Small banks, credit unions and fintechs are asking the Consumer Financial Protection Bureau to ease into a proposal that would eliminate a method many data aggregators use to connect consumers’ bank accounts to financial apps, saying a sudden ban on the practice would put community banks at a disadvantage and limit consumer choice.
The request comes as the CFPB has started a rule-making process aimed at giving consumers greater control over their financial data, an authority Congress granted the bureau under Section 1033 of the 2010 Dodd-Frank Act.
A final rule on Section 1033 will likely have a significant impact on the future of screen scraping, a practice fintechs and banks have battled over for years.
Screen scraping is a form of data collection where a third-party requests credentials from a customer’s bank account in order to “scrape” information that is then provided to a fintech, such as a payments platform or budgeting app.
Large firms such as JPMorgan Chase and PNC have warned about privacy risks associated with screen scraping, and have implemented security and policy changes that have blocked some aggregators from accessing passwords.
A provision in the 71-page outline the CFPB released in October aims to eliminate screen scraping by requiring banks to establish and maintain application programming interfaces, standardized software widely regarded as a more secure way to connect consumers’ accounts to financial apps.
The CFPB is expected to issue a proposal on the data privacy rule later this year, with finalization and implementation planned for 2024.
In its letter to the CFPB, the Bank Policy Institute, which represents some of the nation’s largest banks, called for the agency to establish a date by which the practice would be banned to encourage the transition to APIs.
But while the banking industry has been migrating toward APIs, smaller banks often lack the tech budgets required to create such platforms, the Independent Community Bankers of America said.
The ICBA said it supports the use of APIs, but warned the CFPB against mandating standards that would put community banks at a steep disadvantage.
“[T]here is limited adoption of APIs among community banks as they are highly dependent on their core banking platforms and other solution providers for API integration capabilities,” the group wrote. “APIs and API integration from core and solution providers may come at a cost to community banks. For this reason, standards implementation by different market participants should reflect industry progression at a reasonable cost or no cost, so as not to leave community banks at a disadvantage from any asymmetry of capabilities and resources.”
The group asked that the CFPB establish a “sufficient timeframe” for firms to develop, test and implement an API portal in its proposed rule.
The group’s members said a sufficient timeframe would range from five to eight years, and requested that implementation time be staggered based on a bank’s asset size.
The National Association of Federally Insured Credit Unions also warned the bureau against unintentionally creating a rule that would only benefit the nation’s largest firms.
“In the long run, commoditization of financial data driven by the CFPB’s goal of ‘reducing switching costs’ could have the opposite of its intended effect: rewarding the largest, most technologically, sophisticated companies at the expense of credit unions and other community institutions focused on relationship banking,” the group said in its comment letter.
Fintechs also voiced their support for a measured migration away from screen scraping.
Data aggregator Plaid said it supports a phase out, but wants the CFPB to protect consumers’ rights to continue to allow authorized third parties to utilize screen scraping during the transition.
Plaid, which has contracts with some of the nation’s largest banks, estimates more than 60% of its traffic is currently on APIs.
The fintech, however, still uses screen scraping in cases where it lacks a data access sharing agreement with a consumer’s financial institution, Plaid said.
The Financial Technology Association, which said it prefers to use the term “permissioned login” rather than the “potentially derogatory” term, screen scraping, believes the practice should remain viable, especially in situations where APIs are not offered or available.
“[W]e urge the Bureau to focus on encouraging third-party providers to increase API integrations and performance rather than imposing limits on permissioned login approaches,” the trade group, which represents fintechs Brex, Betterment and Plaid, wrote. “[S]mall banks and financial institutions are most likely to require substantial time in implementing APIs and should be able to rely on permissioned login approaches until they have API capabilities.”
The group suggested the CFPB stagger API implementation timelines based on banks’ total assets, “with the smallest entities having the most time to meet stated Bureau targets.”