Smaller banks and credit unions say they’re disappointed the Consumer Financial Protection Bureau’s open banking proposal won’t let them charge customers for sharing financial data—even though free data exchanges are already the industry norm.
Those lenders say the coming requirements will force them to purchase new offerings from core service providers such as
The CFPB wants to get rid of screen scraping in order to better protect bank customers’ data and privacy. The agency says the increased costs banks and credit unions might incur under the proposal, mandated by Section 1033 of the 2010 Dodd-Frank Act, should be relatively modest and fall over time.
While the smaller banks’ pressure is unlikely to force the agency to undo the rule, it could prompt smaller changes, a longer phase-in period, or even a potential lawsuit over the final rule.
Free customer data access is already standard in most existing contracts between financial institutions and fintech apps like Venmo, so the CFPB is largely maintaining the status quo, said Dan Quan, a former CFPB senior adviser who previously worked on the proposal.
“When financial institutions signed bilateral data sharing agreements with data aggregators, they never considered charging a fee for this,” said Quan, the founder of venture capital firm Nevcaut Ventures.
In addition to the open banking proposal, the CFPB recently issued an advisory opinion instructing banks that they can’t charge customers seeking basic account information. Most banks have moved away from charging for that information already.
‘Data is Ours’
At the heart of the CFPB’s Oct. 19 open banking proposal is a right for people to share their financial data free of charge and without any limitations on the number of times third-party fintechs have access to a bank’s servers.
“This data is ours. We as consumers are contributing to products that a lot of these banks are developing,” said Morgan Harper, the director of policy and advocacy at the American Economic Liberties Project, an advocacy group that opposes concentrated economic power.
Many smaller banks and credit unions currently rely on screen scraping, where customers turn over their bank login credentials to third parties, to share financial data.
The CFPB plans to eliminate screen scraping within four years of the open banking rule’s enactment. That means many smaller financial institutions will have to pay core service providers to develop application programming interfaces, or APIs, to facilitate data transfers.
Those new services will cost money, as will unlimited access to bank servers the proposal seeks to mandate, some banks and credit unions say.
For banks and credit unions that create their own APIs, the CFPB estimates a company will have to pay a median $3.37 per customer per year under the proposal, with costs falling as technology matures.
Less than a third of banks and credit unions that rely on core services providers for APIs will have to switch companies to comply with the rule, according to the agency’s estimate. While the cost of switching can range from $50,000 to $350,000, the CFPB said the growing number of core services providers offering APIs is likely to grow, further reducing the number of small banks and credit unions that will have to switch.
“At a time when credit unions are being hit with increasing costs just to serve their communities, we’re very disappointed with requiring credit unions to divert time and resources away from member services to subsidize and provide free services to third parties’ competing businesses,” Credit Union National Association President and CEO Jim Nussle said in a statement last week.
Industry Standards
But most larger banks already offer such services free of charge through contracts with individual data aggregators and fintechs. While those agreements allow for free access to data, they also permit banks and other data providers to cap the amount of data they share and the number of times a fintech can access their servers, said Kelvin Chen, a senior executive vice president and head of policy at the Consumer Bankers Association.
“Those contracts also make representations about uptime and when you can access the servers, limits, and also the types of data you can pull,” he said.
While the move away from screen scraping is generally a boon for privacy, giving consumers more control over their data also creates new opportunities for fraud and cyberattacks, said Vikas Agarwal, managing director and financial services industry leader at
That means banks, credit unions, core services providers, and fintechs will have to accelerate their spending on identity-proofing technologies such as biometrics and AI, which they have been slow to adopt thus far, he said. Those costs of adoption will trickle down to customers, Agarwal said.
Overall, the CFPB estimates the costs are going to be manageable, particularly as companies move to adopt the new framework. Fiserv and Plaid Technologies Inc., a leading data aggregator, earlier this month announced a partnership to boost Fiserv’s API offerings to client banks and credit unions.
Since the CFPB is giving small banks and credit unions four years upon implementation to comply with the rule, there should be more time for compliance costs to go down, said Jay Harris, a Hudson Cook LLP partner who advises industry clients on consumer protections.
“The agency tried to address those cost concerns by having a multi-year phase-in process under this proposal,” he said.
— With assistance from
To contact the reporter on this story:
To contact the editors responsible for this story:
Learn more about Bloomberg Law or Log In to keep reading:
See Breaking News in Context
Bloomberg Law provides trusted coverage of current events enhanced with legal analysis.
Already a subscriber?
Log in to keep reading or access research tools and resources.