The Consumer Financial Protection Bureau (CFPB) recently issued a final rule implementing section 1033 of the Dodd-Frank Act, which promises to give consumers more control of their financial data.
Almost immediately upon release of the rule, the Bank Policy Institute – an association representing the nation’s largest banks – filed a lawsuit in Kentucky to stop the implementation of the rule. The lawsuit alleges that:
- The bureau exceeded its statutory authority by requiring banks to provide their customers’ financial data to third parties like fintech companies and data aggregators.
- The bureau designed the rule in a way that substantially increases security risk to consumers.
- The rule requires banks to document third-party security practices and regulatory compliance, delegating regulatory authority to the banks in an illegal way.
- The rule imposes a compliance timeline that is “fundamentally incompatible with its dependence on standard setters to determine rules for compliance.”
- The rule oversteps in its prohibition of banks from charging fees to fintech companies and data aggregators for the transmission of the data.
IBAT has been outspoken in raising concerns about the “open banking” rules over the last year. IBAT pushed for an exemption for banks with less than $1 billion in assets citing the operational challenges and lack of discernible benefit for the nation’s smallest banks. The final rule exempted banks with less than $850 million in assets.
“When you haven’t had a bite of bread in four years, half a loaf looks pretty good,” said IBAT President and CEO Christopher Williston. “The proposed rule, released in 2023, had no exemptions and a maximum compliance date of four years for the smallest banks,” Williston added. “We have to celebrate that years of pushback and lawsuits against the bureau have led it to take seriously its requirement under the law to tailor rules to banks of various sizes.”
IBAT will continue to push back against the rule on legal, legislative and public relations fronts.
