WASHINGTON—The CFPB’s new open banking rule shifts liability burdens onto financial institutions, increasing their responsibilities for securing data shared with third-party fintechs, Bank Info Security says.
"CFPB seems to have hamstrung the banks in terms of what they can do in demanding accountability from third-party fintechs, while the documentation requirements on banks are far more extensive," said John Horn, director of cybersecurity practice at Datos Insights, in the Bank Info Security report.
Critics argue the ruling falls short by not mandating the transition from outdated screen-scraping methods to secure APIs, which leaves gaps in fraud prevention and consumer data protection, he said.
"When financial institutions get their API security solutions in order, the API security channel is much stronger. If you put API security, passkeys and phishing-resistant multifactor authentication together, these are significant defense mechanisms against risks of screen scraping," he said in the report.
Horn added that Europe's open banking model sets a stronger precedent with prescriptive, date-driven regulations, whereas North America lags behind in adopting robust security frameworks.