CFPB’s Open Banking Data Access Controls Fall Short, Banks Say

Oct. 31, 2024, 9:00 AM UTC

The Consumer Financial Protection Bureau’s rule making it easier for customers to access and transfer their financial data gives banks the power to reject potentially risky financial technology companies, but traditional lenders say the provisions aren’t clear enough.

The final open banking rule, unveiled Oct. 22, requires banks to give fintechs access to customer deposit and credit account data with the customer’s permission. Banks warn that this will expose customer data to hacks and increase fraud risks, while creating potential headaches for compliance programs.

The CFPB’s rule also allows banks to reject data requests that pose a risk and don’t meet technical requirements established by an industry standard-setting body approved by the agency.

Those provisions should provide enough leeway for banks to protect themselves, said Graham Steele, former assistant Treasury secretary for financial institutions in the Biden administration.

“Issues the banks say they have feel like practical, solvable problems,” he said.

But banks aren’t buying it.

The Bank Policy Institute, a trade association representing the biggest banks, announced a lawsuit to challenge the rule the day it came out.

“Banks have a responsibility to protect customers and their data, and this rule compromises these responsibilities, putting bank customers at risk,” Greg Baer, BPI’s president and CEO, said in a statement on the suit.

The CFPB declined to comment on the record.

Balancing Act

The CFPB faced a tough balancing act designing the open banking rule, required under Section 1033 of the Dodd-Frank Act.

It had to enable customers to share their financial data with third-party fintechs or even other banks to boost competition, while still allowing banks to protect that sensitive data.

The CFPB made a push to shift away from screen scraping—where customers share their login credentials with third-party companies that then collect a wide swath of data—in favor of application programming interfaces that allow for more targeted data collection.

“At the end of the day, we do think the rule actually increases safety and security in the whole ecosystem because it does shift the market away from, I think, practices that were quite shoddy and exposed a lot of risk, not just to consumers, but to the banking system as well,” CFPB Director Rohit Chopra said in an interview after the final rule was released.

The industry is already eliminating screen scraping. Plaid Inc., the largest data aggregator, says approximately 80% of its traffic between fintechs and financial institutions went through APIs as of September.

The agency also put in place such privacy protections as requiring fintechs to get permission once a year to collect customer data and mandating that fintechs delete all data if the customer stops using their service.

In addition, the CFPB put limits on how much data companies can collect from banks.

The rule “really should serve as a model on how privacy and data are protected,” said Chi Chi Wu, a senior attorney at the National Consumer Law Center.

Unlike other countries and jurisdictions that have open banking regimes, such as the UK and European Union, the US doesn’t have a federal privacy law that applies to all companies, including fintechs.

That could pose a risk even with the CFPB’s built-in protections, said Mercedes Tunstall, a partner at Cadwalader, Wickersham & Taft LLP focused on consumer financial services and fintechs.

“We don’t have a national privacy law that controls everything when it goes from a bank to a third party,” she said.

Banks have also raised concerns that the CFPB didn’t set up clear guidelines to determine which party is liable in the event of a data breach.

Safe Fintechs

Banks warn the CFPB’s rule will bar them from blocking access to fly-by-night fintechs that may be a vector for fraud.

The agency wants “the open banking industry to flourish even at the costs of some of these companies being scammers,” said Jonathan Joshua, a financial regulations specialist at Joshua Law Firm LLC.

The CFPB made some changes in its final rule to clarify when banks can block a fintech’s access, including when a customer hasn’t specifically authorized data sharing.

The CFPB is also reviewing applications from groups applying to serve as industry standard-setting bodies.

One, the Financial Data Exchange, is led by a former JPMorgan Chase & Co. executive. Several large banks and bank trade groups, including BPI, are FDX members and will help set the technical standards should the CFPB give FDX the nod.

Another is the Digital Governance Standards Institute, a Canadian standard-setting body.

Those groups can create a “white list” showing the fintechs that meet all technical specifications and can be trusted by banks.

“The people who have the expertise to determine those things are probably not bankers and they’re probably not lawyers either,” said Catherine Brennan, a Hudson Cook LLP partner focused on fintech.

The CFPB also allows banks to confirm fintechs meet data security standards in the onboarding process, and requires that all companies in the open banking ecosystem comply with existing data protection requirements, such as the Gramm-Leach-Bliley Act’s Safeguards provisions.

BPI’s lawsuit questioned the CFPB’s authority to defer to industry on setting technical and compliance standards.

The agency is likely to approve more than one standard-setting body, opening the door to a potential race to the bottom if fintechs seek out groups with weaker standards, Tunstall said.

‘Good Shift’

The CFPB will allow banks to reject a fintech’s request for data access if they can prove the fintech poses a threat to safety and soundness.

Chopra said the CFPB, which isn’t a safety-and-soundness regulator, is currently in discussions with the Federal Deposit Insurance Corp., the Federal Reserve, and the Office of the Comptroller of the Currency to set up a regime for recognizing such threats.

If that goes well, banks’ concerns may be at least somewhat alleviated, Tunstall said.

“That was a really good shift for the CFPB to make that could ultimately end up saving this rule,” she said.

— With assistance from Justin Wise.

To contact the reporter on this story: Evan Weinberger in New York at eweinberger@bloombergindustry.com

To contact the editors responsible for this story: Michael Smallberg at msmallberg@bloombergindustry.com; Rob Tricchinelli at rtricchinelli@bloombergindustry.com
