In a wild twist of fate, last week the Consumer Financial Protection Bureau (CFPB) filed a motion arguing that its own rule implementing Section 1033 of the Dodd-Frank Act violated the law and should be vacated.
In the brief, the bureau supported its argument with the following rationale:
- The rule mandates that data providers (including banks) share consumer financial data with “authorized third parties,” which goes beyond the scope of Section 1033. The law states that data must be shared with consumers.
- The rule prohibits data providers from charging fees to recover costs associated with maintaining required developer interfaces, even from third parties. Congress did not explicitly forbid fees in Section 1033.
- The bureau failed to consider cumulative risks to consumer data privacy and security posed by the extensive data sharing required by the rule – and limited banks’ ability to deny access to consumer information based on risk management concerns.
- Implementation dates were arbitrary and capricious because they failed to account for the development of consensus standards for data sharing.
The bureau asked that the rule be vacated in its entirety due to these fundamental legal flaws.
