What is open banking and what are the risks?

With new open banking standards on the horizon, Zurich talks with financial institutions about managing the risks and opportunities at the American Bankers Association Insurance Risk Management Forum.

March 13, 2024 | Article

If you’ve used Zelle, Venmo, Apple Pay or PayPal, you’ve already dipped a fingertip into the waters of “open banking,” even if you’re not familiar with the term. But the convenience of those payment apps is just scratching the surface of the changes that the open banking ecosystem is bringing to both consumers and financial institutions.

Just what is open banking?

The Consumer Financial Protection Bureau is working to finalize new open banking standards designed to give consumers greater control over their financial information. Open banking is a system that uses application programming interfaces (APIs) to enable more seamless transactions across institutions, streamlining tasks such as transferring money, changing banks and applying for loans without the need for extensive data collection and re-entry.

“Open banking offers lots of potential benefits to consumers,” said Alison MacLaren, Financial Institutions Product Officer at Zurich North America. “Right now, many consumers may feel beholden to their banks due to direct deposits, auto-pays and linked credit cards, and it’s onerous to change all that. If those barriers are removed, consumers will have more choices, and banks will likely get more creative to earn and keep their customers, beyond competing on more typical metrics like interest rates.”

The impending standards could boost competition in the financial sector, spurring development of more distinctive services and products. This competition could create new opportunities for middle market and smaller financial institutions as well as fintech businesses. But there are many implications and unknowns, not just because the final open banking rules haven’t been approved. In any case, the changes will alter the risk landscape, and financial institutions and insurance providers will play a role in managing those evolving risks successfully. Open banking implications were the focus of a panel discussion that MacLaren participated in at the 2024 American Bankers Association’s Insurance Risk Management Forum.

What are the security and regulatory implications?

The draft open banking standards, outlined in Section 1033 of the Consumer Financial Protection Act, were shared with the public in late 2023 to gather feedback from stakeholders. With the comment period now closed, many expect the new regulations to be approved in the second half of 2024 and phased in over a period of time, with the largest financial institutions expected to be required to comply the soonest.

“While the preliminary standards present many potential upsides for both consumers and financial institutions of various sizes and types, they also pose security and regulatory implications that financial service providers will need to navigate carefully,” said MacLaren. “Roles, responsibilities and liabilities for data security and the impact on financial lines insurance programs are two overarching issues to work through.”

What are the risk considerations for financial institutions?

Increasing data portability may mean financial institutions need to develop new vendor relationships with fintech companies that can offer niche services efficiently, including APIs that can help with selective, secure sharing of data. APIs are widely regarded as more trustworthy than the previous approach, known as “screen scraping,” which gathers information from a screen display to use for another purpose.

Even so, selecting third-party data aggregators will require extensive vetting to manage incremental costs and mitigate potential cyber risks such as data breaches, which can create opportunities for social engineering fraud, reputational damage and loss of customer loyalty.

All stakeholders, including insurance providers, also will need to address questions of liability in case of a breach. How much of the liability lies with the bank if it selected that partner and entrusted the data to it? An additional complication is identifying where the breach occurred, given what will likely be a greater number of players and interconnected systems.

“A big part of the conversation at the conference was around how financial institutions can contract with vendors to seek indemnification and hold-harmless provisions, to the extent permitted,” MacLaren said. “Another question was whether fintech vendors will be able to get adequate insurance.”

Financial institutions’ insurance strategies vary and are often related to their size. Some smaller financial institutions may not purchase a dedicated cyber insurance policy, opting instead to purchase cyber coverage via their modular insurance package that includes directors and officers, bankers' professional liability, fiduciary and/or employment practices liability coverages.

Once the new rules take effect, some institutions may want to reassess that strategy and decouple cyber from their modular policy. They may want to explore purchasing a dedicated cyber insurance policy that can be tailored as needed.

What insurance coverages may be affected by open banking?

In addition to cyber coverage, other insurance coverages could be worth reviewing as part of this open banking evolution. They include the following.

  • Directors and officers coverage: D&O coverage could come into play as consumers increasingly share news and experiences on social media. A worrisome news report about a financial institution could cause a sudden chain reaction not just on social media but in customers withdrawing their money via quick thumbwork on an app. “The immediacy of consumer reactions through social media platforms could create liquidity risks for financial institutions,” MacLaren said. “Negative news can quickly spiral as we saw with notable bank failures in early 2023. These new dynamics open the risk for a swift, virtual bank run.”
  • Bond policies: Bond policies could be relevant if a vendor experiences a data breach that exposes data not just of customers but also of a financial institution’s employees. Those employees then become vulnerable to a variety of convincing social engineering schemes in which bad actors email them and share the exposed data to make requests for payments or other sensitive data seem legitimate.
  • Bankers professional liability (BPL): BPL coverage may take on heightened importance as banks look to introduce new services and products to compete for customers.

For all policies, leaders may need to review whether their previous coverage levels remain relevant and adequate.

Where else is open banking available?

The U.S. financial services sector may benefit from not being the earliest adopters of open banking advancements.

“The UK has traveled farther down this open banking path, and our financial institutions can benefit from seeing some of their adaptations,” MacLaren said. “Insurance providers with a global footprint, like Zurich, benefit from the experiences of our colleagues overseas.”

Open banking in the U.S. has been years in the making, dating to provisions in the Dodd-Frank Wall Street Reform and Consumer Protection Act in 2010, after the financial crisis. Significant thought has gone into developing the new standards, and many large banks are actively preparing for compliance.

This is a good thing, because the proposed timeline for compliance is short. It’s suggested that the largest banks, holding over $500 billion in assets, comply within 6 months of the new rules taking effect. It’s 1 year for depository institutions with $50 billion to $500 billion in assets, 2.5 years for those holding between $850 million and $50 billion in assets, and 4 years for those with less than $850 million in assets.

“There are many reasons to be talking about this now,” MacLaren said. “Open banking offers opportunities for financial services providers, brokers and insurance providers to innovate and collaborate to manage the risks and realize the benefits for many years to come.”