- CFPB proposal would allow consumers to freely share data
- Banks concerned they may be on the hook for fraud
The Consumer Financial Protection Bureau faced a key challenge in its long-awaited open banking proposal: allowing the free sharing of customers’ financial data while boosting security.
Banks say the agency came up short.
The open banking proposal the agency released Oct. 19 calls for banks and credit unions to allow customers to easily share their financial information with third-party fintech apps like Wealthfront or Venmo. Typically, that’s done through data aggregators such as Plaid and MX that serve as a bridge between financial institutions and fintechs.
Traditional financial institutions could ultimately file court challenges to block a final open banking rule if they decide it doesn’t go far enough on data security or liability. The CFPB is aiming to finalize the rule, required by Section 1033 of the 2010 Dodd-Frank Act, sometime next fall, Director Rohit Chopra said on a media call Oct. 19.
Banks and credit unions are worried about their potential liability should a data aggregator or fintech suffer a breach. Financial institutions were also concerned about the misuse of customer data by fintechs that would violate privacy rights.
The CFPB attempted to address those issues by proposing to formally extend existing data security laws and regulations to fintechs, change how customer data is shared, and limit the potential uses of that data.
But banks and credit unions say that may not be enough to assuage their concerns.
“The proposal fails to impose proper safeguards to protect consumers from bad actors by only requiring the baseline level of identity information without any oversight or supervision for compliance with the rule of these third-party actors,” Credit Union National Association President and CEO Jim Nussle said in a statement.
Fintechs and privacy advocates hailed those moves as a major step forward.
Financial Data and Technology Association of North America Executive Director Steve Boms said his group is “pleased that the proposed rule creates strong data security and privacy standards to ensure that consumers are protected wherever they choose to manage their finances.”
‘Wildly Insecure’
The CFPB seeks to address concerns about fintechs’ history of mishandling consumer data, including by collecting and selling it to other companies.
Its proposal also targets a practice known as “screen scraping,” which requires users to share their banking usernames and passwords with third-party services, such as payment processors, in order to retrieve the banking information needed to use that service. Sharing passwords can put users at greater risk of having their data exposed if one of the services using the password is breached or hacked.
“There’s nothing that’s good for security or privacy about credential sharing,” said Jeremy Grant, coordinator of the Better Identity Coalition, an industry group focused on digital security. “It’s wildly insecure.”
The CFPB wants to eliminate screen scraping entirely within four years by requiring the use of application programming interfaces (APIs) that give users control over the financial data they want to share with third parties without giving up full access.
API tools “allow the consumer to choose on a granular basis what information they’re willing to share, and also what information they want to be private,” Grant said.
Much of the industry has already moved away from screen scraping. The CFPB estimates half of third-party data access currently occurs through APIs, a stark reversal from just two years ago, when the agency found most access occurred via screen scraping.
Additionally, the proposal would place guardrails on third parties’ use of shared data, including a “brightline rule” prohibiting targeted advertising, an area of abuse that the CFPB has aggressively moved against in recent actions.
To address data security, the CFPB said the Gramm-Leach-Bliley Act’s data protection requirements and the Federal Trade Commission’s Safeguards Rule would apply to the entire financial services ecosystem.
“There’s several good, consensus consumer privacy protections” in the proposal, said Jay Harris, a Hudson Cook LLP partner who advises industry clients on consumer protections.
Banks say even those protections may be insufficient, because fintechs and other data aggregators were already subject to the federal privacy law and the FTC’s rule.
Under the proposal, data aggregators that collect customer data that is then used for credit decisions or other financial activities would be considered credit reporting companies under the Fair Credit Reporting Act. That would bring them under direct CFPB supervision for compliance with, among other things, data security requirements.
Banks and credit unions want a firmer commitment to federal supervision.
“We firmly believe that other entities that are granted access to consumers’ data must be held not only to the same high standards but also to the same level of supervision related to data security, privacy, and consumer protection that banks must meet every day,” American Bankers Association President and CEO Rob Nichols said in a statement.
Liability Concerns
Banks say liability for data breaches and potential customer losses got short shrift in the proposal.
The CFPB said the liability standards set by Regulation E, the implementing rule for the 1978 Electronic Fund Transfer Act, would continue to apply in an open banking context. Under that framework, the party that suffers the breach is the one held liable.
But Kelvin Chen, a senior vice president and head of policy at the Consumer Bankers Association, said the Reg E liability requirements are more complicated when it comes to open banking. If a breach occurs at a fintech, that company may not have the means to cover customer losses, leaving the bank on the hook, he said.
“We have to know that we can make our customers whole,” Chen said.

