Banks and credit unions are raising concerns about data security risks and oversight of third-party partners as the Consumer Financial Protection Bureau crafts rules around how much control consumers have over their own financial data.
The CFPB is in the midst of writing a rule that will determine how financial institutions make data available to consumers on request. Banks say the rule could create an uneven playing field because financial firms are supervised and examined by regulators for compliance with consumer protection laws while hundreds of large technology and nonbank fintechs
"Nonbanks are increasingly providing financial products and services, yet their activities are largely unsupervised by the Bureau," said Brian Fritzsche, vice president and regulatory counsel at the Consumer Bankers Association.
Fritzsche and Shelley Thompson, CBA's vice president and associate general counsel, wrote a
The 1033 rule — so named for the section of the Dodd-Frank Act that authorizes it — is viewed as one of the most important rulemakings that will be completed under CFPB Director Rohit Chopra. The bureau released
Last year, eight bank trade groups petitioned the CFPB to define data aggregators as larger participants subject to regulatory supervision. Some experts think the bureau will issue a so-called larger participant rule before it completes its data-access rule, sometimes referred to as an "open banking rule."
Though the language of the statute is focused on information about a consumer's use of a product or service, bankers are concerned that the rule appears to be one-sided and anti-competitive because it comes from the view that only banks hold data that consumers want access to, with no requirements that nonbank financial firms such as mortgage lenders or buy now/pay later companies provide consumers the same data access to banks.
Ryan Miller, vice president of innovation policy at the American Bankers Association, wrote that "without regular and ongoing supervision of larger data aggregators and data recipients, implementation of Section 1033 will increase the risk of harm to consumers and competition."
The CFPB listed more than 100 questions last year in an
Millions of consumers have already given third-party firms access to their bank account transaction data, which banks and credit unions say puts them in a bind. Although the Gramm-Leach-Bliley Act allows consumers to opt out of having their data shared, experts say consumers rarely read the small typeface buried in agreements with fintechs and data aggregators.
"Consumers should be given control over how much and what type of data they choose to share," said Andrew Morris, senior counsel for research and policy at the National Association of Federally-Insured Credit Unions.
Consumers should know "exactly what data a third party will be requesting on their behalf, for what purpose it is being used [and] how frequently it will be accessed," he said. Consumers also should be given information on how long their data will be stored, with whom it might be shared and under what conditions, including how the consumer can exert any rights they may have if their data is lost or stolen, he said.
Rampant fraud in payments has forced banks and credit unions to sound the alarm about liability risk. The CFPB's 71-page outline, released as part of a small business advisory review panel, makes no mention of liability.
Bank trade groups are asking the Consumer Financial Protection Bureau to issue a rule to supervise data aggregators before issuing a separate rule on consumer access to financial data.
Banks and others want the CFPB to create clear guidelines around which entity is responsible if a consumer suffers any loss or harm. Liability should travel with the data, many argue, to ensure that third-party technology companies are responsible for any crime, hack or other loss or harm to consumers.
"Data providers should not be required to make data available to any third party that is unwilling to accept liability for loss or harm that results after the data leaves the data provider's portal," said Paige Pidano Paridon, senior vice president and senior associate general counsel at the Bank Policy Institute.
Many experts agree that consumers have little or no understanding of the way bank account transaction data is accessed by scraping the information with a consumer's login credentials. Some banks such as JPMorgan Chase have
"Permissioned login approaches generally serve as a fallback option when a financial institution does not have an API, which is common for smaller institutions," said Penny Lee, CEO of the Financial Technology Association.
Another bone of contention appears to be whether the CFPB has enough manpower to oversee data aggregators and other third parties. It is unclear if the CFPB has any mechanism to determine if third parties are abiding by a consumer's specific request around data-sharing. In December, the CFPB announced that it planned
"Regulatory standards to discourage screen scraping can help mitigate fraud and account takeover risks," Morris said. "The CFPB might explore regulatory incentives to abandon screen scraping and establish minimum data security standards for third parties."