CFPB's 1033 rule sparks ire from banks over data security

Img

CFPB Director Rohit Chopra speaks Tuesday.
American Banker

The Consumer Financial Protection Bureau's open banking rule provided no additional liability protection for banks, putting the financial institutions on the hook for potential fraud and data breaches of third-party fintechs and setting up a clash with the bureau. 

JPMorgan Chase, the American Bankers Association, the Bank Policy Institute and the Consumer Bankers Association all issued terse statements criticizing the rule, which is named after section 1033 in the Dodd-Frank Act that gave the CFPB the authority in 2010 to implement personal financial data rights. 

"This isn't open banking — it's open season for more fraud and scams," said Trish Wexler, a spokeswoman for JPMorgan Chase. "By mandating banks must hand over sensitive customer account data to any third party that got someone to click 'I accept' on their app, this rule handcuffs banks' ability to demand high security standards from third parties."

The CFPB's final open banking rule requires that banks safely share financial data on checking accounts, prepaid cards, credit cards, mobile wallets, payment apps and other financial products at the request of a customer. 

The bureau made several major changes to the rule from its proposal a year ago. It exempted community banks with under $850 million in assets from compliance, extended the compliance date for the largest banks by 10 months to early 2026, and allowed only a sliver of secondary uses of data, excluding uses for research. Instead, the bureau drew a line in the sand by defining a primary use of data to include third parties improving an existing product but not developing new ones. 

Banks had asked for a liability regime due to concerns about fraud and scams and what they perceive as inadequate security measures in the final rule. The CFPB changed language from the proposal that described how banks could deny access to a third party based on risk-management concerns.

"The CFPB provided a little less wiggle room for when banks can refuse data requests, but it's still not open-and-shut by any means," said David Silberman, senior adviser at the Financial Health Network and the Center for Responsible Lending and a former acting deputy director at the CFPB.

In an appearance on CNBC Tuesday morning, CFPB Director Rohit Chopra was asked about the potential for fraud. 

"Well, that will happen in any circumstance in a digital economy," Chopra said. "We have to make sure that there's some degree of rules. And at the end of the day, we should be embracing competition. We should use digital technologies to allow people to switch more easily."

Bankers said Chopra's comments did little to inspire confidence in the CFPB's commitment to its core purpose of protecting consumers. Comments by bank trade groups suggest they are likely to sue the CFPB to stop the rule from taking effect, claiming the bureau exceeded its authority.

Trade groups also have noted that the CFPB created a complicated 594-page rule even though the statute authorizing consumer data rights is only 335 words long. 

Lindsey Johnson, president and CEO of the Consumer Bankers Association, said the CFPB "has contorted this very clear and limited statute into enabling thousands of third parties to access consumers' data. In doing so, the CFPB far exceeds its statutory authority."

All companies involved in data access — not just banks — must comply with the data security requirements of the Gramm-Leach-Bliley Act. Banks are concerned that much of the control and oversight of third parties will be pushed to banks and other data providers. But big banks are particularly concerned about scammers being able to work their way around the 1033 rule.

Large banks have negotiated bilateral agreements with data aggregators and expect the aggregators to police third parties. But moving to a world of consumer rights creates additional exposure. Banks still are permitted to deny access to any entity that has not been certified as having adequate data security standards.

"The CFPB abdicates any responsibility for oversight of these third parties to ensure they are adhering to any security standards," said Wexler at JPM. "It is unconscionable that the CFPB would have 'hope' as an oversight strategy for the thousands of third parties that will now have access to sensitive financial account information." 

Rob Nichols, president and CEO of the American Bankers Association, called the rule disappointing and said the CFPB failed to address banks' concerns about liability and costs. 

"Unfortunately, what began two administrations ago as a collaborative exercise in securing consumers' personal financial data has devolved into a press-release-driven, political exercise based on the false premise that consumers lack choices and a misunderstanding of whether Dodd-Frank grants CFPB the authority to radically reshape the financial services marketplace," Nichols said.

Greg Baer, president and CEO of the Bank Policy Institute, said the rule retains many of the "deficiencies and omissions that plagued" the bureau's proposal issued a year ago. 

"Banks have worked for years to establish secure ways to share customer data whenever the customer asks," Baer said in a press release. "The CFPB's rule disrupts this established process, requiring banks to share financial data with any third party without adequate safeguards to ensure the data is protected from fraud, misuse and abuse."

Chopra has said banks are standing in the way of consumers switching accounts though the friction created with pre-programmed auto debits or direct deposits.

"It can be a real pain to switch your bank account or credit card and what these new rules will do is make it easier to switch and to fire that bank or financial company that is not serving you well," he said on CNBC on Tuesday. "Banks are responsible for securing data, and so are fintechs. Banks and nonbanks alike are required to have data security standards."

Chopra said the rule provides strong privacy protections allowing consumers to control their financial data. He reiterated that the rule addresses the barriers involved in switching banks.

"The market is rife with monopolistic practices that enrich incumbent networks at the expense of consumers, businesses and creators, the results of this are that you pay more for loans and you earn less on your deposits," Chopra said in remarks Tuesday at a fintech conference hosted by the Federal Reserve Bank of Philadelphia. "Incumbents just don't want to lose their captive customer base. And like in other sectors of the economy, large firms often have little incentive to make it easy for you to port and share your data. One of the ways to best support a vibrant market is to eliminate roadblocks to competition."

Jim Nussle, president and CEO of America's Credit Unions, said the CFPB has turned open banking into a grab for financial institutions' most valuable asset.   

"From a few lines of text concerning consumer data portability in Dodd-Frank, the CFPB has spun a weighty rule intended to reengineer financial sector competition," Nussle said in a statement. "The rule demands that credit unions share, at no cost, information with fintechs and other third parties who receive permission from consumers. In doing so, the CFPB reduces one of the most valuable assets of a financial institution — its data — to a commodity, which will likely put even greater competitive pressure on credit unions to merge."

With the proliferation of online companies, some experts see the rule as an invitation for criminals disguised as third-party companies to persuade naive consumers to appoint them as their representative to access data. 

"I think a large band of consumers are going to suffer as a result of this rule," said Joe Lynyak, a partner at Dorsey & Whitney. "It's going to be third parties that are misusing the data and every scam artist is going to be sending a thank-you note to the CFPB."


More From Life Style