Banks and credit unions are raising concerns about data security risks and monitoring from third-party partners as the Consumer Financial Protection Bureau draws up rules about how much control consumers have over their own financial data.
The CFPB is in the midst of drafting a rule that will determine how financial institutions will make the data available to consumers who request it. Banks say the rule could create an uneven playing field because financial firms are overseen and scrutinized by regulators for compliance with consumer protection laws, while hundreds of big tech and nonbank fintech companies are not. The explosive growth of data aggregation services has created risks for consumers that could result in uneven application, banks say.
“Non-banks increasingly provide financial products and services, but their activities are largely not overseen by the Bureau,” said Brian Fritzsche, vice president and regulatory counsel for the Consumer Bankers Association.
Fritzsche and Shelley Thompson, vice president and associate general counsel for CBA, wrote a comment letter last week stating that the CFPB “does not adequately supervise these non-bank participants even though they make up a significant and continually growing segment of the consumer financial products and services market.”
Rule 1033, named for the section of the Dodd-Frank Act that authorizes it, is considered one of the most important regulations to be completed under the direction of CFPB Director Rohit Chopra. The bureau released an outline of the plan in October, and is expected to issue a proposal later this year with a rule finalized in 2024.
Last year, eight banking trade groups asked the CFPB to define data aggregators as larger players subject to regulatory oversight. Some experts believe the bureau will issue a so-called larger participants rule before completing its data access rule, sometimes called an “open banking rule.”
Although the statute’s language focuses on information about consumer use of a product or service, bankers are concerned that the rule seems one-sided and anti-competitive because it stems from the view that only banks have the data that consumers want access to, without requirements that non-bank financial companies, such as mortgage lenders or buy-now/pay-later companies, give consumers the same access to data as banks.
Ryan Miller, vice president of innovation policy for the American Bankers Association, wrote that “without regular and ongoing oversight of the largest data aggregators and data recipients, implementation of Section 1033 will increase the risk of harm to consumers and competition.”
The CFPB listed more than 100 questions last year in an advance notice of proposed rulemaking, which the final rule is supposed to answer, including: Does the consumer understand what is happening with their data? How can the consumer revoke access after giving their initial consent to the use of their data? And will the data be monetized for additional downstream uses?
Millions of consumers have already given third-party companies access to their bank account transaction data that banks and credit unions say puts them in a bind. Although the Gramm-Leach-Bliley Act allows consumers to opt out of sharing their data, experts say consumers rarely read the fine print buried in deals with fintechs and data aggregators.
“Consumers should have control over the amount and type of data they choose to share,” said Andrew Morris, senior research and policy adviser for the National Association of Federally Insured Credit Unions.
Consumers need to know “exactly what data will be requested by a third party on their behalf, for what purpose it is being used [and] how often it will be accessed,” he said. Consumers should also be given information about how long their data will be stored, with whom it will be shared, and under what conditions, including how the consumer can exercise any rights they may have if their data is lost or stolen, he said.
Rampant payment fraud has forced banks and credit unions to sound the alarm about liability risk. The CFPB’s 71-page outline, published as part of a small business advisory review panel, makes no mention of liability.
Banks and others want the CFPB to create clear guidelines on which entity is liable if a consumer suffers any loss or damage. Many argue that liability should travel with the data to ensure that third-party technology companies are held accountable for any criminal, hacking, or other loss or damage to consumers.
“Data providers should not be required to make data available to third parties who are unwilling to accept responsibility for loss or damage that results after the data leaves the data provider’s portal,” said Paige Pidano Paridon, senior vice president and senior associate general counsel at the Bank Policy Institute.
Many experts agree that consumers have little or no understanding of how bank account transaction data is accessed by screen scraping, in which a third party logs in with the consumer’s own credentials and extracts the information. Some banks, such as JPMorgan Chase, have eliminated screen scraping and now route all third-party application queries through a secure application programming interface instead of allowing companies to collect data by scraping. The CFPB has suggested that it could set a specific date after which screen scraping would be prohibited. But some experts suggest that cutting off screen scraping would be disruptive, similar to when the Federal Communications Commission in 2009 required TV stations to switch from analog to digital broadcasting.
“Authorized login approaches generally serve as a fallback option when a financial institution doesn’t have an API, which is common for smaller institutions,” said Penny Lee, executive director of the Financial Technology Association.
Another bone of contention appears to be whether the CFPB has enough staff to oversee data aggregators and other third parties. It is unclear if the CFPB has any mechanism to determine whether third parties comply with a consumer’s specific request for data sharing. In December, the CFPB announced that it planned to create a registry of non-bank entities that have been subject to state or local law enforcement orders or prosecutions. The CFPB also said last year that it would conduct supervisory reviews of non-bank fintech companies that present risks to consumers.
“Regulatory standards to discourage screen scraping can help mitigate fraud and account takeover risks,” Morris said. “The CFPB could explore regulatory incentives to abandon screen scraping and set minimum data security standards for third parties.”