Happy birthday! The Consumer Financial Protection Bureau (CFPB) is celebrating its 10th anniversary, and after some challenging years, its scope of work remains more relevant than ever and its legal authority is finally widely accepted. Last week, Massachusetts Senator Elizabeth Warren (who is perceived as the architect of the CFPB) discussed the CFPB’s accomplishments and scope of work at a virtual event, and suggested that the bureau has more work to do, as there are many areas where it “can make a difference.” One of these areas, undoubtedly, is access to, and sharing of, consumer financial data.
As I have written in the past, American banks, unlike their European or British counterparts, can refuse to let their customers easily share their financial data with other banks or FinTech providers. Although that opposition has somewhat declined with the rise of API industry standards for sharing consumer data, such as the one created by the Financial Data Exchange (FDX), data portability and open banking are among the areas where the CFPB needs to step in and add clarity.
The CFPB has been dancing around the issue of consumer financial data for several years now. In 2017, the CFPB released a set of non-binding principles on consumer-authorized use of financial data. The principles, however, were broad and generic, and did not confirm whether Section 1033 of the Dodd Frank Act grants third parties the legal ability to pull customers’ financial data directly from their bank accounts on behalf of the customers, or whether only customers can access, download and handle that data. Essentially, the CFPB merely recommended that all sides act in an ethical and fair way, but has shied away from taking any official stance on the issue despite other agencies weighing in more deeply. For example, in 2018, the Financial Industry Regulatory Authority (FINRA) issued a warning to investors about a specific type of third party – data aggregators – and their activities in the context of open banking and consumer financial data portability. Similarly, in early 2019, the Federal Deposit Insurance Corporation’s (FDIC) inspector general expressed concerns about unsupervised logins in attempts to get customer bank data.
Despite other agencies weighing in, the CFPB remained silent regarding Section 1033 until 2020, when it organized a symposium dedicated to financial data sharing. In that context, it also issued an advance notice of proposed rulemaking soliciting public comment by February 2021. Unfortunately, no action followed; the CFPB has not officially addressed the issue in the five months since the public comment period ended.
The CFPB’s lack of action has not gone unnoticed. For example, in May 2021, many consumer financial advocacy groups sent an angry letter to the CFPB, demanding the bureau complete the rulemaking of Section 1033. The consumer financial advocacy groups’ anger is justified. Much has happened in the area of consumer financial data since Congress passed Section 1033 as part of the Dodd Frank Act – the massive financial regulation that followed the 2008 financial crisis. For instance, the FinTech revolution post-dates the Dodd Frank Act and has intensified during the Covid-19 pandemic – with customers flocking to banking apps, and U.S. banks closing more than 250 branches – anchoring the realization that the future of banking is digital.
Yet the CFPB’s authority to regulate FinTech companies is a complicated issue because typically these companies are not banks, and are not subject to the same regulation as banks. Instead, consumer finance apps are merely digital interfaces that typically pass the actual banking work to regulated financial institutions. Because the FinTech companies are not banks, they benefit from regulatory arbitrage and often do not have a primary regulator. For example, in certain areas of consumer finance operation, FinTech apps are primarily regulated as vendors to the banks they work with. As such, the responsibility for their conduct falls on the banks, which are legally obligated to manage their vendors and are thus accountable for their third-party relationships. That legal responsibility is intimidating to banks and is a major contributor to their lack of support for the open banking and data portability trends.
CFPB open banking rulemaking can help bring clarity to this regulatory complexity. Even the White House has tried to prod the CFPB into action on this issue. Earlier this month, the White House issued an executive order (EO) that touches upon the issue of open banking, or to be exact, the portability of consumers’ financial data. This is not to say that the EO focuses on financial regulation. The EO attempts to increase competition across the U.S. economy in general – not just in the consumer finance area. But the EO is particularly relevant to consumer finance because it nudges the relevant stakeholders to step up consumers’ ability to access, use, share and transfer their financial data. Such access and ability to share financial data increases competition because it allows consumers to easily switch financial service providers as they see fit. And although the EO encourages data portability from the perspective of consumers’ ability to share their own data, it also emphasizes consumers’ privacy and cybersecurity by cracking down on Big Tech’s ability to use and transfer consumer data, encouraging the Federal Trade Commission to “establish rules on surveillance and the accumulation of data.”
President Biden’s EO makes it clear that the CFPB should have a role in regulating consumer financial data portability. More specifically, in Section 5, which describes “Further Agency Responsibilities,” the EO states that the CFPB’s director is encouraged to consider “commencing or continuing a rulemaking under section 1033 of the Dodd Frank Act to facilitate the portability of consumer financial transaction data so consumers can more easily switch financial institutions and use new, innovative financial products.”
But while this EO is an indication that consumer financial data is on the Biden Administration’s radar screen and that it expects the CFPB to address important issues relating to open banking and security, it is not clear how (and when) the CFPB would go about its rulemaking.
The CFPB has several regulatory routes to address the issue of consumer financial data sharing, and each route has different consequences for consumers and the financial industry. The CFPB has to decide whether to prioritize data access, which means giving consumers the right to access their financial data, or data portability, which means requiring full data portability among financial service providers. The two approaches might seem similar, as they both deal with consumer financial data sharing, but they are not the same. They entail different consequences for data aggregators, which have become extremely important in the consumer finance industry. Data aggregators have built a plumbing system that allows them to transmit consumers’ account information between financial institutions and third-party apps via screen scraping or application programming interfaces (APIs). Screen scraping, which is fairly unregulated, has been the method more commonly used by data aggregators, but it is also the more concerning one, given the security and connection-reliability issues it raises. Therefore, data aggregators, which effectively connect thousands of banks with FinTech companies, would have to carefully navigate any data access / portability regulation, because enabling consumers to serve themselves, or banks to easily exchange data with one another, could challenge the data aggregators’ business models. And while some data aggregators have faced lawsuits alleging that they have violated customers’ privacy, used customers’ data in inappropriate manners, and misled consumers, data aggregators also have been credited for helping level the playing field for smaller or community banks, which do not have the resources to write data-sharing APIs.
Whichever route the CFPB ends up taking, one thing is for sure – the bureau must act, and it must act soon. It should focus on the consumer-at-the-center principle, and empower American consumers with their data. Control over that data means more choice, and more choice means more competition resulting in better products and services for us all. CFPB, you’re 10 years old now, how about some Section 1033 rulemaking?