Open Banking
April 4, 2024

The Importance of Inclusive Authentication in Bridging the Financial Divide

Diverse authentication regimes under the CFPB’s final Section 1033 rule will enable consumers without credentials, including the unbanked, the underbanked, and those who bank non-digitally, to enjoy the benefits of open banking.

The Consumer Financial Protection Bureau (“CFPB”) is poised to finalize a rule under Section 1033 of the Dodd-Frank Act later this year that will usher in an open banking framework—a legal right for consumers to share their financial data—allowing them to select financial products and services that work best for them in an easy, safe, and secure manner. To accomplish this lofty objective, the rule will require data providers (banks and other financial institutions and entities possessing covered consumer financial data) to build developer interfaces to allow authorized third parties to obtain consumer-permissioned financial data securely. The CFPB’s rule has the potential to meaningfully empower millions of consumers to improve their financial lives by opening access to mainstream lending and credit, enabling more efficient and easier debt servicing, providing access to personal financial management tools, and facilitating more secure and accessible payment use cases. 

As is the case with any seismic shift in the regulatory landscape, the technical elements of the CFPB’s rule will be critically important to ensure the delivery of these important outcomes. But a combination of certain provisions in the CFPB’s proposed rule and a regimented and limited legacy authentication approach favored by the largest financial institutions could block vulnerable populations from the benefits of open banking and nullify in-person banking use cases.

The CFPB proposed a rule under which it will recognize a standards-setting body to implement the de facto technological means through which consumers are authenticated under Section 1033. Today, there is likely only one such body that may potentially be recognized: Financial Data Exchange (“FDX”). The FDX standard requires that consumers authenticate via a credential-based tokenized gateway. Through this protocol, after the consumer provides his credentials to the data provider, the data provider passes a digital token to the third-party financial institution requesting the consumer-permissioned data it needs to provide a product or service the consumer requested. The token allows the third party access to the requested data through the developer interface. There is no question that this is meaningfully more secure than credential sharing—an access approach commonly used today to screen scrape—which requires consumers to provide their credentials to third parties directly. But the protocol has significant constraints.

First, it foists a requirement on every consumer to have credentials with the data provider if they wish to access and share their financial data to obtain products and services from another entity. Indeed, if the Bureau recognizes such a protocol, data providers would have the right to deny data access to consumers who lack credentials. But millions of consumers do not have credentials by choice or by disadvantageous circumstances. And Section 1033 promises a personal financial data right to all consumers, not just those who can and do bank digitally. Second, it impedes common use cases enjoyed by consumers to apply for products and services telephonically or in-person at physical brick-and-mortar locations. And third, it places undue burden and financial strain on smaller financial institutions, who will be required to build the resource-intensive tokenized gateways to access developer interfaces. These institutions, already required to deploy their own developer interfaces, may not be able to simultaneously build and deploy tokenized gateways. Thus, the recognition of such a protocol would inadvertently deprive millions of consumers, particularly vulnerable households, of the benefits of open banking while also widening the competitive divide between the largest U.S. financial institutions and the thousands of small financial institutions and credit unions. In the future, as the Bureau starts to iterate on a final rule and expand its coverage to other account types, these adverse impacts will only grow and compound.

The Urgency of Inclusive Authentication

It’s clear that this isn’t what the CFPB intended. Shortly after the CFPB announced its proposed rule last October, CFPB Director Rohit Chopra delivered remarks at Money 20/20 heralding the Bureau’s step and underscoring his desire for the Section 1033 rule to be inclusive of all consumers. In multiple public remarks about the open banking rule, Director Chopra has repeatedly emphasized the goal to empower consumers, particularly economically marginalized populations, to choose more affordable financial products, services, and tools, to improve their financial wellbeing and to better manage their budgets and meet their savings goals.

But the CFPB’s potential recognition of a credential-based tokenized gateway as the means through which consumers must access open banking benefits will alienate millions of consumers lacking credentials, including the unbanked, underbanked, and those who bank non-digitally. 

According to a 2021 Federal Deposit Insurance Corporation (“FDIC”) survey, about 18.6 percent of U.S. households, or roughly 24.6 million, were “unbanked,” or “underbanked.” These households, disproportionately lower-income, less educated, older, minority, and rural, lack sufficient access to financial markets and instead rely on nonbank financial products or services including money orders, check cashing, international remittances for transactions, rent-to-own services, payday loans, pawn shops, tax refund loans, and auto title loans for their credit, lending, and banking needs. These nonbank financial products are commonly considered to be predatory with high fees and astronomical APRs. More recent data from the Financial Health Network shows that the financial wellbeing of these households is only getting worse. Its 2023 findings “reveals a new, concerning shift toward financial vulnerability – particularly among historically disadvantaged populations.”

If the Bureau recognizes a credential-based tokenized gateway standard, this worrying trend will only worsen, particularly as the Bureau expands the rule’s coverage to other account types. FDIC data estimates that 33.8 percent of the banked population, roughly 36.4 million households, use a non-digital channel as their primary method of bank account access, including a bank teller, ATM/kiosk, or telephonic banking. Reliance on branches is 2-3x higher among low-income, elderly, and rural populations. Non-digitally banked households are unlikely to have credentials, and thus would be barred from the benefits of open banking and prevented from accessing lower cost financial products and services, exacerbating their reliance on predatory nonbank options; outcomes that are contradictory to the core principle of inclusivity and financial betterment championed by Director Chopra.

Method’s Vision for a Diverse Authentication Ecosystem

At Method, we have dedicated ourselves to building financial experiences that promote consumer financial health and developing an inclusive authentication solution that safely and securely allows for open banking access to a broader population, including those who would benefit most from such access. To enable more non-digital and vulnerable consumers to benefit from the use cases we power, and to preserve existing use cases through non-digital channels, our platform does not require credentials to authenticate consumers. Rather, our approach mirrors a standard practice among financial institutions. It pairs a consumer’s PII—verified in a process consistent with Know Your Customer/Customer Identification Program (“KYC/CIP”) identity proofing practices that uses Mobile Network Operators (“MNOs”), major credit bureaus, and other databases—with the full account number to meet the “something you know” authentication prong and layers that with OTP to meet the “something you have” prong to fulfill MFA best practices.

Financial services isn’t the only industry that deploys an MFA authentication protocol using PII. Direct health care and health insurance providers commonly use the same approach to ensure safe and secure access to individuals’ sensitive, legally protected health care data. The ubiquity of the approach in these highly regulated, consumer protected industries demonstrates the trusted, secure accessibility to critical data it gives to consumers, allowing them to obtain that data when they need it.

Our multifaceted authentication model has empowered hundreds of thousands of consumers to share their liability data safely to access debt management products, obtain credit previously unavailable to them, lower their APRs on existing debt, reduce their monthly payments, and increase their savings. By adopting and refining these widely recognized and regulated practices, Method not only ensures a high level of security and trust but also paves the way for more inclusive and resilient financial services. Our authentication process enables consumers, including those who may not have traditional bank accounts or bank online, to access important open banking-enabled services, including:  

  • Comprehensive API Integration for Debt Management: Our innovative API technology connects with an extensive network of lenders, allowing users to manage various types of debts through a singular, intuitive platform. This integration is key to breaking down the complexities of financial management into manageable, user-friendly interactions.
  • Consent and Credential-less Linking: We simplify the process of linking financial accounts and liabilities. With users’ explicit consent and discrete sharing of PII, our MFA authentication protocol effortlessly integrates their financial obligations into our platform, circumventing the need for account-by-account credential sharing. For example, Method enables direct loan disbursements and debt payoff within the app by using the borrower’s phone number to connect account details. 
  • Real-Time Liability Insights: Our platform provides users with instant access to comprehensive data on their liabilities, empowering them with the information needed to make informed financial decisions. This feature is instrumental in fostering financial literacy and autonomy among users.

Method’s authentication model is particularly well suited to bring the benefits of real-time connectivity to non-digital banking channels. Method estimates that over 70 million annual loan and credit applications are initiated non-digitally. Branches, in particular, provide advice throughout the origination process, ideal for the financially vulnerable and households that have recently become banked. Yet in-person loan and credit applications often rely solely on stale credit bureau data for underwriting rather than up-to-date account balances, which may not yield the best offer or may even result in declines. Method's solution simplifies data connectivity to all of a consumer's outstanding liabilities, which helps this population get competitive financial products.

The Path Forward: Regulatory Support and Industry Collaboration

Method commends the CFPB’s efforts in advancing its Section 1033 rulemaking, which is a critical step towards empowering consumers with control over their financial data. But the proposed technical details threaten to diminish these advantages. For open banking’s promise to be fully realized, the CFPB must mandate that any standard-setting framework it recognizes enables consumer authentication through the use of PII and account number verification plus OTP or secure link authentication, which meets MFA standards (something you know and something you have) and is consistent with commonly used authentication practices today. This is the only way that the CFPB can be sure that financially vulnerable consumers and non-digital consumers can benefit from open banking, that existing telephonic and branch banking use cases remain available, and that its rule does not disproportionately burden smaller financial institutions.

By recognizing PII and account number authentication as a sufficient means for consumer authentication, the CFPB can provide the inclusivity and competitiveness intended by Section 1033.

Additional Sources

  1. Auto loan application volume derived from 2022 originations from Equifax U.S. National Consumer Credit Report and rejection rates from Federal Reserve Bank of New York. Non-digital application percentage from Cox Automotive. 
  2. Retail credit card application volume derived from 2022 originations from Equifax U.S. National Consumer Credit Report and rejection rates from Federal Reserve Bank of New York. Non-digital application percentage from the CFPB’s Consumer Credit Card Market report.
  3. General purpose credit card application volume derived from 2022 originations from Equifax U.S. National Consumer Credit Report and rejection rates from Federal Reserve Bank of New York. Non-digital application percentage from the CFPB’s Consumer Credit Card Market report.
  4. Consumer finance application volume derived from 2022 originations from Equifax U.S. National Consumer Credit Report and rejection rates from Federal Reserve Bank of New York. Non-digital application percentage from FISERV’s Expectations and Experiences report.
  5. Mortgage includes Home Purchase, Refinance, Home Improvement, and Other Purpose Mortgages. Application volume sourced from the CFPB’s 2022 Mortgage Market Activity and Trends report. Non-digital application percentage from Ellie Mae data. 
  6. Student loan application volume derived from 2022 originations from Equifax’s U.S. National Consumer Credit Report and rejection rates from Federal Reserve Bank of New York SCE Credit Access Survey. Non-digital application percentage from FISERV’s Expectations and Experiences report.