Banks want more fintechs regulated under CFPB open banking rule

CFPB
The Consumer Financial Protection Bureau (CFPB) headquarters in Washington, D.C., U.S., on Saturday, April 16, 2022. The Credit-reporting company TransUnion is an "out-of-control" repeat offender engaging in “deceptive” marketing practices the CFPB alleged this week after filing a lawsuit. Photographer: Samuel Corum/Bloomberg
Bloomberg News

Banks remain concerned about the security risks and liability from unregulated fintechs and data aggregators when consumers gain control over their financial data under the Consumer Financial Protection Bureau's data access rule.

Banks and some data aggregators have asked the CFPB for an extended two-year timeframe to comply with the CFPB's final rule on personal financial data rights. The CFPB has received more than 11,000 comment letters on its proposed open banking rule — known in the industry simply as "1033" for its section of the Dodd-Frank Act — which is expected to be finalized in October.  

The CFPB's proposal would require financial institutions that offer checking accounts, prepaid cards, credit cards and digital wallets to allow customers to share their data safely with, or transfer the information to, another provider such as a fintech company or data aggregator. 

Banks already have built applications that allow more than 50 million consumers to share their bank transaction data with third-party fintechs and data aggregators. All the parties in the data sharing ecosystem will have to update public-facing websites, ensure that data is provided in an as-yet unestablished standardized format and enable support for data elements — some which, like bill payment data, are not currently shared.

Many banks and experts have been asking the CFPB to initiate a larger participant rule to bring the largest data aggregators under the bureau's supervision.

CFPB Director Rohit Chopra said in recent testimony before the House Financial Services Committee that data aggregators currently are subject to supervision through the CFPB's existing authorities based on their risk determination and as larger participants in the consumer reporting market. But banks still want a larger participant rule to sweep in more nonbanks.

"Bringing at least some fintechs under CFPB supervision affords a necessary regulatory lever to ensure compliance," said Ryan Miller, vice president of innovation policy and senior counsel at the American Bankers Association, in a comment letter. "However, it does not cover the entire ecosystem and only accentuates the supervisory gap for the vast majority of fintechs."

The massive scope and technological complexity of the rule caused the CFPB to break it down into at least two parts so far. In June, the bureau finalized part of its open banking rule, establishing criteria for standard-setting bodies in the space.

The process of applying to become a standard-setting body and getting accepted by the CFPB will take time. Four bank trade groups said the scope and technological difficulty of the rule provide support for extending the compliance deadline. Because so many companies will be affected by the final rule, banks and some data aggregators are citing potential disruptions to consumers as a reason for the bureau to give them more time. 

"Once a final rule is issued, banks likely will have to make complex and time-intensive changes to their systems and processes to implement, and create associated controls to ensure ongoing compliance with the requirements of a final rule," four bank trade groups — the American Bankers Association, Bank Policy Institute, Clearing House Association and Consumer Bankers Association — wrote in a comment letter last month to the CFPB.

The proposal would require that consumers be made aware of where their data is held and how it is used, which has sparked a nuanced debate about whether consumers should be given the option to "opt in" or "opt out" of having their data used for secondary purposes. 

The comment letters raise concerns about the security of the data, how much data should be exchanged and how quickly consumers can revoke access.

The rule will impose significant technological burdens and financial costs on community banks, which complained about the lack of a mechanism for them to recoup costs from third-party fintechs that benefit from the access to consumer financial data. 

"Community banks will largely be dependent on their core processors or other third-party companies to create the technologies required to allow them to build and maintain developer portals to comply with this rule, limiting their ability to control or mitigate the cost of implementation," said Mickey Marshall, assistant vice president and regulatory regulatory counsel at the Independent Community Bankers of America.

Marshall wants the CFPB to exempt banks with less than $850 million in assets from creating a developer interface, citing the "difficulty of ensuring that data recipients have sufficient safeguards to protect sensitive financial data." 

The ICBA and other bank trades also want banks to be allowed to charge a reasonable fee for providing access to consumer information to third parties. Banks want to be permitted to  recoup some of the costs of creating a developer interface without leading to any cost to consumers. 

Banks also are clear about making certain the CFPB does not exceed its authority under 1033 to allow nonbank fintechs and aggregators to use the rule as a vehicle to initiate payments. Some of the debate has been around the categories of information consumers are allowed to share with third-parties, an issue banks are clear should not include payments. 

"Section 1033 was created as a way for consumers to 'access information,' not mandate specific functionality," Miller wrote. "The statute does not create an obligation to enable payment transactions initiated by third parties. Thus, this data field exceeds the powers delegated by Congress and should be struck."

Bank regulators already expect banks to safeguard information and to exercise judgment and due diligence on third parties. Banks and others — including consumer advocates — have asked for the CFPB to clarify how liability would work under the final 1033 rule.

"Stakeholders are concerned about the lack of clarity in the proposal about who bears responsibility if a third party misuses the data or in some other way violates the requirements of the rule," wrote Major L. Clark, deputy chief counsel in the Office of Advocacy of the U.S. Small Business Administration. "Such lack of clarity could lead to confusion and expensive litigation. Advocacy encourages the CFPB to clarify who bears responsibility if a third party misuses the data or violates the requirements of the rule." 

Banks currently are in the process of trying to make the rule work technologically, which they claim is no small feat. Once the rule goes into effect, consumers will need "machine readable" files that are accessible. Banks will also need to train their customer service operations and refine their ability to notify third parties when a consumer revokes access to their data. Other tasks that are still in the works include performing robust testing of third-parties, adapting current data access agreements and improving oversight.

For reprint and licensing requests for this article, click here.
Data privacy Regulation and compliance CFPB News & Analysis
MORE FROM AMERICAN BANKER