Position
- ICBA supports responsible financial services innovation and urges policymakers to carefully consider the privacy, regulatory compliance burden, data security, and legal implications presented by permissioned third-party access to consumer bank accounts.
- The CFPB’s proposed implementation of Section 1033 should exempt community banks below $850 million in assets – those banks defined as small businesses by the SBA – from the requirement to create and maintain a third-party developer portal.
- Banks should be permitted to charge a reasonable fee for providing access to consumer information to third parties. This would permit banks to recoup some of the costs of creating a developer interface without leading to any cost to the consumer.
- The CFPB should create a list of third-party data recipients that it examines and supervises to ensure they are in compliance with the requirements of this rule, including the data security requirements. Data providers should be exempt from conducting third-party due diligence when sharing customer data with whitelisted third-party companies.
- ICBA strongly supports limiting the use, sharing, and storage of data to that which is authorized by the consumer. We believe the CFPB’s proposed rule is adequate in this regard.
- Data aggregators should be brought under the supervision of the CFPB, which would result in consumer protection compliance obligations and subject these entities to annual examinations. Furthermore, ICBA firmly asserts that liability should follow the custody of the data and that all costs associated with a breach or system intrusion should be borne by the entity that incurs the breach.
Background
Section 1033 of the Dodd-Frank Act gives consumers the right to access their financial records in electronic form. In 2023, the CFPB issued a proposed rule implementing Section 1033. This proposed rule requires banks of all sizes to create and maintain an API-enabled “developer portal” that third parties could use to access customer data – and prohibits banks from charging any fee associated with the creation or use of the portal. On the positive side, the proposed rule does impose limitations on third-party use of customer data and requires third parties to implement GLBA-equivalent data security requirements.
While the proposed rule imposes data security requirements on third parties, questions remain as to whether they will sufficiently comply with these requirements. If they do not, it could result in customer data being compromised, with blame and financial liability falling on the bank. Furthermore, we believe banks must be permitted to charge reasonable fees to third parties – who will financially benefit from access to customer data – in order to offset the significant costs of compliance with this rule.