The Bank Policy Institute (BPI) and Kentucky Bankers Association filed a lawsuit against the Consumer Financial Protection Bureau (CFPB) over a rule that governs financial data protection.
The lawsuit, filed in U.S. District Court in Lexington, Kent., asserts that the CFPB overstepped its authority and jeopardized consumers’ privacy, financial data and account security with this rule.
The CFPB rule, under Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act, says that a financial services provider must make available to a consumer information concerning the consumer financial product or service that the consumer obtained from the provider.
BPI and Kentucky Bankers have several concerns about the rule.
“BPI supports a competitive marketplace where consumers control how their personal financial data is used and with whom it is shared, so long as their data remains protected. Unfortunately, the CFPB delivered a rule that treats sensitive financial data with as little care as a consumer’s web browsing history. If left unchallenged, technology companies subject to little to no oversight will have access to very sensitive information, like how much is in your account and where you spend your money. Banks have a responsibility to protect customers and their data, and this rule compromises these responsibilities, putting bank customers at risk,” Greg Baer, BPI president and CEO, said.
Among their concerns, BPI and Kentucky Bankers said:
- It requires no oversight of third parties using bank customer data. The Treasury Department issued a report in 2022 finding that “…there is virtually no regulatory oversight of data aggregators’ storage of consumer financial information akin to the supervision of [banks’] data security.” The entire responsibility of protecting customers is left to banks under the final rule, while the CFPB takes no accountability. Mandating data sharing without requiring third parties to protect that data will undermine existing consumer protection laws.
- It increases the likelihood of fraud and scams by failing to address weak safeguarding practices. Without proper oversight and supervision of aggregators and third parties, the chances rise of bad actors gaining access to data from third-party entities with weak security practices.
- Screen scraping and other unsafe practices are allowed to persist. Many data aggregators continue to rely on unsafe practices such as screen scraping to obtain account and transaction data, often collecting more information than is needed to offer a core product or service. The CFPB has taken no concrete action to prohibit screen scraping and banks would remain limited in their abilities to address this risk and protect their customers.
- It fails to hold third parties accountable. When a customer authorizes their data to be shared, the data recipient has an obligation to protect the data and provide the customer with basic customer service when problems arise. Third parties’ use and protection of sensitive consumer data is outside of banks’ control, leaving banks unable to protect their customers from data breaches at third-party companies and fraud that may result from these breaches.
- It allows third parties to profit, at no cost, from systems built and maintained by banks. Technology costs are a significant expenditure for every major company, and banks have invested billions of dollars in building systems to protect consumers’ data and information and have earned customers’ trust accordingly. Banks should be able to charge third parties who seek access to that sensitive data, just as companies charge one another for products and services routinely in the marketplace.
- It imposes an unreasonable implementation timeline. While the final rule seemingly provides a longer compliance runway, the new compliance deadline is not tied to the promulgation of any consensus standards that will naturally become the industry’s default standard for compliance under the rule. But banks cannot build toward compliance with standards that do not exist.
“The CFPB’s 1033 rulemaking jeopardizes the safety and soundness of our banking system and fails to protect consumer data. We are challenging the CFPB to ensure that banks can continue to protect their consumers and the integrity of the financial system in a safe and sound manner,” Ballard W. Cassady, Jr., Kentucky Bankers Association President & CEO.