This content first appeared in the November 2023 Fintech newsletter.
In October, the Consumer Financial Protection Bureau (CFPB) published its proposed Personal Financial Data Rights rule, which, if implemented, will give consumers more control over their data and usher in a shift toward open banking. As former employees of the CFPB and Plaid, we can’t emphasize enough how big this rule is, and for how many years it has been in the works.
The Personal Financial Data Rights proposal wants data providers—defined as financial institutions that offer checking accounts, prepaid cards, credit cards, and digital wallets—to allow their customers to share transaction information (including historical data), account balances, basic identity information (name, email, address, phone number), information required to initiate a payment, and other financial data with other companies that may offer cheaper or better products. If approved, this proposal will allow customers to more easily switch providers, and make it easier for new fintech companies to onboard and serve new users.
Notably, the rule (which is implementing section 1033 of the Consumer Financial Protection Act of 2010) does not comment on several other common forms of data (such as brokerage or payroll), but the CFPB hasn’t ruled out expanding its breadth in future rulemakings. For now, covered data providers must make all transactions for the past 12 months available to be shared, and set up secure APIs with a guaranteed uptime of at least 99.5%, at no charge per API call. This rule should ideally prevent banks from directly or indirectly blocking fintech companies’ access to data, an issue that fintech companies and consumers have been battling since the beginnings of the financial data aggregation market. Furthermore, under this ruling, banks have to fund the development of the APIs. This means that screen scraping will no longer be allowed, and both fintech companies and aggregators will have to rely on APIs built by bank software engineers (who are traditionally slower to ship things due to the high regulatory scrutiny and bureaucracy of banks) to access this newly protected consumer-permissioned data.
Authorized third parties (e.g., fintech apps) can gain access to the data covered by the rule, provided that they use standardized APIs and disclose to consumers how the data is being used and processed. How they access the data is up to them: they are free to either build direct integrations to bank APIs or rely on a data aggregator (like Plaid) to do it for them. The proposed stipulations for data aggregators are fairly straightforward: they must comply with basic authorization procedures, disclose their name, and certify to the consumer that they will adhere to certain conditions. These conditions include, but are not limited to, a prohibition on third parties using consumers’ data for targeted advertising, data resale, or even cross-selling (unless the customer has opted in). Access to a person’s data needs to be reauthorized annually, and consumers have the right to revoke access at any time.
This is a big step forward in a yearslong tussle between banks and fintech companies over the way consumer data is shared, a topic that has become especially important as the number of fintech apps has increased from 12,000 in 2019 to over 26,000 today. The hope is for the ecosystem to move toward open banking, a regulatory construct that establishes that a user’s financial data belongs to that user—and not to the bank at which it’s hosted. This in turn lets consumers share their financial data with third parties without their bank being able to charge access fees or delay real-time use cases. Importantly, all of this must be done in a private, secure, and accurate way without creating new opportunities for fraud or misuse. Open banking allows users to take control over their finances, seek the best products for their specific needs, and ultimately encourage healthy competition amongst market participants in financial services.
Importantly, it is still unclear how the CFPB will measure or enforce violations once the rule goes into effect. All we currently know about this is that the requirements will be implemented in phases, with larger providers being subject to them sooner than smaller ones (and financial institutions lacking any digital interface with consumers may be exempt entirely).
So how does this impact fintech companies? Overall, it’s good. Banks are required to provide consumer-permissioned access to customer data and can’t charge fees for doing so. This should theoretically make it easier for fintech companies to build personalized applications for consumers. That said, it will take time for this to be implemented and relies on banks providing and maintaining APIs, which they have no business incentive to do.
If we were to examine impact by constituent in this ecosystem, it’d likely look something like:
The proposed rule is open for comment from lobbyists and consumer groups until December, and then there’s still a period before it goes live. Starting 6 months after it gets published, institutions are expected to comply with the standards it sets forth on a tiered timeline based on their total assets, with the big banks getting 30 months to comply. So, while it’ll be some time before we see changes across the industry, it sets the tone that consumers should have access to and control over their data.
Embarking on a debt raise can be a daunting task, particularly given the sheer number of options, structures to consider, resources required, and ever-evolving debt provider landscape. If your company has decided to raise debt or at least would like to explore the option, the most recent installment of our How Fintech Companies Can Simplify Their Funding Strategy series lays out what you’ll need and how the process could unfold.
Selling into financial institutions has long been the end goal for many software-oriented fintech businesses, though a variety of factors can preclude early-stage founders from pursuing this go-to-market channel. We aim to demystify the “B2FI” (or “business to financial institution”) GTM motion for fintech companies with a valuable sales framework known as MEDDICC.