Banks, Fintechs Battle Over Customer Data in Open Banking Plan

Banks’ ability to charge fees and control how much customer data they share with financial technology startups are among the key sticking points for industry groups weighing in on a coming open banking rule from the Consumer Financial Protection Bureau.

The CFPB’s open banking proposal, required under Section 1033 of the 2010 Dodd-Frank Act, would allow consumers to easily share their bank and credit card account data with third-party fintech apps like Wealthfront or Venmo. Fintechs would need to have baseline data-security protocols, and banks couldn’t charge fintechs for accessing the customer data.

Banks want the option to impose small fees on fintechs for data access, saying they need to recover the costs of designing or purchasing and maintaining new programmable interfaces. Fintechs say those fees would only throttle customer data, according to comment letters trade groups submitted ahead of a Dec. 29 deadline that garnered nearly 940 submissions.

The CFPB will continue weighing arguments from all sides as it aims to finalize the highly anticipated open banking rule later this year. Banking and fintech groups could eventually ask the courts to block a final rule if they decide the consumer regulator hasn’t done enough to address their concerns, but industry watchers think stakeholders will find enough to support in a final rule to give it some staying power.

Among other issues, banks asked how they’ll be expected to manage competing risk-management requirements from the CFPB and from prudential regulators focused on ensuring lenders are viable and resilient. Traditional lenders could use that concern as another reason to restrict information flows, fintechs warned.

Fintechs, for their part, urged the CFPB to ease proposed restrictions on the use of customer data for advertising and product development.

The comment letters also revealed a split, including between big and small banks, over a practice known as screen scraping, where customers provide their bank account usernames and passwords to third-party fintechs who then collect the account data they need to offer their services.

Fee Fight

The CFPB has been at the forefront of the Biden administration’s push against what they call junk fees, so it’s no surprise the consumer watchdog proposed blocking banks from charging data access fees in its October open banking proposal.

That doesn’t mean banks are happy about it.

Comment letters from the industry’s main trade groups—the American Bankers Association, the Independent Community Bankers of America, the Bank Policy Institute, and the Consumer Bankers Association—all urged the CFPB to let them charge fintechs for access.

“If Congress had intended for information under Section 1033 to be made without the ability to charge a reasonable fee, it would have said so expressly,” the ABA’s letter said.

Larger banks will face the cost of developing data sharing platforms in-house, while smaller banks lacking big tech budgets will have to purchase systems from core services providers, the groups said.

The ICBA asked the CFPB to exempt all banks with $850 million or less in total consolidated assets from the requirement to create and maintain a third-party developer interface. Banks covered by the rule must be allowed to charge fees, the community bank lobbying group said.

“By prohibiting data providers from passing on some of the cost of creating and maintaining a developer portal, the Bureau is essentially forcing banks to recoup the cost of creating a developer portal indirectly—either through annual account fees, higher interest rates on loans, or greater fees for other bank services,” the ICBA said in its letter.

But fintechs see a different motive behind traditional banks’ push for data access fees—blocking competition from fintech rivals.

“The ability of incumbents to assess fees to allow their consumers to access and share access to their financial data, if permitted to propagate within the financial marketplace, would stifle competition and hamper innovation,” the Financial Data and Technology Association of North America said in a comment letter.

Risk Management

Banks say they face competing regulatory pressures as the open banking model develops.

On one hand, the CFPB is pushing banks to allow fintechs to easily access customer account information, and can hit them with penalties for failing to comply. On the other, banks’ prudential regulators at the Federal Reserve, Federal Deposit Insurance Corp., and Office of the Comptroller of the Currency have in place strict risk-management guidelines that also can result in stiff penalties for violations.

Banks want the option to block fintechs from obtaining customer data if there’s a chance that allowing access would get them in trouble with their prudential regulators.

“The final rule should continue to be framed such that data providers have the right, but not the affirmative obligation, to block access for risk management concerns under Section 1033, thereby allowing them to comply with prudential agency guidance,” the ABA letter said.

Once again, fintechs see an effort to restrict access within the open banking framework by giving banks the power to negotiate individual data access agreements with third parties.

The proposal “empowers financial institution data providers to prohibit authorized third parties from accessing their developer interfaces without first executing a bilateral data access agreement, thus overriding their consumers’ consent,” FDATA North America’s letter said.

Product Testing

The CFPB has faced significant pushback on a provision in the proposal that would bar the use of customer data for secondary purposes, such as product development, research, and fraud prevention.

CFPB Director Rohit Chopra indicated a willingness to dial back those restrictions, and several groups urged him to do so, particularly for anonymized consumer data.

“An approach that seeks to preclude providers from collecting and using data for consumer-centric product innovation will have negative consequences on competition, innovation, and the health of financial services in the United States,” the Financial Technology Association, an industry trade group, said in a comment letter.

Consumer groups agreed that some expanded uses were permissible so long as customers’ identities are shielded.

“We acknowledge that effectively de-identified data, which cannot be reasonably re-identified, does not pose the same privacy risks as personal information, and that such data is crucial for research, product improvement, and ecosystem safety,” Consumer Reports said in a comment letter.

The proposal would also bar the use of customer data for targeted advertising, drawing opposition from marketing industry groups.

The Interactive Advertising Bureau and the Network Advertising Initiative both argued the CFPB was overstepping its legal authorities with a blanket ban, and that the agency misunderstood how targeted advertising benefits consumers.

“The Bureau’s attempt to override consumer choice is built upon an unfounded premise that targeted advertising does not primarily benefit consumers,” the NAI wrote in its comments.

Privacy group the Electronic Privacy Information Center argued the targeted-advertising restrictions don’t go far enough, and said the agency should clarify that behavioral profiling “is presumptively not reasonably necessary to provide products or services” under an open banking system.

Screen Scraping

Another digital privacy group, the Electronic Frontier Foundation, cautioned against a total ban on screen scraping. Giving consumers the ability to share their account credentials directly with third-party apps “serves as a last resort against anti-competitive conduct by regulated entities,” EFF wrote.

“As developer interfaces are wound up and third parties access such interfaces, there is potential for collusion between third parties and data providers, as well as difficult-to-detect discrimination against third parties who are potential competitors,” the group said.

Screen scraping also exposed a rift within the banking community.

The big-bank lobbying group BPI submitted a joint comment letter with The Clearing House, which runs a bank payments network, calling for a complete ban on screen scraping. The CFPB’s proposal requires covered companies to set up application programming interfaces that would replace screen scraping across the market, but stops short of a screen scraping prohibition.

The ICBA, representing community lenders, said small financial institutions should have the ability to choose whether they rely on screen scraping or APIs, in part because of the costs of developing the developer-facing interfaces.