BankThink

The CFPB's 'open banking' rule is a solution in search of a problem

Banks solved the issue of consumer data sharing years ago. So, why is the Consumer Financial Protection Bureau stepping in now, with a rule that could make sharing data less safe and secure? asks Greg Baer, of the Bank Policy Institute.
Frank Gargano

To understand all that is wrong with the CFPB's new consumer financial data sharing rule, which it labels an "open banking" rule, it's important to understand the current state of affairs.

Currently, millions of bank customers routinely transfer data from their bank to fintechs and other service providers through application programming interfaces, or APIs, over authenticated, bank-controlled connections. There are over 120 data aggregators currently connecting bank data to other providers of financial services. Plaid, the leading provider of APIs, is connected to over 200 million bank accounts. Financial Data Exchange, a nonprofit standard-setting body created as a partnership between banks and fintechs, has an established API that securely connects 94 million bank accounts.

These results have been achieved through years of negotiation between banks and other data users. They have largely replaced screen scraping, in which a third party obtains a customer's username and password and simply siphons data from the bank, in many cases on a constant-flow basis with the aim of harvesting and selling that data. Banks have sought to ensure that data is transmitted securely and only to an authorized user, and banks have leverage because they can shut off the data flow for a specific third party in the event of poor data security practices or fraudulent behavior at that party. On the other hand, banks also want to please their customers, who object if data is not transferred where they want it. The result has been a reasonable balance in which banks transfer data at a customer's request but retain some ability to prevent fraud and ensure the security of that data.

As a result, customers at the largest U.S. banks are receiving a wide range of services from fintechs, with a constant flow of data through APIs. Customers are managing their finances, making peer-to-peer payments through services like Venmo, paying their taxes and monitoring their overall financial health — all successfully leveraging their bank data. The only gap in the system is smaller banks, which in many cases lack the resources to negotiate and implement APIs.

Notably, this entire ecosystem was created and is thriving without any government intervention. However, the current CFPB — which has never found a market-based solution it likes — has decided to overturn this happy apple cart. Its rule upsets the balance and requires banks to ignore privacy and security concerns and simply open the taps on customer data.

What is most remarkable about the CFPB's rule is that it fails to acknowledge in any way that it is being issued at a time of massive and ongoing online fraud. Data from the Identity Theft Resource Center found that data breaches are at an all-time high and experiencing significant year-over-year increases. Data from Experian also shows that more than 70 million consumers were affected by a data breach globally in 2023, a 30% increase from 2022.

For perspective, imagine if someone walked into a branch of your bank with a suitcase and asked to withdraw in cash everything in your checking and savings accounts. Before handing over the cash, the bank would certainly ask for identification, ask security questions, ask the reason for the withdrawal and perhaps do further investigation. The CFPB's rule, in the online world, hamstrings banks' ability to do any of those things. So long as the third party produces a customer's authorization, a form showing the customer wants the third party to obtain his or her data from the bank, the CFPB's rule requires the bank to share the customer's data with limited ability to withhold for security concerns.


Similarly, even in the absence of fraud, imagine a newly established company that has poor data security practices and is not subject to any government regulation. The Treasury Department issued a report in 2022 finding that "... there is virtually no regulatory oversight of data aggregators' storage of consumer financial information akin to the supervision of [banks'] data security." Despite numerous comments requesting that it do so, the CFPB fails to impose any obligations on such a firm. Its rule includes no security requirements, no privacy requirements and no obligation to provide customer service (instead of having the customer call — of course — his or her bank). Most notably, the CFPB refused calls to specify that liability follows the data and that a fintech or other company that is hacked is responsible for any customer losses. The CFPB leaves it to the bank — the only one that will answer the phone — to clean up the mess.

Adding to all its errors of commission, there is one remarkable, arbitrary omission in the CFPB's rule. The CFPB refers to its rule as an "open banking" rule, a term popularized in the United Kingdom when it acted to encourage the transfer of bank data. But the EU and the U.K. have taken significant steps to ban screen scraping and instead require the use of APIs. The consumer stakes are real: a survey conducted by The Clearing House found around 80% of consumer respondents were unaware that third-party app providers gather users' financial data; 73% were unaware that fintech apps have access to username and password information; and 78% were unaware that aggregators have access to personal data even when the app is closed or deleted. Nonetheless, the CFPB, again ignoring comments received on its proposed rule, has refused to ban screen scraping. While CFPB Director Chopra has publicly claimed that the rule would "sunset" screen scraping, the final rule does nothing to legally prohibit the practice; it merely suggests that the CFPB could get rid of it in the future under its existing authority.
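The security difference between screen scraping and API access that the two passages above rely on (credential sharing versus scoped, revocable tokens) is easier to see in code. The following is an added example written for this page, not code from the article, the Bank Policy Institute, Plaid, FDX or any real bank or aggregator; the `Bank` class, the party names "ScraperCo" and "BudgetApp", the scope names and the token format are all assumptions made for illustration. It models what a bank can and cannot control under each approach: with a shared password the bank cannot distinguish the aggregator's session from the customer's own, cannot limit what it reaches, and cannot cut it off without forcing a password change; with a per-party token it can scope, expire and revoke access while the customer's login is untouched.

```python
import hashlib
import hmac
import secrets
import time


class Bank:
    """Toy bank offering both data-sharing models (constructed example)."""

    def __init__(self):
        self._pw = {}        # customer -> (salt, PBKDF2 digest)
        self._tokens = {}    # token -> {customer, party, scopes, expires}
        self.audit = []      # (party, what was read) for every successful read

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def enroll(self, customer, password):
        salt = secrets.token_bytes(16)
        self._pw[customer] = (salt, self._digest(password, salt))

    def check_password(self, customer, password):
        salt, digest = self._pw[customer]
        return hmac.compare_digest(digest, self._digest(password, salt))

    # Screen-scraping path: the third party logs in AS the customer.
    def scrape(self, customer, password, party="unknown"):
        if not self.check_password(customer, password):
            raise PermissionError("bad credentials")
        # The session is indistinguishable from the customer's own, so it carries
        # every capability the customer has, including the ability to move money.
        self.audit.append((party, "full-session"))
        return {"balances": True, "transactions": True, "payments": True}

    # API path: the customer grants a named party specific scopes for a limited time.
    def authorize(self, customer, password, party, scopes, ttl=3600, now=None):
        if not self.check_password(customer, password):
            raise PermissionError("bad credentials")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"customer": customer, "party": party,
                               "scopes": frozenset(scopes), "expires": now + ttl}
        return token

    def api_read(self, token, scope, now=None):
        rec = self._tokens.get(token)
        if rec is None:
            raise PermissionError("token revoked or unknown")
        now = time.time() if now is None else now
        if now > rec["expires"]:
            raise PermissionError("token expired")
        if scope not in rec["scopes"]:
            raise PermissionError(f"scope {scope!r} not granted")
        self.audit.append((rec["party"], scope))
        return {scope: True}

    def revoke_party(self, party):
        """Bank-side kill switch: cut off one aggregator, customer password untouched."""
        doomed = [t for t, r in self._tokens.items() if r["party"] == party]
        for t in doomed:
            del self._tokens[t]
        return len(doomed)


def _allowed(fn, *args, **kwargs):
    """True if the read succeeds, False if the bank refuses it."""
    try:
        fn(*args, **kwargs)
        return True
    except PermissionError:
        return False


def demo():
    """Walk both models for one customer; returns the observations as a dict."""
    bank, pw = Bank(), "correct horse battery staple"
    bank.enroll("alice", pw)
    out = {}
    # Scraping: the password alone yields everything, and keeps working after
    # the customer "deletes the app", since nothing at the bank ties it to the app.
    out["scrape_payments"] = bank.scrape("alice", pw, "ScraperCo")["payments"]
    out["scrape_after_uninstall"] = _allowed(bank.scrape, "alice", pw, "ScraperCo")
    # API: a token scoped to read-only data, issued at (constructed) time 1000.
    tok = bank.authorize("alice", pw, "BudgetApp", ["balances", "transactions"],
                         ttl=3600, now=1000)
    out["api_balances"] = _allowed(bank.api_read, tok, "balances", now=1001)
    out["api_payments"] = _allowed(bank.api_read, tok, "payments", now=1001)
    out["api_after_expiry"] = _allowed(bank.api_read, tok, "balances", now=1000 + 3601)
    # The bank revokes one party; the customer's own login is unaffected.
    out["revoked"] = bank.revoke_party("BudgetApp")
    out["api_after_revoke"] = _allowed(bank.api_read, tok, "balances", now=1002)
    out["customer_login_still_works"] = bank.check_password("alice", pw)
    # There is no equivalent switch for the scraper short of a password reset.
    out["scraper_after_revoke"] = _allowed(bank.scrape, "alice", pw, "ScraperCo")
    out["audit"] = bank.audit
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The audit trail is the other point worth noticing: every API read is attributed to a named party and a named scope, whereas a scraped session is logged as the customer, so the bank cannot tell a data aggregator's constant polling from the customer's own activity, let alone attribute a later loss to it.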

Oh, and recall that the last mile was small banks, which generally lack the resources to arrange for APIs. The CFPB exempts them from the rule: all banks below $850 million in assets, which accounts for about 3,500 banks, or almost 84% of banks operating in the U.S. The CFPB thus seeks to regulate only banks that are already doing exactly what it claims it wants them to do.

In this case, the interests of the banking industry are fully aligned with the interests of its customers. They do not want to be victims of fraud; they want to maintain privacy; and they want to avoid the higher bank fees that will result if banks are both combating higher rates of fraud and doing the job of the CFPB, which should be policing fintechs.

Editor's note: The Bank Policy Institute is currently challenging the Consumer Financial Protection Bureau's open banking rule in court.
