Main Content

TCH Comments on the National Institute of Standards and Technology’s Report on Cybersecurity Considerations for Open Banking Technology and Emerging Standards

The Clearing House Association (TCH) submitted comments in response to the National Institute of Standards and Technology’s (NIST) draft report 8389 on “Cybersecurity Considerations for Open Banking Technology and Emerging Standards” (Report). TCH noted, in its comments, that it fully supports the ability of consumers to safely and securely share their data with permissioned third parties, and fully supports the Consumer Financial Protection Bureau’s Principles for Consumer-Authorized Financial Data Sharing (CFPB Principles). With respect to the Report, TCH expressed its concern that the Report contains minimal information relating to the cybersecurity risks associated with open banking, and does not accurately represent the current state of open banking in the U.S. TCH also noted that while the Report addresses some regulatory developments related to open banking, it leaves out others which serve as important standards in the facilitation of open banking, and the Report fails to give due consideration to rulemaking activity by the CFPB relating to the implementation of § 1033 of the Dodd Frank Act and consumer access to data. TCH observed that material new standards may be on the horizon, and that such standards would render the Report obsolete. Due to these concerns, TCH recommended NIST withdraw the Report pending the finalization of the CFPB’s rulemaking activity, or, in the alternative, substantially revise the Report to ensure that it is comprehensive and accurate.

If NIST is determined to proceed with the Report, TCH recommended the Report be revised in the following ways:  

  • The Report should more accurately characterize open banking developments and approaches in the U.S. and other jurisdictions;
  • The Report should more fully set forth the risks associated with open banking, including cybersecurity risks, privacy, fraud, liability limitations, risks to bank IT systems, risk associated with credential-based access, risks associated with screen scraping, and concentration risk;
  • The Report should be revised to note that a substantial amount of open banking activity in the U.S. is NOT accomplished through APIs;
  • The Report should be revised to acknowledge that while NIST frameworks may be beneficial the frameworks are voluntary and there is no regulatory and supervisory structure in the U.S. to ensure compliance; and
  • NIST should undertake a gap analysis between the NIST frameworks and existing regulatory standards to ensure the frameworks are fully aligned with U.S. regulatory guidance applicable to open banking.

To read the full letter click here.