enable, again, better security, much faster and more consistent connections, and just better end-to-end completion rates.
    Jerry:  How does a token work, Jane?
    Jane:  So, if you just think of it as literally — almost like an old-school cookie, but instead of the cookie being shared — stored on your computer and tracking you, it is being shared from one to another.

    And a way that I like to explain it is in the old days of screen scraping, you would see everything. Is Jerry Jerry and does he live at this address? And you would get all of that. Here’s your social, here’s your address, here’s your bank balance. If you were applying for a loan using a token, it wouldn’t say here’s all of the stuff necessarily. It will just say, yes, Jerry is who he says he is, and yes, he qualifies for this loan.

    So, you can minimize the amount of data that is being shared. So, data minimization is one of the core concepts of these open banking APIs. Just to make sure, again, and there’s still a lot of innovation that can happen in the token space, but that’s kind of a good way to think about it is it’s more of a signaling of data versus a passing everything over.
    Jerry:  And if I could just ask one other question. Looking at MX, and I know this program is not about MX, but you are at MX. What is the volume of business that a company like MX does?
    Jane:  I mean, we work with a couple of thousand institutions, and we build their — many of their connectivity in terms of if someone’s opening an account, right? If they’re applying for a loan, we do an enormous volume of business, even in just account verification. Going back to the token, is Jerry who he says he is? Yes. Now you don’t need to do a micro deposit to make sure that you’re good for whatever payment you’re going to make.

    Probably a third — if you were to think of just how our business is split, probably a third of our business is still in data enhancement. So, once that data is shared across the ecosystem, it is still just machine readable, right? I don’t know who you bank with, Jerry, but sometimes when you see your transactions on your statement, you’re like, what even is that? SBX175-43.
    Jerry:  Yeah.
    Jane:  What we do is we turn that into “Starbucks” and we put the Starbucks logo and we put the address where you went or the URL if you’re born online. So that sort of data enrichment, data enhancement, is a very big part of our business.

    And then we have software solutions that are built on both connectivity and data enhancement, including white label mobile apps. So, we are a mobile banking provider. We have like digital money management tools and a lot of insights as well. So, using that data to give you personalized insight within your tools. So, we do a pretty vast volume of business across those three segments.
    Jerry:  Thank you, Jane. That’s very helpful. Sasha?
    Sasha Leonhardt:  Jane, welcome. We’ve been talking about having you on for quite a while now, and it’s such a timely episode. And I want to shift briefly from MX to FDX, your position there as well. It’s notable that we’re recording this in the middle of January, and last week the CFPB designated FDX as the first standard-setting body to craft data-sharing conventions under the 1033 Rule.
    We’ve talked about the 1033 Rule several times here, but for those who aren’t frequent listeners, it requires financial institutions to provide consumers with information related to their accounts and also allows consumers to direct that information to be shared with third parties.

    Now, with the 1033 standard sharing designation for FDX, could you share your insights on what you believe should be the agenda for the organization over the next year? What are some of the goals and outcomes that you and FDX will be striving for?
    Jane:  Thank you, Sasha. I mean, it’s a great summary, but if I can give just a little more context for sort of the core goals and how they are going to relate to FDX.

    So, obviously at the core of 1033 is this idea that consumers should be able to enable the secure sharing of their data. We should move away from screen scraping. How do you improve consumer choice and competition? What is the reasonably necessary secondary data use? Which we could have a whole separate podcast on that. But one thing that the CFPB called out was the implementation of an industry standard around data interoperability, and that’s where FDX comes in. We applied for formal recognition in the fall and were recognized, as you say, Sasha, last week for that.

    So, one thing that the — well, many things that the CFPB recognition will help with is just to make sure that our members, it is much clearer around what 1033 obligations are. And I’m not going to overtly correct you, but you did say financial institutions have to. It’s actually financial providers, right? So, large fintechs actually come under this first tranche of compliance that’s coming up. So, it isn’t just a financial institution obligation. The obligations go through the whole ecosystem.

    And I think that’s been one of the core pushes recently is just to make sure that it’s not seen as a bank problem. Yet another compliance framework for banks to deal with. Obviously, at MX, we’re going to have obligations. And for third parties, there’s obligations in terms of how consent is gathered, record retention requirements and things like that.

    So, the key thing to understand is FDX has been around for a while now, like seven plus years. And actually, no, I’m sorry, 10 years we’re coming on. It’s like seven years before I joined the board. And the way that the standard has evolved — like there is a standard. It’s been in market for many years. It is much broader than what the covered data within 1033 says, right? The covered data is Reg E, Reg Z, so just sort of core retail. But what is in the current FDX standard is many other lending products and mortgages, there’s investment products, there’s rewards points, there’s a lot of things that people want to access and share that isn’t necessarily in this first tranche of 1033.

    So, we intend to continue to evolve to make sure that the industry is being served. But in the short term, issuing a consensus standard that now it’s clear what — we have a final rule. We know what data is actually required. So, issuing a consensus standard for compliance to the standard, but also just around data format as it’s described in the rule, because it’s one thing that we’ve observed as MX. As we have coded up to different APIs as they become available, they’re all slightly different, and sometimes they’re wildly different. So, it is incredibly expensive for us to invest in an API-by-API approach. We need to get engineering resources, we need to adjust our systems, we need to make sure data can flow.

    So, having a more consistent, but data format consensus standard, is incredibly important, again, for the healthy flow of data around the ecosystem.
    Sasha:  That’s incredibly helpful, and I appreciate your correction. You’re exactly right. It’s broader than just traditional financial institutions under the GLB and bank holding company.

    So, I appreciate that clarification. With over 200 members, FDX is certainly a formidable organization. But I assume that you’ll also be seeking the views of nonmembers as to how data can be shared securely and fairly. From a pure procedural standpoint, will you be considering the views of data scientists, smaller financial institutions, financial providers, and members of the public? And how’s that going to work in practice?
    Jane:  So, a lot of the output of FDX is public, right? For people who want to dig into how the standard works, what some of our core, like the core principles are, our different working groups, what they’re working on, focus. But one of the things that has been very, just from purely — and again, you’re, I’m guessing, all attorneys, there are intellectual property challenges in terms of making the spec itself public.

    So, anyone who wants to participate in the actual standard-setting process, including whether that’s joining meetings or proposing changes to the FDX standard, they do need to become FDX members. We have a fairly flexible fee schedule, and we’re looking to evolve that again now that things have been finalized. But we do encourage anyone who isn’t a member to consider joining to be able to share perspectives in a more fulsome way and just making sure that we’re defining standards that support the industry as a whole.

    I think one of the key changes that’s been made recently — and this was evidenced in our SSO application that we put it in the fall — is shining a light on the established and new councils that we’re standing up that incorporate more diverse feedback. And so, whether it’s a noncommercial council, whether it’s smaller institutions councils, smaller third-party councils, just making sure that, and again, I was previously a fintech founder. I was involved in industry groups. It’s really challenging as a small team to be able to show up and participate in a fulsome way when you’re also running a company and serving customers and trying to get things done.

    So, the industry has evolved from larger institutions. We do have some very active nonprofit, noncommercial members who do get involved, but we do want to see more of those. And so, standing up these councils is a way to make sure there’s both board representation, as well as more active participation within key working groups.

    So, I think for anyone listening, and this does include — we have actually had a number of law firms looking to participate more. I think it is a great place to start is just by joining as a member.
    Jerry:  That’s great. Jane, I imagine that 200 will be a much larger number in the not-too-distant future.

    In our last podcast episode, we engaged in kind of a thought experiment. Our premise was that the current nearly 50-year-old consumer protection laws, originally paper-based, may be out-of-date. We tried to imagine how AI-enabled financial agents might be able to access all of the consumer’s financial records per 1033, query the consumer as to what financial product she or he was looking for, search all available options, not just those that are advertised, recommend a provider, answer any questions, and handle the transaction for the consumer in an efficient way.

    Kind of like having a financial butler. Rich people have people that do this for them. Can we make that available to everybody? The human agent might be a banker and could serve as an intermediary between the consumer and the AI-powered agent and be able to answer questions or provide support and envision community banks providing a service like that.

    It seems this model would be more efficient and more painless than our current model where consumers are presented with a dense and hard-to-understand federally mandated disclosures and then told to shop for themselves. And that said, it would seem that the new regulatory model would be required to charter or license providers of AI-enabled financial advisors, establish their duty of loyalty and care to their customers, and supervise and monitor the offerings of such services to avoid abuses such as hidden referral arrangements or inappropriate sharing of personal data. Underlying such a new paradigm for consumer empowerment would of course be AI-enabled agents’ access to the consumer’s financial data, which is where FDX comes in.

    Secure access to data is one thing, but looking down the road, I’d be interested in your observations on our thought experiment. How long do you think it will be before technology-empowered consumers will be able to act in the way I’ve described? Or are they already able to?
    Jane:  I’ll start with a personal story. I mentioned I started a company, it was a digital advisory company. So, we had to do SEC registration, like FINRA’s Series 65 exams for me personally to become a registered investment advisor. When I think of how much we had to invest even 10 plus years ago to ensure that just basic algorithmic advice was compliant under relevant statutes and fiduciary standard, right, we have got infinitely more complex since then in terms of sort of AI-enabled advice. So, from an MX perspective, we’re seeing just the enormous value that this better use of data can have on outcomes — outcomes for people and outcomes for the companies that are serving them.

    And when you think of things like nontraditional data sources being used in new ways, like rental receipts being used for credit underwriting or mortgage application. There is — we’re still in this, I would say, earlier stage of being able to provide — agentic advice is still multiple steps down the road, but we’re in the early steps, the early years of getting there.

    I think one of our predictions, an MX prediction for 2025, was that financial providers need to prioritize their data strategy, right? If you don’t have a data strategy in place and know where you’re getting your data from — is it clean, is it accurate, or is it up-to-date — then you can’t really apply that data with software solutions, like even basic software solutions, like credit applications or budgeting apps. And then kind of AI applications sit on top of those two, right?

    So, we’ve been beating this drum for a long time in terms of investing in a data strategy isn’t just outsourcing storage to a data lake or getting a team of data scientists in. It is about having a data strategy that transcends the whole organization because AI is only as good as the data that powers it. And that is something that is sometimes underappreciated. So that the data that comes into the AI application definitely dictates the data that goes out.

    And basically, too much data can have unintended consequences because there has been this, like, data is the new oil. The more we get, the better. And I spent my first career in the data-driven and digital marketing world, right? And when you see the amount of data exhaust that is thrown off into, say, ad tech providers, right? We should all be looking at that just as much as any financial application because they will know more about you than your spouse sometimes.

    So, having the ability to reduce data exhaust to have — which we’re getting towards now — a better sort of data rights legal framework, and then what are the technology applications on top of that and how do they work with privacy laws? These are all the things that need to be figured out in order to move this industry forward.

    But I do love the thought experiment. I love the idea of having a human between the output and a customer. But again, humans don’t scale. And like you said, rich people will be the beneficiaries of that because the money follows where the money is. And as a former registered investment advisor, this will be massively useful to be able to get insight into someone’s true financial picture, not what they’re just choosing to share with you.

    So, how long was the question? I don’t know. I think what is the cliche that we overestimate the short-term and underestimate the long-term impact? I think this is exactly where AI is now. What I do know — I spend a lot of time at conferences — there’s a lot of AI solutions out there. We are nowhere near close to a silver bullet in terms of like, “Give your data to this AI and they will do things for you.”

    But it is very much a shared vision for the industry. It’s been a big part of self-driving money or bot-to-bot negotiations. Things like that have been very much on the MX roadmap as we think of what we’re building and where it could go.
    Jerry:  Thank you, Jane. That’s very helpful insight from a person who’s closer to it than almost anyone.
    Sasha:  No, agreed. Fascinating. To switch gears slightly to something perhaps a little more mundane and tangible for now, Jerry and I and our colleagues at Orrick both advise numerous financial services clients on data security. And we know that this is a critical area for regulators, consumers in the industry. And not to loop back entirely, but data security is one part of what the Bureau expects with its 1033 Rule. You really can’t have privacy without security. Privacy assumes some level of exclusion. So, if data is not secure, there’s no privacy.

    To that end, can you share a little bit about how FDX and its members think about data security? What do you see as emerging issues in this space, and how do you think the industry and regulators will address this in 2025 and beyond?
    Jane:  So, it’s definitely an evolving landscape here. The primary impact that FDX aims to have is just making access easier for financial services providers, or for consumers first, but also making it easier for the providers to build the APIs that are inherently more secure than credential-based access methods. So, the APIs are a great leap forward from where we were even three, but definitely five years ago, when the vast majority of data being shared was through screen scraping.

    Now, I think there may be some misconceptions that things like screen scraping are easy. This is an enormously complex and expensive world that we’re evolving from. So, there is a lot of shared incentive, not just from financial services providers to make their customers’ data more private and secure, but by the whole ecosystem. It does function better when these APIs are being used.

    So, I think beyond just the elimination of password or credential sharing, there’s elements of what FDX does in terms of having consent working groups. How do you make consent more consistent across the ecosystem, so people actually know what they’re doing? What are they giving when they’re enabling access to different accounts?

    And beyond the — you mentioned the many, many disclosures that people are faced with, I think that is a big area of focus for FDX, just to make sure that disclosures are consistent, they’re in plain English, people understand what they’re actually sharing and for how long. Is this a one-off, like an instant account verification? You share once, right? Whoever you give that data to has no right to reuse that, right? If it’s a budgeting app, you actually do want ongoing access because you want your latest data to be updated in your budgeting app. So, there’s still this idea of control and things like revocation of access.

    We’ve seen in tangential industries, you may or may not know this, but probably within your LinkedIn profiles, you went to an event five years ago and you gave access to that event company and they’ve been scraping your LinkedIn profile ever since, right? You can go in on LinkedIn and actually turn off access. I think that was many people’s first experience of revocation of access. It will become more common as — and I think Wells Fargo did a fantastic job very early with their control tower functionality within their app. Just making it, “This is your mobile banking app, here’s your control tower,” and you can see where your data is going. It was really great innovation when they launched that.

    And I think from a wider industry perspective, even beyond FDX, from a privacy and security perspective, there are a lot of interdependencies that need to work together, right? There is a ton of investment in digital identity, for example. There’s a ton of investment in fraud, anti-fraud coalitions. How do you mitigate fraud and first-party fraud and friendly fraud?

    And there’s a lot of things that have been going on that relate to FDX and there needs to be collaboration across the industry. But one of the key pieces is just this idea of consumer understanding of how data permissioning and revocation works and why is that important to them.

    So, it isn’t — especially in the case of first-party fraud or friendly fraud, like there are aspects well beyond technology that as an industry we have to help solve for.
    Jerry:  Well, Jane, we have maybe a couple of minutes left. Is there anything else you’d like to share with our listeners?
    Jane:  I totally appreciate this opportunity. And I think a few thoughts, and it’s more sort of far-reaching, future-facing thoughts. In terms of banks, financial institutions, financial providers are not just repositories of money anymore. And we used to call primary financial institution, the PFI was the designation that institutions wanted to get because it meant that’s where your paycheck goes. I’m the primary financial institution because that’s where my paycheck goes.

    We are increasingly seeing, and especially the more ambitious clients and partners of ours, they also see themselves as repositories of data, right? And bringing in third-party data, or held-away data you may call it, to bring in that 360-degree view of your customer, like that data is incredibly valuable in terms of being able to provide accurate credit histories. What are some insights and advice that you can give? Like, what is the credit worthiness for when loans are being applied? A lot more proactive work can be done by financial providers if they are that repository of data.

    So, I think that’s one big conceptual shift that some elements of the industry are making, some are not. They still see data as belonging to marketing for cross-selling, for example, which is a very poor use of a data repository.

    I’d mentioned just the use of alternative data in credit decisioning. So, even though 1033 just covers sort of Reg E, Reg Z accounts, being able to go a lot broader with data access is incredibly important, again, for pushing for better outcomes for consumers to be able to provide more choice and competition and for a healthy functioning, let’s just say, of the ecosystem.

    So, it is important that financial providers understand just how data — how does it come in, how is it processed, how is it being used, how is it being secured, and then how is it being shared? So, MX was founded on the mission of empowering the world to be financially strong. And, every year that goes by, we are getting towards a data ecosystem that helps us fulfill on that mission.

    But from a consumer perspective, and frankly, even from a company perspective, data or the lack of data really can make or break financial wellness. And this is for people sort of across the economic spectrum. This isn’t something that is just unique to underbanked or unbanked people. We do see a — and it’s a smaller trend, but a smaller trend of people, because we’ve been so clear, don’t click on a link, don’t share your data.

    We’ve scared people into the “don’t share anything,” and it’s very hard to sometimes tell the difference between a scammer and yes, this is actually your bank calling. But the more educated that people can get, the more able they’ll be to make that, “Oh, yes, this does make sense to share this data. It will be good for me” versus the “I’m not going to do anything and I’ll just stay put where I am financially.”

    So, we do see this unwillingness or inability to share data as being something that will ultimately hurt consumers. And so, a big part of the solution to that is to create more and better personalized and transparent experiences.

    And that is — at the end of the day, we’ve seen both from our research and from just the usage of our products, when people are given a reason to share their data, right, give me personalized insights, give me better offers, they will. And we see it. We have an insights product. When people start using it, they’ll go from one or two accounts connected to four to five within six months. So, they get that, “Oh, I’m actually getting relevant advice for me. I’m going to bring in my held-away credit card. I’m going to bring in that extra bank loan I may have somewhere else so I can get more accurate advice.”

    But I think the very last thought is, again, I shared that I’d spent time in the digital space. And so, the early days of the internet, we did a lot of pounding of tables of, “This is important. Like, you need a website. You need to be out there on the internet.” Back then, digital literacy was something that sat within technology groups and webmasters, right? It was very siloed away from the rest of the business.

    Nobody today in business would claim to be digitally illiterate, right? No one. We all use the tools. We understand what a cookie is, for example. But where data literacy is now is kind of where digital literacy was in the early 2000s. And so, we see this sort of new educational frontier for both consumers and businesses that serve them is this idea of data literacy and how data can be used for good versus just value extraction.
    Jerry:  Wouldn’t it be wonderful if we could get there? And if I want to say to my financial institution, “Could you give me an understandable projection of what my digital identity is as you see it, something that could be translated for me to understand.” It would so empower me to understand my behaviors and how they’re affecting my choices.

    But that will require further advancement in data science, but also a new way of looking at data as a consumer-empowering agent and giving the consumer access to that data that will empower them. It’s fascinating. The world that we’re going to see over the next number of years will be so different than what’s come before.
    Jane:  100%. And once again, we’ll make a plea to anyone who is on the fringes here, who has something to contribute, something to say, to have questions. Now is the best time to get diverse voices into this ecosystem to get to this future. As you say, Jerry, won’t it be wonderful?
    Jerry:  Thank you so much, Jane. It’s been great having you with us.
    Sasha:  Yes, thank you. This was wonderful.
    Jane:  Thank you, Sasha. Thank you, Jerry.