The Bank Policy Institute and Kentucky Bankers Association filed a lawsuit against the Consumer Financial Protection Bureau (CFPB), challenging aspects of the agency’s rulemaking under Section 1033 of the Dodd-Frank Act, which was developed in order to govern how consumers access their financial data and how that data is protected.
The lawsuit was filed in the US District Court in Lexington, KY, asserting that the CFPB overstepped its statutory authority and finalised a rule that jeopardises consumers’ privacy, financial data, and overall account security.
The lawsuit raises several key concerns with the CFPB rule, including that it requires no oversight of third parties that use bank customer data: the entire responsibility for protecting clients is left to banks, while the CFPB takes no accountability for the oversight or supervision of data recipients. The lawsuit also argues that the rule increases the likelihood of fraud and scams by failing to address weak safeguarding practices, especially in the absence of proper oversight and supervision of aggregators and third parties. Exposure of account and routing numbers, along with transaction data, could give fraudsters all the details they need to initiate unauthorised transfers and engage in other malicious activities.
Many data aggregators continue to rely on unsafe practices such as screen scraping to obtain account and transaction data, often collecting more information than is required to offer a core product. The CFPB has taken no concrete action to prohibit screen scraping or other unsafe practices, leaving banks limited in their ability to address this risk and protect their users.
According to the press release, the rule also fails to hold third parties accountable, while allowing them to profit at no cost from systems built and maintained by banks. In addition, while the final rule provides a longer compliance runway, the new compliance deadline is not tied to the promulgation of any consensus standards that will become the industry’s default standards for compliance under the rule. Until such standards are promulgated, any steps data providers take toward compliance risk being wasted if they have to be unwound, and the work may have to be redone to adapt to standards that are adopted later.