Our sources in Washington were right. The Consumer Financial Protection Bureau (CFPB) has announced the rule and set forth an ambitious goal that’s bound to redefine the contours of the financial world. Let’s unpack this significant shift to understand its nuances and implications:
Key Highlights of the CFPB Proposal:
- Current state: The CFPB estimates that at least 100 million consumers have authorized a third party to access their account data, roughly half of them via API.
- Consumer-Centric Approach: The new rule is a boon for end-users. By enhancing protection and preventing vendor lock-in, consumers are poised to enjoy superior services.
- The Dawn of Dedicated Digital Interfaces: The mandate is clear – data exchange needs dedicated, safe, and reliable digital pathways. The prevalent solution in today’s world? APIs.
- Guardrails for Data: With robust protections against unchecked surveillance and misuse, the importance of detecting and managing the sharing of sensitive data over APIs (or interfaces) is underscored.
- Empowering Users: The proposal champions consumer rights by allowing them to revoke data access, a control that can be centralized at the API level to regulate third-party data sharing.
- Redefining Data Collection Practices: In a significant departure from screen scraping, the risky practice still current at many Financial Institutions (FIs), the proposal nudges the industry away from these error-prone methods that often create vulnerabilities.
- Phased Implementation: The rollout is gradual. Larger providers will need to align with the requirements sooner, with smaller entities getting a longer runway.
- Timelines to Remember: The clock is ticking. Comments are due by December 29, 2023. And depending on assets under management, data providers have a compliance window ranging from approximately 6 months to 4 years from the final rule’s publication.
- The Necessity for Advanced Interfaces: Both consumer and developer interfaces are emphasized, which can be effectively managed and shielded using the right set of APIs.
- Performance Benchmarks: Commercially reasonable performance is non-negotiable. With a stipulated response time of under 3,500 milliseconds and a 99.5% average response rate, API security solutions that add significant latency to each request might themselves push a data provider out of compliance.
- Security Considerations to Ponder:
  - Access credentials shouldn’t overlap between consumer and developer interfaces. This underscores the importance of proper Authentication, Authorization and Access control at the API level.
  - The information security program for the developer interface should align with the Gramm-Leach-Bliley Act (GLBA) or the FTC’s Standards for Safeguarding Customer Information, depending on the entity’s regulatory purview.
  - The CFPB took the stance that credential-based access to this data is discouraged, leaving tokenized access as the preferred method.
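To make the performance benchmark above concrete, here is an added example (not code from the original post or from Cequence) that measures a developer interface's response rate from access-log lines against the 3,500 ms and 99.5% thresholds. It assumes a constructed log format of "YYYY-MM status latency_ms" and, as a labelled assumption, counts a request as properly answered only when it returns a non-5xx status within the latency cap.

```python
from collections import defaultdict

# Thresholds as summarized in the post: responses under 3,500 ms, 99.5% average response rate.
MAX_RESPONSE_MS = 3500
MIN_RESPONSE_RATE = 0.995


def is_proper_response(status: int, latency_ms: int) -> bool:
    """Assumption: a 'proper' response is a non-5xx status delivered under the latency cap."""
    return status < 500 and latency_ms < MAX_RESPONSE_MS


def parse_log(lines):
    """Parse constructed log lines 'YYYY-MM status latency_ms' into (month, status, latency) tuples."""
    parsed = []
    for line in lines:
        month, status, latency = line.split()
        parsed.append((month, int(status), int(latency)))
    return parsed


def monthly_response_rates(requests):
    """Share of requests per month that received a proper response."""
    totals, proper = defaultdict(int), defaultdict(int)
    for month, status, latency in requests:
        totals[month] += 1
        if is_proper_response(status, latency):
            proper[month] += 1
    return {m: proper[m] / totals[m] for m in totals}


def non_compliant_months(requests):
    """Months whose average response rate falls below the 99.5% benchmark."""
    rates = monthly_response_rates(requests)
    return sorted(m for m, rate in rates.items() if rate < MIN_RESPONSE_RATE)


def make_log(month, total, slow, failed):
    """Build constructed sample log lines: a few slow (4,100 ms) and failed (503) requests, rest healthy."""
    lines = []
    for i in range(total):
        if i < slow:
            lines.append(f"{month} 200 4100")
        elif i < slow + failed:
            lines.append(f"{month} 503 120")
        else:
            lines.append(f"{month} 200 {300 + i % 50}")
    return lines


# Constructed sample: October meets the benchmark (99.6%), November misses it (99.4%).
SAMPLE_LOG = make_log("2024-10", 1000, 2, 2) + make_log("2024-11", 1000, 4, 2)
```

Running `non_compliant_months(parse_log(SAMPLE_LOG))` on the constructed sample flags only November, which shows how a small number of slow or failed responses, including delay introduced by an inline security control, is enough to breach the threshold.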
Given this intricate web of requirements and shifts, how do institutions adapt while ensuring top-notch cybersecurity? We propose Unified API Protection (UAP) to help implement this CFPB rule at financial institutions.
Cequence Is Your Partner in These Choppy Waters
APIs are central to this new directive. Cequence dives deep into the realm of API Protection and offers a platform covering all phases of the API lifecycle, unifying API discovery, compliance, real-time detection and native prevention for effective, efficient, and secure financial data sharing. As the financial sector braces itself for this new chapter, partnering with Cequence can mean the difference between treading water and charting a confident course that stays ahead of these tight deadlines.
Hear it directly from the experts – please join us for an upcoming webinar, Mastering the Open Banking API Gold Rush: Expert Tips and Strategies, with Don Cardinal, open banking expert, and Varun Kohli from Cequence, the API security leader, on November 9. They’ll discuss the new CFPB rule, why it matters, and the action items and deadlines you need to know.