Digital Transactions Authoritative, insightful and timely information for payments professionals
No sooner had the Consumer Financial Protection Bureau released its personal financial data rights rule Tuesday than the rule was legally challenged by the banking industry.
The lawsuit, filed late Tuesday by the Bank Policy Institute and the Kentucky Bankers Association, alleges the CFPB has overstepped its bounds by issuing a rule that fails to properly safeguard consumer accounts and financial data accessed by third parties, such as fintech and data aggregators, and puts at risk the infrastructure banks have built to support opening banking.
The lawsuit was filed in the United States District Court for the Eastern District of Kentucky, Lexington Division.
“This is a case about a federal agency overstepping its statutory mandate and injecting itself into a developing, well-functioning ecosystem that is thriving under private initiatives,” the complaint says in its opening statement.
“The rule that Plaintiffs challenge seeks to cut off that private development and replace it with a complicated, expensive, mandatory regulatory framework that Congress never authorized,” says the complaint. “Worse yet, the framework the agency has adopted is fundamentally unsafe, so the primary result of its overreach will be to harm the very consumers it is charged with protecting.”
The CFPB’s rule requires financial institutions, credit card issuers, and other financial providers to share data at a consumer’s direction with companies offering competing products.
The plaintiffs argue that in designing the rule, the CFPB not only required banks to “provide access not only to information about a customer’s account” but “information enabling third parties to initiate payment from that account.”
That provision within the rule, the plaintiffs say, does two things. First it “imposes upon banks a vague duty to document the compliance with consumer authorization requirements of potentially thousands of fintechs and data aggregators, which are not subject to the same data security requirements and expectations as banks.”
Second, the provision “substantially limits banks’ ability to deny access to those third parties on risk management grounds by purporting to confine that discretion to narrowly prescribed circumstances.”
As a result, the responsibility of protecting customers is to be borne by banks under the final rule, “while the CFPB takes no accountability for the oversight or supervision of data recipients,” according to the plaintiffs.
The alleged lack of proper oversight and supervision of data aggregators and fintechs increases the risk of “bad actors gaining access to data from third-party entities” that have weak data security, which in turn can expose sensitive consumer financial data, such as account and routing numbers and transaction data to fraudsters, the plaintiffs charge.
“BPI supports a competitive marketplace where consumers control how their personal financial data is used and with whom it is shared, so long as their data remains protected,” Greg Baer, president and chief executive of the Bank Policy Institute, says in a statement. “Unfortunately, the CFPB delivered a rule that treats sensitive financial data with as little care as a consumer’s Web browsing history.”
Baer goes on to argue that if the CFPB’s personal financial data rights rule is left unchallenged, technology companies subject “to little to no oversight” will have access to sensitive consumer financial data.
“Banks have a responsibility to protect customers and their data, and this rule compromises these responsibilities, putting bank customers at risk,” Baer adds.
To remedy the situation, plaintiffs are asking the court to, among other things, declare the CFPB’s rule was developed outside of the CFPB’s statutory authority, as it is “arbitrary, capricious, or otherwise contrary to law within the meaning of the Administrative Procedure Act.”
Plaintiffs also ask the court to set aside the CFPB’s proposed rule in its entirety for now and declare that the CFPB’s prohibition on access fees exceeds the agency’s statutory authority.
