Section 1033
Banks Challenge CFPB Rule Jeopardizing Security and Privacy of Consumer Financial Data
The Bank Policy Institute and Kentucky Bankers Association filed a lawsuit against the Consumer Financial Protection Bureau challenging aspects of the agency’s rulemaking under Section 1033 of the Dodd-Frank Act, which governs how consumers access their financial data and how that data is protected. The lawsuit, filed in U.S. District Court in Lexington, KY asserts that the CFPB overstepped its statutory authority and finalized a rule that jeopardizes consumers’ privacy, financial data and account security.
The lawsuit raises several key concerns with the CFPB rule:
- It requires no oversight of third parties using bank customer data. The Treasury Department issued a report in 2022 finding that “…there is virtually no regulatory oversight of data aggregators’ storage of consumer financial information akin to the supervision of [banks’] data security.” The entire responsibility of protecting customers is left to banks under the final rule, while the CFPB takes no accountability for the oversight or supervision of data recipients. Mandating data sharing without requiring third parties to sufficiently protect that data will undermine existing consumer protection laws.
- It increases the likelihood of fraud and scams by failing to address weak safeguarding practices. Without proper oversight and supervision of aggregators and third parties, the chances rise of bad actors gaining access to data from third-party entities with weak security practices. Exposure to account and routing numbers, along with transaction data, could provide fraudsters with all the details they need to initiate unauthorized transfers and engage in other malicious activities.
- Screen scraping and other unsafe practices are allowed to persist. Many data aggregators continue to rely on unsafe practices such as screen scraping to obtain account and transaction data, often collecting more information than is needed to offer a core product or service. The CFPB has taken no concrete action to prohibit screen scraping and banks would remain limited in their abilities to address this risk and protect their customers.
- It fails to hold third parties accountable. When a customer authorizes their data to be shared, the data recipient has an obligation to protect the data and provide the customer with basic customer service when problems arise. Third parties’ use and protection of sensitive consumer data is outside of banks’ control, leaving banks unable to protect their customers from data breaches at third-party companies and fraud that may result from these breaches.
- It allows third parties to profit, at no cost, from systems built and maintained by banks. Technology costs are a significant expenditure for every major company in America, and banks have invested billions of dollars in building systems to protect consumers’ data and information and have earned customers’ trust accordingly. Banks should be able to charge third parties who seek access to that sensitive data, just as companies charge one another for products and services routinely in the marketplace. These practices are consistent with developer access offered by Google, Apple, Facebook and other major U.S. companies.
- It imposes an unreasonable implementation timeline. While the final rule seemingly provides a longer compliance runway, the new compliance deadline is not tied to the promulgation of any consensus standards that will naturally become the industry’s default standard for compliance under the rule. But banks cannot build toward compliance with standards that do not exist. Until such standards are promulgated, any steps data providers take toward compliance come with the substantial risk of being wasted in the event that they must unwind and redo that work to adapt to standards that are later adopted.
Banks support a regulatory framework that fosters competition and safeguards consumer interests. Our goal is to achieve a resolution that sufficiently protects bank customers’ privacy, data security and control over their personal financial information.
Litigation Timeline
The CFPB proposed its rule on October 31, 2023. It received over 11,000 comments, many of which criticized fundamental aspects of the Bureau’s proposal. Yet the CFPB proceeded to finalize the rule largely as proposed on October 22, 2024. The CFPB has since acknowledged the rule violates the law, and the Financial Technology Association has intervened to defend the rule. A timeline for the case is outlined below.
Resource Center
Section 1033: What it Means and Why Banks are Challenging the Rule
The CFPB’s Section 1033 rule jeopardizes the security and privacy of consumer financial data. Hear from Paige Pidano Paridon, BPI’s Co-Head of Regulatory Affairs, on the shortcomings of this rule and learn more at KeepBankingSafe.com
Recent One-Pagers
Screen Scraping: Visual Resources
Recommendations:
- Data aggregators should be held to the same rigorous data security and privacy standards as banks
Banks have legal obligations to safeguard customer data and comply with strict regulatory requirements related to privacy and security, and have put decades of effort into protecting their customers and institutions. In comparison, aggregators’ security controls vary, some may lack the capability to comply with disclosures required under privacy laws, and they are not subject to supervision by regulators similar to that of banks. At a minimum, the CFPB and other agencies should clarify that data aggregators should have in place similar standards as those provided under Regulation P[1] and the Interagency Guidelines Establishing Information Security Standards[2], the implementing regulations of GLBA, for the purposes of consumer data security and privacy.
- Data aggregators should be transparent in how they access and use consumer data
Screen-scraping allows an aggregator to obtain significantly more data than needed by the underlying FinTech app, including sensitive personal information, which could subsequently be stolen. Consumers should have a better understanding of the risks associated with sharing their financial data. To that end, aggregators should be required to obtain affirmative consent to access consumers’ financial data that is narrowly tailored to and commensurate with how the data will be accessed, obtained and used.
- Liability for unauthorized transactions and cyber breaches must be addressed
BPI believes there is a lack of clarity around the level of responsibility aggregators share in the event of unauthorized transactions and cyber breaches and supports clarification of liability during such occurrences. Banks should practice due diligence on data aggregators and manage connectivity risk but should not be held liable for a loss of customer data due to the activities of a data aggregator.
- Industry should adopt APIs for data sharing
BPI applauds efforts by FDX to create a common API and by TCH to promote safe methods of sharing customer financial data, but more must be done to move away from the practice of screen-scraping. BPI encourages banks, data aggregators and interested stakeholders to work together to enable migration towards API-based data sharing. Data sharing should consider the adoption of secure token standards and provide customers visibility and control into personal data shared between FinTech apps and banks.