Bloomberg Law
Oct. 31, 2022, 9:00 AM

Banks Seek Guidance on Who’s Liable for Open Banking Data Fraud

Evan Weinberger

Banks are voicing concerns that the CFPB’s plans for consumer data sharing with fintech upstarts fail to spell out how to spread liability in the event of fraud.

The Consumer Financial Protection Bureau issued an outline of a plan that would allow consumers to more easily share personal financial information with third-party fintechs, including data aggregators.

The “open banking” policy is aimed at easing consumers’ ability to switch banks and lenders, as well as link accounts with other service providers. Data aggregators, such as Plaid and MX, would work as middlemen that ease consumers’ process of switching banks by centrally keeping their data.

The agency’s outline, released Oct. 27, addresses data security, dispute resolution and other problems that could arise in banks’ sharing of sensitive information. But it falls short of disclosing the bureau’s thinking about who’s responsible if a data aggregator is hacked or a consumer is tricked into sharing data with fraudsters that loot accounts or commit identity theft.

“The outline is half a loaf,” said Scott Talbott, senior vice president for government affairs at the Electronic Transactions Association. “By not including provisions addressing liability fraud, it creates uncertainty for consumer as well as industry participants.”

The CFPB may not yet have good answers for banks given the complexities of the issue, said David Stein, a former CFPB official.

“Drawing bright lines could be a challenging undertaking. I just don’t see a model for it,” Stein, now of counsel at Covington & Burling LLP, said.

Who’s Responsible?

Banks are mostly responsible for making consumers whole if money or personal data, such as a Social Security number, is stolen in an account hack.

The liability concerns inherent to the CFPB’s data protection rule are different.

Under the CFPB’s forthcoming rules, banks would be sharing data with aggregators and other firms, who then would be responsible for protecting it.

Fraudsters are also using technology to pretend to be the IRS, a local utility or other trusted third party, or to mask a relative’s voice, in order to trick people into turning over account information or wiring funds directly.

“Scam artists have always been out there. They just have more tools available to them,” said Kim Phan, a partner at Troutman Pepper Hamilton Sanders LLP.

The CFPB’s forthcoming rules for data sharing, mandated by the 2010 Dodd-Frank Act, could increase the number of targets and opportunities for fraudsters, she said.

Banks are currently facing pressure from Democratic lawmakers, consumer groups and the CFPB over the way they handle authorized frauds on peer-to-peer payments services like Zelle and PayPal Holdings Inc.’s Venmo.

Banks could face similar calls for compensating consumers if their data get hijacked by criminals who hack and impersonate a trusted data aggregator to trick customers.

A data aggregator that is hacked or allows fraudulent activity to occur “should be liable for that breach,” the Bank Policy Institute said in an Oct. 27 response to the CFPB’s outline.

Data aggregators largely agree with that approach, said Steve Boms, executive director of FDATA North America, an industry group whose members include MX and Plaid.

“FDATA and its member companies have long advocated for an open banking framework in the US under which the entity responsible for a breach that results in financial loss to a consumer is responsible for making the consumer whole,” he said.

Case Closed?

The CFPB may have said all that it plans to say about fraud liability in consumer data sharing, said Lauren Saunders of the National Consumer Law Center.

The agency released an FAQ on electronic fund transfers in June 2021 that said banks are liable if consumers provide account credentials to a data aggregator that is subsequently hacked and allows unauthorized charges, Saunders said.

Banks and other service providers remain liable even if a consumer is tricked into handing over account credentials by a fraudster, she added.

“The CFPB seems to have concluded that it did not need to address the liability question in the data sharing outline because it was already answered by the FAQs,” Saunders said.

The CFPB didn’t immediately respond to a request for comment Friday.

Banks say that’s unfair.

In other instances, banks and other financial services providers have negotiated their own liability arrangements for credit cards and ACH transfers, the system of electronic deposits and debits into and out of bank accounts.

Those liability schemes only came after a push from Congress or regulators, Phan said.

The CFPB could set parameters for liability or set safe harbors for banks and other data providers. These parameters could include laying out indemnification principles so that banks that do things correctly don’t face consumer lawsuits, or accrediting data aggregators and other firms to engender consumers’ and banks’ trust, she said.

Banks could theoretically then figure out more detailed questions on liability on their own, as they have in the past, Phan said.

To contact the reporter on this story: Evan Weinberger in New York at

To contact the editor responsible for this story: Roger Yu at
