TCH: CFPB Data Rule Will Require Stronger Public-Private Collaboration to Safeguard Consumer Interests

Anticipation looms within the financial industry as the Consumer Financial Protection Bureau gears up to implement a rule governing consumer data sharing.

The CFPB said the proposed rule will accelerate a shift to open banking and empower consumers to switch to new financial institutions that provide better service. It mandates the sharing of consumer financial data by banks, data aggregators and third parties with consumers and authorized third parties.

In response to the proposed rule, many groups submitted comment letters to the CFPB in late December. In a letter submitted by The Clearing House, the banking-payments trade association raised concerns about the upcoming regulation, asserting that it does not adequately ensure the proper safeguarding of consumer data privacy and security.

Specifically, the financial industry body advocated for the inclusion of restrictions on credential-based access and screen scraping, arguing that these practices should be prohibited once a data provider offers a developer interface, commonly known as an API.

“Effective and informed consumer consent and control has to be at the heart of this regulation, and we think that screen scraping and credential-based access should end so that consumers are able to effectively control who has access to their data and who has access to moving money in and out of their accounts,” Rodney Abele, vice president and director of legislative and regulatory affairs at TCH, told PYMNTS in an interview.

In the case of credential-based access, consumers provide their login credentials to third parties, which then use this information to access the consumer’s online banking portal, essentially posing as the consumer. According to Abele, this makes it challenging for banks to distinguish between the actual consumer, a legitimate third party and a potential fraudster.

“Credential-based access represents a real significant risk to consumers because their credentials could be compromised when they’re saved by the third party, and someone else could use them to break into their online bank account and drain their funds,” he said.

On the other hand, he described screen scraping as “an all-or-nothing approach” to gathering data, whereby third parties, once they gain access to a customer’s account using their credentials, can gather and download any data visible on the customer’s online banking website, leaving consumers with no control over which specific financial details they want to share with third parties.

“So, if a consumer only wanted to share their checking account information, but also had a credit card, screen scraping doesn’t allow the consumer to prevent the third party from seeing their credit card information,” Abele said.

Adopting a Preventive Approach

Expanding on TCH’s position, Abele pointed out a key difference: while financial institutions diligently adhere to stringent cybersecurity measures to protect sensitive customer data, the same cannot be said for data aggregators and numerous third-party entities.

“Currently, data aggregators and most third parties are not held to any supervisory or examination standards on cybersecurity protections once the customer shares it with them,” he said.

It’s the reason why Abele emphasized that the CFPB must ensure that all companies handling consumer data — not just financial institutions — abide by the same security standards on how consumers authorize data use and what data can be used. This way, everyone plays by the same rules.

He also stressed the importance of adopting a proactive approach in the effort to regulate access to consumer data.

“When there’s a data breach or financial information is leaked on the internet, there’s no way to take it back, so supervision and enforcement are really important to ensure that the breach doesn’t happen in the first place,” Abele said.

Using Public-Private Partnerships

Looking ahead, Abele said a pivotal aspect of this proposal revolves around public-private partnerships. He particularly highlighted the need for the CFPB to acknowledge the importance of a standard-setting body to regulate compliant data sharing as outlined in the proposed rule.

As he said, “that legal certainty and regulatory appreciation of the role of an industry body will go a long way to [instilling confidence] in the whole U.S. market” and will provide clear guidance to data holders, data providers and third-party data recipients, aligning them with the right approach and technical standards.

Overall, Abele acknowledged the comprehensive nature of this regulatory proposal, describing it as a “soup-to-nuts” approach marking the government’s first attempt to create a thorough framework regulating and safeguarding consumers sharing financial data.

Although the rule aims to cover all bases, Abele underscored the importance of a thorough review of the details in collaboration with private-sector industry bodies before advancing to a final rule. This meticulous process is essential and cannot be rushed.

“It’s going to take longer than the CFPB proposed in the proposal [estimated October 2024],” he said. “And it’s important that the bureau gives financial institutions the time to get it right so that we can all protect consumers uniformly after this rule becomes effective.”