“It’s tough to make predictions, especially about the future.” While there is some dispute whether baseball Hall of Famer Yogi Berra uttered these words, it is irrefutable that making predictions is tough business. I suspect Yogi would be disappointed to know that after many years of writing a year-end public policy predictions blog post, I am no longer aware of my batting average. Nevertheless, I enter this year with confidence that my crystal ball will enable me to string together a series of hits with my four predictions for 2023.
1. The CFPB's New Open Banking Proposal Will Accelerate Exciting Product Innovations
For those in the financial services industry, 2023 will be the year when U.S. regulators take a major step in addressing the emerging open banking landscape. The Consumer Financial Protection Bureau (CFPB) has indicated it will publish rules, not guidelines, aimed at strengthening consumers’ control over and providing portability of their financial account data, sometime in 2023. While a final rule implementing section 1033 of the Dodd-Frank Act will not be issued until 2024, knowing that “rules of the road” are now on the way is sure to add more momentum to open banking initiatives.
For several years now, FICO has recognized the potential of new scoring innovations leveraging consumer financial account data. In 2018, FICO introduced the UltraFICO Score, leveraging consumer-permissioned financial data combined with account aggregation technology and distribution capability to provide lenders with new insights and consumers with enhanced access to credit. Moreover, FICO has produced various open banking analytic models for use by financial institutions around the world. These models are focused on personalizing the consumer’s experience with real-time and summarized insights from available financial instruments and consumer transactions.
FICO is not alone in these efforts. Just in the last few months, both Freddie Mac and Fannie Mae announced that their respective automated underwriting systems will consider consumer-permissioned cash flow data in the assessment process that will provide key benefits for first-time homebuyers and underserved communities. The CFPB’s Section 1033 rulemaking will only fuel further innovations as open banking takes a stronger hold in the U.S.
With a weakening economy, BNPL firms have seen a rise in bad debts, growing losses, increased costs of operations and tumbling share prices. Leading up to 2022, the industry saw meteoric growth with transaction volume increasing fourfold, from $33 billion to $120 billion, between the years of 2019 and 2022. The introduction of new BNPL offerings across many product lines also attracted attention from regulators. The CFPB has collected information from five of the top BNPL companies and issued a comprehensive industry report. CFPB Director Rohit Chopra has further indicated that he would like to see consumer protections akin to those for credit cards, including improving disclosures and fraud and dispute resolution protections.
However, some have questioned whether the same consumer protection laws apply to all BNPL activity. Several groups have also called for comprehensive industry regulation. Yet a larger participant rule covering leading BNPL companies currently is not on the CFPB rulemaking agenda.
Instead, I would expect regulators in the coming year to focus on providing greater regulatory clarity through guidance and their use of enforcement powers to encourage BNPL providers to update their operations. Some BNPL firms already are providing disclosures mandated by the Truth-in-Lending Act. Other companies offer BNPL as a traditional long-term installment loan, which is subject to a number of consumer financial protection laws.
Consumers will likely see more transparency from industry participants going forward. BNPL is certainly here to stay and, even in the absence of specific regulatory requirements in 2023, providing consumer protections and disclosures will soon become table stakes in the next phase of the industry’s maturation.
3. For Public Companies, Cybersecurity Compliance with New SEC Rules will be a Top Priority
As cybersecurity threats to the private sector continue to increase, the federal government remains focused on enhancing cybersecurity outside of government-controlled systems. In March 2022, the Securities and Exchange Commission (SEC) issued proposed rules regarding cybersecurity risk management, strategy, governance, and incident disclosure for public companies subject to the reporting requirements of the Securities Exchange Act of 1934. The proposed rules appreciably increase corporate accountability on cyber risk, starting from the boardroom and cascading down throughout the organization.
One of the most talked-about provisions is the proposed change to the Form 8-K, a report public companies must file with the SEC to announce major events that alert shareholders. The proposal requires registrants to disclose information about a cybersecurity incident within four days after the registrant determines that it has experienced a material cybersecurity incident, as opposed to the incident’s date of discovery. This new provision will not only require organizations to understand materiality in the context of a covered system breach, but it will also have the effect of challenging leadership in public companies to understand materiality in financial terms before breaches occur. The SEC rules will require a new cybersecurity preparedness level that many organizations may not be meeting today.
The Office of Management and Budget has reported that final SEC cyber rules are expected to be issued in April 2023. While it is not yet clear when the new SEC requirements will be effective, 2023 will be a year when public companies take steps in preparation for the SEC’s new rules by further evaluating the effectiveness of their current cyber reporting practices and procedures.
4. Meaningful Developments but No Federal Privacy Law or AI Regulations
Entering 2023, the United States continues to be without a comprehensive national privacy law. However, in 2022, there was a significant development with the introduction of the American Data and Privacy Protection Act (ADPPA). For the first time, privacy legislation in Congress garnered bipartisan support among key House and Senate committee leaders. In July, the bill even passed out of the House Commerce Committee by a vote of 53-2.
However, there still remain a number of objections, including concerns over the state pre-emption provision as well as the private right of action language. Privacy matters generally have not been partisan issues, giving hope for the bill’s future where party control in Congress is divided among the Democrats and Republicans. While policy leaders will make further progress on shaping a federal privacy bill, I predict that a final deal will not be forged in 2023. Other privacy-related proposals focused on children’s privacy (COPPA 2.0 and KOSA) could also take energy away from ADPPA passage.
As it relates to AI regulation, the White House recently published its Blueprint for an AI Bill of Rights, which provides a framework for more accountable AI. Meanwhile, the National Institute of Standards and Technology is expected to release its AI Risk Management Framework in 2023. This effort will provide a set of voluntary standards for businesses and others to adopt. The success of these measures will depend on how well industries adopt clearly defined practices, metrics and thresholds, and can both define and demonstrate their adherence to Responsible AI.
Though the EU is moving forward with its efforts to regulate AI, 2023 will likely be a year in the U.S. focused on AI principles and standards. This no doubt will keep FICO’s Chief Analytics Officer Scott Zoldi, who has received more than 100 patents for his work in developing AI and machine learning software technologies, busy as he shares his insights online on a variety of responsible and ethical AI topics.
As we look to 2023, I am reminded that each year brings renewed hope for baseball fans and players that their team will have a successful season. Though Yogi rightfully noted the challenge of making predictions, I am optimistic that my “Four for 2023” will significantly increase my batting average – whatever it may be.