Q&A: MX head of policy Lexi Hall breaks down the state of open banking regulation

The Consumer Financial Protection Bureau (CFPB) has been on something of a regulatory blitz under Director Rohit Chopra—in June alone, it began investigating rent-a-bank lending, overdraft fees, and banking customer service. It’s sniffing around credit data reporting, using dormant powers to regulate fintechs, and scrutinizing market competitiveness with a new office.

But in the final months of the Obama administration and under the Trump White House, the CFPB solicited public comment on how to implement a now decade-old policy crafted after the fallout from the global financial crisis: Section 1033 of the Dodd-Frank Act.

Section 1033 governs consumer access to financial information and has broad implications for the future of open banking and open finance—it could, for example, dictate the breadth of data that financial institutions’ consumers have the right to share with third parties. The CFPB is expected to finish 1033 rulemaking as early as this year.

As we await the CFPB’s rules, Insider Intelligence sat down with Lexi Hall of MX, who heads the data aggregator’s policy efforts. We talked about the state of open banking regulation, the sticking points that have prolonged action on 1033, and what open banking means for the broader financial ecosystem.

-------------------------------------

The following has been edited for clarity and brevity.

Insider Intelligence (II): What’s your sense of the regulatory and policymaking environment right now? Is there a consensus that open banking is something that they need to work on? Is there a wing that's skeptical?

Lexi Hall (LH): It's a super exciting time. The CFPB—compared with the pace of the last administration—has really put its foot on the pedal.

What's exciting about open finance is that there is consensus around it. It’s not just us in the connection business who believe it's a moral and regulatory imperative; banks and FIs openly acknowledge that, too. They're setting up their own systems, and regulators have also plainly stated that open finance is the future. It’s a priority, and you can see that with, finally, the 1033 rulemaking really reaching the home stretch—we're expecting a proposed rule within a year.

The consumer data access right was part of Dodd-Frank in 2010. It's sat there for quite a while, which isn't a bad thing: Think about where connectivity and APIs are now compared with what they were in 2010, or even 2015. So as embedded finance has taken over how we transact and manage our money, we're seeing that sort of on the same path as this open finance rulemaking that we're finally anticipating.

I think the industry has consensus on about 85% or 90% of the 1033 rule that the CFPB is considering. Some of the nuts and bolts are still being decided, but we got here because the industry figured quite a lot of it out on its own.

II: What are some of those nuts and bolts that still lack agreement?

LH: I think there are two things.

No. 1 is data access. The CFPB is promulgating the consumer’s right to data access so that consumers can access their data and share it with third parties. But they're still determining exactly what data that is. There are many ways to go about this—you could break data out by data fields and let consumers decide exactly what they want to share. But generally, data holders want to share less than data recipients do.

Then the other big issue is liability in the event of a data breach or consumer harm. Right now, under Reg. E, FIs are on the hook for all restitution, which made sense in a closed financial system where banks were the one-stop shop for financial services. But what MX, aggregators, and fintechs advocate for is a common-sense approach to loss and fault: Whoever is responsible for the adverse action should bear responsibility for it. That's just not the way that it's set up right now.

II: What would MX prefer in terms of how consumers decide what data gets shared? Something like one button—“yes” or “no” to sharing? Or the option to share x, y, and z?

LH: In terms of the granular details, it depends on the financial service and the function. But we support a broad 1033 data right that puts consumers in control of that decision, and that also includes the ability to stop sharing that data at any time. To us, it's really about privacy-preserving technologies that keep the consumer in control and put the consumer at the forefront.

II: I'm thinking about Big Tech and privacy data as a comparison. When Apple came out with those data tracking updates, the fear was that when consumers are prompted whether to share, they're more likely to say, "No, I don't want to share my data." Is that a concern with open banking? That if regulators decide you have to prompt consumers every time you want to share X, Y, or Z data, they're not actually going to use these services?

LH: That's something that the industry is working out in the absence of a federal data privacy law. It’s on everyone's mind when it comes to consumer permission services—not just financial services.

Big Tech’s notice-and-consent model has taught us a lot. Now consumers are more wary of just saying, "Yes, I agree." That's a good thing in general; they're more conscious of their privacy. But then you look over at Europe’s GDPR, for example, and you see fatigue over the notice and consent. Consumers might just click agree to get rid of the little popup box. So there needs to be a balance.

There’s no perfect example of that balance, but when we say "consumer-permissioned data," we mean informed consent. We want the insights to be renewable so it's not just taking data one time—but only if the consumer wants those insights to be renewable.

There are tons of algorithms and machine learning to illustrate the best notice, but with open finance, with this new infrastructure, there’s an opportunity to implement privacy by design. You can implement these pro-consumer control features that I think a lot of consumers—especially when it comes to their financial data—really crave.

II: Is there a concern that the CFPB will regulate open banking too aggressively?

LH: That's always a fear when you're welcoming regulation.

It's a bit of a, “Be careful what you wish for” situation, but the good news is that even though "open banking" and "open finance" are new to the lexicon of public consumption, these ideas have been debated for a long time behind the scenes. We've been engaged with the CFPB in the entire 1033 process and with other stakeholders and industry groups, and we're pleased with the progress we've seen so far. We're pretty confident that they understand the competitive and regulatory imperative and those nuts and bolts we referenced before.

II: Are there any specific proposals being floated that raise red flags?

LH: Not in terms of 1033 rulemaking. CFPB is convening its small-business review panels, and it promised to share a near-final 1033 rule. That will shed light on potential issues, and we in the industry are very eagerly awaiting that.

In general, the industry recognizes that APIs and secure connections are the way to go. But as the intervening technologies like screen scraping and tokenized screen scraping are being phased out, it's important to recognize that smaller institutions without large resources take advantage of those the most. Those are still an important component of open banking, and we wouldn't want to see a restriction because they still help facilitate financial access and inclusion.

II: With the small-business panel, does open banking regulation pose unique concerns to small businesses and community banks?

LH: It's taken some time to put the panel together because the CFPB and the Small Business Administration had to think through what entities should qualify.

When we're talking about open finance, a lot of people conjure up images of JPMorgan and the other global systemically important banks. But the real pain point for these smaller institutions is actionable data insights and letting customers connect their accounts to third parties—not just fintechs but also things like paying at your pharmacy with your phone.

For smaller FIs to compete against fintechs and survive the current climate, being able to set up secure connections—and having those capabilities imported instead of having to build it themselves—is a really key benefit of open finance.

II: We’ve seen reports about privacy concerns, and there have been issues with authorized push payment fraud that the CFPB has to address. But is there anything you think is missing from the conversation about open banking regulation?

LH: I would sort of flip that. I would say that the privacy angle is not getting enough attention—in terms of the benefits that open finance can add.

Privacy and open finance are framed as these two competing ideas, but we don't view it like that at all. This is the financial infrastructure of the future, and we see that as an enormous opportunity to reframe financial privacy around a system that's transparent and permission-based. That means building out those privacy-preserving technologies—including tokenization at the start—and taking that GDPR privacy-by-design approach.

I think what we're trying to focus on is the idea that this actually helps and enhances privacy. It's not competing with the idea of secure sharing at all.

II: Do you think those privacy concerns are going to delay the rollout of the 1033 rules?

LH: We're confident it won't. We've probably read similar reports that Big Tech creates a privacy issue. Big Tech's not going anywhere. It's certainly a component of open finance in terms of data holders and data recipients, but it's not the primary function of open finance as the CFPB is considering it to give Big Tech even more data.

Director Chopra indicated that we would have a proposal at least within a year, so we're confident in that.

II: Will Big Tech's involvement in finance and open finance limit competition in this space?

LH: When people think of Big Tech and its reach into other industries, the fear is the data it holds—the idea that these companies will combine all the social and behavioral data they collect with financial data to exploit marketing opportunities and things like that.

As not only Big Tech but all nonfinancial institutions enter financial services, I think a large part of what the CFPB and other financial regulators are considering right now is chartering. What is a bank now? Does it have to do deposits, payments, and lending? Or if it just does payments, can it be a bank?

I'll leave that up to the federal financial regulators, who've been considering this for a long time, but the idea of nondepositories entering this space and capitalizing on data is certainly not going anywhere, so that will absolutely be a consideration as new policies and regulations are rolled out.