CFPB faces call for tougher approach to consumer financial data security

Ellie Duncan
04 Jan 2024

The Consumer Financial Protection Bureau’s (CFPB’s) proposed Open Banking rule “does not go far enough” to protect sensitive consumer financial data or to require data recipients to comply, two US associations have claimed.

The Clearing House Association and Bank Policy Institute (BPI) have written to the CFPB with their recommendations in response to the proposed Personal Financial Data Rights rule, which intends to clamp down on “risky” practices, such as screen scraping.

Under the rule, individuals in the US would be able to share data about their use of checking and prepaid accounts, credit cards, and digital wallets, and to access competing products and services, without their data being collected, used, or retained to “serve commercial interests over their own”.

In their joint letter, the associations wrote: “Our members welcome the competition brought about by innovative financial technology firms and are prepared to support the ability of bank customers to connect their bank accounts to the third-party apps of their choice, but such competition cannot come at the expense of data security.

“It is critical that consumers’ personal and financial information remains secure when it is shared between financial institutions and third parties and when it is stored outside of the financial institution.”

The Clearing House Association and BPI have jointly called for a screen scraping ban, which would come into effect once a data provider has made a developer interface available, and for strengthened consumer protections. Specifically, they want the requirements related to consumer authorisation and the permissible uses of consumer data under the CFPB’s rule to apply to all third parties and data aggregators in the ecosystem, and to all data.

Among the associations’ other recommendations are that the CFPB impose “unambiguous” regulatory requirements and supervise for compliance, and that it make aggregators and other data recipients liable for unauthorised transactions, or for failing to protect consumer data once data is within their possession.

Another of the associations’ recommendations is around compensation – specifically, that data providers should be allowed to receive compensation from third parties to recover their “commercially reasonable” costs and a margin to cover the cost of enabling data sharing.

The Clearing House Association and BPI also argue that the CFPB’s final rule, which is expected in 2024, should “continue to recognize that a standard-setting body is best positioned to develop a standardized format for data sharing”.

The CFPB unveiled its proposal for a Personal Financial Data Rights rule in October last year.

At the time, Rohit Chopra, CFPB director, said that it would “give consumers the power to walk away from bad service and choose the financial institutions that offer the best products and prices”.