ARTICLE
1 November 2024

Banks Find Little Solace In CFPB Rule, But It Could Be Worse

CW
Cadwalader, Wickersham & Taft LLP

Contributor

Cadwalader, established in 1792, serves a diverse client base, including many of the world's leading financial institutions, funds and corporations. With offices in the United States and Europe, Cadwalader offers legal representation in antitrust, banking, corporate finance, corporate governance, executive compensation, financial restructuring, intellectual property, litigation, mergers and acquisitions, private equity, private wealth, real estate, regulation, securitization, structured finance, tax and white collar defense.
The Consumer Financial Protection Bureau is confident that newcomer fintechs have built a better mousetrap for consumers to manage their day-to-day finances, as compared to the banks and credit unions that have been.
United States Kentucky Finance and Banking

The Consumer Financial Protection Bureau is confident that newcomer fintechs have built a better mousetrap for consumers to manage their day-to-day finances, as compared to the banks and credit unions that have been serving consumers for many years.

The CFPB's new Personal Financial Data Rights rule, also known as the "open banking" rule, creates a primrose path for consumers to authorize non-banks to access their transactional and account data in search of "better rates and service on bank accounts, credit cards, and more," as Director Rohit Chopra said. "Americans are stuck in financial products with lousy rates and service" offered by traditional providers of financial services, he said.

In return for providing access to this data, banks and credit unions are prohibited from charging fees and are subject to a raft of hyper-technical compliance obligations—to be enforced by the CFPB—and must accept liability more times than not if unauthorized transactions or identity theft occur as a result of the data transfer.

If ever there were a winter of discontent in consumer banking, this rule would seem to be the reason. However, the final open banking rule did make some important changes over the proposed rule.

First, the CFPB agreed that banks have privacy and security requirements to meet under several other laws and regulations. The rule was revised to allow them to meet those requirements and not be found in violation of this new rule.

This point mostly alleviates concerns that banks were going to need to choose the lesser of two evils—maintaining safety and soundness by protecting data, or complying with the CFPB's rule.

Second, the proposed rule required the largest banks to comply with the rule within six months of publication; smaller banks and credit unions had more time to comply. But now the largest banks have until April 2026 to comply, and the smallest banks and credit unions that are subject to the rule (banks with less than $850 million in assets are fully exempt) won't need to comply until April 2030.

While it's more likely that the largest banks could achieve compliance with the extra year, the CFPB continues to underestimate the complexity of the systems the largest banks maintain and how that complexity means that the largest banks probably need more time than others that have much simpler systems.

Third, the CFPB provided a crucial clarification, indicating that when banks or credit unions provide this data, they aren't acting as a "furnisher" for purposes of the Fair Credit Reporting Act. The FCRA, which allows for private rights of action, imposes a high level of additional obligations on parties that are deemed to be furnishers of data.

Finally, the new rule arms banks with arguments to forbid screen-scraping of their sites, a technology that allows third parties (such as companies selling consumer financial management tools or investment brokers who import information to provide net worth information) to directly access consumer online bank accounts by using individuals' online credentials.

While screen-scraping has allowed consumers to share information about their accounts with third parties, the technology presents a high level of security risk.

Those are the only bright spots for traditional banks and credit unions throughout the 594-page Federal Register notice announcing the final rule. The rule illustrates the CFPB's skepticism about banks and credit unions, but one wonders exactly which fintechs and non-banks the CFPB thinks will be so much better for consumers.

After all, one day after this rule was published, the CFPB announced an enforcement action against both Apple and Goldman Sachs for the Apple credit card—highlighting that the card was rolled out even though some systems weren't ready, just because Apple had the market power to penalize Goldman Sachs $25 million for missing the rollout deadline.

Meanwhile, this summer, Synapse Financial, a middleware provider for fintechs (exactly the kind of company that will be acting as an authorized third party under the Open Banking Rule), went bankrupt, causing their fintech customers to lose track of the deposit amounts that belonged to their consumers—some of whom three months later still haven't been given access to their funds.

This spooked the prudential banking regulators, and led to the introduction of multiple new rules designed to address the risks of non-banks being so closely involved in our financial system.

And, while Chopra decried the Synapse fiasco, there is little evidence of changes to the open banking rule to indicate the CFPB understands that harms to consumers like those affected by Synapse are much more likely as more consumers migrate to untested, unregulated fintechs from banks and credit unions.

The Bank Policy Institute, a trade association representing the banking industry, already filed a lawsuit against the CFPB, along with Forcht Bank, N.A. and the Kentucky Bankers Association. The suit alleges the final rule will "impede banks' ability to protect consumers, stifle growth and innovation in open banking, and increase risks to consumers' deposits and data."

While the final rule improved the proposed rule, there are still some significant problems, with uncertain legal challenges and implementation. Meanwhile, unless the Eastern District Court of Kentucky issues injunctive relief against the rule's provisions soon, banks and credit unions should start figuring out how to comply now.

Originally published by Bloomberg Law

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Find out more and explore further thought leadership around Finance Law and Banking Law

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More