CFPB Faces Fraud, Privacy Concerns in Open Banking Rules

On April 26 and 27, during his testimonies at the Senate and the House, Rohit Chopra, Director of the Consumer Financial Protection Bureau (CFPB) offered important insights into the regulator’s next moves. One of them was open banking. 

Mr. Chopra said that he would like to push for new regulation under section 1033 of the Consumer Financial Protection Act to promote competition in financial markets via open banking. This is a priority for the bureau — but for the moment, the CFPB has only issued in October 2020 an “advance notice of proposed rulemaking” seeking feedback on a potential rule. 

A new rule would allow consumers to easily share their financial data with third parties, which would eventually facilitate switching service providers. However, the CFPB is grappling with how to handle consumer privacy and data protection issues, according to sources with knowledge on the matter, Reuters reported on May 4. Additionally, the bureau will also need to tackle the problem of authorized push payments (APP) fraud and determine who may be responsible for possible compensations. 

Privacy, Data Concerns 

Chopra’s privacy concerns focus in part on how Big Tech companies may use the data, a concern that he also flagged during his testimony in the Senate and the House. During his time at the Federal Trade Commission as Commissioner from 2018-2021, Chopra took a tough stance on Big Tech companies’ data privacy practices — and he may be wary that these companies could exploit personal consumer data to entrench their services. 

The law will have to strike the right balance between how to protect security, privacy and effective consumer control over their data and how to best advance competition. An agency source said that the CFPB “feels the pinch” to propose the rule but is struggling to “strike the right balance,” Reuters reported. 

APP Fraud 

The new rule may also need to address the question of responsibility in case of APP fraud, when victims are tricked into voluntarily, but unknowingly, sending money to fraudsters under false pretexts. A new rule that allows consumers to share data with many providers will bring many benefits, but it may also increase the risk of fraud as banks will need to provide data to payment service providers (PSPs) and process payments when the user provides his/her consent. Even if banks and PSPs have good AML and KYC programs in place, this type of fraud is difficult to detect before it happens. It isn’t clear yet whether banks and financial institutions (FI) should be held responsible and compensate victims when an APP fraud has occurred.  

In the U.K., banks and FIs have a duty to exercise reasonable care with their customers to avoid APP fraud. However, there is not a legal mandate for PSPs, banks and FIs to compensate victims of an APP fraud if they have exercised reasonable care — typically, if they have AML and KYC programs that haven’t detected anything unusual.  

However, the U.K. Payment Systems Regulator (PSR) has been working with the industry to introduce new tools and a new code to reduce APP fraud and compensate victims in some circumstances.  For instance, the PSR created in 2019 a Contingent Reimbursement Model Code that PSPs can voluntarily adopt — in fact, the largest U.K. banks are signatories of the code — to compensate victims if they have done nothing wrong.  

In January 2022, the PSR proposed several measures to fight APP fraud. Under the proposal, some of the largest banks will have to publish data on their performance in relation to APP scams, reimbursement levels for victims, and which banks and building societies’ accounts are being used to receive the fraudulent funds. 

The regulator is also seeking to make reimbursements mandatory to victims of APP scams, although it needs the assistance of the government to change some laws first as the current legal framework would not allow mandatory reimbursement. 

Next Steps 

The next step in the CFPB’s rulemaking process is a small business panel review. The CFPB will conduct the panel review “by year’s end‚” according to an agency’s spokesperson. 

The Small Business Regulatory Enforcement Fairness Act requires the CFPB to seek feedback from a panel of small businesses about new regulations that may affect them. 

The panel has 60 days to submit a report to the CFPB, after which the agency can issue a draft rule.