Please note that we are not authorised to provide any investment advice. The content on this page is for information purposes only.
Last year, the Consumer Financial Protection Bureau (CFPB) revealed its new open banking rules, but soon after they were presented, the rules faced criticism from two industry groups. According to their comments, the planned rules do not go far enough to adequately protect consumer data, and the CFPB was urged to rework them.
CFPB rules do not protect the users adequately
The CFPB proposed its long-awaited open banking rules in October 2023, with the goal of improving competition in the banking and payments sector in the United States. The rules were designed to ensure that consumer financial service providers would share data with other companies in the ecosystem, which offer more attractive services and products, at the users’ discretion.
However, two entities — the Clearing House Association and Bank Policy Institute — have since responded to the recommendations, arguing that they do not go far enough when it comes to protecting consumers’ sensitive financial data. Furthermore, they also do not require data recipients to comply with the rules in place, which is also seen as a major oversight.
Since expressing their disagreements, the two organizations have said that many of the requirements in the rule proposal seem to be designed to protect consumers and their data, which is a good thing. One such requirement relates to consumer authorization, while another concerns the permissible uses of data. However, the two organizations argue that the rules should apply to all third parties and aggregators in the ecosystem, as well as to all data.
Comments and suggestions regarding the rules
In addition to these suggestions and criticisms, they also called for a ban on screen scraping after the data provider had made a developer interface available. They argue that it is critical for consumers’ financial and personal information to stay secure, even when it gets shared between financial institutions and various third parties, but also when it is stored outside of financial institutions.
It was also suggested that the CFPB impose direct requirements on data aggregators and third parties and clearly voice its intent to supervise these entities to ensure compliance. Apart from that, it should also define liability for any unauthorized transactions that might take place or for failure to adequately protect consumer data.
Finally, the pair noted that data providers need to be allowed to receive compensation from any third party that recovers their commercially reasonable costs and a margin to cover the cost of enabling data sharing.
The American Fintech Council responded to the proposal as well, raising its own somewhat different concerns. The Council is worried about the limitations imposed on data providers and third parties regarding the acceptable use of the received user data.
CFPB clearly expected that it would have to modify its rules, and it previously stated that it expected that the rules would be finalized by 2024. However, given the warnings, comments, criticisms, and concerns, it appears that there is a lot more work left to be done in order to ensure adequate protection of consumer data.