Lawsuit Accuses CFPB Of Jeopardising Consumers With New Open Banking Rules

October 25, 2024
Two US banking groups filed a lawsuit against the Consumer Financial Protection Bureau (CFPB) just a day after the regulator published the open banking final rule, challenging the agency’s rulemaking under Section 1033 of the Dodd-Frank Act.

The lawsuit, filed in US District Court in Lexington, Kentucky, by the Bank Policy Institute (BPI) and the Kentucky Bankers Association (KBA), accuses the CFPB of exceeding its statutory authority and implementing rules that could jeopardise consumer privacy, data security and overall account protection.

“Unfortunately, the CFPB delivered a rule that treats sensitive financial data with as little care as a consumer’s web browsing history,” commented Greg Baer, BPI president and CEO. 

Baer said that if left unchallenged, “technology companies subject to little to no oversight will have access to very sensitive information, like how much is in your account and where you spend your money”.

“Banks have a responsibility to protect customers and their data, and this rule compromises these responsibilities, putting bank customers at risk,” he cautioned. 

According to the lawsuit, the CFPB’s “bureaucratic intervention into a well-functioning area that is rapidly developing and improving through private initiatives is not just unnecessary; it is counterproductive, and it will ultimately harm consumers, the very group the Bureau is charged with protecting”.

Third-party data use

The lawsuit says that the CFPB rule mandates “the sharing of sensitive customer data such as transaction history, account balances, and even account and routing numbers through APIs with a seemingly unlimited number of third parties”.

It contends that the CFPB has failed to establish proper oversight for third-party data aggregators and recipients, pointing out that a 2022 report undertaken by the US Treasury Department highlighted the absence of regulatory scrutiny over how these entities store consumer financial data. 

The responsibility for safeguarding this data, the lawsuit argues, falls solely on banks, while the CFPB has taken no steps to ensure that third-party entities are held accountable for the security and protection of consumer data.

Despite this section of the lawsuit, remarks by CFPB chair Rohit Chopra appeared to defend the data protections in the rule, which he said “are essential to ensuring the rule works to advance competition in financial markets”.

“This rule will help to dramatically improve privacy and security, ending the problematic credential sharing and invasive surveillance that we too often see,” he said during a speech at Georgetown University’s DC Fintech Week conference, where he described the new rule as a “simple, but much different approach”.

“To obtain data on a consumer’s behalf, a bank, fintech, or other financial company will need to adhere to federal data security requirements,” he said.

“This means they can’t have shoddy security like we saw at companies like Equifax, and if they fail to meet their obligations, they can face enforcement actions and can even get shut down by the licensing or chartering authority.”

Increased fraud risk

The BPI and the KBA warn that the rule increases the likelihood of fraud and scams, arguing that “forcing banks to liberally share customers’ sensitive financial information while handcuffing banks from managing the risks of doing so is a recipe for fraud and misuse of customer data”.

Without strong oversight of third-party entities, the plaintiffs claim, malicious actors could exploit weak security practices, gaining access to consumers’ financial information. 

They suggest that account and routing numbers, along with transaction data, could be exposed, making unauthorised transfers and other forms of fraud easier to execute.

Continued screen scraping

The lawsuit also criticises the CFPB for allowing the continued use of what it says are unsafe practices such as screen scraping. 

This occurs when a company collects a consumer’s username and password in order to log in to online banking on the consumer’s behalf and scrape data.

Regulators in other jurisdictions have attempted to rein in the practice with their own open banking regulations, such as the EU’s revised Payment Services Directive (PSD2). 

“These methods necessarily entail giving those third-party companies access to more data than they need, including the customer’s login credentials,” the lawsuit says.

“This form of data access, as well as the continued storage of the customer’s credentials, expose consumers to serious risks of unauthorised access to and misuse of their accounts and sensitive data.” 

In his remarks on Wednesday (October 23), Chopra said that he hoped that the proposal “works towards ending the practice”, which he acknowledged is “risky”. 

Poor accountability at no cost?

Another major issue raised in the lawsuit is the lack of accountability for third parties that receive consumers’ data. 

According to the BPI and the KBA, once a customer authorises their data to be shared, banks are no longer able to protect that data from breaches or misuse at third-party companies. They claim that the rule leaves consumers vulnerable and puts the onus on banks without giving them adequate control over security measures.

The banking groups also allege that the rule allows third parties to profit from systems that banks have spent billions of dollars developing, with no compensation in return. 

“Having imposed these enormous out-of-pocket costs and exposed banks to a substantial and unreasonable risk of liability, the Rule impermissibly bans banks from charging any fees designed to recoup those costs to the third-party fintechs and aggregators who will profit from the new framework,” the lawsuit says. 

It also points out that technology giants such as Google and Apple charge for third-party access to their systems, arguing that banks should have the same right to charge for access to sensitive customer data.

“Section 1033 does not authorise the Bureau to adopt such a one-sided fee prohibition that effectively gives a windfall to commercial entities like fintechs and data aggregators,” the lawsuit argues.

Unworkable compliance timelines

Finally, the lawsuit asserts that the CFPB’s rule imposes an unreasonable implementation timeline, even though the rule provides a compliance runway that is more flexible than that in jurisdictions that have already implemented open banking rules.

The bank groups argue that the timeline is disconnected from the development of any consensus standards for compliance, warning that financial institutions risk wasting resources by attempting to comply with standards that could change, forcing them to redo their efforts.

According to the lawsuit, the CFPB rule is “fundamentally incompatible with its dependence on standard setters to determine rules for compliance”. 

The lawsuit says that the CFPB will “depend heavily on private standard-setting organizations to give particularized content to many more general provisions of the rule”, adding that no such “consensus standards” exist today. 

Indeed, the CFPB has yet to recognise any standard-setters, despite an application being filed in September by the Financial Data Exchange (FDX), which includes Amazon Web Services, Mastercard, Visa and Bank of America.

“The Bureau’s decision to set compliance deadlines on dates certain, without regard to when any such standard setter issues any such ‘consensus standard,’ is arbitrary and irrational because it starts a clock for compliance with entirely unknown standards,” the lawsuit says.
