To understand all that is wrong with the CFPB's new
Currently, millions of bank customers routinely and securely transfer data from their bank to fintechs and other service providers in a secure way through application programming interfaces, or APIs. There are over 120 data aggregators currently connecting bank data to other providers of financial services. Plaid, the leading provider of APIs, is connected to over 200 million bank accounts. Financial Data Exchange, a nonprofit standard-setting body created as a partnership between banks and fintechs, has an established API that securely connects 94 million bank accounts.
These results have been achieved through years of negotiation between banks and other data users. They have largely replaced screen scraping, where a third party obtains a customer's username and password and simply siphons data from the bank — in many cases on a constant, flow basis with the aim of harvesting and selling that data. Banks have sought to ensure that data is being transmitted securely and to an authorized user, and banks have leverage because they can shut off the data flow in the event of poor data security practices or fraudulent behavior at the third party. On the other hand, banks also want to please their customers, who object if data is not transferred where they want it. The result has been a reasonable balance where banks transfer data at a customer's request but retain some ability to prevent fraud and ensure the security of that data.
As a result, customers at the largest U.S. banks are receiving a wide range of services from fintechs, with a constant flow of data through APIs. Customers are managing their finances, making peer-to-peer payments through services like Venmo, paying their taxes and monitoring their overall financial health — all successfully leveraging their bank data. The only gap in the system is smaller banks, which in many cases lack the resources to negotiate and implement APIs.
Notably, this entire ecosystem was created and is thriving without any government intervention. However, the current CFPB — which has never found a market-based solution it likes — has decided to overturn this happy apple cart. Its rule upsets the balance and requires banks to ignore privacy and security concerns and simply open the taps on customer data.
What is most remarkable about the CFPB's rule is that it fails to acknowledge in any way that it is being issued at a time of massive and ongoing online fraud. Data from the
For perspective, imagine if someone walked into a branch of your bank with a suitcase and asked to withdraw in cash everything in your checking and savings accounts. Before handing over the cash, the bank would certainly ask for identification, ask security questions, ask the reason for the withdrawal and perhaps do further investigation. The CFPB's rule, in the online world, hamstrings banks' ability to do any of those things. So long as the third party produces a customer's authorization, a form showing the customer wants the third party to obtain his or her data from the bank, the CFPB's rule requires the bank to share the customer's data with limited ability to withhold for security concerns.
Enforcement actions from the Consumer Financial Protection Bureau still fresh in the mind of financial leaders have renewed hopes that a second Trump administration will favorably alter the agency's future.
Similarly, even in the absence of fraud, imagine a newly established company that has poor data security practices and is not subject to any government regulation. The Treasury Department
Adding to all its errors of commission, there is one remarkable, arbitrary omission in the CFPB's rule. The CFPB refers to its rule as an "open banking" rule, a term popularized in the United Kingdom when it acted to encourage the transfer of bank data. But the EU and the U.K. have taken significant steps to ban screen scraping and instead require the use of APIs. A survey conducted by The Clearing House found around 80% of consumer respondents were unaware that third-party app providers gather users' financial data; 73% were unaware that fintech apps have access to username and password information; and 78% were unaware that aggregators have access to personal data even when the app is closed or deleted. Nonetheless, the CFPB, again ignoring comments received on its proposed rule, has refused to ban screen scraping. While CFPB Director Chopra has publicly claimed that the rule would "sunset" screen scraping. The final rule does nothing to legally prohibit this practice — it merely suggests that the CFPB could get rid of it in the future under its existing authority.
Oh, and recall how the last mile was small banks, who generally lack the resources to arrange for APIs. The
In this case, the interest of the banking industry is fully aligned with the interests of their customers. They do not want to be victims of fraud; they want to maintain privacy; they want to avoid higher bank fees that will result if banks are both combating higher rates of fraud and doing the job of the CFPB, which should be policing fintechs.
Editor's note: The Bank Policy Institute is
