The Business & Technology Network
Helping Business Interpret and Use Technology

Section 1033 May Fall Short of its Data Security and Open Banking Goals

DATE POSTED: March 3, 2025

There’s a rule of thumb in law that states that hard cases make bad law. The sentiment can be reworked a bit to extend to regulations, where bad policy translates into bad rule-making.

Much remains in flux when it comes to regulatory agencies — their staffing and what will happen to various enforcement and legal actions.

Section 1033, which is part of the Dodd-Frank Act and is being implemented through a final rule from the Consumer Financial Protection Bureau (CFPB) that was announced in October, took effect in January.

While the compliance timeline is staggered, stretching out over 2026 and 2027, the “open banking rule” may fall short of fomenting the data security and data sharing that is supposed to underpin new use cases and innovation in financial services. There’s an arguably unbalanced playing field among the financial services providers, such as banks and FinTechs, a fractious standards-setting process and a lack of economic incentive for data sharing.

Broadly speaking, Section 1033 mandates that consumers have the right to access their financial data and permission that data to be shared between their banks and third parties.

The Security Concerns

In the final rule, there’s mention of the fact that data sharing has traditionally relied on screen scraping, which collects data from websites.

“Screen scraping became a significant point of contention between third parties and data providers, in part due to its inherent risks, such as the proliferation of shared consumer credentials and overcollection of data,” the final rule stated. “Based on feedback received through public comments and stakeholder outreach, there is nearly universal consensus that safer forms of data access should supplant screen scraping.”

And yet, there is no explicit prohibition of the practice contained within the rule, which implies that scraping may still exist — and in fact, co-exist — alongside the consumer authorized sharing of financial data, done directly through APIs and connections between banks and FinTechs. In 2022, the Treasury Department stated that in assessing non-bank firms’ impact in consumer finance, “there is virtually no regulatory oversight of data aggregators’ storage of consumer financial information akin to the supervision of [insured depository institutions’] data security.”

The range of activities covered by 1033 is vast, touching on everything from checking and savings accounts (and the funds flowing in and out of those accounts via payments) to credit cards.

Banks, through the Bank Policy Institute and the Kentucky Bankers Association, filed a suit challenging 1033 as soon as it was announced by the CFPB.

In that suit, they contended that the financial services industry has seen strong results through “a private, market-based ‘consumer data sharing ecosystem’ in which members have been participating,” which stands in contrast to the “complicated, costly, and fundamentally insecure mandatory data-sharing framework” set in motion by the 1033 rule. The banks are tasked, the suit alleged, with overseeing third-party risk practices, without having the ability to curtail data sharing amid risk concerns.

“The CFPB has determined it would not be appropriate for this rule to impose a comprehensive approach to assigning liability among commercial entities or safe harbors from the requirements of EFTA and Regulation E or TILA and Regulation Z,” the rule stated, effectively leaving it up to the stakeholders to decide.

The Standards Setting and Economic ‘Skin in the Game’

Earlier this year, the CFPB recognized Financial Data Exchange (FDX) as a standard-setting body. The standards-setting process is focused on technical requirements (the actual formatting and transmission of data) but, per the banks, does not actually address legal and liability concerns.

The rule also prohibits the banks from levying any “fees or charges on a consumer or an authorized third party” for data access, and banks say they are effectively shouldering compliance costs for free. The final rule indicated that the fee “prohibition ensures that data providers do not inhibit consumers’ ability to access their data, authorize third parties to access their data, or choose which third parties to authorize to access their data.”

But charging for the data access would help offset the infrastructure/connectivity buildouts for the banks, while helping ensure FinTechs have some economic “skin in the game” as to how they use that data to innovate and digitize financial services — which is needed to keep pushing the rise of open banking.

In terms of uncertainty, there’s still a chance that Congress, through the Congressional Review Act (CRA), may set the machinery in motion to essentially kill the open banking rule, but set the stage for data sharing and liabilities (and economic models) to be revisited and refashioned.

The post Section 1033 May Fall Short of its Data Security and Open Banking Goals appeared first on PYMNTS.com.