Washington, D.C., March 3, 2022 – The National Institute of Standards and Technology recently released a draft report on cybersecurity considerations for open banking. While the NIST report rightly identifies the importance of cybersecurity and privacy safeguards when it comes to how companies share sensitive financial data about customers, it offers a wholly incomplete picture of the current consumer financial data-sharing ecosystem in the U.S., BPI, ABA and SIFMA said in a comment letter filed today. The draft report also endorses open banking without examining potential risks or recommending security and privacy measures to mitigate those risks.

What is open banking?  While there is no “one-size-fits-all” definition of “open banking,” in general, it refers to banks providing access rights to customers over their financial data, including the right to grant permission to third parties, such as third-party apps, to also access the data and carry out transactions on behalf of, and provide financial services to, the customer.

Key context: As consumer demand surges for interactive digital financial services, banks are meeting this demand while safeguarding their customers’ data and facing growing competition from less regulated FinTechs. In the U.S., consumer data access and sharing has expanded through innovation in the marketplace rather than through government mandates, which has enabled firms to adapt quickly and develop safer, more secure solutions.

For example, the banking industry is moving away from allowing third party data aggregators the ability to screen scrape customer information and toward more secure Application Program Interfaces (APIs), which are secure portals through which customers can direct banks to share the customer’s sensitive financial information with third party apps and other providers.  APIs facilitate the transfer of consumer financial data through tokenized access allowing users to be securely authenticated at their own financial institution.  Data sharing through APIs is more accurate and secure than screen scraping and credential-based data access, and therefore better for consumers.  The banking industry also is helping to advance the marketplace toward common technical standards for secure access and entering into data access agreements with aggregators to streamline and enhance the security of the data sharing process.

• Worth noting: Nonbanks are not subject to the extensive federal regulatory and supervisory regime that governs banks. In particular, nonbanks are not subject to direct supervision for compliance with federal privacy and data security requirements.  This inequity should be addressed by subjecting every player in the financial data-sharing ecosystem to the same set of strong requirements and oversight of their privacy and security practices.

What we are saying:

“Policymakers should empower consumers to access their financial data safely, and they should put privacy and cybersecurity safeguards at the forefront. The NIST report describes positive outcomes of open banking without citing supporting evidence, considering the full range of potential risks or recommending robust security and privacy protections. It also fails to discuss the important issue of consumer control and consent over how their data is used, stored and shared. These aspects of the data sharing ecosystem are all the more critical in the context of potential government actions — by Congress or the CFPB — to address this ecosystem.” –Paige Pidano Paridon, senior vice president and associate general counsel, BPI.

“We believe cybersecurity concerns are important in all aspects of consumer data sharing.  We support consumer data sharing but cannot emphasize enough how critical it is to ensure consumers’ personal and financial information remains secure when it is shared between financial institutions and third parties.  An open banking regime without adequate consumer protections leaves consumers vulnerable to fraud, privacy and cybersecurity challenges which should be avoided at all costs.” –Melissa MacGregor, managing director and associate general counsel, SIFMA.

“Banks support their customers’ ability to safely and securely share their financial data, but it is critical to ensure consumers retain the same strong protections as their data is moved outside of the secure banking environment.”  –Rob Morgan, senior vice president, innovation strategy, ABA.

We recommend that NIST:

• Delay further action on the draft report until after the CFPB proposes a so-called “open banking” rule under section 1033 of the Dodd-Frank Act.
• Consult with market participants and stakeholders in U.S. consumer financial data sharing.
• Revise the draft report to include the full suite of risks that must be considered in an open banking regime to protect consumer data, along with an assessment of safeguards to mitigate those risks.

-30-

About SIFMA

SIFMA is the leading trade association for broker-dealers, investment banks and asset managers operating in the U.S. and global capital markets. On behalf of our industry’s one million employees, we advocate on legislation, regulation and business policy affecting retail and institutional investors, equity and fixed income markets and related products and services. We serve as an industry coordinating body to promote fair and orderly markets, informed regulatory compliance, and efficient market operations and resiliency. We also provide a forum for industry policy and professional development.

SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (GFMA).

About Bank Policy Institute

The Bank Policy Institute (BPI) is a nonpartisan public policy, research and advocacy group, representing the nation’s leading banks and their customers. Our members include universal banks, regional banks and the major foreign banks doing business in the United States. Collectively, they employ almost 2 million Americans, make nearly half of the nation’s small business loans, and are an engine for financial innovation and economic growth.

About the American Bankers Association.

The American Bankers Association is the voice of the nation’s $23.3 trillion banking industry, which is composed of small, regional and large banks that together employ more than 2 million people, safeguard $19.2 trillion in deposits and extend nearly $11 trillion in loans.