
Much of the operation of the financial industry is legible to people outside of it. Your credit card works basically like you understand it to (excepting the occasional mythmaking about second order consequences). Debates about what terms banks are allowed to offer on credit cards are fairly straightforward and can be easily followed by non-specialists.
But some issues are under the hood, and a societal debate about them doesn’t exactly wear its consequences on its sleeves. Consider the controversy over Section 1033 of the Dodd-Frank Act (and even that framing is an effective medication for insomnia).
In July, JPMorgan Chase announced its intention to charge fintechs for access to so-called Open Banking data. This comes amidst a consortium of banks trying to sue this hitherto obscure regulation out of existence.
Almost all discussions of it center on “data”, but it’s actually a fight about payments, and whether banks have a right to monopolize and charge for all economic activity their users engage in, irrespective of whether the bank operates the payment method.
Cards on the table: I previously worked at, and am an advisor to, Stripe, a financial infrastructure company which facilitates customers’ use of both bank-sponsored (cards, etc) and competing (account-to-account, stablecoins, etc) payment methods. Stripe does not necessarily endorse what I say in my personal spaces. (I’m also a user and tiny shareholder of Chase. One presumes they also don’t endorse what I say in my personal spaces.)
The genesis of Section 1033
The Dodd-Frank Act was passed in the wake of the 2008 financial crisis. It included a combination of needed reforms and, effectively, partial negotiated settlements for the way in which banks had reaped enormous profits originating mortgages of less-than-stellar quality then left taxpayers holding the bag once those mortgages could not be repaid.
We’ve previously discussed one of the knuckle raps: banks had their debit card interchange capped, with an exemption for small banks. (Interchange is the fee card-accepting businesses pay to transact with bank customers.) The Durbin Amendment became a major pillar of fintech companies, as it established a revenue model for them. It also became something of a lifeline for smaller financial institutions, particularly those that partnered with fintechs.
Did banks like the interchange cap? No. It made a very lucrative line of business rather less lucrative. Taxpayers had provided about $245 billion in capital to backstop banks, and they (through the ordinary operation of a representative democracy) got a post-hoc concession for it.
The interchange cap was not the only concession in the Dodd-Frank Act. Section 1033 was another one: it is designed to increase competitiveness in financial services by establishing a presumption that banks must allow users to access their own data, including through competing providers.
In the intervening years, that competition has arrived. The banks do not like it, and would prefer it if it went away.
Bootstrapping payment methods with Open Banking
Financial institutions offer their customers a complex bundle of services.
You might reasonably expect that Open Banking is a fight over the budgeting app space. The banks have, via the magic of account records, a large portion of the underlying data about a household’s finances. You could imagine software using Open Banking to allow it to slurp in transactions and then categorize them. That would compete against the lackluster offerings the large banks have in their apps.
But Open Banking is not actually a fight over budgeting apps. Banks don’t make money on them and the best known standalone budgeting app, Mint, was acquired for a relatively small amount of money.
Payments, on the other hand, are an enormous business. They are monetized both by banks and by a diverse ecosystem of fintech providers.
The data banks find it annoying to make Open are, principally, account numbers. This is because, due to the long shadow of checks, possession of an account number (plus the routing number, identifying the bank) is sufficient to attempt to debit a bank account. Direct account-to-account transfers, including “pulls”, are a common payment method in many countries, but they are not a large share of consumer to business payments in the United States.
Why not? One reason is that the user experience of asking someone for their account number is pretty awful. There is no way to check in real time whether an account actually exists. Credit card numbers, in addition to having infrastructure which allows you to query them in real time, are specifically formatted so that typos in them are easily catchable.
Since you can’t know whether the account exists you certainly can’t know its current balance or whether a transaction posted against it today will succeed in a few days or be reversed for insufficient funds (or another reason). This means that businesses which use account transfers as a payment method would frequently suffer credit losses if they released goods or services at the time of “payment.” For many businesses, that isn’t a worthwhile tradeoff.
So they keep using cards. Cards give much stronger (but not foolproof) real-time guarantees of funds availability and likelihood of a transaction going through successfully. The ergonomics of card acceptance, at the register, through your phone, or in a web browser, are also much more palatable to most customers.
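An added illustration of the check-digit point above (not code from the original essay): the Luhn check on card numbers, measured against every single-digit typo and adjacent swap, next to what can be checked offline for a bank account. The ABA routing checksum is background the essay does not cover, and the sample numbers and the account-number length bounds are assumptions constructed for the example.

```python
# Added example: what a check digit catches, and what an account number lacks.

def _digits(s: str) -> bool:
    return s.isascii() and s.isdigit()


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check used on payment card numbers."""
    if not _digits(number):
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def aba_routing_valid(routing: str) -> bool:
    """3-7-1 weighted checksum on a 9-digit US routing number."""
    if len(routing) != 9 or not _digits(routing):
        return False
    weights = (3, 7, 1) * 3
    return sum(w * int(c) for w, c in zip(weights, routing)) % 10 == 0


def account_number_plausible(account: str) -> bool:
    """All that can be checked offline: digits only, within an assumed
    4-17 digit length. There is no check digit to test."""
    return _digits(account) and 4 <= len(account) <= 17


def single_digit_typos(number: str):
    """Every way to mistype exactly one digit."""
    for i, ch in enumerate(number):
        for r in "0123456789":
            if r != ch:
                yield number[:i] + r + number[i + 1:]


def adjacent_swaps(number: str):
    """Every transposition of two neighbouring, different digits."""
    for i in range(len(number) - 1):
        a, b = number[i], number[i + 1]
        if a != b:
            yield number[:i] + b + a + number[i + 2:]


def typo_report(number: str, validator) -> dict:
    """Count how many typos of `number` the validator rejects."""
    singles = list(single_digit_typos(number))
    swaps = list(adjacent_swaps(number))
    return {
        "single_total": len(singles),
        "single_caught": sum(not validator(t) for t in singles),
        "swap_total": len(swaps),
        "swap_caught": sum(not validator(t) for t in swaps),
    }


# Sample inputs, constructed for this example (not real accounts).
CARD = "4242424242424242"          # Luhn-valid test-style card number
CARD_WITH_09 = "4000000000000903"  # Luhn-valid, contains 0 next to 9
ROUTING = "110000000"              # satisfies the 3-7-1 checksum
ACCOUNT = "000123456789"           # arbitrary digits

if __name__ == "__main__":
    print("card      ", typo_report(CARD, luhn_valid))
    # Luhn cannot see a 09 <-> 90 swap; the two misses here are those pairs.
    print("card w/ 09", typo_report(CARD_WITH_09, luhn_valid))
    print("routing   ", typo_report(ROUTING, aba_routing_valid))
    # Every mistyped account number still looks like an account number.
    print("account   ", typo_report(ACCOUNT, account_number_plausible))
```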
Several fintech companies, including Stripe, realized that they could use Open Banking to make account-to-account payments something customers would actually enjoy. The user is prompted at checkout whether they’d like to pay directly from their bank account. They log into their bank account and grant the fintech read access. This is a much stronger signal of authorization than simply knowing an account number. (We print those on every check, after all, and a check is designed to be handed to a cashier or waiter you’ll never meet again.) The fintech then grabs the account number and perhaps e.g. looks up the current balance.
Then, they can pull money from the account, through an ACH debit.
The ACH debit itself is not Open Banking. It is the ordinary operation of existing payment rails in the financial system. The ACH debit was just made much more convenient by Open Banking.
A brief note about aggregators
Most use of Open Banking is through so-called aggregators. Plaid and Yodlee are well-known examples.
Prior to the existence of Open Banking, the aggregators (and businesses which needed the data they can make available) were largely forced to build supportability networks, bank by bank, by writing so-called screenscraping software. Screenscraping software emulates someone typing the password into a bank’s website then browses through a live bank account to extract the information needed from it. Hopefully that screenscraping software isn’t bugged, because bugs in scrapers that interface with consequential systems are terrifying.
Aggregators would then ask users to share their bank account passwords, so they could operate the bank accounts via software automation, to get the data the aggregators’ business customers were interested in. Like, say, account numbers.
This is a worse model for users and security of the banking system than Open Banking, because sharing bank account passwords leads to misuse of accounts. The flow for Open Banking, in the best implementations, redirects users to the bank site to authorize the data sharing, without forcing the user to irrevocably cough up the keys to the kingdom.
Open Banking enables lower cost payment rails
ACH debits are not new. Businesses have been able to use them for decades. You very likely use them yourself to e.g. pay recurring bills every month, like utilities, mortgage, or credit cards. ACH debits have just been very annoying to use for payments online or at cash registers, and so almost all consumer to business payments go over card rails instead.
ACH debits are almost free.
NACHA, which administers ACH, charges a per-transaction fee of 1.85 hundredths of a cent. This compares favorably to regulated debit card interchange (21 cents plus five basis points of the transaction size) and extremely favorably to Durbin-exempt debit cards or credit cards (generally about 2.X% of the transaction size plus 20-30 cents). The interchange fee is paid mostly to the card issuing banks.
Banks would strongly prefer the world not make novel payment methods that are convenient and cost accepting businesses less than cards. Banks are interested in Section 1033 because they want to continue earning interchange revenue on coffee purchases and software subscription invoices.
But payments for goods and services are not the only interesting Open Banking use case. Useful infrastructure, once it exists, tends to get incorporated into everything.
When you open a brokerage account or engage with crypto companies, you are quite likely to pass through an Open Banking flow to link your existing bank account. You’ll use your linked bank account to fund your investments and, hopefully, eventually receive your returns.
Older users might remember that this used to require asking the brokerage to make trial transactions, typically pushing two ACH payments under $1 in total and asking you to confirm the amounts. This would demonstrate that you hadn’t typoed your bank account number, that the account could actually accept transfers, and that you (presumptively) had authorized access to that account, given that you could read recent transactions at will.
Trial transactions are painful for all parties. They insert a multi-day wait into the account opening process, and many customers abandon the process during that lull. Brokerages and fintechs were overjoyed that Open Banking largely allowed them to move away from trial transactions to authorize every new account.
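The trial-transaction check described above, sketched as an added example (not code from the essay or from any brokerage): two amounts totalling under $1 are a small secret, so the confirmation step needs an attempt limit. The three-attempt lockout, the either-order matching and the function names are assumptions made for the illustration.

```python
# Added example: confirming trial deposits with a bounded number of guesses.
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 3     # assumed lockout policy, not a figure from the essay
CEILING_CENTS = 99   # two deposits "under $1 in total"


@dataclass
class TrialDeposits:
    amounts_cents: tuple               # the two amounts pushed over ACH
    attempts_left: int = MAX_ATTEMPTS
    verified: bool = False


def issue(rng=None) -> TrialDeposits:
    """Pick two amounts of at least 1 cent each, totalling under $1."""
    rng = rng or secrets.SystemRandom()   # OS CSPRNG, not random.random()
    first = rng.randint(1, CEILING_CENTS - 1)
    second = rng.randint(1, CEILING_CENTS - first)
    return TrialDeposits((first, second))


def unordered_guess_space() -> int:
    """Number of distinct amount pairs an attacker has to choose from
    when the order of the two amounts does not matter."""
    return sum(
        1
        for a in range(1, CEILING_CENTS)
        for b in range(a, CEILING_CENTS)
        if a + b <= CEILING_CENTS
    )


def confirm(deposits: TrialDeposits, claimed_cents) -> str:
    """Return 'verified', 'retry' or 'locked'.

    Every call on an unverified record spends one attempt, including
    malformed input, so the small guess space cannot be walked."""
    if deposits.verified:
        return "verified"
    if deposits.attempts_left <= 0:
        return "locked"
    deposits.attempts_left -= 1

    claimed = list(claimed_cents)
    well_formed = len(claimed) == 2 and all(
        isinstance(c, int) and not isinstance(c, bool) for c in claimed
    )
    # Accept the two amounts in either order (assumed policy).
    if well_formed and sorted(claimed) == sorted(deposits.amounts_cents):
        deposits.verified = True
        return "verified"
    return "locked" if deposits.attempts_left == 0 else "retry"


if __name__ == "__main__":
    record = TrialDeposits((12, 34))      # constructed amounts
    print(confirm(record, (34, 12)))
    print("pairs to guess from:", unordered_guess_space())
```

With three attempts against the pairs counted by `unordered_guess_space()`, a blind guesser succeeds roughly once in eight hundred tries, which is why the lockout has to hold across sessions and not reset on retry.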
There are also clever uses of Open Banking to piggyback on banks as oracles. For example, how do you, a financial institution or insurance company, know that I, a particular natural person, have authority to direct Kalzumeus Software, LLC to open a new financial account? One way you could establish that is to ask me to submit a copy of the LLC’s Articles of Organization and a Certificate of Good Standing from the great state of Nevada. Then you pass those to a backoffice paralegal, who can ascertain that the Articles name me the Managing Member, and empower the Managing Member to open new financial accounts. This costs $50 to involve Nevada, and very many small businesses in America will not succeed at the task “please locate an authoritative copy of your Articles of Organization.”
A much faster way is to use an Open Banking aggregator to read a bank account statement issued to Kalzumeus Software, LLC. This allows a second financial institution to make the reasonable inference that if I habitually direct a small business’ banking, as demonstrated by being able to grant access to its accounts, then I probably direct a small business’ banking. This will save their operations team from reviewing 100 pages of boilerplate and cut down on account opening time. (This is one of the rare and underacknowledged benefits of Know Your Customer regulations. Since banks are understood to have KYC responsibilities, the bank “vouching” for you as a customer in this fashion is treated as strong evidence by others in the economy.)
So why is Open Banking in the news now? We’ve had Open Banking for almost 15 years. The competing payment products work and work well. They are lower cost to accepting businesses and easy for customers to start using. Customers are switching to them in increasing numbers. Not all of them, but enough to worry the banks into wanting to strangle the upstarts.
This has happened via a regulatory push, litigation, and ultimatums over fees.
The CFPB completed rulemaking for Open Banking
The Consumer Financial Protection Bureau finalized its rule for Section 1033 in late 2024. As you can tell by the lag between 2010 (when the Dodd-Frank Act was passed) and 2024, it was something of an involved process.
Relevantly, the CFPB which passed this rule was the Biden administration CFPB. I try to be non-partisan in professional spaces but will need to neutrally observe how partisan players have seen the CFPB.
The CFPB was not well loved by many people in the finance industry or the fintech community. Critics alleged that the CFPB was less a federal agency and more a one-woman show, with the stars being Senator Elizabeth Warren and a ventriloquism dummy. This was unfair. The CFPB staff was actually quite intelligent in anticipating Senator Warren’s preferred positions and rulemaking to achieve them without the dreary necessity of her writing legislation or convincing Congress to vote for it.
As I mentioned last December in discussing the debanking discourse, influential supporters of the second Trump campaign, including fintech and crypto investors, wanted the CFPB’s scalp. They essentially got what they wanted. The CFPB was hollowed out early in the new administration.
In a swift and ironic turn of events, a policy promoted by the crypto industry due to their frustration with the decisions of large banks (regarding their industry’s supportability) was quickly used by large banks for commercial advantage, catching the crypto industry in the crossfire.
Prior to the election, the Bank Policy Institute, a banking industry trade group, and the Kentucky Bankers Association sued to prevent the CFPB’s rulemaking from taking effect. I think an informed person would understand that their legal arguments are pretextual. Their policy arguments, against the normative intent of Open Banking, I’ll return to below.
The CFPB initially defended the suit vigorously, but the newly hollowed out CFPB in June announced its intention to surrender.
This has caused a bit of chaos in Washington, as Section 1033 is administered by the CFPB but is part of the financial regulatory apparatus that crypto companies actually like.
Exchanges largely monetize by charging a vig on crypto purchases, and the so-called “onramp” (transferring money from the traditional financial system to the crypto ecosystem) enables the rest of their revenue (such as e.g. receiving a cut of interest earned by stablecoin issuers or staking the coins owned by customers).
Exchanges want to accomplish the onramp at the lowest possible cost, which is through ACH debits. Their desired outcome is the new user uses an aggregator to authorize a debit from their bank account. Then, the debit is very close to free, both for the first transaction and also for subsequent transactions using the same banking details. (The exchange bears a bit of credit risk, since the debit is not known to settle successfully until about two business days later and it can be reversed long after that if it was fraudulent. These issues cost Coinbase about $20 million last quarter. It dries its tears on money.)
The legal and regulatory wrangling continues. It’s difficult for me to read tea leaves from Washington in the best of times, and in the interests of avoiding partisan commentary, I’ll refrain from confidently guessing whether statements of the administration predict its future actions over multi-week timescales.
The tangled web of payments policy
The credit card brands, which were originally created by banking consortiums, consider Open Banking data aggregators to be an existential risk to their business. They have long wanted to co-opt or kill them.
That isn’t just me saying it. Visa attempted to buy Plaid back in 2020. The argument to Visa’s board was (pg 5) that Plaid could potentially be a, quote, “existential risk” to their debit card business, which threatened a $300 to $500 million a year revenue hit. It was cheaper to take them off the table, even at $5.3 billion. Call it an insurance policy, their CEO said.
The FTC quashed the acquisition, saying it would have the anti-competitive harm of protecting the debit card business. The FTC alleged that Visa had a near monopoly in online debit transactions. (This payments geek thinks there is actually a vibrant competitive landscape there, including internationally.)
Some commentators might assume that that was one of the Commissioner Lina Khan era anti-monopoly interventions. (This enforcement environment was part of the casus belli which flipped some notable Silicon Valley personages. It’s a complicated story and not particularly well-told by the press, in part because people with a nuanced view of the situation no longer respond to press inquiries, due to journalists’ repeated defection in an iterated game.)
While I’m not a close follower of anti-trust enforcement, I do happen to know how to use a calendar, and so feel obliged to mention that the action to stop the Plaid acquisition was late during the first Trump administration.
Politics legendarily creates strange bedfellows. Crypto companies are now asking the CFPB to revive a regulation protecting a business the first Trump administration kneecapped, after which the second Trump administration hollowed out that same agency, despite campaigning against kneecapping tech and crypto—leaving the CFPB, long a sworn enemy of big banks, in Chase’s corner dismantling the crypto industry and suppressing competing payment methods, because the administration apparently thinks that’s what its backers want.
Yep, one’s head spins.
Chase sends some surprise bills
Chase is the largest bank in the U.S., maintaining checking accounts for approximately 44 million Americans, and therefore makes up a hefty chunk of total transaction volume within the financial system.
To avoid adversarially screenscraping banking apps, which is unreliable and a bit of a security hole, the better way to do Open Banking is to negotiate API access with as many banks as possible. (Companies make APIs available to let developers access data from them in a safe and controlled fashion. API access allows customers to give secure, scoped, and revocable access to their financial information. Handing over a password is not ideal for those properties.)
This will customarily require signing a contract with the bank, obligating you to e.g. not steal the money, not attempt to hack bank servers, and not abuse customers’ expectations. These are all reasonable requests, swiftly agreed to. Most of the aggregators had agreements in place with Chase, which eagerly promotes their API access to developers.
In July, Chase started sending data aggregators notices about upcoming changes to their agreements.
The typical notice between financial institutions and developers downstream about changes to contracts is something along the lines of “We updated the wording in our privacy policy.”
These notices weren’t that. Chase was altering the deal; pray that they do not alter it further.
Chase demanded payment for access to Open Banking APIs, and would cut that access if companies interfacing with them did not acquiesce. The fees demanded were enormous.
A fintech industry trade group was quoted by the Financial Times as saying:
“Across all the companies that received the notices, the cost of just accessing Chase data is somewhere from 60 per cent and in some cases well over 100 per cent of their annual revenue for the year … Just from one bank.”
Plaid was asked for $300 million, which would be 75% of their 2024 revenue. That is likely more than the wages and benefits for all of the 1,200 people who work at Plaid.
Even as someone whose perennial advice to companies was Charge More, these don’t strike me as serious proposals to put a reasonable price tag on valuable services.
The prospect of Chase monetizing Open Banking has dragged some other banks into the fray; PNC is also looking at taking a bite at the apple. The table gets crowded quickly if even a fraction of the next 4,500 banks try to join.
Banks’ arguments for monetizing Open Banking
You can imagine some rapid back-and-forth between bank and fintech negotiators happening in the background. There is some reluctance in the industry to speak of that openly, partly because negotiations are delicate and partly because some fear retaliation elsewhere in their business relationships.
But, helpfully, the banks have published their arguments, directly and via their industry associations. They are not particularly persuasive.
The best one is that banks bear risk here, and want to price it. Should a bank authorize a third party to use Open Banking, that third party might use it to exfiltrate value from a bank account. Should a bank customer authorize a transaction but regret it, perhaps because it was to a scam operation, they might ask their bank to make them whole.
Banks bear this fraud risk, the same as they do when they pay out a fraudulent check, until they can recover the money by reversing the transaction. They will not always be able to successfully reverse the transaction.
This is structurally similar to banks’ obligations under Regulation E for debit cards and Regulation Z for credit card purchases. If a consumer gets abused over card rails, the bank is good for it by regulation, less a $50 deductible that the industry universally waives in the interests of their good name. Banks are quite happy with this responsibility for cards, because card issuing prints money, but Regulation E covers almost any form of electronic payment and almost any imaginable form factor of abuse. (For non-limiting examples, see the AI-sung ditty, Doesn’t Matter, That’s Reg E.)
But account-to-account payments are less like cards and more like checks. Indeed, the Automated Clearinghouse part of “ACH debit” refers to being a clearinghouse for check payments.
Banks will occasionally take fraud losses over checking accounts. They mostly can’t charge for checks directly; customers expect to write them freely and businesses expect to deposit them for, at most, a nominal fee. Certainly you’d be laughed out of the boardroom if you suggested a check fee scaling with the size of the check. That’s check cashing nonsense, and not something that regulated financial institutions or their customers expect.
Dimon, in his 2024 letter to shareholders, laments that typical retail checking accounts are a low- or negative-margin business. As an avid reader of Chase shareholder letters, I know why Chase operates that business anyhow: it’s the foundation of their relationship with households, which they largely monetize through credit card issuance, mortgage origination, and the like. It’s also operated by design to charge lower-income lower-asset consumers less and reliably increase monetization over their long relationships with the institution.
The deposit franchise, which contributes a lot to the Fortress Balance Sheet™, is most valuable when it attracts retirees, small businesses, and others who keep larger balances earning 0.01% in a savings account or nothing in checking. As a cost of acquiring that business, it offers accounts to e.g. a teenager who wanted to cash the paycheck for their summer job, even though the margins on that account might be negative for the next ten years.
And so suggesting that retail checking account availability is threatened by banks’ responsibility to monitor transactions and pay out if they make mistakes in authorization is, frankly, an insult to the intelligence of anyone familiar with banking.
Checking accounts are also a public service expected by society of banks. This is in return for their lucrative monopolies on industries like e.g. consumer debt issuance and explicit and implicit taxpayer backstops of their operation. Chase is intimately familiar with those, most recently from when it cashed a $13 billion sweetener check to acquire a failed bank.
We have made enormous strides, both from the financial industry and civil society, in banking almost everyone. That should not immediately imply “and thus banks get to charge a fee on every transaction in society.”
Chase is extremely capable of shipping payment products that customers actually want to use. Witness the Chase Sapphire Reserve, which probably half of fintech VCs and management teams use to pay for dinners, to my casual observation.
When Chase can’t successfully convince a customer to use a Chase payments rail that has a Chase CSR standing by to help out at 2 AM, Chase shouldn’t charge the accepting business money. Chase should understand that Open Banking and account-to-account payments are close in character to a check: one facilitates them in the ordinary course of business, for close to free, as part of the larger package offer.
Banks additionally make the argument that Open Banking leads to screen scraping. Certainly, as a financial technologist, I would prefer high-quality APIs with reasonable security guarantees. And some banks, like Chase, used the fifteen years of advance notice they had to develop these.
Other banks had other priorities, and are now using their own inaction to argue that screen scraping is a threat. (One can’t help but notice the bait and switch: first say aggregators must use official APIs rather than screenscrape, then claim that anyone who’s viewed developer documentation has agreed to a bill for 75% of their revenue.)
The banks additionally argue that fintechs are freeriding on substantial technology investments made by banks to serve their customers. This is extremely selective memory. Stripe did over $1.4 trillion in payment volume in 2024. Using no private information whatsoever, that implies that Stripe alone paid the banking industry somewhere in the general neighborhood of $20 billion in interchange fees.
Twenty. Billion. Dollars. From one firm alone.
It’s a little rich, pardon the pun, to cash a check for $20 billion and then whine about fintechs freeriding on your IT spend.
Innovation in payment methods is a good thing
Credit cards are an enormously lucrative business for banks. The capability for businesses of all sizes to transact with customers worldwide over those rails is an enormous service to the world.
But cards are not and cannot be the last word in payments. We, as a society, should continue making things people want. Sometimes, the natural way to buy those things will be less compatible with cards or the assumptions baked into cards’ business model.
There has been quite a bit of enthusiasm for stablecoins in some quarters recently. Part of the sales pitch for stablecoins has been that you get to bypass the traditional financial system rails. This sales pitch does not accurately predict the operation of stablecoin businesses with material volume. Those are often operating something of a crypto mullet, with a stablecoin in the front and a bank transfer in the back. Those bank transfers are often substantially facilitated by Open Banking. This is a necessary part of the growth story for stablecoin businesses, as they are increasingly attempting to interact with the real economy, rather than crypto speculation. The real economy wants dollars and doesn’t much care what brand of database your backoffice uses.
People, particularly at the socioeconomic margins, increasingly use things which aren’t exactly a plastic rectangle. Sometimes that is a Cash App or a Venmo, or a wallet directly integrated into a phone, or whatever a YC company invents next week. Our international peers like Japan (and our adversaries) have thriving payments ecosystems.
Developing these innovations will almost always need to touch the banking system because, at the end of the day, businesses want dollars. If we award banks the ability to impose a fee on any transaction that competes with their card business, that will strangle some of these innovations. This would be unfortunate, because customers and businesses benefit from choice.
It also helps us keep the banks on their toes. The industry tends to default to sleepwalking with regards to core services. Bank apps actually being quite good in the last few years is not simply a reflection of their general technical competence. They invested deliberately, after decades of underprioritization, because they saw the younger generation increasingly defecting to apps, and then they realized that would eventually threaten the deposit franchise.
The banks aren’t inherently opposed to shipping good products! They do it frequently! But if you ask the question slightly differently, they will happily bankrupt anyone who threatens revenue streams which are fat-and-happy. In that world, you get to use 1999 banking websites on Internet Explorer 5.0 forever. (And if that sounds unlikely, speak to a Korean friend sometime.)
There was also something of a kerfuffle with regards to banking supportability decisions recently. I have a nuanced point of view on it, but if I can offer a comment: when you let banks look into the economic logic of their customers’ lives to determine their pricing structure, you’re giving them the capability to pick winners and losers.
It has been reported that Chase wants a two-tier pricing system for Open Banking: one fee for data access and another, much higher, fee if someone uses that data access to facilitate a payment. These are the same products from Chase’s perspective. The same servers hold the same data. The same CSR stands ready to answer the call if a customer’s data leaks. But one of them is inimical to Chase’s preferences, and so they charge it more to discourage it.
We should not allow banks to get into the habit of sending demand letters to ruin the economics of businesses they simply do not like. Those demand letters will be inevitably abused, including in ways which are not determined by any conceivable direct business interest.
Banks are good at much of what they do, and it is quite profitable. If they want to maintain their share of wallet in their payments businesses, they employ intelligent people who are capable of shipping good products. Let them compete for the business. They’ll frequently win it, fair and square, including from me. But if customers choose to use someone else or if they mistakenly release payment to a fraudster, eh, have your teams break out Excel and try better tomorrow.