Open Application Programming Interfaces: CFPB Comments and Legal Issues to Consider
Tuesday, November 22, 2016

Another major bank recently announced the launch of an open application programming interface (or “API”) platform through which it will grant third-party software developers access to its APIs for a number of use cases, including peer-to-peer payments, reward redemptions and account summary access.  The announcement comes on the heels of prepared remarks by Consumer Financial Protection Bureau (“CFPB”) Chairman Cordray at Money20/20, a large payments conference held in Las Vegas, suggesting that the CFPB views open APIs and other technology innovations that allow consumers to more easily access their own financial data to be a strategic priority.  Specifically, Chairman Cordray stated “We believe consumers should be able to access [their financial data] and give their permission for third-party companies to access this information as well” and noted that in the Dodd-Frank Act, Congress stated that consumer financial data “shall be made available in an electronic form usable by consumers”.

Over the past few years, a number of major financial institutions in the United States and Europe have launched open API initiatives and open banking platforms. Many industry commentators see open APIs as a key component of banks’ digitization and fintech strategies. Developing API platforms can increase the accessibility of data internally across different business lines (for risk scoring, fraud mitigation and real-time decision making), enable banks to move away from stale “flat file” data transmissions and make it easier for banks to form partnerships with fintech companies in developing innovative applications and services that meet the needs of their mobile banking customers. Among European banks, the move toward open APIs has been driven in part by the implementation of the Directive on Payment Services Regulation (PSD2) in Europe which, among other things, seeks to encourage competition in the payments ecosystem and to make it easier for third-party technology providers to gain access to customer financial data.

What is an Open API?

An API is a collection of tools, computer routines and technology protocols that enable the sharing of data and content internally and with external developers and technology providers. APIs can generally be grouped into three categories: (i) private APIs are accessible only to developers internally and can, for example, be used to facilitate the sharing of customer data across business lines that have traditionally had siloed data warehouses; (ii) partner-based APIs are accessible only to trusted, pre-approved third parties that use the API, for example, to deliver services to bank customers; and (iii) open or “public” APIs enable third-party application providers to pull and access customer data after receiving appropriate access permissions from the customer.

Open APIs: Legal Issues To Consider

When evaluating whether to adopt open APIs, banks and other financial services companies will focus on a number of legal issues, including:

  • Data Security. Transferring data through properly built and maintained APIs is generally considered more secure than allowing fintech companies and third-party application providers to log into a consumer’s account with the consumer’s own credentials through a software application (a practice called “screen scraping”). Many APIs rely on OAuth (an open standard for authorization), which allows authorized access to APIs and enables customers to approve a third-party application provider’s access to their individual accounts without sharing their passwords. While OAuth technology is more secure than screen scraping, ensuring the security and stability of APIs requires ongoing investment and maintenance. A number of industry consortia are addressing the need for technology standards around API development in the financial services industry. As open API platforms gain broader adoption, financial services regulators will likely also take an interest in shaping these technical standards.
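The practical difference between OAuth-style delegated access and screen scraping is that the third party holds a token limited to what the customer approved, rather than the customer’s password. The following is an added illustration, not code from the post or from any bank’s platform: a toy authorization server mints a signed token carrying the customer, the approved app, the granted scopes and an expiry, and the bank’s API checks signature, expiry, revocation and scope before serving a request. The token format, scope names (`accounts:summary`, `payments:p2p`, `rewards:redeem`), signing key and clock value are all constructed for the example.

```python
"""Scoped, expiring, revocable delegated-access tokens (OAuth-style).

Added illustration only; the token layout, scope names and key below are
constructed for this example and are not any real bank's API design.
"""
import base64
import hashlib
import hmac
import json

# Constructed signing key, held only by the bank's authorization server.
SIGNING_KEY = b"example-bank-authorization-server-key-do-not-reuse"

# Constructed scope names a customer can grant to a third-party app.
KNOWN_SCOPES = {"accounts:summary", "payments:p2p", "rewards:redeem"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(customer_id, client_id, scopes, ttl_seconds, now):
    """Authorization server: mint a token after the customer approved `scopes`
    for the third-party `client_id`. The app never receives the password."""
    unknown = set(scopes) - KNOWN_SCOPES
    if unknown:
        raise ValueError(f"unknown scopes requested: {sorted(unknown)}")
    claims = {
        "sub": customer_id,          # which customer's data
        "client": client_id,         # which third-party app
        "scope": sorted(scopes),     # only what the customer approved
        "exp": now + ttl_seconds,    # tokens expire; passwords do not
        "jti": hashlib.sha256(f"{customer_id}|{client_id}|{now}".encode()).hexdigest()[:16],
    }
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def verify_token(token, required_scope, now, revoked_ids):
    """Resource server (the bank API): accept only a validly signed, unexpired,
    non-revoked token that carries the scope this endpoint requires.
    Returns (ok, reason_or_customer_id)."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    claims = json.loads(_unb64(payload))
    if claims["jti"] in revoked_ids:
        return False, "revoked"            # customer withdrew this app's access
    if now >= claims["exp"]:
        return False, "expired"
    if required_scope not in claims["scope"]:
        return False, "insufficient scope"  # approved for summary, not payments
    return True, claims["sub"]


def demo():
    """Walk one token through the checks; fixed clock keeps results reproducible."""
    now = 1_700_000_000  # constructed clock value
    revoked = set()
    tok = issue_token("cust-123", "budget-app", {"accounts:summary"}, 3600, now)
    payload, sig = tok.split(".")
    tampered = payload + "." + ("B" if sig[0] == "A" else "A") + sig[1:]
    results = {
        "summary": verify_token(tok, "accounts:summary", now + 60, revoked),
        "payment": verify_token(tok, "payments:p2p", now + 60, revoked),
        "expired": verify_token(tok, "accounts:summary", now + 7200, revoked),
        "tampered": verify_token(tampered, "accounts:summary", now + 60, revoked),
    }
    revoked.add(json.loads(_unb64(payload))["jti"])
    results["after_revoke"] = verify_token(tok, "accounts:summary", now + 60, revoked)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13s} -> {outcome}")
```

Each of the four rejections in `demo()` (wrong scope, expiry, tampering, revocation) is a control the bank cannot apply when a third party simply logs in with the customer’s password, which is the point the bullet above makes about screen scraping.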

  • Privacy. To the extent third-party application providers gain access to valuable customer data (such as payment transaction data) through APIs, the privacy practices and standards of third-party application providers will be a focus among customers, regulators and the API-publishing bank.

  • Data Ownership. While regulators and other fintech participants support greater consumer access to their own financial data, the legal ownership of this consumer data as between the various participants in the ecosystem (including customers, banks and fintech companies) is not always clear. In the short run, data ownership will likely be addressed by contract (not state or federal law).

Ultimately Chairman Cordray’s comments at Money20/20 suggest that there is at least some support among financial services regulators for the adoption of more open API banking platforms in the United States. To the extent open banking initiatives continue to gain traction, banks, fintech companies, consumer rights advocates and regulators will no doubt benefit from the experience of early adopters of open APIs and open banking platforms in the United States and Europe.
