In 2010, Congress bestowed upon the Consumer Financial Protection Bureau the authority to create an open banking regime in the United States. Section 1033 of the Dodd-Frank Act empowers the CFPB to provide to U.S. consumers and small businesses a uniform, legally binding right to digitally share their own financial data with third-party financial services providers of their choice.
A Section 1033 rulemaking would both improve financial access at home and bring the U.S. financial system in line with many other G-20 countries abroad.
There is no doubt that the CFPB and the Biden administration intend to usher in an era of open banking in the United States. Through various statements and orders, the Biden administration and the CFPB have made it clear that increased centralization and weakened competition within the financial services industry has led to worsening consumer value and fewer choices, which is particularly harmful in today’s economic environment of persistent inflationary pressure.
And they’re not alone: There has been bipartisan interest in moving forward on a Section 1033 rulemaking over the last six years, beginning when former CFPB Director Richard Cordray first issued a request for information on the subject in 2016, and continuing through former CFPB Director Kathy Kraninger’s issuance of an advance notice of proposed rulemaking (ANPR) in October 2020.
Despite this consistent support, U.S. consumers and small businesses still lack a formal financial data right 12 years after Congress initially granted the CFPB the authority to create one. Now, more than one year after the close of the bureau’s ANPR on Section 1033, reports suggest the rule may be further delayed due to concerns over data privacy. While the CFPB’s focus on consumer data privacy is well placed, in reality it is the absence of a Section 1033 rulemaking that threatens to create a patchwork of decentralized, asymmetrical data privacy standards in the customer-permissioned data sharing marketplace.
Today, consumer data privacy in the U.S. open banking ecosystem is driven principally through bilateral data access agreements negotiated between and executed by financial institutions and data-aggregation firms. These proprietary agreements are not homogeneous, and, as a result, consumers’ ability to access and use their own financial data, and the protections afforded to them when they do so, may differ depending on which financial institution they use. By contrast, countries that have implemented legally binding data rights under authorities akin to Section 1033 have instituted accreditation or licensing requirements that impose standards on companies that offer financial services, products or tools, including data privacy requirements.
Having watched much of the world move more quickly toward open banking, the United States and the CFPB can benefit from learning the lessons of other countries’ experiences. To wit: There exists widespread consensus among financial technology firms and data aggregators that a well-crafted Section 1033 rule will subject data aggregators to the CFPB’s supervision, will create a uniform set of consumer-protective standards for any financial technology firms that offer open banking tools, and will require any entity that breaches consumer data to hold the liability for making the impacted consumer whole.
Put differently: The fintech community believes now, like it did when the CFPB began exploring a Section 1033 rulemaking six years ago, that data privacy standards are a critical element.
Unfortunately, each day that goes by without a Section 1033 rulemaking makes it more difficult for the CFPB to impose legally binding standards that protect consumers and their financial data.
As the negotiation and execution of bilateral data-access agreements accelerate, the proliferation of individual parties’ interpretation of what they believe to be the appropriate data privacy standards becomes more complex and contentious. As such, continued delay of a final rulemaking under Section 1033 of the Dodd-Frank Act will merely extend and exacerbate the disparate data privacy status quo while making the CFPB’s task more complex with each passing day.