How Identity Can Power CFPB’s Personal Financial Data Rights Rule

The announcement by the Consumer Financial Protection Bureau (CFPB) regarding the creation of the Personal Financial Data Rights Rule has paved the way for significant changes in U.S. open banking, giving consumers greater control over their financial data. The planned activation of this rule, as part of Section 1033 of the Consumer Protection Act, empowers consumers to access, share, and leverage their financial information in new ways, marking a new era for financial transparency and competition in the U.S.

Today, around 100 million³ U.S. consumers have authorized third parties to access their financial data, with 36%⁴ already using open banking services for payments and 55%⁵ willing to share financial data for better loans or interest rates. The CFPB’s Data Rights Rule enables individuals to share data from checking accounts, credit cards, prepaid accounts, and digital wallets while choosing services and products that better meet their needs—without their data being exploited for commercial purposes.

This shift is designed to foster transparency, promote consumer choice, and accelerate innovation in the financial services industry. Identity and Access Management (IAM) forms one of the key strategic capabilities needed to secure and drive seamless interactions between consumers, banks, and third-party providers. As in the European Union (EU), the U.K., Australia, and other mature open banking markets around the world, IAM has been and will continue to be vital in unlocking this opportunity.

The global impact of open banking can be seen in regions like the EU (Payment Services Directive 2), the U.K. (open banking API specifications), and Australia (Consumer Data Right) where regulations and specifications have propelled data sharing and API-driven financial service innovation. In 2020, Europe’s open banking market was valued at $6.14⁶ billion, with projections suggesting it will reach $48.30 billion by 2030⁷. Currently, 36.9%⁸ of the global open banking market is attributed to the EU and the U.K.

Open banking is also on the rise globally, with an estimated market size of $25.14 billion in 2023⁹, and it’s projected to grow at a CAGR of 27.4% by 2030¹⁰. Countries like Australia, Brazil, and Canada have established their regulatory framework to further advance a more connected and data-driven vision of financial services. Open banking adoption has been growing at 50%¹¹ annually on average, signaling its success and potential across different markets.

Despite its global prominence, open banking in the U.S. has traditionally been market-driven. A lack of formal regulatory impetus has slowed the adoption of data-sharing practices compared to regions like the EU and the U.K. Some of the key reasons underpinning this include fragmented systems, privacy concerns, and reluctance from larger financial institutions to open their data.

However, market pressure from fintechs and techfins has driven some adoption, with leading banks and financial institutions offering open banking services. The CFPB’s activation of Section 1033 through the Personal Financial Data Rights Rule seeks to address some of these underpinning factors, ushering in a regulatory approach to further advancing secure, standardized access to financial data.

The CFPB’s Personal Financial Data Rights Rule rule focuses on giving consumers more control over their financial data and fostering competition in the financial services sector. By placing the consumer at the center of the financial ecosystem, the CFPB ensures:

1. Consumer Privacy is Protected: The rule mandates that data sharing be strictly consent-based, ensuring consumer information is not used for purposes beyond their explicit consent.
2. Consumer Choice is Prioritized: With access to their financial data, consumers can shop for financial products—loans, interest rates, credit cards—that best suit their needs, leveling the playing field for smaller fintech players.
3. A Competitive Market is Fostered: The regulation ensures that third-party providers, including fintechs, can compete with traditional financial institutions by offering more tailored financial products and services.

To support the CFPB’s vision, Identity and Access Management (IAM) will play a pivotal role in enabling secure and transparent interactions between consumers, financial institutions, and third-party service providers. Here’s how IAM will underpin open banking market growth in the U.S.:

1. Privacy and Consent Management

Leading incumbent and digital-native financial service providers in the EU, U.K., and Australia leverage modern IAM to give their customers control over whom and what data is shared, putting them in control. These privacy and consent management capabilities can be extended to the U.S. open banking market to help both account information service providers (AISPs) and payment initiation service providers (PISPs)¹² create new opportunities for hyper-personalization, while also ensuring compliance with the CFPB’s Personal Financial Data Rights Rule.

2. Single View of Consumer Needs

By unifying consumer identity data across multiple financial accounts and organizational boundaries, financial service providers can build a better picture of customer needs and deliver hyper-personalized offerings across the wider financial ecosystem in real time. These end-to-end identity lifecycle management capabilities can be extended to the U.S. open banking market to drive new upsell and resell opportunities for incumbent providers, as well as fintech and techfin disruptors.

3. Secure Financial-Grade API Access

Converged IAM platforms safeguard financial APIs used for data sharing between financial service providers and third-party providers, ensuring the secure handling of customer data and consolidating trust-based services. Open APIs provide financial service providers with the flexibility to offer basic data-sharing services, allowing consumers to connect with third-party fintech apps seamlessly. Meanwhile, premium APIs can offer advanced features, including personalized financial products, high-value payments, and enhanced fraud detection services. By leveraging these capabilities, financial service providers can accelerate open banking growth, offering differentiated services that enhance customer experiences, while ensuring regulatory compliance and data protection through IAM-secured APIs.

4. Decentralized Identity and Data Portability

As open banking adoption increases and moves to extend to open finance use cases, decentralized identity ecosystems will become more prevalent across retail banking, wealth management, and insurance segments of the wider financial services industry. By leveraging verified credentials, digital wallets, and best-in-class identity verification capabilities, financial service providers will be able to put their customers at the center of data ownership and data sharing, while mitigating fraud and account takeover. On top of this, decentralized identity will enable incumbent providers, as well as fintechs and techfins, to champion customer-centered digital innovation across a multitude of payments, inclusive finance, and integrated finance use cases. This decentralized identity model aligns perfectly with the CFPB’s focus on giving consumers control over their data.

5. Financial Intermediation for Fintechs and Techfins

As fintechs and techfins enter financial services, modern IAM plays a crucial role in enabling secure, compliant access to banking APIs and fostering innovation. Fintechs use IAM to provide personalized banking services, such as instant payments, while techfins integrate financial offerings within their platforms. Converged IAM platforms ensure these providers can access sensitive data securely, comply with regulations, and protect user privacy. This accelerates market growth, creates new revenue streams, and gives consumers more choices, control, personalization, and security over one of their most precious assets – their data.

6. Strong Customer Authentication

Strong Customer Authentication (SCA) has become a cornerstone in EU and U.K. open banking, requiring multi-factor authentication (MFA) to verify the identity of users during sensitive transactions. By combining factors like biometrics, one-time passcodes (OTPs), and device verification, SCA enhances security for consumers, while maintaining a seamless user experience. In the U.S., adopting similar authentication standards through IAM could further accelerate open banking by providing a secure framework for financial data sharing. This would enhance consumer trust, protect against fraud, and create more opportunities for fintechs and techfins to accelerate innovation.

The CFPB’s intention to create a new Personal Financial Data Rights Rule as part of Section 1033 of the Consumer Protection Act represents a significant milestone for open banking in the U.S. By empowering consumers with greater control over their financial data and promoting transparency, this regulation has the potential to transform the financial landscape in one of the biggest financial markets in the world. Ping Identity helps leading financial service providers leverage privacy and consent management, secure APIs, end-to-end identity lifecycle management, verified credentials, and cutting-edge identity verification, as well as full platform extensibility in mature and emerging open banking markets – the opportunity for extending this to the U.S. can no longer be ignored.

Learn more about Ping Identity solutions for the financial services industry.