Bloomberg Law
Jan. 30, 2023, 10:00 AM; Updated: Jan. 31, 2023, 7:54 PM

Small Banks Urge CFPB to Phase in Open Banking Tech Requirements (Correct)

Evan Weinberger
Andrea Vittorio

Smaller banks are urging the CFPB to consider a more gradual technological shift and weigh their cost burdens, as the regulator crafts a new “open banking” rule to ease consumers’ sharing of financial information.

The Consumer Financial Protection Bureau’s open banking proposal aims to allow consumers to seamlessly switch between financial service providers by requiring banks and credit card companies to develop technology that consumers can use to share their financial data with fintechs and other upstart competitors. Public comments on the CFPB outline for its plans were due on Jan. 25.

Credit unions and community banks asked the CFPB in particular to slow down on a provision in the rule to eliminate the practice of so-called “screen scraping,” where a third-party app or website uses a consumer’s log-in credentials to access a bank or card issuer account. Big banks and privacy advocates support ending the practice, arguing that scraping poses security and privacy risks.

Consumers’ ability to easily transfer data to their banks’ competitors could spur better and cheaper services. But public comments also show that the agency’s rule-making, required under Section 1033 of the 2010 Dodd-Frank Act, is fraught with concerns about privacy, fairness, and the industry’s readiness to embrace changes.

“In the long run, commoditization of financial data driven by the CFPB’s goal of ‘reducing switching costs’ could have the opposite of its intended effect: rewarding the largest, most technologically sophisticated companies at the expense of credit unions and other community institutions focused on relationship banking,” the National Association of Federally-Insured Credit Unions (NAFCU) said in a letter to the CFPB.

Scraping Data

Currently, data aggregators such as Plaid and Yodlee use screen scraping as a key tool to facilitate data transfers between banks or other financial companies.

Banks and privacy advocates have warned about security and privacy risks associated with scraping, such as letting a third party misuse consumer credentials or collect more data than authorized.

Data aggregators also have been accused of selling consumer data without consent, according to the nonprofit Electronic Privacy Information Center (EPIC).

The CFPB’s open-banking outline envisions moving away from scraping almost entirely to a system in which banks set up application programming interfaces (APIs) and data portals for transferring consumer information.

APIs are a type of standardized interface software that data providers would use to authenticate the consumer and transmit requested information without the consumer having to share their credentials with a third party.

But moving to data sharing portals like APIs is expensive and may be beyond the reach of smaller financial institutions, the Independent Community Bankers of America (ICBA) said in a comment letter to the CFPB.

It could put them at a further disadvantage to Wall Street banks and emerging fintechs, NAFCU told the agency.

EPIC supports the adoption of standard APIs to reduce reliance on data aggregators, the group said in a letter to the CFPB.

The industry is steadily moving toward using APIs and data portals instead of scraping to share customer information. Plaid estimates that more than 60% of its traffic is currently on APIs, largely due to its contracts with the biggest banks, according to its letter to the CFPB.

‘Technology Neutral’

The ICBA said it supports moving to an API standard for sharing customer data. But the community bank advocacy group said in its letter that there is currently “limited adoption” of APIs, largely because purchasing the technology is expensive.

The group and NAFCU urged the CFPB to either consider “technology neutral” requirements that could allow for screen scraping or phase in API requirements. That would give smaller financial institutions time to adopt them, while also avoiding a requirement that financial institutions accept all screen-scraping requests.

Other commenters, including the nonprofit Future of Privacy Forum, also urged the agency to tighten data security requirements for firms that receive consumer financial information.

The PNC Financial Services Group Inc., the parent of PNC Bank, told the CFPB it’s concerned about an increased risk of consumer identity theft and financial fraud if data recipients are not subject to bank-grade data security standards and regulatory supervision. Federally regulated financial institutions are subject to strict information security requirements.

“Consumers are entitled to equally rigorous data protection regardless of whether their data is held at a bank or a nonbank,” PNC said in a letter to the agency.

The CFPB could bring data aggregators and fintech apps under its supervision as a way to protect consumer data.

FDATA North America, a trade group representing data aggregators, urged the CFPB to supervise its members.

Wider Scope

The CFPB so far contemplates subjecting banks and credit card companies to increased data sharing requirements.

But other consumer finance players that aren’t part of the CFPB’s plans increasingly play significant roles in the industry. Nonbank mortgage lenders issue the majority of mortgages in the US. Auto lenders owned by car companies issue a large portion of US auto loans. Consumers also increasingly make purchases using “buy now, pay later” and installment loan services.

Including only banks and credit card companies in Section 1033 may provide a glimpse of money flowing in and out of consumers’ bank accounts monthly, but it wouldn’t give a full picture of, say, the interest rate and remaining term on a mortgage, most industry associations said.

“To better assess a consumer’s financial health, it would be logical for industry to pull from a greater scope of financial accounts held by a consumer,” the Consumer Bankers Association said in a comment letter.

The CFPB should broaden the scope of its 1033 rules to provide a more complete picture of a consumer’s financial life, according to the Financial Technology Association, an industry group that includes data aggregators and fintech lenders.

Data-sharing requirements should be phased in for FTA members and other nonbank firms, the FTA said.

“Consumers will enjoy the greatest benefit from Section 1033 to the extent that it provides consumers a holistic ability to assess financial health and wellness, as well as shop for the broadest range of financial products and services,” the FTA said in its letter.

(Corrected the attribution of the fifth paragraph quote.)

To contact the reporters on this story: Evan Weinberger in New York; Andrea Vittorio in Washington

To contact the editor responsible for this story: Roger Yu; Maria Chutchian