Banks Challenge CFPB Rule That Jeopardizes Security and Privacy of Consumer Financial Data

The Bank Policy Institute and Kentucky Bankers Association filed a lawsuit this week against the Consumer Financial Protection Bureau challenging aspects of the agency’s rulemaking under Section 1033 of the Dodd-Frank Act, which governs how consumers access their financial data and how that data is protected. The lawsuit, filed in U.S. District Court in Lexington, KY, asserts that the CFPB overstepped its statutory authority and finalized a rule that jeopardizes consumers’ privacy, financial data and account security.

“BPI supports a competitive marketplace where consumers control how their personal financial data is used and with whom it is shared, so long as their data remains protected. Unfortunately, the CFPB delivered a rule that treats sensitive financial data with as little care as a consumer’s web browsing history. If left unchallenged, technology companies subject to little to no oversight will have access to very sensitive information, like how much is in your account and where you spend your money. Banks have a responsibility to protect customers and their data, and this rule compromises these responsibilities, putting bank customers at risk.” — Greg Baer, BPI President & CEO

“The CFPB’s 1033 rulemaking jeopardizes the safety and soundness of our banking system and fails to protect consumer data. We are challenging the CFPB to ensure that banks can continue to protect their consumers and the integrity of the financial system in a safe and sound manner.” — Ballard W. Cassady, Jr., Kentucky Bankers Association President & CEO

The lawsuit raises several key concerns with the CFPB rule:

  • It requires no oversight of third parties using bank customer data. The Treasury Department issued a report in 2022 finding that “...there is virtually no regulatory oversight of data aggregators’ storage of consumer financial information akin to the supervision of [banks’] data security.” The entire responsibility of protecting customers is left to banks under the final rule, while the CFPB takes no accountability for the oversight or supervision of data recipients. Mandating data sharing without requiring third parties to sufficiently protect that data will undermine existing consumer protection laws.
  • It increases the likelihood of fraud and scams by failing to address weak safeguarding practices. Without proper oversight and supervision of aggregators and third parties, the chances rise of bad actors gaining access to data from third-party entities with weak security practices. Exposure to account and routing numbers, along with transaction data, could provide fraudsters with all the details they need to initiate unauthorized transfers and engage in other malicious activities.
  • Screen scraping and other unsafe practices are allowed to persist. Many data aggregators continue to rely on unsafe practices such as screen scraping to obtain account and transaction data, often collecting more information than is needed to offer a core product or service. The CFPB has taken no concrete action to prohibit screen scraping and banks would remain limited in their abilities to address this risk and protect their customers.
  • It fails to hold third parties accountable. When a customer authorizes their data to be shared, the data recipient has an obligation to protect the data and provide the customer with basic customer service when problems arise. Third parties’ use and protection of sensitive consumer data is outside of banks’ control, leaving banks unable to protect their customers from data breaches at third-party companies and fraud that may result from these breaches.
  • It allows third parties to profit, at no cost, from systems built and maintained by banks. Technology costs are a significant expenditure for every major company in America, and banks have invested billions of dollars in building systems to protect consumers’ data and information and have earned customers’ trust accordingly. Banks should be able to charge third parties who seek access to that sensitive data, just as companies charge one another for products and services routinely in the marketplace. These practices are consistent with developer access offered by Google, Apple, Facebook and other major U.S. companies.
  • It imposes an unreasonable implementation timeline. While the final rule seemingly provides a longer compliance runway, the new compliance deadline is not tied to the promulgation of any consensus standards that will naturally become the industry’s default standard for compliance under the rule. But banks cannot build toward compliance with standards that do not exist. Until such standards are promulgated, any steps data providers take toward compliance come with the substantial risk of being wasted in the event that they must unwind and redo that work to adapt to standards that are later adopted.

Banks support a regulatory framework that fosters competition and safeguards consumer interests. The industry's goal is to achieve a resolution that sufficiently protects bank customers’ privacy, data security and control over their personal financial information. To access a copy of the complaint, please click here.

1. Correcting the Record on the CFPB’s Open Banking Rule

Consumer Financial Protection Bureau Director Rohit Chopra made several appearances this week to announce the release of the Bureau’s latest rulemaking, known as Section 1033. The rule governs how consumers access their financial data and how that data is protected. The Director made several statements in his remarks that warrant clarification. For example:

Director Chopra: “[T]he rule also strengthens protections by accelerating the shift away from the industry practice known as ‘screen scraping.’” … “By moving things to more secure sharing, we are going to be able to sunset this practice of screen scraping…”

FACT: There is nothing in the rule that would “sunset” the practice of screen scraping. The CFPB suggests in the preamble that it could regulate screen scraping in the future under its existing authority; however, the final rule does nothing to legally prohibit screen scraping practices. Many data aggregators will continue to rely on unsafe practices such as screen scraping to obtain account and transaction data, often collecting and retaining more information than is needed to offer a desired product or service.

Get the facts on Director Chopra’s statements here.

2. Chopra Signals Opposition to Reproposing Basel Rule

CFPB Director and FDIC board member Rohit Chopra this week indicated opposition to a reproposal of the Basel capital rule, a stance that has previously been reported in media articles citing deadlock on the FDIC board. “It’s very important that the United States finalize this as quickly as possible,” Chopra said this week in a POLITICO interview.

3. Hsu Backs Federal Payments Oversight

Acting Comptroller Michael Hsu expressed support for a federal payments oversight regime this week in comments at the D.C. Fintech Week conference. “We do not have a federal payments, e-money payments, regime charter that other countries have,” he said. Hsu said such a framework “would be better fit for purposes today.” The notion of a federal payments oversight entity was floated by senior Treasury official Nellie Liang in a recent speech. Hsu described a “regulatory gap” in the oversight of banking services provided by nonbanks, such as collapsed fintech Synapse. Too many fintechs operating in the financial services “supply chain” are “not well-regulated” and need federal oversight, Hsu said.

To read this entire edition of BPInsights, click here.

To receive BPInsights in your inbox every Saturday morning, click here.
