-
Key insights: The CFPB is sorting through numerous comments as it drafts new rules about personal financial data rights.
What’s going wrong: The CFPB initiated new rulemaking after JPMorgan Chase began imposing fees on data aggregators.
- Support data: Small banks want an exemption for institutions with assets of $10 billion or less from the responsibilities of creating and maintaining third-party developer interfaces.
The Consumer Financial Protection Bureau has gathered nearly 14,000 comments on its proposal to establish new open banking regulations that would enable banks to charge fees for accessing personal financial data.
Open banking lets consumers share their financial transaction information with payment apps and other service providers. Right now, over 100 million Americans are involved in sharing their data.
The comments include many form letters urging the CFPB to adhere to rules from the Biden administration, which the Trump administration is looking to revise, mainly focusing on whether banks should be allowed to charge for data access. That said, many individuals have recounted experiences of being scammed when granting access to their data, expressing uncertainty about how their information is being used.
“My family and I use Open Banking apps quite a bit… since they’re an easy and quick way to send money,” shared a commenter named Melanie White. “I ended up getting more than I bargained for. I had no clue my personal data would be shared with data brokers who would hold onto it and sell it.”
“Now my information might be out there, maybe even on the dark web,” she continued. “I didn’t realize I was agreeing to such practices. The consent forms are so convoluted and filled with legal jargon that I’d probably need a lawyer to decipher them.”
The 1033 rule, part of the Dodd-Frank Act, was introduced in 2016 and enjoyed bipartisan support in Congress under former CFPB Director Rohit Chopra. But the CFPB faced a lawsuit from the Bank Policy Institute, Kentucky Bankers Association, and Forcht Bank—a community bank with $1.5 billion in assets, located in Lexington, Kentucky. The banks contended that the CFPB exceeded its legal authority and labeled the open banking regulations as “arbitrary and capricious,” breaching the Administrative Procedure Act.
Recently, as the Trump administration advances its rulemaking concerning personal financial data rights, a district court judge sided with the banks, establishing a compliance deadline and pausing the enforcement of rules set during the Biden era.
This ruling was a significant win for banks, as the previous open banking regulations forbade banks from charging fees. However, bank lawsuits challenging this rule, along with intense lobbying, led the CFPB to reconsider its stance.
Currently, the CFPB is led by Acting Director Russ Vought, who is tasked with rewriting these rules that were first initiated during the Trump era when JPMorgan Chase set up billing data access fees.
The CFPB noted that the legal text of Section 1033 is “very thin” and does not directly address some crucial questions. This section of the Dodd-Frank Act states that “a covered person must, upon request, provide to a consumer, upon request, information in the covered person’s control or possession regarding a consumer financial product or service that the consumer has obtained from the covered person.”
The CFPB specifically sought public commentary on several issues, including who can act on behalf of consumers, how costs are assessed, potential negative impacts on consumers, the risk of malicious actors trying to access data, and the potential benefits of competition.
While much of the discussion surrounding the new proposals emphasizes fees, many consumers seem more worried about the risk of fraud and potential misuse of their data.
“I’m really concerned about the security of my personal information,” another commenter expressed. “Honestly, I don’t completely understand who’s accessing my data or how it’s being used. I’m sure I’m not the only one like that. Many folks don’t grasp the risks associated with open banking or what they’re actually consenting to.”
In the meantime, Chi Chi Wu from the National Consumer Law Center and Adam Last from the Consumer Federation of America urged the CFPB to keep data privacy protections as outlined in the Biden-era regulations.
These safeguards include banning secondary uses of data, limiting authorization to a year, ensuring compliance with revocation and data deletion requirements, and providing clear disclosures.
Interestingly, banks are not entirely united on this issue.
Mickey Marshall, a vice president and regulatory counsel for Independent Community Bankers of America, argued for the CFPB to exempt community banks with assets below $10 billion from the proposed regulations. Under previous rules during the Biden administration, banks with less than $850 million in assets were also exempt from obligations related to third-party developer interfaces.
In contrast, larger banks are against any exemptions for smaller banks. The American Bankers Association has called for the elimination of exemptions for community banks and credit unions.
“While we see the good intentions behind exempting small entities, this would leave a significant number of community banks and credit unions outside the rules governing data providers, leading to issues like persistent screen scraping, which injects more risk into the system and reduces competitive fairness,” commented Ryan T. Miller from the ABA.
Miller also indicated that allowing the CFPB to impose fees on banks and other data providers “might ease the burden of exemption for small depository institutions.” He believes the rules established during the Biden administration are becoming outdated and appear to favor certain entities over others.
Many bankers have called for the CFPB to put an end to screen scraping, suggesting this practice should be categorized as “unfair, deceptive, or abusive.”
The Financial Technology Association and the FinTech Council have urged the CFPB to uphold its previous regulations prohibiting banks from levying fees.
“Legacy data providers have a vested economic interest in charging exorbitant fees to hinder data transfer,” stated Penny Lee, president of the FTA. “Constitutional and statutory rights in America shouldn’t be subject to gatekeeping fees, and the language in Section 1033 makes it clear that fees shouldn’t serve as a barrier to exercising this right.”
Community bankers contest fintech providers’ claims and argue they shouldn’t be compelled to subsidize nonbank financial companies.
Rose Oswald Pauls, president of the Wisconsin Bankers Association, highlighted that the previous ban on fees imposes an unnecessary burden on financial institutions, especially since many third parties that benefit from the data they receive are unregulated.
“Financial institutions are expected to create and maintain complex interfaces for third-party access, while these third parties aren’t held to the same regulatory standards,” she pointed out. “This imbalance forces regulated institutions to financially support the operations of unregulated entities.”
The CFPB is moving swiftly to finalize new open banking regulations. The agency will issue a formal notice, inviting public input before finalizing the rules.
