CFPB's open banking rule faces suit from Bank Policy Institute

The Bank Policy Institute, the Kentucky Bankers Association and a community bank in Lexington, Kentucky, filed a lawsuit late Tuesday against the Consumer Financial Protection Bureau and Director Rohit Chopra, challenging the agency's open banking rule.

The 56-page lawsuit, which was filed on the same day that the CFPB released its final rule on open banking, alleges that the bureau exceeded its statutory authority. The lawsuit also claims the CFPB is jeopardizing the safety and soundness of the banking system by limiting banks' discretion to deny third parties access to sensitive financial information.

The suit was filed in the U.S. District Court for the Eastern District of Kentucky.

Judd Littleton, a partner at Sullivan & Cromwell who is representing the plaintiffs, said the fundamental defect in the CFPB's rule is that banks generally have wide discretion to engage in risk management for all their operations, but particularly with respect to consumers' information. By requiring banks to turn over their customers' banking data to potentially unvetted third parties, the rule puts customers' data at risk, the suit argues.

"We just think it's fundamentally an unsafe rule for consumers," said Littleton, who is representing BPI, the Kentucky Bankers Association and the $1.6 billion-asset Forcht Bank. "It requires banks to share information with all of these thousands of fintechs and data aggregators. It requires not only the sharing of transactional information and account information, but even information that could initiate payments in and out of the consumer's accounts."

The CFPB's final open banking rule requires banks to safely share financial data on checking accounts, prepaid cards, credit cards, mobile wallets, payment apps and other financial products at the consumers' request. The final rule does not ban screen-scraping, a highly insecure method that third parties sometimes use to obtain consumer data.

The rule places limitations on banks' ability to manage their risks and the circumstances under which they can deny access to consumers' information, Littleton said.

He called the rule "fundamentally unsafe," and said that the CFPB used an "arbitrary and capricious framework … to adopt it." The lawsuit seeks to halt the rule under the Administrative Procedure Act.

When Congress enacted Section 1033 of the Dodd-Frank Act in 2010, lawmakers envisioned that consumers would be able to obtain their personal financial information and provide it to companies that have a fiduciary duty to the consumer, Littleton said.

"Congress did not authorize the CFPB to regulate open banking in the United States through this little provision of Dodd-Frank," he said late Tuesday on a call with reporters.

The complaint alleges that third parties are less regulated than banks — which are subject to extensive oversight and supervision by financial regulators — and notes that a number of fintech companies have fallen victim to data breaches.

"We can expect that such [cyber] attacks are only going to become more prevalent once highly sensitive data is in the hands of more third parties," Littleton said.

After the CFPB issued a proposed open banking rule last year, bank trade groups raised major concerns about its approach to risk management in comments to the CFPB and in discussions with the agency's staff, said Paige Paridon, BPI's senior vice president and senior associate general counsel.

Paridon said one of the problematic parts of the rule is that banks or data providers can deny access to a third party only if the denial is reasonable under standards set by the CFPB — standards that limit banks' discretion to manage the risks of their customers' information. The change also comes at a time when frauds and scams through technology, apps and text messages are rampant.

The CFPB's final rule "is actually worse than the proposal in that it has to be balanced against a very highly discretionary and unclear framework where the CFPB could actually decide if the bank's denial of access to a third party is basically legitimate," Paridon said. "We have serious concerns that this goes well beyond what the statute provides through its language, and well beyond what Congress intended the definition of 'consumer' and the understanding Congress had when they enacted this rule 14 years ago."

The Kentucky Bankers Association has previously fought the CFPB in court, having sued the agency over its small business data collection rule in 2023. 

Though the final open banking rule has a carveout for those community banks with less than $850 million of assets, Forcht Bank, with assets of $1.6 billion, exceeds that threshold.
