Banks and fintechs unload on CFPB's open banking plan

Banks and fintechs laid out their respective concerns to the Consumer Financial Protection Bureau in recently filed comment letters concerning the bureau's proposed open banking rule, with banks saying compliance costs are too high and fintechs saying that the rule ignores the consumer benefits of sharing personal data with marketers.
Bloomberg News

The Consumer Financial Protection Bureau's open banking proposal is drawing both praise and criticism from banks, fintechs and at least one lawmaker as the bureau crafts a far-reaching rule that will give consumers control over their own financial data. 

The CFPB received more than 11,000 comments on its personal financial data-rights plan, unveiled in October, that requires financial institutions to allow customers to share their transaction data with other providers through digital interfaces. The plan currently covers checking accounts, credit cards, digital wallets and prepaid cards. 

But bank trade groups want the CFPB to include a wider array of financial products, such as buy now/pay later loans and Electronic Benefits Transfer cards, and want the rule to level the playing field by covering all data collected by third parties and data aggregators.

Under the CFPB's plan — known as the 1033 rule, for its section in the Consumer Financial Protection Act of 2010 — third parties may not collect, sell, use or retain a consumer's personal financial data for targeted marketing or to cross-sell other products, an issue criticized by fintechs and their trade groups. The proposed rule would require that consumers be made aware of where their data is held and how it is used, sparking a nuanced debate about whether consumers should be given the option to "opt in," or "opt out," of having their data used for secondary purposes. 

CFPB Director Rohit Chopra has said the proposal would increase competition by helping consumers more easily switch banks while creating strong data security and privacy standards. Consumer financial data can only be used for a specific purpose and "is not a free pass" for companies to exploit for advertising or profit, Chopra has said. 

Rep. Patrick McHenry, chairman of the House Financial Services Committee, praised Chopra in a comment letter that highlighted the similarities between the CFPB's 1033 proposal and Republicans' Data Privacy Act of 2023. 

"A guiding principle behind section 1033 is that consumers will benefit from increased control and portability of their data," wrote McHenry, who is not seeking reelection next year. "Consumers should be empowered to know what data is being collected, where the data is stored, with whom the data is shared, and what rights those authorized third parties have with respect to consumers' data."

McHenry threw his support behind the CFPB's plan to give consumers the right to revoke access to their data at any time and to limit use by authorized companies to just one year, unless the consumer agrees to further access. 

Banks already share consumers' transaction data with fintechs — mostly through data aggregators, and often begrudgingly through screen scraping. Screen scraping does not appear in the text of the proposal, though the plan seeks to move away from the practice whereby people give their usernames and passwords to third parties to access their data. Bank trade groups want the CFPB to ban screen scraping altogether. 

In a 57-page comment letter, the Consumer Bankers Association said that screen scraping is both costly to banks and risky to consumers. Brian Fritzsche, the CBA's vice president and associate general counsel, said the CFPB should take action against third parties that screen scrape, claiming that without doing so, the bureau would be outsourcing the monitoring and policing of third parties to banks.

"Absent an express prohibition, it would be unduly costly for data providers to effectively block screen scraping and push usage of safer APIs," Fritzsche wrote, referring to application programming interfaces that send data directly from one company to another. "This is misguided, and instead the Bureau should play a more significant role in taking action against third parties that screen scrape. Importantly, screen scraping may cause consumer harm because, if a third party relies on screen scraping, any tailoring of the consumer's authorization vanishes and a third party could have access to consumer information beyond what the consumer has authorized." 

The American Bankers Association, The Bank Policy Institute and The Clearing House Association all called on the CFPB to explicitly ban screen scraping. The three trade groups also urged the bureau to supervise data aggregators through a separate, larger participant rulemaking, claiming they should be required to comply with the data security requirements of the Gramm-Leach-Bliley Act that applies to depositories.

"Directly addressing data aggregator risks is a better approach for everyone, including the CFPB's own examiners," wrote Ryan T. Miller, the ABA's vice president and senior counsel of innovation policy. "There should be a clear and unambiguous basis to supervise data aggregators as a separate class."

Fintechs and others argue that the CFPB is severely restricting secondary uses of the data that are being used to train underwriting models or for anti-fraud tools as well as research and product development. McHenry wrote that the CFPB should revisit the use of secondary data by implementing either an opt-in or opt-out regime that is part of other data protection laws.

The CFPB's proposal also considers "anonymous" data to be secondary data, subject to the same restrictions. Many fintech commenters said the CFPB goes further than either the European Union's General Data Protection Regulation or California's Consumer Privacy Act. Fintechs want the CFPB to reconsider its restrictions, including those for de-identified data in its secondary use ban.

Phil Goldfeder, CEO of the American Fintech Council, said the CFPB's restrictions on secondary uses would stymie innovation. He said the bureau should balance consumer choice with what he called "legitimate business needs."

"We recognize that targeted advertising and cross-selling of products may not always fit the nefarious or deceptive qualities from which the Bureau is seeking to protect consumers," Goldfeder wrote. "In fact, at times, targeted advertising and cross-selling can result in related products and services being offered to a consumer."

Ian P. Moloney, AFC's senior vice president and head of federal and state policy, told American Banker that the restrictions on secondary uses, and specifically of anonymous, de-identified data, will severely impact fintechs.

"How do you get consumers in the door other than through marketing, including marketing to existing customers?" Moloney said. "It's a difficult situation for businesses faced with this."

Penny Lee, president and CEO of the Financial Technology Association, urged the CFPB to recognize that fintechs offer consumers benefits such as new payment options and services that can reduce costs. 

"Unnecessarily prescriptive regulatory limitations and restrictions on data collection, retention, and use will undermine consumer interests by reducing the ability of third parties to develop new products and services and offer consumers additional products that compete with their legacy providers," Lee wrote. 

Compliance with the rule would be phased in depending on the size of the institution. The CFPB has proposed banks with at least $500 billion in assets and nonbanks with $10 billion in revenue comply within six months after a final rule is issued. Banks with less than $850 million in revenue would have four years to comply.

John Pitts, head of policy at data aggregator Plaid and a former CFPB deputy assistant director of intergovernmental affairs, said the CFPB's flexible timeline will ensure that consumers aren't cut off from access as banks build or update existing APIs.

"It is critical that the legacy access method, including screen scraping, remains functional and reliable, both as a primary means of access for consumers who have not yet been migrated, and as a backup access method in the event of a developer interface error during testing," Pitts wrote.

Many banks suggested in comment letters that the CFPB allow them to charge fees — not to consumers but to authorized third parties — to access open banking data in order to offset the costs of developing interfaces. The CFPB estimates a total upfront cost of $250,000 to $500,000 for small depository data providers that choose to build their developer interface in-house. The CFPB also stated in its plan that the cost of establishing and maintaining a developer interface varies widely depending on the institution, from $2 million to $47 million per year, with a median of $21 million per year.

The Independent Community Bankers of America said the CFPB would be imposing "significant technological burdens and financial costs on community banks," without any way for them to recoup costs from third-party companies that are the beneficiaries of data access.  

"Banks should be permitted to charge a reasonable fee for providing access to consumer information to third parties," wrote Mickey Marshall, ICBA's assistant vice president and regulatory counsel. "This would permit banks to recoup some of the costs of creating a developer interface without leading to any cost to the consumer."  

However, no other country with an open banking regime — including the UK, the European Union, Australia, India and Singapore — allows banks to charge fees.

Several commenters want the CFPB to clarify in its final rule the role of industry standard-setting bodies, including recognizing the Financial Data Exchange, which has established security standards for the industry, to avoid contradictory or competing standards. Some want the bureau to also create a safe harbor for companies that are in compliance with such standards.

It is not yet clear whether the CFPB will face legal challenges when its open banking rule is finalized. Fritzsche, at the Consumer Bankers Association, said that while many of the trade group's members are supportive of open banking, they are concerned that the bureau has exceeded its statutory authority with its proposal because of costs that were not considered by Congress when it drafted Section 1033 of the Dodd-Frank Act.

"The Bureau particularly misjudges the costs that data providers will face in building out the new data access ecosystem," Fritzsche wrote. "There is also a major question as to whether Congress intended to impart such a dramatic mandate, including potential impacts to safe and sound banking practices, to the Bureau through this straightforward, and relatively brief, language regarding consumer access to information."
