Banks and credit unions are raising concerns about data security risks and oversight of third-party partners as the Consumer Financial Protection Bureau crafts rules around how much control consumers have over their own financial data.
The CFPB is in the midst of writing a rule that will determine how financial institutions make data available to consumers on request. Banks say the rule could create an uneven playing field because financial firms are supervised and examined by regulators for compliance with consumer protection laws while hundreds of large technology and nonbank fintechs are not. The explosive growth of data aggregation services has created risks for consumers that could result in uneven enforcement, banks say.
“Nonbanks are increasingly providing financial products and services, yet their activities are largely unsupervised by the Bureau,” said Brian Fritzsche, vice president and regulatory counsel at the Consumer Bankers Association.
Fritzsche and Shelley Thompson, CBA’s vice president and associate general counsel, wrote a comment letter last week stating that the CFPB “does not adequately oversee these nonbank participants even though they compose a significant, continuously growing segment of the market for consumer financial products and services.”
The 1033 rule — so named for the section of the Dodd-Frank Act that authorizes it — is viewed as one of the most important rulemakings that will be completed under CFPB Director Rohit Chopra. The bureau released an outline of its plan in October, and is expected to issue a proposal later this year with a rule finalized in 2024.
Last year, eight bank trade groups petitioned the CFPB to define data aggregators as larger participants subject to regulatory supervision. Some experts think the bureau will issue a so-called larger participant rule before it completes its data-access rule, sometimes referred to as an “open banking rule.”
Though the language of the statute is focused on information about a consumer’s use of a product or service, bankers are concerned that the rule appears to be one-sided and anti-competitive because it comes from the view that only banks hold data that consumers want access to, with no requirements that nonbank financial firms such as mortgage lenders or buy now/pay later companies provide consumers the same data access as banks.
Ryan Miller, vice president of innovation policy at the American Bankers Association, wrote that “without regular and ongoing supervision of larger data aggregators and data recipients, implementation of Section 1033 will increase the risk of harm to consumers and competition.”
The CFPB listed more than 100 questions last year in an advance notice of proposed rulemaking that the final rule is supposed to answer, including: Does the consumer understand what is happening to their data? How can the consumer revoke access after initially consenting for their data to be used? And will the data be monetized for additional downstream uses?
Millions of consumers have already provided third-party firms access to their bank account transaction data that banks and credit unions say puts them in a bind. Although the Gramm-Leach-Bliley Act allows consumers to opt out of having their data shared, experts say consumers rarely read the small typeface buried in agreements with fintechs and data aggregators.
“Consumers should be given control over how much and what type of data they choose to share,” said Andrew Morris, senior counsel for research and policy at the National Association of Federally-Insured Credit Unions.
Consumers should know “exactly what data a third party will be requesting on their behalf, for what purpose it is being used [and] how frequently it will be accessed,” he said. Consumers also should be given information on how long their data will be stored, with whom it might be shared and under what conditions including how the consumer can exert any rights they may have if their data is lost or stolen, he said.
Rampant fraud in payments has forced banks and credit unions to sound the alarm about liability risk. The CFPB’s 71-page outline, released as part of a small business advisory review panel, makes no mention of liability.
Banks and others want the CFPB to create clear guidelines around which entity is responsible if a consumer suffers any loss or harm. Liability should travel with the data, many argue, to ensure that third-party technology companies are responsible for any crime, hack or other loss or harm to consumers.
“Data providers should not be required to make data available to any third party that is unwilling to accept liability for loss or harm that results after the data leaves the data provider’s portal,” said Paige Pidano Paridon, senior vice president and senior associate general counsel at the Bank Policy Institute.
Many experts agree that consumers have little or no understanding of the way bank account transaction data is accessed by scraping the information with a consumer’s login credentials. Some banks such as JPMorgan Chase have eliminated screen scraping and now route all inquiries from third-party apps through a secure application programming interface instead of allowing companies to collect data through screen-scraping. The CFPB has suggested that it could set a specific date beyond which screen-scraping would be banned. But some experts suggest that cutting off screen-scraping would be problematic, akin to when the Federal Communications Commission in 2009 required television stations to switch from analog to digital-only transmission.
“Permissioned login approaches generally serve as a fallback option when a financial institution does not have an API, which is common for smaller institutions,” said Penny Lee, CEO of the Financial Technology Association.
Another bone of contention appears to be whether the CFPB has enough manpower to oversee data aggregators and other third parties. It is unclear if the CFPB has any mechanism to determine if third parties are abiding by a consumer’s specific request around data-sharing. In December, the CFPB announced that it planned to create a registry of nonbanks that have been subject to state or local orders or judgments to police lawbreakers. The CFPB also said last year that it will conduct supervisory exams of nonbank fintech companies that pose risks to consumers.
“Regulatory standards to discourage screen scraping can help mitigate fraud and account takeover risks,” Morris said. “The CFPB might explore regulatory incentives to abandon screen scraping and establish minimum data security standards for third parties.”
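The controls Morris describes (what data a third party may request, for what purpose, how often, for how long, and how the consumer revokes access) only exist when the data provider sits between the consumer and the third party, which is the difference between a permissioned API and credential-based screen scraping. The following model, written for this article as an illustration and not code from the CFPB, any bank or any aggregator, shows a data provider enforcing scoped, rate-limited, expiring and revocable grants and logging every access decision, next to what a shared password hands over. All names, fields and the sample account are constructed.

```python
"""Consumer-permissioned data access: scoped grants versus credential sharing.

Added illustration (constructed; not from the article, the CFPB or any
financial institution). A DataProvider issues a grant that records the
consumer's consent terms and checks every fetch against them. The
scrape_with_credentials method models what screen scraping obtains once
the consumer hands over a password: everything, with no scope or revocation.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets

# Constructed sample account standing in for what a data provider holds.
SAMPLE_ACCOUNT = {
    "username": "alice",
    "password": "hunter2",  # present only to model credential sharing
    "balances": {"checking": 1250.00},
    "transactions": [{"date": "2023-05-01", "amount": -42.10, "memo": "grocer"}],
    "identity": {"name": "Alice Example", "ssn_last4": "1234"},
}


@dataclass
class Grant:
    grant_id: str
    third_party: str
    purpose: str                # why the data is being requested
    scopes: frozenset           # data categories the consumer agreed to share
    max_pulls_per_day: int      # how frequently it may be accessed
    expires_at: datetime        # how long the permission lasts
    revoked: bool = False


@dataclass
class DataProvider:
    account: dict
    grants: dict = field(default_factory=dict)
    pulls: Counter = field(default_factory=Counter)   # (grant_id, date) -> count
    access_log: list = field(default_factory=list)

    def issue_grant(self, third_party, purpose, scopes, max_pulls_per_day, ttl_days, now):
        grant_id = secrets.token_hex(8)
        self.grants[grant_id] = Grant(grant_id, third_party, purpose, frozenset(scopes),
                                      max_pulls_per_day, now + timedelta(days=ttl_days))
        return grant_id

    def revoke(self, grant_id):
        """Consumer withdraws consent; the third party is cut off immediately."""
        self.grants[grant_id].revoked = True

    def fetch(self, grant_id, category, now):
        """Return (allowed, reason, data). Every decision is logged so the provider
        can later show what each third party asked for and received."""
        grant = self.grants.get(grant_id)
        if grant is None:
            decision = (False, "unknown_grant", None)
        elif grant.revoked:
            decision = (False, "revoked", None)
        elif now >= grant.expires_at:
            decision = (False, "expired", None)
        elif category not in grant.scopes:
            decision = (False, "out_of_scope", None)
        elif self.pulls[(grant_id, now.date())] >= grant.max_pulls_per_day:
            decision = (False, "rate_limited", None)
        else:
            self.pulls[(grant_id, now.date())] += 1
            decision = (True, "ok", self.account[category])
        self.access_log.append({"time": now.isoformat(), "grant": grant_id,
                                "category": category, "allowed": decision[0],
                                "reason": decision[1]})
        return decision

    def scrape_with_credentials(self, username, password):
        """Model of credential sharing: a valid login yields every category the
        consumer can see, with no scope, purpose, frequency limit or audit trail,
        and the only way to stop it is to change the password."""
        if username != self.account["username"] or password != self.account["password"]:
            return None
        return {k: self.account[k] for k in ("balances", "transactions", "identity")}


def run_scenario():
    """Walk one grant through its lifecycle and return the decision reasons."""
    now = datetime(2023, 6, 1, 9, 0, tzinfo=timezone.utc)
    provider = DataProvider(dict(SAMPLE_ACCOUNT))
    gid = provider.issue_grant("budget-app", "categorize spending", {"transactions"},
                               max_pulls_per_day=2, ttl_days=30, now=now)
    r = {}
    r["in_scope"] = provider.fetch(gid, "transactions", now)[1]
    r["out_of_scope"] = provider.fetch(gid, "identity", now)[1]
    provider.fetch(gid, "transactions", now + timedelta(hours=1))   # second pull today
    r["rate_limited"] = provider.fetch(gid, "transactions", now + timedelta(hours=2))[1]
    r["next_day"] = provider.fetch(gid, "transactions", now + timedelta(days=1))[1]
    r["expired"] = provider.fetch(gid, "transactions", now + timedelta(days=31))[1]
    provider.revoke(gid)
    r["revoked"] = provider.fetch(gid, "transactions", now + timedelta(days=2))[1]
    r["scraped_categories"] = sorted(provider.scrape_with_credentials("alice", "hunter2"))
    r["log_entries"] = len(provider.access_log)
    return r


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The grant checks run in a fixed order (revoked, expired, scope, frequency) so a denied request always reports the most restrictive reason, and every call, allowed or not, lands in the access log, which is the record a provider would need to answer whether a third party stayed within the consumer's request. The scraping path returns all three data categories regardless of purpose and writes nothing to the log, which is the oversight gap the article describes.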