Designing Open Banking Experiences for Delegated Access

As open banking comes to the United States and Canada, financial institutions are designing new customer consent experiences for consumers to share data with their designated third-party recipients. These consent experiences are designed, in general, for primary account holders.

However, complex relationships that exist outside the current third-party data-sharing models must also be accommodated.

At ByAllAccounts, the complex relationships that we’re most concerned about are consumer relationships with financial advisors, trustees, and guardians, which are established outside the open banking third-party data recipient model.

These relationships are recognized by many financial institution data providers today and are accommodated on their customer portals.

However, support for these providers’ open banking experiences is spotty. Due to the interruption in reliable access to this data by their advisors, consumers are disadvantaged and at risk of incomplete or incorrect financial advice.

In 2022, 35% of Americans—that’s about 116.5 million people—worked with a financial advisor. According to a 2018 report by the National Council on Disability, a conservatorship (referred to in the report as guardianship) “directly impacts the lives of an estimated 1.3 million Americans with disabilities.”

Clearly, delegated access affects millions of consumers and deserves support.

Any legal arrangement by which an end-user account holder, or principal, has appointed an agent to act on their behalf is potentially eligible for delegated access. ByAllAccounts typically sees agency relationships such as:

• Advisor: a registered investment advisor, certified tax professional, or certified financial planner.
• Attorney in Fact/Agent: either general purpose or limited. The agent can be appointed by the principal through power of attorney or by a court as a guardianship.
• Trustee: a designated individual or firm operating on behalf of an individual or family.

These legally formed relationships exist outside an open banking financial data-sharing experience. They are established and governed by an overarching legal construct such as a contract with the advisor or a court order in the case of a guardianship. Trustees are appointed via a written enforceable trust that defines the relationships and powers of the trustee.

In addition to legal authority, the agent has a legal duty to act in their principal’s best interest. In the case of certain advisors, this is enforced by regulation (e.g., RIA license obligations).

Legal definitions of consumer also extend to their agents in relevant regulations and regulatory guidelines:

• The Consumer Finance Protection Act (Section 1002) defines “consumer” as “an individual or an agent, trustee, or representative acting on behalf of an individual.”
• Reg P (12 CFR Part 1016) says, “Consumer means an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative.”
• Reg S-P (17 CFR Part 278) defines “consumer” to mean an individual (and his or her legal representative) who obtains, from a financial institution, financial products or services that are to be used primarily for personal, family, or household purposes.
• The Federal Trade Commission says that under the Gramm-Leach-Bliley Act, a “consumer” is someone who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that person’s legal representative.

So why is an agent not treated as a third-party data recipient under the applicable open banking regulations?

By CFPA definition, an agent is not a third party, as an agent is a legal representative of the consumer established outside of Section 1033 for a purpose other than open banking.

The Consumer Financial Protection Bureau Notice of Proposed Rulemaking muddies the water a bit by suggesting a consumer should be a natural person. However, its context is to distinguish an agent from third parties that are authorized to access covered data on behalf of consumers pursuant to the proposed third-party authorization procedures in the NPRM.

It later makes the statement in the NPRM that “Section 1033(a) of the CFPA generally requires data providers to make information available to a consumer and Agents, trustees, or representatives acting on their behalf. The proposed authorization procedures are designed to ensure that third parties accessing covered data are acting on behalf of the consumer.”

This clearly distinguishes a third party from a consumer’s other agents.

Many banks and brokerages already recognize and support agent relationships for their consumer clients. Notable examples include Fidelity, Morgan Stanley, UBS, and Bank of America/Merrill Lynch.

This is a great start, but more needs to be done to ensure that the new open banking ecosystems are at least on par with consumer-direct web portals.

To this end, ByAllAccounts is engaging with financial institutions of all types and their industry standards bodies, such as the Financial Data Exchange, to develop comprehensive guidelines for supporting delegated access in open banking consent flows.

Millions of consumers engage in complex relationships to manage their finances, for reasons both personal and impactful: family members looking after orphaned children, disabled siblings, or aging parents; professional advisors ensuring that their clients are ready for, and then experiencing, a safe dignified retirement; guardians protecting their charges from harm by predators or ignorance. These relationships are important and must be supported by open banking.

Learn more about how ByAllAccounts is engaged in the open-banking ecosystem.