Banks say CFPB’s data access rule ratchets up liability risks    

March 06, 2023 Windstream Enterprise 6 min

Editor’s Note: Nonbank financial firms offering services like buy now/pay later are proliferating as is the popularity of open banking, which allows for seamless sharing of customer data between institutions. To address concerns about fraud, the Consumer Financial Protection Bureau is crafting a rule that addresses how consumers can control their own financial data.

Your financial institution must pay close attention to the consumer data that it handles, especially as data protection scrutiny is only likely to increase in the coming years. The exciting potential of digital upgrades in the financial industry can be a double-edged sword if you aren’t doing what is necessary to keep your sensitive data and systems safe.


Amid preparations for a new Consumer Financial Protection Bureau rule to address how financial institutions make data available to consumers, banks and credit unions are voicing their concern about its effects on security, liability and competition.

Banks and credit unions are raising concerns about data security risks and oversight of third-party partners as the Consumer Financial Protection Bureau crafts rules around how much control consumers have over their own financial data.

The CFPB is in the midst of writing a rule that will determine how financial institutions make data available to consumers on request. Banks say the rule could create an uneven playing field because financial firms are supervised and examined by regulators for compliance with consumer protection laws while hundreds of large technology and nonbank fintechs are not. The explosive growth of data aggregation services has created risks for consumers that could result in uneven enforcement.

“Nonbanks are increasingly providing financial products and services, yet their activities are largely unsupervised by the Bureau,” said Brian Fritzsche, vice president and regulatory counsel at the Consumer Bankers Association.

Fritzsche and Shelley Thompson, CBA’s vice president and associate general counsel, wrote a comment letter stating that the CFPB “does not adequately oversee these nonbank participants even though they compose a significant, continuously growing segment of the market for consumer financial products and services.”

The 1033 rule—so named for the section of the Dodd-Frank Act that authorizes it—is viewed as one of the most important rulemakings that will be completed under CFPB Director Rohit Chopra. The bureau released an outline of its plan in October and is expected to issue a proposal later this year with a rule finalized in 2024.

Last year, eight bank trade groups petitioned the CFPB to define data aggregators as larger participants subject to regulatory supervision. Some experts think the bureau will issue a so-called larger participant rule before it completes its data-access rule, sometimes referred to as an “open banking rule.”

Bankers are concerned the rule appears to be one-sided and anti-competitive because it comes from the view that only banks hold data that consumers want.  

Though the language of the statute is focused on information about a consumer’s use of a product or service, bankers are concerned that the rule appears to be one-sided and anti-competitive because it comes from the view that only banks hold data that consumers want access to, with no requirements that nonbank financial firms such as mortgage lenders or buy now/pay later companies provide consumers the same data access to banks.

Ryan Miller, vice president of innovation policy at the American Bankers Association, wrote that “without regular and ongoing supervision of larger data aggregators and data recipients, implementation of Section 1033 will increase the risk of harm to consumers and competition.”

The CFPB listed more than 100 questions last year in an advance notice of proposed rulemaking that the final rule is supposed to answer, including: Does the consumer understand what is happening to their data? How can the consumer revoke access after initially consenting for their data to be used? And will the data be monetized for additional downstream uses?

Millions of consumers have already provided third-party firms access to their bank account transaction data that banks and credit unions say puts them in a bind. Although the Gramm-Leach-Bliley Act allows consumers to opt out of having their data shared, experts say consumers rarely read the small typeface buried in agreements with fintechs and data aggregators.

“Consumers should be given control over how much and what type of data they choose to share,” said Andrew Morris, senior counsel for research and policy at the National Association of Federally-Insured Credit Unions.

Consumers should know “exactly what data a third party will be requesting on their behalf, for what purpose it is being used [and] how frequently it will be accessed,” he said. Consumers also should be given information on how long their data will be stored, with whom it might be shared and under what conditions including how the consumer can exert any rights they may have if their data is lost or stolen, he said.

Rampant fraud in payments has forced banks and credit unions to sound the alarm about liability risk, but the CFPB’s 71-page outline makes no mention of liability.

Many banks and credit unions argue that liability should travel with data to ensure that third-party technology companies are responsible for any harm to consumers. 

Banks and others want the CFPB to create clear guidelines around which entity is responsible if a consumer suffers any loss or harm. Liability should travel with the data, many argue, to ensure that third-party technology companies are responsible for any crime, hack or other loss or harm to consumers.

“Data providers should not be required to make data available to any third party that is unwilling to accept liability for loss or harm that results after the data leaves the data provider’s portal,” said Paige Pidano Paridon, senior vice president and senior associate general counsel at the Bank Policy Institute.

Many experts agree that consumers have little or no understanding of the way bank account transaction data is accessed by scraping the information with a consumer’s login credentials. Some banks have eliminated screen scraping and now route all inquiries from third-party apps through a secure application programming interface, instead of allowing companies to collect data through screen-scraping.

The CFPB has suggested that it could set a specific date beyond which screen-scraping would be banned. But some experts suggest that cutting off screen-scraping would be problematic, akin to when the Federal Communications Commission in 2009 required televisions stations to switch from analog to digital-only transmission.

“Permissioned login approaches generally serve as a fallback option when a financial institution does not have an API, which is common for smaller institutions,” said Penny Lee, CEO of the Financial Technology Association.

Another bone of contention appears to be whether the CFPB has enough manpower to oversee data aggregators and other third parties. It is unclear if the CFPB has any mechanism to determine if third parties are abiding by a consumer’s specific request around data-sharing. In December, the CFPB announced that it planned to create a registry of nonbanks that have been subject to state or local orders or judgments to police lawbreakers. The CFPB also said last year that it will conduct supervisory exams of nonbank fintech companies that pose risks to consumers.

“Regulatory standards to discourage screen scraping can help mitigate fraud and account takeover risks,” Morris said. “The CFPB might explore regulatory incentives to abandon screen scraping and establish minimum data security standards for third parties.”

This article was written by Kate Berry from National Mortgage News and was legally licensed through the Industry Dive Content Marketplace. Please direct all licensing questions to

Work with a partner like Windstream Enterprise to defend your network.

Learn more

Key Takeaway
As the CFPB readies a proposal to implement a new data access rule for financial institutions, banks and credit unions are expressing concerns about how it will apply to third-party organizations.

Mortgage lenders should avoid the trap of old technology