Financial institutions will have to level up their games to hold onto core deposits under a newly proposed rule requiring banks to share consumer data.

The Consumer Financial Protection Bureau has proposed an "open banking" rule that would require financial institutions to set up data connectivity to make customer data available to third parties for free upon consumers' request. The agency envisions a more competitive banking system for consumers to switch providers more easily, and hopes to create an incentive for banks to provide cheaper loan rates and higher yields on deposits.

Core deposits — stable, relationship-driven and less sensitive to interest rate changes — are central to regulators' assessments of banks' safety and soundness, and banks lean on core deposit relationships for detailed, real-time insights into customer behavior, including deposit flows and payment history. Open banking has the potential to erase that advantage, because consumers can choose to hand over their profiles to other providers, which can compete for their business.

"Having access to the spending behavior is going to really empower banks to provide more personalized solutions," said Britney Pope, associate vice president at banking software company nCino. "It's going to be who is faster, who has the better rates or the better experience — they're going to win."

Tug of war to win consumers

The convenience of switching banks could make deposits more fluid, and some banks fear that it will be easier for longtime customers to leave, said Ian Katz, managing director at policy research firm Capital Alpha Partners.

The proposed rule, enacted by implementing Section 1033 of the Dodd-Frank Act, could "facilitate rapid and unpredictable movements of deposits" and could introduce more systemic risks to the banking sector, Ann Petros, vice president at National Association of Federally-Insured Credit Unions (NAFCU), wrote in a statement.

In its consultations with regulators including the Federal Reserve, the CFPB has not heard any concerns about open banking spurring instability, and there is no evidence to suggest that it would be an increased concern, a senior CFPB official said in a press briefing Oct. 19.

Proponents of the proposed rule argue that the stability of core deposits is rooted in banks' products and services. When open banking unlocks more consumer insights, they say, banks that are able to take advantage of what they have learned will gain more consumers.

If open banking indeed makes it easier for customers to break up with their banks, PNC Financial Services Group Inc. will be a "net beneficiary," Chairman, President and CEO William Demchak told analysts on an investor conference call.

"I'm in favor of the notion of open banking where somehow I can just lift and shift my account from one bank to another, because now there's technology to do it — I'm not that afraid of that," Demchak said.

More security but higher compliance cost

With or without regulation, large banks, including PNC, have already been developing Application Programming Interface (API) for data connectivity. PNC sits on the board of Financial Data Exchange LLC, also known as FDX, a nonprofit organization that sets API standards for financial data sharing. FDX covered 65 million active bank accounts of consumers as of October.

API is believed to be more secure than the other widely used but controversial data collection method, screen scraping, in part because API does not ask consumers to reveal the passwords of their digital banking sites for data-sharing purposes. Using screen scraping, which lets a third-party application gain access to a customer's bank account via log-in credentials, will not be compliant with the proposed new rule.

While large banks have been practicing open banking proactively, there are concerns that smaller financial institutions cannot benefit equally.

The proposed rule could pose "extraordinary compliance costs" on credit unions because it will be an additional obligation that they cannot charge for, NAFCU's Petros wrote in the statement.

"The smaller banks and credit unions have much longer time frames to come into compliance because many of them are going to have to depend on their core providers to set this up," said John Coleman, a partner at Orrick Herrington & Sutcliffe LLP. "Depending on their customer base and the current core provider, there could be significant expense associated with that."

The CFPB estimates that up to one-third of depository institutions would need to change core banking vendors to set up compliant API. The cost to change a core vendor can range from $50,000 to $350,000 upfront, and another $200,000 to decommission the prior vendor. For small depository institutions to build API in-house, the upfront cost could be $250,000 to $500,000, in addition to ongoing technology and staffing costs.

Heightened concerns on data security

Data privacy and security is another area of concern if financial institutions are obligated to send sensitive information to unregulated companies.

The proposed ruling did not address who carries the liability in the event of a data breach, said Jeremy Mandell, co-chair of the financial services group and co-lead of the fintech practice at Morrison & Foerster LLP. While financial institutions are routinely examined by regulators to meet security standards in compliance with the Gramm-Leach-Bliley Act, fintechs, in general, are not subject to examinations regarding the act's compliance, he said.

"It creates risk around breach and unauthorized disclosure of a consumer's financial information," Mandell said.

Industry experts say the power of open banking is that financial institutions can personalize their products for consumers with different profiles. Adding a regulatory framework will help ignite innovation in a secure and dependable manner, said Lisa Novier, head of governance, risk and compliance at data aggregator Yodlee Inc., a unit of Envestnet Inc.

"I think the call to action for everybody in the ecosystem is to think about the consumer first, and what are their needs and how can I service them to either build a relationship or deepen my relationship with them," Novier said in an interview.