US – Judge temporarily blocks CFPB open banking rule

A US judge has granted a preliminary injunction that temporarily blocks enforcement of the Consumer Financial Protection Bureau’s open banking rule, according to Finextra.

The US District Court for the Eastern District of Kentucky paused compliance deadlines for the Personal Financial Data Rights Rule after a lawsuit brought by local lender Forcht Bank, the Kentucky Bankers Association and the Bank Policy Institute.

The compliance deadlines would have required some financial institutions to be ready for the rule – designed to give Americans the right to instruct their banks to share their financial data with third party providers – by June 2026.

Now, the preliminary injunction prevents enforcement until the CFPB “has completed its reconsideration of the rule”.

Context

The Bank Policy Institute and Kentucky Bankers Association filed a lawsuit against the Consumer Financial Protection Bureau challenging aspects of the agency’s rulemaking under Section 1033 of the Dodd-Frank Act, which governs how consumers access their financial data and how that data is protected. „The lawsuit, filed in U.S. District Court in Lexington, KY asserts that the CFPB overstepped its statutory authority and finalized a rule that jeopardizes consumers’ privacy, financial data and account security.” – according to the press release.

“BPI supports a competitive marketplace where consumers control how their personal financial data is used and with whom it is shared, so long as their data remains protected. Unfortunately, the CFPB delivered a rule that treats sensitive financial data with as little care as a consumer’s web browsing history. If left unchallenged, technology companies subject to little to no oversight will have access to very sensitive information, like how much is in your account and where you spend your money. Banks have a responsibility to protect customers and their data, and this rule compromises these responsibilities, putting bank customers at risk.” — Greg Baer, BPI President & CEO.

“The CFPB’s 1033 rulemaking jeopardizes the safety and soundness of our banking system and fails to protect consumer data. We are challenging the CFPB to ensure that banks can continue to protect their consumers and the integrity of the financial system in a safe and sound manner.” — Ballard W. Cassady, Jr., Kentucky Bankers Association President & CEO.

The lawsuit raises several key concerns with the CFPB rule:

It requires no oversight of third parties using bank customer data. The Treasury Department issued a report in 2022 finding that “…there is virtually no regulatory oversight of data aggregators’ storage of consumer financial information akin to the supervision of [banks’] data security.” The entire responsibility of protecting customers is left to banks under the final rule, while the CFPB takes no accountability for the oversight or supervision of data recipients. Mandating data sharing without requiring third parties to sufficiently protect that data will undermine existing consumer protection laws.

It increases the likelihood of fraud and scams by failing to address weak safeguarding practices. Without proper oversight and supervision of aggregators and third parties, the chances rise of bad actors gaining access to data from third-party entities with weak security practices. Exposure to account and routing numbers, along with transaction data, could provide fraudsters with all the details they need to initiate unauthorized transfers and engage in other malicious activities.

Screen scraping and other unsafe practices are allowed to persist. Many data aggregators continue to rely on unsafe practices such as screen scraping to obtain account and transaction data, often collecting more information than is needed to offer a core product or service. The CFPB has taken no concrete action to prohibit screen scraping and banks would remain limited in their abilities to address this risk and protect their customers.

It fails to hold third parties accountable. When a customer authorizes their data to be shared, the data recipient has an obligation to protect the data and provide the customer with basic customer service when problems arise. Third parties’ use and protection of sensitive consumer data is outside of banks’ control, leaving banks unable to protect their customers from data breaches at third-party companies and fraud that may result from these breaches.

It allows third parties to profit, at no cost, from systems built and maintained by banks. Technology costs are a significant expenditure for every major company in America, and banks have invested billions of dollars in building systems to protect consumers’ data and information and have earned customers’ trust accordingly. Banks should be able to charge third parties who seek access to that sensitive data, just as companies charge one another for products and services routinely in the marketplace. These practices are consistent with developer access offered by Google, Apple, Facebook and other major U.S. companies.

It imposes an unreasonable implementation timeline. While the final rule seemingly provides a longer compliance runway, the new compliance deadline is not tied to the promulgation of any consensus standards that will naturally become the industry’s default standard for compliance under the rule. But banks cannot build toward compliance with standards that do not exist. Until such standards are promulgated, any steps data providers take toward compliance come with the substantial risk of being wasted in the event that they must unwind and redo that work to adapt to standards that are later adopted.

Banks support a regulatory framework that fosters competition and safeguards consumer interests. Our goal is to achieve a resolution that sufficiently protects bank customers’ privacy, data security and control over their personal financial information.

To access a copy of the complaint, please click here.