During his recent congressional testimony,
While Director Chopra's work on this score has been admirable and fintechs across the country await a final rule that permits pro-consumer secondary data use, there exists a significant risk that the CFPB's Section 1033 rule will unintentionally create a different kind of moat for large, incumbent financial institutions in non-card payments. As currently contemplated, the rule would allow banks — and not consumers — to control what types of payment account numbers can be shared via open banking.
The CFPB's proposal contains a few lines on optional tokenized account numbers or "TANs" and opaque references to so-called consumer benefits. However, consumers, merchants and processors encountering TANs today have only experienced frustration from this new technology.
The biggest source of this frustration comes from fraud. Some large banks are deploying TANs in a manner that allows fraudsters to present the TAN for ACH payment processing, and then immediately cancel the number before the ACH debit can be completed. Based on Trustly's own data, we estimate the market currently sees tens of millions of dollars in TAN-related fraud losses each year. This number will continue to grow as more large banks deploy TANs in open banking as currently contemplated by the CFPB's Section 1033 rule.
While merchants and processors bear the brunt of this fraud, it also harms consumers. These consumers must be viewed by payment risk management systems with skepticism when they present TANs for ACH payments, which leads to lower transaction limits and, in some cases, denial of service.
Banks are concerned about the lack of clarity regarding legal liability in the Consumer Financial Protection Bureau's open banking rule, and fear that they will end up on the hook for data breaches or unauthorized transactions caused by a fintech or data provider.
In addition to allowing fraudsters to hide their records in commercially available fraud databases, TANs also create a host of other issues, such as artificially inflating a merchant's NACHA return ratios, thereby putting them at risk to be barred from using the mainstream ACH network, as well as breaking merchant customer support systems, thereby degrading a consumer's ACH payment experience.
Consumers are also simply and legitimately confused by TANs. Some accidentally cancel their TAN and end up with late or missed utility payments and debt collection issues. For these consumers, TANs are anything but a benefit. Similar to products seeking FDA approval, financial regulation should abide by high testing standards, to eliminate all obvious flaws, before going to market. Can the technology staff for the large banks that offer TANs confirm that they have done acceptance testing on themselves and have never been confused when paying with ACH using TANs?
TANs also prevent consumers from choosing what types of payments they can make and receive. This is because bank-created TANs are not interoperable with the FedNow payment system. It is inconceivable that Director Chopra would finalize a rule that prevents the use of FedNow, which would have the effect of enriching the largest U.S. banks that operate the competing and privately owned RTP payment system.
The proposed Inclusion of TANs within the CFPB's Section 1033 rule is a mistake that threatens to undermine the security of financial transactions and undercut consumer choice and competition in the payments marketplace. From consumer confusion and heightened fraud risks to operational inefficiencies and the very real risk of creating further concentration in favor of large credit card issuers, the evidence against the inclusion of TANs in the CFPB's Section 1033 rulemaking context is overwhelming.