The Reversal of the CFPB’s Section 1033 Is a Win for Consumer Privacy
Dan Savickas
July 24, 2025
At the end of May, the Consumer Financial Protection Bureau (CFPB) decided it would scrap its Section 1033 rule on consumer data sharing, colloquially known as the “Open Banking” rule. While well-intentioned, the rule introduced onerous compliance costs and, more importantly, created significant security gaps that eroded users’ data privacy. Reversing course on this rule is a step in the right direction as the agency tries to right its troubled regulatory history.
The rule is the reckless result of the CFPB’s attempt to implement Section 1033 of the Dodd-Frank Act. This provision mandated the agency allow consumers to obtain “transaction data and other information concerning a consumer financial product or service that the consumer obtained from” banks. The rationale behind the law and the rule is that, if consumers have easier access to their financial data through a standardized format, it would be easier for them to take their business to a competing institution. This would, in theory, make it easier for different financial institutions to compete with each other.
But, in the realm of regulatory overreach, theory seldom resembles reality. Studies demonstrate that the rule implemented by the CFPB lacked significant privacy protections for consumers, leaving them exposed to increased risks of privacy breaches and making them more susceptible to fraud and theft.
In practice, large data aggregators have abused the implementation of this rule to put consumer data at risk. The aggregators have built their business model off of accessing this open data for free, then turning around and charging others for the use of their trove. Further, it has been noted that 90 percent of data requests from these aggregators are in circumstances where there is no consumer request. Millions of Americans are unaware of how frequently their data is being accessed by third parties and why.
Some have attempted to construe this change as an attempt to bar access to cryptocurrencies and digital wallets. Nothing could be further from the truth. Repealing the rule will stop the aforementioned over-collection of consumer data. It will ensure that data aggregators will pull this data only as much as they need to, trimming down the excessive pulls without a consumer request. Customers will still be able to access their digital wallets and aggregators will be able to pull their info when they seek to do so.
Another major drawback of the rule was its redundancy with current industry-led efforts, such as the Financial Data Exchange, a privately led standards-setting body that aims to create a safe, secure, and free technical standard for financial institutions to transfer financial data. This standard would allow users, if they desired, to transfer their financial data between institutions in a safe and efficient way with little cost to any of the institutions involved.
The CFPB rule tried to accelerate the adoption of a common standardized format for the seamless exchange of consumer information. In doing so, it established a draconian top-down rule framework. That system imposed needless costs on financial institutions and created unnecessary risks. It failed to address how to safeguard consumers from additional surveillance and data collection from financial institutions.
Unlike voluntary standard-setting bodies, taxpayer-funded bureaucracies tend to be rigid and often push companies to comply with requirements even when regulators acknowledge it is to the detriment of consumers and their businesses. With private standard-setting bodies, institutions have the freedom to opt in and out as they wish and can quickly address any grievances or oversights because they are not subject to the same political constraints that accompany an institution such as the CFPB.
The CFPB made the right call in pulling back its Section 1033 rule. Consumer data is safer as a result. As the agency mulls any potential future implementation of the rule (barring any changes to the Dodd-Frank Act), it should try to apply some of the lessons learnt from this first bungled attempt. Instead of trying to establish its own set of top-down and inflexible rules, the agency should look to empower existing private sector standardization efforts. In essence, let the market decide. This approach would ensure compliance with the Dodd-Frank Act without compromising user safety and privacy.