These debates will dominate regulatory meetings and congressional hearings in the months ahead. Key disagreements over data privacy, access scope, competitive fairness and the practical burdens for innovators are already shaping the course for open banking in the United States.
The CFPB said in an advance notice of proposed rulemaking (ANPR) that it is looking for comments and data related to four issues.
“These issues are: the proper understanding of who can serve as a ‘representative’ making a request on behalf of the consumer; the optimal approach to the assessment of fees to defray the costs incurred by a ‘covered person’ in responding to a customer driven request; the threat and cost-benefit pictures for data security associated with section 1033 compliance; and the threat picture for data privacy associated with section 1033 compliance,” the CFPB said in the ANPR.
Generally speaking, the rule requires banks, credit unions and other financial institutions to make consumers’ financial data available upon request to consumers and authorized third parties. It also establishes strict guidelines for third parties seeking to access that data.
The Debate
The CFPB’s Section 1033 rulemaking, designed to set standards for consumer access and sharing of financial data, has already garnered comment letters from industry groups, banks, FinTechs and advocacy organizations. Many comments cite the need for strong privacy protections, arguing that the current rule exposes consumers to risk if data security requirements for FinTechs and aggregators lag behind those of traditional banks.
Advertisement: Scroll to Continue
Even before the latest commentary period was opened, trade groups weighed in on data sharing. In a statement July 25, the American Bankers Association, Bank Policy Institute, America’s Credit Unions, Consumer Bankers Association and the Independent Community Bankers of America said that “aggregators profit from obtaining data from banks, saving that data into their own systems and selling access to FinTech developers building financial applications. FinTechs then offer a variety of other products and services that rely on consumers’ financial data, for which they too are paid. Without the ability to obtain consumer data securely, aggregators’ and FinTechs’ business models would be significantly undermined.”
That statement came in response to the American FinTech Council’s July 23 letter to President Donald Trump.
“Some of the nation’s largest banks have raised legal and operational challenges to the open banking standards, including filing lawsuits to delay the rule’s implementation and introducing new fees and restrictions that could limit how consumers share their financial data,” the council said in a July 24 press release announcing the letter. “Such measures threaten to reduce consumer choice, hinder competition, and slow the pace of innovation that benefits Americans nationwide.”
More recently, at the end of August, the AFC wrote to lawmakers regarding the House Committee on Financial Services’ request for feedback on federal data privacy laws, where the Gramm-Leach-Bliley Act has set up a framework that helps inform 1033. The group said in the Aug. 27 letter that it advocates for a federal privacy law with state preemption.
The letter said 20 states have passed data privacy laws, and “their provisions [have] given rise to inconsistent state regulations that create significant challenges for responsible financial services companies seeking to comply with the myriad and nuanced requirements.”
On the CFPB’s commentary page, through communications submitted by Joshua Orenstein, head of Stripe’s consumer legal operations, the FinTech stated Aug. 29 that JPMorgan Chase’s proposed data fees “would violate both the [open banking] statute, which requires access to be provided ‘upon request,’ and the existing final rule, which expressly prohibits such fees.
“That rule is currently in effect and will remain so while the CFPB considers revisions,” Stripe continued. “If Chase is allowed to do an end-run around the process by charging fees during the interim, it will cause significant damage to the marketplace and consumers.”
“Moreover, such unreasonable data access fees will also push the industry away from secure data access interfaces and back to insecure and unreliable screen scraping, which industry stakeholders uniformly disfavor,” Stripe added in the letter.
Among some of the CFPB’s options, Stripe said, would be the ability for the agency to use emergency rulemaking powers “to immediately halt any fees that would cause irrevocable harm to the marketplace…”
Additionally, per Central State Bank in its own comments to the CFPB Aug. 21, the recommendation is that “the bureau will reconsider the asset size thresholds put forth in the original rule. The cost to stand this up, passed on from core software providers for community banks, is going to be substantial. That cost can easily be absorbed by mega banks, but not as easily for smaller institutions that are focused more on serving their communities rather than dominating the financial world of the entire country. Additionally, there are great concerns among peers that data will fall into the wrong hands in connection with this, further damaging the people we serve and the bank as well.”
