Bank groups flag concerns with CFPB’s open banking proposal

The Consumer Financial Protection Bureau’s open banking proposal doesn’t go far enough to protect sensitive consumer financial data, the Bank Policy Institute and The Clearing House said in a comment letter submitted Friday.

The CFPB, which closed its comment period for the proposed rule last week, unveiled the long-awaited proposal in October. The consumer watchdog asserts the rule will give consumers greater control over their financial data by requiring banks to share such data with third parties like fintechs.

To comply with the rule, banks would be required to make personal financial data available at no charge to consumers through “safe, secure, and reliable” digital interfaces, the CFPB said.

However, groups like the BPI and TCH, say the rule should apply not just to banks, but to all third parties and data aggregators, and to all data.

“Our members welcome the competition brought about by innovative financial technology firms and are prepared to support the ability of bank customers to connect their bank accounts to the third-party apps of their choice, but such competition cannot come at the expense of data security,” the associations wrote in their letter. “It is critical that consumers’ personal and financial information remains secure when it is shared between financial institutions and third parties and when it is stored outside of the financial institution.”

The proposal seeks to move the market away from screen scraping, a practice the CFPB and some industry stakeholders have labeled a “risky data collection practice.”

Screen scraping often requires consumers to share their usernames and passwords with third parties.

In the letter, the groups called on the CFPB to take a stronger stance against screen scraping by prohibiting the practice once a data provider has made a developer interface available.

The associations also asked the CFPB to impose direct requirements on authorized third parties and data aggregators and articulate its intent to supervise those entities for compliance.

The watchdog should also clearly define liability, the groups wrote.

“Aggregators and other data recipients should be liable for unauthorized transactions or failing to protect consumer data once data is within their possession,” they wrote.

Data providers, or banks, should also be allowed to receive compensation from third parties to cover the cost of enabling data sharing, they said.

“By prohibiting only data providers from charging fees, the proposed rule arbitrarily distorts the marketplace and creates an unfair allocation of benefits to data aggregators and an unrecoupable cost to data providers,” the associations wrote.

The CFPB has acknowledged the burden that complying with the rule would impose on some of the nation’s smallest banks.

Smaller institutions may lack the tools and funds to build interfaces in compliance with the rule, the CFPB said.

As a result, the CFPB said the requirements of the rule would be implemented in phases.

The rule’s tiered compliance dates start at six months for the largest banks and fintechs, and extend to four years for the smallest firms, senior CFPB and administration officials said in October.

In its own comment letter submitted last week, the Consumer Bankers Association also highlighted its concerns with the costs and responsibilities that would be imposed on banks under the rule’s current form.

“[The] CBA is concerned by the general trend toward shifting many costs and responsibilities, including the monitoring of certain market participant behavior, onto data providers, including banks,” the trade group wrote.

In addition to banning screen scraping, the group also called for third parties and data aggregators to certify they will accept liability in instances in which a consumer’s credentials are misused to initiate a fraudulent transaction.

“Mandate third parties and data aggregators be adequately capitalized and carry sufficient indemnity insurance to satisfy liability obligations, and also obligate third parties to certify as part of the certification statement that they are adequately capitalized, have accepted their liability obligations, and are carrying sufficient indemnity insurance,” the CBA wrote.

The American Bankers Association also submitted its comment letter last week, calling for the CFPB to remove the proposal’s prohibition of fees, and to “take a more active role in managing the data sharing ecosystem it is creating, while affording data providers flexibility to manage risk and prevent fraud.”

“ABA supports consumers’ right to access their financial information securely, transparently, and subject to their control,” the trade group wrote. “At the same time, it is essential that all participants in the data sharing ecosystem are held to the same high standards as banks in areas such as keeping consumers informed, resolving disputes, and so on. We appreciate the CFPB’s efforts to preserve the best parts of the market-led data sharing ecosystem while seeking to implement guardrails to protect consumers and market participants.”

Congress granted the CFPB the authority to establish the rule more than a decade ago under Section 1033 of the Dodd-Frank Act.

CFPB Director Rohit Chopra said the rule will help accelerate the U.S.’s shift to open banking, aligning the nation more closely with guidelines in place or under consideration in major jurisdictions around the world.

The CFPB said it plans to finalize the rule by the fall.