Following CFPB Rule, Credit Unions Must Prepare for Open Banking

The Consumer Financial Protection Bureau (CFPB) recently issued its final rule on open banking, and it’s causing quite a stir for financial institutions. Simply put, a consumer would now have an easier time moving their financial data from one financial institution to another, giving them more freedom in choosing which financial institution they want to work and bank with. For credit unions, questions are being asked about open banking, such as what effect it will have on cybersecurity and how they will go about their underwriting.

Host and Co-Founder of The Credit Union Connection Sarah Snell Cooke sat down with Alkami’s Chief Compliance Officer Dennis Irwin and Chief Technology Officer Deep Varma to discuss open banking and the impact to credit unions. They also discuss how credit unions can adjust to the CFPB’s new open banking regulation and find success.

Read the full transcript:

Disclosure: Transcript is automatically generated

Sarah Cooke 00:02

Hello and welcome everybody. My name is Sarah Snell Cooke. I'm the Co-founder and host of The Credit Union Connection. I'm here today with two of Alkami's top stars. On my left is Deep Varma, CTO, of Digital Banking Solutions at Alkami. Welcome.

Deep Varma 00:20
Thank you, Sarah. Thanks for having me.

Sarah Cooke 00:22
Thank you. Thank you for your time. And Dennis Irwin, who is the Chief fund, I mean, Compliance Officer at Alkami. Welcome.

Dennis Irwin 00:31
Thank you. It's great to be here.

Sarah Cooke 00:34

And so with that brief, brief introduction, I'm going to let you all introduce the company and yourselves. And then we'll get rolling with some open banking discussion, super hot topic these days. Deep you want to start?

Deep Varma 00:48

Sure. So thanks for having me. I'm Deep Varma, Chief Technology Officer here at Alkami. I joined January of 2023, so definitely claim to be a veteran here at Alkami now. I'm based out of San Francisco Bay area, but a little bit about Alkami. Alkami is a digital banking platform which enables the financial institutions to serve their members or consumers or users for day to day banking needs which they can do it over the digital platform, and Alkami is the one who provides that digital platform to the financial institutions.

Sarah Cooke 01:30
Alrighty, thank you. And you, Dennis.

Dennis Irwin 01:33

Yeah. Dennis Irwin. I am the Chief Compliance Officer, manage risk, among other functions here at Alkami, and based out of Dallas, Texas. And I think Deep's covered, really our overview of our company and what we provide to financial institutions.

Sarah Cooke 01:53

Yep, yep. And I know you guys provide a lot of educational information as well to the credit union market, and I'm sure other financial institutions, but yeah, that, it's very, very useful to get the, the help from the experts. And so I'm going to start right off, dig right in. Last week, I think it was, the CFPB issued its final rule in open banking. Who wants to start with the high level overview of what's going on with that?

Dennis Irwin 02:24

You want to go? Sure, sure. So the CFPB, which was formed in 2010 as a result of the Dodd-Frank Act, was, one of the articles in the Dodd-Frank Act, Article 1033 has always been there, but it has never been implemented, and over the last couple of years, there's been a big push to have it implemented, and it's the regulation that's really going to enable us to do open banking, of which we're doing a lot of today, but now it will, and the CFPB first came out last year with a draft of this regulation, and it took a lot of comments, and as you mentioned last week, enacted it. In essence, it is going to empower all of our customers to be able to move their trend, their banking data, their transactions data, for up to two years, and be able to move it from one institution to the next. There's a lot that goes with that, which I know we'll dig into, but that's the overview of the regulation. I know Deep is very passionate about this part of the market. So I'll let him elaborate on the rest of it.

Deep Varma 03:43

Yeah, and I think it's I being in the Silicon Valley, being too much behind, with the GDPR coming in and CCPA coming in, which is the consumer, when I see, this is the power given back to the members and the consumers, right? So this is my data. This is my information. Let me decide how best I get the benefit of this information and the data. And then on top of it, this, this is going to allow more of an innovation definitely. You know, there are a lot of challenges around the security going to come, but Dennis and Sarah, I look into 2003 when the Phone Number Portability Act comes into a picture, when federal, FTC allowed anyone to carry the same device, but they can go and change their number, and it was not easy. But look into where we were and how it transformed the industry with the innovation, I am expecting, and frankly speaking, we are behind. I want to be very clear when we compare ourselves to other countries. So, open banking enables the members and the consumers to have the full control over their data, and they're deciding, who to share this data, when to share this data, they have a power to revoke this access when they want. And then, you know, industry has to step up the game, right, where we have so many challenges. So I, I definitely see from a win win situation, from the consumers or the members point of view.

Sarah Cooke 05:20
So as a practical matter, what does that mean? What can the member do?

Deep Varma 05:26

Yeah, so think about a very simple use case. You know, today I have a financial institution not providing me the best services, and I want to go to the different financial institution. For me, doing this shift is a painful process. And what is the painful process? I have my direct deposit coming here in this financial institution. I have my bill payment set up here. I have everything set up here. Now to get here, there is no easy way for me to take my data and move to a financial institution. That's the number one. Number two. I've been in this industry, both as a CTO in the role as well as the member or the consumer. My financial institutions have the information about me. Sometimes they don't even come and tell me, Hey, Deep, your checking account had this much money you should move into savings to get more benefit out of it. Hey, Deep, you are paying a mortgage at the higher rate, you can get the lower rate. So this, we, this very reactive approach. Now what happens is this creates where I as a consumer, can share, share my transactions data with the fintechs. And fintechs are going to start providing me more insights about my data. So this is where I feel it is going to enable for me to have multiple choices in front of me with the data, and then I can decide, oh, I'm going to move to this financial institution. I can carry data with me, and I can port my data over to the new financial institution without worrying about getting penalized for delay on my bill payments or other areas. So this is how I see industry is going to move in this direction.

Sarah Cooke 07:25

And so what happens to the institution they leave? What happens that, they no longer have access to the data? Like, can they download the data? Do they keep certain bits of data? I mean, I assume there has to be some kind of, you know, trail for compliance purposes and underwriting purposes.

Deep Varma 07:41
Yeah, yeah, okay. No, no. I think financial institutions and Dennis can speak, they all will still keep the data. So I think the data is still with the financial institution. The only change what you have done, you have given the member, and say, you as a member of a financial institution, you can take your data and you can share with the different different fintechs for the more advantage of this, but financial institutions still to run the compliance and the risk and all those things, Dennis, I assume that they need to keep this data.

Dennis Irwin 07:55

Yeah, they'll still fall under the Data Retention guidelines of their, of whatever regulator they fall under, right, and on how long they can retain that, depending on that retain, continues to be their customer.

Sarah Cooke 08:33
And one last question, I think, for you Deep would be, are there any drawbacks for consumers?

Deep Varma 08:40

I think the drawback is, how do I know my data is safe and secure? I think that's to me is going to be the biggest thing. When I am saying, share this data with this FinTech, I want to make sure that the transmission of the data is safely and safe and secure. Number two, the finance, the FinTech, I'm sharing the data with them, they keep it safe and secure. And in the future, when I go back and say, Please, I want to revoke the permission of this data, how do we ensure the data gets purged and data gets cleaned? I think those are the areas where I see this industry still needs to invest more. So it's mostly, I think, in my opinion, revolves around the data security area is the one.

Sarah Cooke 09:38
And how is that going to affect the compliance of data security Dennis?

Dennis Irwin 09:42

So the rule is, has a lot of stringent guidelines around data security, from encryption, authentication, secure access points, as well as your data retention limits. And currently for all fintechs out there, there's those requirements are not there. They are definitely something prudent companies are following, and now the regulation is going to require that they all have those. So, Deep is exactly right. This is the larger risk for the consumers, but the reg is taking that into consideration, and I think it's going to be one of the bigger challenges for compliance for those fintechs and, that don't have those things in place today, so there will be strong security protocols that are required by the regulation.

Sarah Cooke 10:39

And I mean, I may be getting a little in the weeds here, but you know, during that transmission where the member says, Okay, I want to switch my banking accounts to here, you know, ABC bank versus ABC Credit Union. During that transition. I mean, is, I imagine there's going to be one, a lot of it, because it has been incredibly difficult to switch accounts, um, but also, I imagine there's some sort of liability, like whose liability is that, and the data shifting back and forth between the institutions, or whatever fintechs that are doing as well.

Deep Varma 11:12

I think again, the first and the foremost, what I'm excited finally, this guidelines are out because so long we've been waiting, I think what you're going to see, there are standardization going to start developing up soon. Now what's going to happen, there are the standards going to come. I'm a financial institution. One, I'm a financial institution. Two, I'm the member in the middle. I'm asking for my financial institution to transmit this data to financial institution two. Ultimately, as Dennis also said, I think industry needs to evolve the best practices and the security protocols, but I will say, ultimately it is industry will define the standardization the security protocols, but it is up to the fintechs and the financial institutions to ensure that those protocols are in compliance, because regulation is going to go behind them at the end of the day, because they are the one, those who are the source of truth for the consumers or the members that are. Dennis, what's your thought on that?

Dennis Irwin 12:29

Exactly. You know, when you think about a security incident today, at, whether it is a hotel, a retailer or a financial institution, you don't necessarily look at the, the credit card company, right? It's the institution that caused it. So identifying where that breach happens or event happens is relatively easy today. We are able to narrow that down depending on your institution. So, and I think that will be very clear on, on where an event happened based on the security protocols that are set up. So, then that takes place today, that will still be obvious.

Sarah Cooke 13:15
Okay. Okay. And then for the credit unions, the banks, the fintechs themselves, what are the opportunities and challenges for, for them?

Deep Varma 13:27

Yeah, from a technology side Sarah, what I see, and again, there is a technology play, and then there is a process play, and there is a people play, because let me explain. What does it mean? If I'm a credit union, I want to make sure that either my infrastructure or my technology provider is ready with this new ruling. That's number one. Number two, they need to also ensure that their call center, their internal team members, everyone understand what this ruling is. One simple example, I will say, as a CTO of the company, you know, I just because the best way for me to test how the industry is going. So I'm a member of multiple financial institutions within Alkami. So recently, I've been calling their call center. And just to say, Hey, I'm calling to understand, you know, this open banking, 99.9% of the time they're not ready. They don't even understand what it is. So that's the second part for the credit unions, how you're going to ensure that your people are ready to address this open banking? And the third thing is, you need to empower your members so that they had the visual way of saying, I approve this access, or I want to revoke this access. And ruling has been very specific in that case, that user interface has to be provided. So what I will say these are the three areas which credit unions really, start looking into your infrastructure, or your technology providers start ensuring that your organization, from front to top, bottom, they're ready and make sure that you have those user interfaces to enable members to access or revoke the permissions.

Dennis Irwin 15:26

And Sarah, I would add to that, I think, I think when you look at some of the smaller institutions, some credit unions and smaller banks, they have a great opportunity here to compete more with the large banks who have that digital wallet, if you will, they have the connectivity for a lot of customers, and they can attract them now, because it's easy to switch from them to a credit union that may offer the products or be local, or whatever reason they want to move. They can, they can attract those customers to, because they'll be able to move easier. I think sometimes the customers of larger institutions don't want to move because of the pain of the move, not necessarily because of the institution they're going to. So there's a great opportunity for those institutions to be able to attract new customers with innovative products that are competing with those larger institutions.

Sarah Cooke 16:28
And so, I'm going to go ahead and ask you, Dennis, from a compliance standpoint, how can credit unions prepare themselves?

Dennis Irwin 16:37

I think you have to assess your data first, right Deep? Deep was hitting on it, but how what does your data infrastructure look like today? What kind of capabilities do you have for API development? Identify what your security protocols are? The people are going to be a big shift, you're going to need to set up the ability to do the consent management, people that are going to opt in, as well as those that want to opt out. Right now, the regulation says you need to cut off access immediately if they opt out. Well, immediately, that takes processes and people to figure out how to do that. So I think the first thing is to, how is your, your data being stored and shared today, to determine what, how much of a lift this is going to take. When you look at the implementation timelines, April 1 of 2026. Is the first one for the largest institutions. I don't think that's most of the institutions that we're talking about, but they still have, you know, two to three years after that for full compliance, seems like a long, long time, but that'll be here before you know it, and assessing the scope of your institute, where your institution is, in comparison to this, so that you can you know back up from that timeline to where you are today, of what needs to be done, because it's not only internally, there's a lot of coordination with your third parties and beefing up, one thing that we haven't talked about so far is, how do you beef up your third party assessment processes to ensure that those that you're doing business with are going to meet those security protocols that are asked for in this regulation. So there's so many tenets to this. It's complicated, far reaching and impacting others that you're going to need to really come up with a plan and scope sooner rather than later. Mm, hmm.

Sarah Cooke 18:44
Definitely sounds like and I know those cores sometimes, and probably others don't like to share their data security measures.

Dennis Irwin 18:52

And if those cores are a bit older, you may have even more challenges in getting the data. And that's what I say, really scoping where your data is and how you're going to share it is going to be the bigger challenge.

Sarah Cooke 19:08
And how about from a technology perspective, you talked a little bit about this already. How do credit unions and others prepare themselves?

Deep Varma 19:15

Yeah, again, I think to me, most of the credit unions, as we know they are using, that they have some technology providers. I will say, start having the conversations with your technology providers. Hey, are you ready? Do you have the APIs? Do you have a means to securely transfer the data? So that, to me, is the first conversation needs to happen ASAP, because this ruling also explicitly called out the cutting of the screen scraping technologies, because the screen scraping has been there for long. So talk to your providers. I think API and infrastructure. And if you have your own hosted infrastructure, as we are talking about, the cores, there are still credit unions, they are not moved to the cloud. Yes. Those who have not moved to the cloud, now suddenly, what's going to happen if members start giving it the access to two or three fintechs, and if you have 10,000 members, you take, number multiply by three, your traffic is about to increase for the data. If you are hosted solution, can you scale your infrastructure? So that, to me, is going to be another big challenge coming on the way that is your infrastructure ready to scale if you are on prem still, because we know there are many, many credit unions there have still haven't moved to the cloud infrastructure.

Sarah Cooke 20:55

Absolutely. And so, the credits have been all abuzz too about the security of it. We've touched on that some. Cybersecurity, the AI, and a lot of new tech investments that they're going to be making, what's preparing for open banking going to cost a financial institution?

Dennis Irwin 21:14

I want to jump in there. I don't think you can quantify it yet. This is not a, and this isn't a one and done as, as Deep was saying, you know, this is, this is going to take some time and even when we get to full compliance of this regulation, there is going to be more tenets. This doesn't include mortgage or loans in this. Yeah. This is, we're talking about bank accounts, checking, savings, credit cards. So there's going to be more evolutions to this. I think the investment is going to be ongoing for some time. And as we mentioned, it's not only in your technology and being able to connect APIs, but going to the cloud, and then the people I mentioned being able to do your consent management, that's going to require certain people, but now you have stronger security protocols, so there's going to be more that you're going to add for security as well as third party, and I'm never going to get out of an interview without saying that you're going to need more risk management, and there's no doubt about that, and preparation for the exams that come with that to ensure compliance. So I can't, it would, it would be quite a challenge to come up with any number of where we're at, but rest assured, it's going to be investment for some time.

Sarah Cooke 22:49
Yeah. Any input from you Deep?

Deep Varma 22:53

Now, I think it's to me, before last week, I used to tell the financial institutions, get ready. Now I'm gonna tell them in my final thoughts, it's here. So don't wait. Embrace this change, because embrace this change, because this is gonna help you also to get better and serve your members. So don't take this as Oh, this is another regulation coming. And frankly speaking, this is to me, we in the United States have an obligation towards the members to bring more innovative, so I want us to take this as the change for the future which is going to bring us more innovation. And so they should take this as more from a positive sentiment at this moment of time, and it will take us time to all of us to come together. But at the end, I feel it is going to be a win win value proposition for all of us. Yes,

Sarah Cooke 23:54

I know some credit unions are certainly concerned having their members stolen away. Okay, guys, so I appreciate your time so much. And as always, I'm going to allow my guests final thoughts. Dennis, we'll start with you. What's your final thoughts for our audience?

Dennis Irwin 24:13

I think the most important are, you know the planning now, scope it as soon as possible so you can determine what your needs are. I think it's going to be different for each institution, and the fears of losing members can be subsided with really ramping up their own products. What's going to make sure they are attractive and clients want to stay with them or attract new clients? And how can you, how can you start doing that? I think that's what it's going to force all institutions to do.

Sarah Cooke 24:49
And Deep your final thoughts for the audience.

Deep Varma 24:51

Yeah, my final thoughts are on the technology front. Start looking into your infrastructure, your security protocol. And the consent management, I think that's to me start looking into it now, because you still have a time. So that's on the technology. But also, don't just focus on technology. Look into training your people also, because that's the area which sometimes we ignore, because we think it's all technology. We, as well, as we look into the technology, start looking and preparing, training your call center and your internal organization to get ready for this change. That's what I will say.

Sarah Cooke 25:33
Excellent. Yeah, absolutely always got to remember the human element involved. Well, thank you so much for your time today, guys, appreciate it, and you all have a great rest of your day.

Dennis Irwin 25:43

You too.

Deep Varma 25:43

Thanks for hosting us.
