CFPB open-banking plan would restrict sale or misuse of consumer data


The Consumer Financial Protection Bureau has released a long-awaited proposal on open banking that seeks to give consumers more control over their data while limiting the ability of third-party companies to sell or misuse personal financial information. 

The plan, issued Thursday, would give consumers a legal right to grant third parties access to bank account transaction data. The data access proposal — authorized by section 1033 of the Consumer Financial Protection Act of 2010 — would require financial institutions that offer checking accounts, prepaid cards, credit cards and digital wallets to allow customers to share their data safely with, or transfer the information to, another provider.

CFPB Director Rohit Chopra said that companies that gain access to a consumer's data would be able to use it only for the specific reason authorized by the consumer. Companies that receive the data could not use or sell it for their own benefit — including by feeding it into algorithms or artificial intelligence for unrelated activities such as targeted marketing.

"Companies receiving data can only use it to provide the product people ask for — and for nothing else," Chopra said on a press call with reporters. "When a consumer permits their data to be used by a company for a specific purpose, it is not a free pass for that company to exploit the data for other uses."

Chopra said third-party fintech companies will not be able to hold on to personal financial data indefinitely. If a consumer chooses to end a relationship with — or cancel services from — a third party, that entity would have to stop collecting and using the consumer's data, and would be required to delete the data it already possesses. Still, it is not yet clear how the CFPB would police fintechs and other Big Tech firms in this area.

In announcing the notice of proposed rulemaking, the CFPB said that "people could be certain that their data would be used only for their own preferred purpose — and not for financial institutions or tech companies to surveil and manipulate."

A senior CFPB official, who spoke on condition of anonymity, provided an example: A company cannot get access to a consumer's data in order to give that customer a loan and then sell the data to another firm. The official said the rule differs from past approaches in which consumer disclosures have been the primary means of protecting privacy.

The open-banking rule is viewed as one of the most important rulemakings that will be undertaken by Chopra. The bureau's proposal hews closely to an outline of its plan that the agency released last year. Chopra said the CFPB expects to finalize the rule by late 2024.

Rob Nichols, president and CEO of the American Bankers Association, said the CFPB needs to address the issue of liability because nonbanks are not currently held to the same standards as banks on data security, privacy and consumer protection. Last year, banks urged the CFPB to issue a larger participant rule that would subject data aggregators to regulatory supervision on par with banks.

"Entities that are granted access to consumers' data must be held not only to the same high standards but also to the same level of supervision related to data security, privacy and consumer protection that banks must meet every day," Nichols said. "America's banks firmly believe that customers own their own financial data, and no industry goes to greater lengths to protect that data than the banking sector."

Nichols also said banks are concerned about "the significant implementation costs" that would be imposed by the plan. He said there also is "ambiguity" caused by the CFPB's parallel effort, announced last month, to amend the Fair Credit Reporting Act.

The proposal would apply to "covered data providers," which include banks, credit unions and other entities that hold consumer financial services accounts, issue access to devices or provide electronic transfer services. But the proposed rule excludes mandates to share data on mortgage, student, auto and other credit accounts. The CFPB said it is prioritizing bank accounts, credit cards and payments in its proposal to promote competition across a broad range of markets. The bureau said it may expand data rights in other rulemakings. 

"The CFPB intends to implement CFPA section 1033 with respect to other covered persons and consumer financial products or services through supplemental rulemaking," the bureau said in the proposal. 

Chopra sought to reframe the proposal as an effort to improve competition by making it easier for consumers to switch banks. He alleged that banks currently are not providing their own customers with competitive interest rates.

"Millions of families are being paid interest rates as low as 0.01% on their bank accounts, even though others are offering rates that are way higher. This reflects the current reality that many banks design their products, sometimes purposely, so that it's a hassle to switch," he said. "On average, Americans had the same checking account for 17 years. If switching were easier Americans could earn billions of dollars more in interest each year."

Lindsey Johnson, president and CEO of the Consumer Bankers Association, cautioned that the widespread use of third-party apps has already put sensitive financial data at risk.

"The financial services industry landscape has evolved drastically due to the increasing prevalence of nonbank third parties and data aggregators. Consumer data, logins and passwords are collected and monetized by 'agents,' 'trustees,' and 'representatives,' presumably acting on their behalf, but operating without consumers' control or even awareness," Johnson said in a press release. 

"Many of these entities that are collecting, storing and selling this consumer information are not subject to the same rigorous data security and privacy standards as well-regulated and supervised financial institutions, putting consumers and their sensitive financial information at risk," Johnson said.

Rebeca Romero Rainey, president and CEO of the Independent Community Bankers of America, said nonbanks should be held liable for data breaches and for any consumer harm that could be caused by accessing consumer data. 

"Nonbank entities — which access customer information and store bank login credentials — do not take the same care in protecting consumer privacy and data that community banks do, which should be the focus of the CFPB's proposal," Romero Rainey said in a press release.

The Bank Policy Institute said that roughly 80% of consumers who responded to a survey were unaware that data aggregators had access to their data even when an app was closed or deleted.

Nonbanks — including smaller middlemen — are expected to raise concerns, too.

Joann Needleman, a member and senior director at Clark Hill Public Strategies, said the proposal would create huge barriers to entry for small companies, including debt collectors and servicers, that rely on consumers' bank transaction data.

"Larger banks will not be willing to work with third parties unless they have significant controls in place to comply with the rules," Needleman said. "Small companies will not survive, which will result in consumers not having a lot of choice with respect to which third-party providers they will use to assist in accessing their data."

A key takeaway from the proposal is the shift away from the practice of screen scraping, whereby consumers provide a third party with their usernames and passwords so it can access their financial data. The proposal seeks to move the market away from risky data collection practices. Most of the largest banks and data providers are already routing all inquiries from third-party apps and services through secure application programming interfaces instead of allowing data to be collected through screen scraping.

"Screen scraping would not be a way that a data provider under the proposal could comply with the obligation to make data available to an authorized third party accessing on the consumer's behalf," the senior CFPB official told reporters.

The senior official also said that by moving away from screen scraping, the proposed rule would "greatly mitigate concerns about data-breach liability by moving the open-banking system to a more secure developer interface connection, away from screen scraping. In addition, the rule would still allow the external data providers to deny access where there are legitimate concerns."

Amy Mushahwar, a partner at the law firm Alston & Bird, said companies that currently engage in screen scraping would have to find a different solution to gain access to data.

"The proposed rule is a significant departure in favor of getting rid of screen scraping practices and in favor of developing a standardized consumer interface for data access," said Mushahwar, a privacy expert. "Companies will continue to transition away from screen scraping because we want to make data access far more secure and actively discourage the sharing of credentials where there is no other viable solution."
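The contrast the article draws between screen scraping and a developer interface, as an added illustration that is not from the article, the CFPB proposal or any bank's actual API: a toy data provider that supports both patterns side by side. With shared credentials the provider sees only a login, so it cannot tell the third party apart from the consumer, cannot limit what it reads and cannot cut it off. With a signed, scoped, expiring grant it can enforce purpose-limited access, refuse other parties, and honour a consumer's revocation, after which the third party deletes what it holds (the behaviour the article attributes to the rule). The token format (an HMAC-signed JSON grant), the scope names, the "budget-app" third party and the consumer "alice" are all constructed assumptions, not anything the rule specifies.

```python
import base64
import hmac
import json

# Constructed sample records for one consumer (illustrative values only).
SAMPLE_RECORDS = {
    "transactions": [{"date": "2023-10-01", "amount": -42.10, "memo": "grocery"}],
    "profile": [{"name": "A. Consumer", "address": "redacted"}],
}


class BankDataProvider:
    """Toy data provider exposing both access patterns side by side."""
    def __init__(self, signing_key, users):
        self._key = signing_key
        self._users = users                        # username -> {"password", "records"}
        self._revoked, self._next_id = set(), 1    # withdrawn grant ids; next grant id

    # Pattern A, screen scraping: the third party logs in with the consumer's own
    # credentials, so the provider cannot tell it apart, limit it, or cut it off.
    def login(self, username, password):
        user = self._users.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            raise PermissionError("bad credentials")
        return user["records"]  # all-or-nothing

    # Pattern B, developer interface: an HMAC-signed grant naming the third
    # party, the data categories it may read, the purpose, and an expiry.
    def issue_grant(self, username, third_party, scopes, purpose, exp):
        payload = {"gid": self._next_id, "sub": username, "aud": third_party,
                   "scopes": sorted(scopes), "purpose": purpose, "exp": exp}
        self._next_id += 1
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        sig = hmac.new(self._key, body.encode(), "sha256").hexdigest()
        return f"{body}.{sig}"

    def _decode(self, token):
        body, sep, sig = token.partition(".")
        expected = hmac.new(self._key, body.encode(), "sha256").hexdigest()
        if not sep or not hmac.compare_digest(expected, sig):
            raise PermissionError("bad or tampered token")
        return json.loads(base64.urlsafe_b64decode(body.encode()))

    def fetch(self, token, third_party, scope, now):
        p = self._decode(token)
        if p["exp"] < now:
            raise PermissionError("grant expired")
        if p["gid"] in self._revoked:
            raise PermissionError("grant revoked by consumer")
        if p["aud"] != third_party or scope not in p["scopes"]:
            raise PermissionError("not granted to this party for this scope")
        return self._users[p["sub"]]["records"][scope]

    def revoke(self, token):
        self._revoked.add(self._decode(token)["gid"])


class ThirdParty:
    """Toy budgeting app: caches what it pulls, deletes it on revocation."""
    def __init__(self, name):
        self.name, self.cache = name, {}

    def sync(self, provider, token, scope, now):
        self.cache[scope] = provider.fetch(token, self.name, scope, now)

    def on_revocation(self):
        self.cache.clear()  # stop using, and delete, data already held


def denied(fn, *args):
    # True if the call is refused with PermissionError.
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


def demo(now=1_700_000_000):
    bank = BankDataProvider(b"constructed-demo-signing-key",
                            {"alice": {"password": "hunter2", "records": SAMPLE_RECORDS}})
    app = ThirdParty("budget-app")
    token = bank.issue_grant("alice", "budget-app", ["transactions"], "budgeting", now + 3600)
    app.sync(bank, token, "transactions", now)
    out = {
        "scraped": set(bank.login("alice", "hunter2")),  # pattern A: every category
        "granted": set(app.cache),                       # pattern B: only the scope
        "profile_denied": denied(app.sync, bank, token, "profile", now),
        "other_party_denied": denied(bank.fetch, token, "ad-broker", "transactions", now),
        "tampered_denied": denied(bank.fetch, token[:-1] + ("0" if token[-1] != "0" else "1"),
                                  "budget-app", "transactions", now),
        "expired_denied": denied(bank.fetch, token, "budget-app", "transactions", now + 7200),
    }
    bank.revoke(token)
    app.on_revocation()
    out["revoked_denied"] = denied(app.sync, bank, token, "transactions", now)
    out["cache_after_revocation"] = dict(app.cache)
    return out
```

Calling `demo()` returns a dictionary showing that the scraped login exposes every category while the grant exposes only the one the consumer authorised, and that requests from a different party, with a tampered or expired token, or after revocation are all refused. A production interface would additionally bind the grant to a client credential and log each access for audit, which this toy leaves out.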

Because of rampant fraud in payments, banks and others have suggested that the CFPB clarify which entity is responsible if a consumer suffers any loss or harm. Many have suggested that liability should travel with the data, to ensure that third-party technology companies are responsible for any crime, hack or other loss or harm to consumers. 

Many third parties are already subject to "statutory and regulatory data privacy and security obligations," the CFPB said in the 299-page proposal, adding that "third parties have adopted or would adopt some basic standards related to risk management, data security, and data use."

The CFPB does not have data on the number of third parties or on the amount of revenue generated by financial firms selling consumer data. While the CFPB's proposal does not specifically include steep fines for violators, similar to those under Europe's General Data Protection Regulation, the CFPB official said that violating the final rule would subject a company to the penalty provisions of the Dodd-Frank Act. 

"Our proposed rule builds on existing efforts in the industry today to promote open banking," Chopra said. "For firms operating globally, it also aligns with many of the guidelines in place or under consideration in major jurisdictions around the world." 

The proposed rule prohibits providers from imposing fees on third parties for costs associated with providing data access. 

In his remarks, Chopra emphasized that consumers currently have a patchwork of experiences among financial institutions and that there remains a "lack of norms" that can be detrimental to customers, including efforts by some financial institutions to hide information on prices and costs of services and fees. 

The CFPB did not mandate specific technical standards in its open-banking proposal. Instead, the proposal contains several requirements to ensure that industry standards are "fair, open and inclusive," and the bureau said it intends to assess future standards developed by the private sector under the terms described in the rule.
