
The Consumer Financial Protection Bureau has asked a federal court to vacate its own open banking rule because it believes the rule exceeds the bureau's authority and is arbitrary and capricious in its scope.
In a motion for summary judgment filed Friday evening in the U.S. District Court for the Eastern District of Kentucky, the CFPB said it reviewed the legal complaint filed last year by the Bank Policy Institute over the agency's
"In light of the president's directive to review existing regulations, the bureau's new leadership has considered the rule and the arguments set forth in plaintiffs' complaint … and has concluded that the rule exceeds the bureau's statutory authority and is arbitrary and capricious," the CFPB said in its court filing. "Accordingly, Defendants agree with Plaintiffs that the Rule is unlawful and should be set aside under the Administrative Procedure Act."
BPI also filed a motion for summary judgment Friday evening, arguing that the rule is based on a fundamentally flawed reading of Section 1033 of the Dodd-Frank Act. The group, which represents the largest U.S. banks, said Section 1033 merely says that banks "'shall make available to a consumer' certain information about the 'financial product or service' the consumer obtains from the bank" — a far more limited and straightforward mandate than the regime the rule envisions.
"In the Rule challenged here, the Consumer Financial Protection Bureau appointed itself as the czar of open banking in the United States," BPI's motion stated. "Ignoring the industry-developed solutions, the Bureau dictated a complex and highly burdensome regime mandating that banks share their customers' sensitive financial data with any third party that can obtain customer authorization. The first and most fundamental problem is that Congress never authorized the Bureau to do any of this."
Section 1033 of Dodd-Frank requires banks and other financial institutions to provide a customer's financial data — including "information relating to any transaction, series of transactions, or to the account including costs, charges and usage data," according to the statute — in "an electronic form usable by consumers" upon their request. The purpose of the provision was to allow customers' financial data to be portable from one financial institution to another.
The CFPB issued a
The final rule requires banks to share financial data on checking accounts, prepaid cards, credit cards, mobile wallets, payment apps and other financial products through an approved application programming interface, or API. Payment apps and other financial products were added to the scope of the final rule, bringing nonbank payment platforms like Apple Pay, Google Pay, PayPal, Zelle and Venmo under the regulatory umbrella.
Banks had long expressed concerns about the proposal, specifically about what might happen to a customer's account if opening that account to a third party of the customer's choosing — but not the bank's — enables fraud or other malfeasance. The statute explicitly allows banks to deny authorization on certain specific grounds, such as confidential commercial information, data collected as part of anti-money-laundering due diligence or information the bank doesn't regularly collect. But the final rule does not make any special provision absolving banks from liabilities stemming from 1033-mandated disclosures, a choice that BPI said in its motion is arbitrary.
"The Bureau's reasoning as to unauthorized payments dodges the key problem: that in a regime that requires banks to share 'information to initiate payment' with thousands of unregulated third-party companies with very limited ability to control that sharing, adherence to the 'applicable payment authorization requirements' referenced by the rule is orders of magnitude more costly and complex," BPI stated in its motion. "Neither existing liability principles nor private network rules were designed — or are suited — for the Bureau's mass data-sharing mandate."
The CFPB said in its motion for summary judgment that the rule is arbitrary and capricious under the terms of the Administrative Procedure Act because it exceeds the plain language of the statute, which requires only that banks divulge a customer's data to the customer in an electronic, usable format.
"Nothing in the language of Section 1033 or its legislative history suggest that Congress intended to delegate to the Bureau free-ranging authority to regulate the entire open banking system — that is, the intricate network of commercial entities sharing a consumer's personal financial data well beyond sharing it with the consumer directly," the CFPB said in its motion. "Here, the disconnect between the narrow scope of Section 1033 and the ambitious reach of the Rule makes clear that the Bureau exceeded its authority in attempting to regulate the open banking system."
The Financial Technology Association — an advocacy group for fintechs — filed a motion to intervene in the case in defense of the rule and was