
When Congress enacted financial reforms in the wake of the 2007 financial crisis, it gave consumers the right to share their financial data with the third parties of their choosing. That right has undergirded the rapid growth and evolution of a U.S. data-sharing ecosystem in which large banks, data aggregators and third-party data recipients — in anticipation of a
But in challenging the bureau's
We had eagerly anticipated the bureau's rule. Given our organization's focus on 
The CFPB took up the issue soon after, publishing 
In its feedback to the bureau, 
The rule the CFPB ultimately promulgated follows precisely this approach, articulating core principles while encouraging the continued development of what the rule refers to as "consensus standards" that can guide financial institutions in filling in the details. And yet, on the same day that the CFPB issued the rule, BPI filed a 
BPI's argument attacks the core legal foundation underlying data sharing in direct contradiction of the Dodd-Frank provision that consumers' representatives can stand in the shoes of consumers in exercising their rights. If its position were to prevail, the banks would take over the data controls that rightfully belong to their customers, leaving the banks to determine what pieces of a consumer's data the bank will provide, to which customer-designated representatives and under what conditions.
The banks' preference for the status quo is understandable, since it enables them to secure indemnification agreements and other assurances from aggregators and third-party data recipients before allowing access to the banks' APIs. The status quo also enables them to withhold information they might prefer not to share, like payment credentials and product terms and conditions, which might make it easier for competitors to poach bank customers.
In its legal complaint and public statements, BPI depicts the post-rule ecosystem as one that will be radically unsafe for consumers, leaving banks to pick up the costs of fraud, theft and privacy violations against their customers resulting from shoddy and unregulated data security practices at aggregators and third-party data recipients, with no recourse or transfer of liability.
Yet the rule addresses these concerns. It requires any third party that seeks access to consumer data to certify its compliance with both information security and data minimization standards. Even if a third party so certifies, a bank can deny data access if it has reason to believe that the third party is failing to maintain adequate data security. And the rule permits banks to rely on industry standards in informing those judgments.
It's the sort of light-touch regulatory approach that has proven effective elsewhere and that BPI itself at one time championed. (Witness the credit card networks, which require merchants handling sensitive payment information to obtain certifications that they adhere to certain data security practices.) Moreover, the rule imposes much stronger restrictions than the status quo on how much consumer data third parties can obtain, how and for how long they can use it, and the extent to which they can share it.
BPI similarly condemns the rule for failing to prohibit screen-scraping outright. But to do so would eliminate data access at the vast majority of institutions that have not yet implemented data-sharing APIs. Instead, the rule mandates implementation of APIs among the long tail of regional and midsize institutions that would likely not implement them otherwise, providing more consumers with safe data access, and it strongly signals that screen-scraping would be an unfair practice if the data in question were available through an API. Simply put, there will be a lot less screen-scraping with the rule in place than without it.
Perhaps the most puzzling aspect of the BPI lawsuit is its claim that the rule's reliance on industry standard-setting bodies constitutes an improper "outsourcing" of regulatory oversight. Just weeks before the lawsuit was filed, the Financial Data Exchange, a collaborative effort between the largest banks, aggregators and data users, had applied for recognition by the CFPB as a standard-setting organization in order to continue the work it has been doing for years to develop standardized data formats, specifications and protocols for sharing consumer-permissioned data.
Industries almost universally prefer a principles-based approach to regulation over highly prescriptive rules. And in this case, the CFPB has clearly listened. Rather than seeking "to jettison the developing, industry-driven [data-sharing] system and replace it with a complicated, costly, and fundamentally insecure … framework," the bureau has carefully observed and learned from — and the rule seeks to retain, extend and add consistency to — the many systems and safeguards that the largest banks and data aggregators have already negotiated.
Bureau leadership appointed by the new administration would thus do well to view the banks' faux consumerist arguments with skepticism. Instead, we encourage incoming leaders to embrace the rule and its principles-based approach. The worst outcome would be for a court or the new CFPB director to buy into every claim made in BPI's "everything but the kitchen sink" legal strategy. Consumers would lose a hard-won right that is critical to advancing their financial health.






