On October 22nd 2024, the Consumer Financial Protection Bureau (CFPB) in the United States finalized the Personal Financial Data Rights rule, commonly known as Section 1033 after the corresponding section of the Dodd-Frank Act.
Bringing regulated open banking to the U.S. for the first time, the rule will unlock personal financial data, granting consumers the right to access their data and to authorize third parties to access that data on their behalf. This means increased competition, better rates, and improved services for consumers across banking, credit cards, and payments. For financial institutions, however, the change brings significant complexity, sparking both excitement and, in some cases, substantial pushback.
At Ozone API, our mission is to empower secure, standards-based open finance ecosystems all around the world. We therefore congratulate the CFPB and fully support the trajectory it has set for the United States.
To show our support for the CFPB, and based on our experience with open banking frameworks globally, we offered our expertise and responded to the CFPB’s proposed rule, as part of their open review of proposed standards-setting bodies.
In our letter of response, we express strong support for their effort overall, recommend FDX as the leading standards body, and offer several recommendations on how they can improve upon their existing strategy moving forward.
What did Ozone API’s letter to the CFPB include?
The first section of our letter to the CFPB expresses concrete support for the U.S. Personal Financial Data Rights rule and advocates for the selection of the Financial Data Exchange (FDX) as the standards-setting body for open finance in the United States.
FDX, a non-profit with over 200 members across the financial services spectrum, has established its FDX API as a leading standard for financial data-sharing, widely used to move institutions away from insecure methods such as screen-scraping. We wholly believe FDX meets the CFPB’s criteria for governance, inclusivity, and procedural rigor, and we highlight this in our letter. [Note: As of this writing, FDX has applied to be a recognized standards-setting body, but has not yet been selected.]
More generally, we emphasize the need to examine any given open banking standard as consisting of two major categories: data standards and security standards. These should be considered as two parts of a whole, each with their own key considerations and respective compliance requirements. Such a lens helps clarify the recommendations to follow.
The remainder of the letter describes three specific recommendations for how the Personal Financial Data Rights rule may be improved upon, based on our deep experience with other regions. The key areas described are:
Standardized Security Framework and Interoperability
A common security standard and framework are critical to ensuring safety and interoperability. We underscore the importance of established secure data-sharing protocols, such as OAuth 2.0 and OpenID Connect (OIDC), which are necessary to minimize consumer risk and strengthen ecosystem trust. We recommend the adoption of the FAPI Security Profile, which provides more robust protections than OAuth 2.0 alone, including mutual authentication, token binding, and fine-grained authorization requests, all of which enhance security in a manner purpose-built for high-stakes financial data sharing.
Certification and Registration of Ecosystem Participants
Certification should include compliance with both data standards and security standards, and certified participants should be registered in a public, interoperable directory, both of which will drastically simplify risk management and liability concerns. Given the unique size and diversity of the U.S. market and the robust data-sharing activity already in place, we suggest considering a federated directory system involving existing participants, such as FDX and the major aggregators, to avoid centralization while still maintaining consistency, interoperability and trust.
Inclusion of Service and Payment Initiation
To foster growth and innovation, open banking standards often include the ability to initiate actions, such as payments. We advocate for the eventual inclusion of standardized APIs for service and payment initiation, as seen in other regions. This would enable expanded use cases and enhance the ecosystem’s value by allowing third parties to initiate services, such as payments or account creation, in a secure, standardized way. At the same time, the distribution available to existing players would grow, extending their reach and further strengthening the ecosystem.
We encourage the CFPB to learn from other regions and adopt best practices observed in global markets where open banking is more established. These practices consistently include the adoption of common security frameworks, robust certification processes, and support for payment/service initiation.
In summary
To close, our letter summarizes our support for FDX as the standards-setting body and advises the CFPB to consider: a) a standardized security framework and secure communication protocol; b) certification based on both data and security tests alongside a public directory for participants; and c) a standardized API for payment and service initiation in future expansions.
We were very pleased to see the announcement from the CFPB on October 22nd, 2024, enshrining Personal Financial Data Rights into law in the United States. The U.S. has now joined other countries worldwide using open banking to push for more innovation, competition and inclusion in their financial sectors, allowing consumers to move, manage, and get more out of their money.
Read the full letter we submitted to the CFPB and access additional resources on the Section 1033 hub.