Bank Policy Institute

10/26/2024 | Press release | Distributed by Public on 10/26/2024 06:17

BPInsights: Oct. 26, 2024

Banks Challenge CFPB Rule That Jeopardizes Security and Privacy of Consumer Financial Data

The Bank Policy Institute and Kentucky Bankers Association filed a lawsuit this week against the Consumer Financial Protection Bureau challenging aspects of the agency's rulemaking under Section 1033 of the Dodd-Frank Act, which governs how consumers access their financial data and how that data is protected. The lawsuit, filed in U.S. District Court in Lexington, KY, asserts that the CFPB overstepped its statutory authority and finalized a rule that jeopardizes consumers' privacy, financial data and account security.

"BPI supports a competitive marketplace where consumers control how their personal financial data is used and with whom it is shared, so long as their data remains protected. Unfortunately, the CFPB delivered a rule that treats sensitive financial data with as little care as a consumer's web browsing history. If left unchallenged, technology companies subject to little to no oversight will have access to very sensitive information, like how much is in your account and where you spend your money. Banks have a responsibility to protect customers and their data, and this rule compromises these responsibilities, putting bank customers at risk." - Greg Baer, BPI President & CEO

"The CFPB's 1033 rulemaking jeopardizes the safety and soundness of our banking system and fails to protect consumer data. We are challenging the CFPB to ensure that banks can continue to protect their consumers and the integrity of the financial system in a safe and sound manner." - Ballard W. Cassady, Jr., Kentucky Bankers Association President & CEO

The lawsuit raises several key concerns with the CFPB rule:

  • It requires no oversight of third parties using bank customer data. The Treasury Department issued a report in 2022 finding that "…there is virtually no regulatory oversight of data aggregators' storage of consumer financial information akin to the supervision of [banks'] data security." The entire responsibility of protecting customers is left to banks under the final rule, while the CFPB takes no accountability for the oversight or supervision of data recipients. Mandating data sharing without requiring third parties to sufficiently protect that data will undermine existing consumer protection laws.
  • It increases the likelihood of fraud and scams by failing to address weak safeguarding practices. Without proper oversight and supervision of aggregators and third parties, the chances rise of bad actors gaining access to data from third-party entities with weak security practices. Exposure to account and routing numbers, along with transaction data, could provide fraudsters with all the details they need to initiate unauthorized transfers and engage in other malicious activities.
  • Screen scraping and other unsafe practices are allowed to persist. Many data aggregators continue to rely on unsafe practices such as screen scraping to obtain account and transaction data, often collecting more information than is needed to offer a core product or service. The CFPB has taken no concrete action to prohibit screen scraping and banks would remain limited in their abilities to address this risk and protect their customers.
  • It fails to hold third parties accountable. When a customer authorizes their data to be shared, the data recipient has an obligation to protect the data and provide the customer with basic customer service when problems arise. Third parties' use and protection of sensitive consumer data is outside of banks' control, leaving banks unable to protect their customers from data breaches at third-party companies and fraud that may result from these breaches.
  • It allows third parties to profit, at no cost, from systems built and maintained by banks. Technology costs are a significant expenditure for every major company in America, and banks have invested billions of dollars in building systems to protect consumers' data and information and have earned customers' trust accordingly. Banks should be able to charge third parties who seek access to that sensitive data, just as companies charge one another for products and services routinely in the marketplace. These practices are consistent with developer access offered by Google, Apple, Facebook and other major U.S. companies.
  • It imposes an unreasonable implementation timeline. While the final rule seemingly provides a longer compliance runway, the new compliance deadline is not tied to the promulgation of any consensus standards that will naturally become the industry's default standard for compliance under the rule. But banks cannot build toward compliance with standards that do not exist. Until such standards are promulgated, any steps data providers take toward compliance come with the substantial risk of being wasted in the event that they must unwind and redo that work to adapt to standards that are later adopted.

Banks support a regulatory framework that fosters competition and safeguards consumer interests. The industry's goal is to achieve a resolution that sufficiently protects bank customers' privacy, data security and control over their personal financial information.

To access a copy of the complaint, please click here.

Five Key Things

1. Correcting the Record on the CFPB's Open Banking Rule

Consumer Financial Protection Bureau Director Rohit Chopra made several appearances this week to announce the release of the Bureau's latest rulemaking, known as Section 1033. The rule governs how consumers access their financial data and how that data is protected. The Director made several statements in his remarks that warrant clarification. For example:

Director Chopra: "[T]he rule also strengthens protections by accelerating the shift away from the industry practice known as 'screen scraping.'" … "By moving things to more secure sharing, we are going to be able to sunset this practice of screen scraping…"

FACT: There is nothing in the rule that would "sunset" the practice of screen scraping. The CFPB suggests in the preamble that it could regulate screen scraping in the future under its existing authority; however, the final rule does nothing to legally prohibit screen scraping practices. Many data aggregators will continue to rely on unsafe practices such as screen scraping to obtain account and transaction data, often collecting and retaining more information than is needed to offer a desired product or service.

Get the facts on Director Chopra's statements here.

2. Chopra Signals Opposition to Reproposing Basel Rule

CFPB Director and FDIC board member Rohit Chopra this week indicated opposition to a reproposal of the Basel capital rule, a stance that has previously been reported in media articles citing deadlock on the FDIC board. "It's very important that the United States finalize this as quickly as possible," Chopra said this week in a POLITICO interview.

3. Hsu Backs Federal Payments Oversight

Acting Comptroller Michael Hsu expressed support for a federal payments oversight regime this week in comments at the D.C. Fintech Week conference. "We do not have a federal payments, e-money payments, regime charter that other countries have," he said. Hsu said such a framework "would be better fit for purposes today." The notion of a federal payments oversight entity was floated by senior Treasury official Nellie Liang in a recent speech. Hsu described a "regulatory gap" in the oversight of banking services provided by nonbanks, such as collapsed fintech Synapse. Too many fintechs operating in the financial services "supply chain" are "not well-regulated" and need federal oversight, Hsu said.

4. Op-Ed: State Efforts to Set Rules for National Banks Are a Dangerous Trend

A uniform set of rules for nationally chartered banks enables efficiency that benefits consumers, businesses and the economy. But a "troubling threat to this system is emerging in both red and blue states across the country," former Comptrollers of the Currency Eugene Ludwig and John Dugan wrote in a recent American Banker op-ed. For example, Illinois and Florida are requiring national banks to comply with new state rules that appear to undermine the principle of national bank preemption. "These measures ignore the fact that, historically, national banks could operate in these states under clear national rules while state-chartered banks could abide by their respective state rules," the former comptrollers wrote. They provide context about the origin of national bank preemption as a solution to decades of banking chaos "resulting in part from weak supervision and conflicting state laws." They also point to the "balkanization" of Europe's banking market, which the European Union is now trying to reverse.

  • Bottom line: The two former comptrollers applauded the current OCC for its recent defense of national bank preemption in a legal case in Illinois challenging a state interchange law. "The bottom line is that attempts by states to deprive national banks, consumers and businesses of a uniform set of standards and practices is anti-free market, anti-consumer and contrary to the safe and sound operation of national banks," Ludwig and Dugan wrote. "To allow these state practices to stand will undercut the safety of America's banking system and hurt American businesses and consumers. We should all thank acting Comptroller Hsu and the OCC for drawing the line in Illinois and defending a national banking system that works for all of us."

5. 'Are We There Yet?' A Quick Look at the NY Fed's New Tool for Reserves Monitoring

On Oct. 17, the New York Fed announced that it will be providing the public with a new tool to help predict when quantitative tightening will end. The Fed is shrinking its portfolio of securities by allowing about $40 billion a month to mature without replacement. As the Fed's assets shrink, its liabilities shrink too. The Fed plans to continue to shrink until one of those liabilities - reserve balances, the deposits of banks at Federal Reserve Banks - approaches the level that banks wish to hold to meet their clearing and liquidity risk management needs. The Fed refers to the supply of reserves near banks' structural demand as "ample" and supply above that level as "abundant". QT will stop when reserves are "ample."

The New York Fed's metric - the Reserve Demand Elasticity measure - is designed to be a barometer of how close reserve balances are to the structural demand of banks. Specifically, it uses high-frequency data to estimate how sensitive the federal funds rate - the unsecured interbank lending rate - is to changes in reserve balances. The idea is that as reserve supply starts getting tight, banks will not lend them to each other without some compensation in terms of a slightly higher fed funds rate. The measure fell in advance of September 2019, when the last round of QT ended in a severe episode of turmoil in money markets.

The challenge for the Fed is that they do not know where the structural demand is, they are approaching it from above, and they want to stop before they get there. This new measure, which will be produced monthly, is intended to help them, and the public, estimate how close they are. It will, of course, just be one of many measures that the Fed will monitor.

An added difficulty was demonstrated at the end of the third quarter when period-end shrinkage in broker-dealer balance sheets, which reduced the supply of repo funding, combined with the settlement of Treasury coupon securities, which increased the demand, drove repo rates sharply higher, and rates remained elevated for several days. The spike occurred even though banks have $3.2 trillion in reserve balances, roughly where they have been for a year, but banks still did not seem interested or able to shift into higher-yielding reverse repos. The episode calls into question the entire concept behind the Fed's plan, which is that reserve balances just sit idly on banks' balance sheets when they are more than "ample." In reality, banks choose to hold whatever level of reserves they have because they are using them to manage liquidity risk, in large part at the direction of their examiners.

In Case You Missed It

BPI's Baer Interviews Plaid CEO Zach Perret

BPI President and CEO Greg Baer interviewed Plaid CEO Zach Perret this week at the Philadelphia Fed's Eighth Annual Fintech Conference. The theme of the conversation was "Bolstering Privacy and Trust in the New Age of Open Banking." The two spoke on Wednesday, shortly after the CFPB unveiled its final Section 1033 rule earlier in the week. Here are some key exchanges.

  • What Plaid does: Perret gave an overview of what Plaid does: "We wanted to make it really simple to link your bank account to any application out there on the web," he said. He gave examples of new tools aiming to provide financial services to people who may have high income or good cash flow but not a long credit history.
  • Fraud: Baer also noted "the wave of fraud sweeping America," from check fraud to online fraud, and discussed with Perret how Plaid is combating that problem. Perret described Beacon, a fraud-fighting tool that Plaid is using to get a big-picture view across customers' various accounts and detect fraud in that context: "We have this really unique signal coming from all the fintech companies that really hasn't been collected," he said. "And then we've, of course, augmented that with tons of other kind of internal, actionable data points."
  • Screen scraping: Baer asked Perret if the company still uses screen scraping, an older and less secure method of gathering data, which is being phased out in favor of more secure APIs. "Ultimately, it really matters to us that any consumer at any bank is able to use fintech, able to use digital finance products," Perret said. "And so while we prefer APIs everywhere, sometimes we do still have to scrape, actually."
  • 1033: One question centered on the Section 1033 rule, which Baer noted applies only to banks above $850 million in assets who are largely already using APIs. Perret said the rule is basically a "formalization" of a digital financial ecosystem that already exists and thrives. "As with everything, there are opportunities for improvement," Perret said. "It will continue to evolve."

Fast Runs and Social Media: Takeaways from the FSB's Report on Lessons from 2023

The Financial Stability Board published a report this week outlining findings from assessments it made in the wake of the 2023 banking turmoil. The international regulatory organization focused in particular on depositor behavior, interest rate risk and liquidity. The report highlighted findings from efforts to assess global financial system vulnerabilities from the intersection of solvency and liquidity risks in a higher rate environment; to investigate the 2023 deposit runs, including the role of technology, social media and interest rates on depositor behavior; and to assess how technology use affects banks and authorities in a bank resolution.

  • Most vulnerable: The most vulnerable types of firms to a combination of solvency and liquidity risks are a weak subset of banks, life insurers and nonbank real estate investors, according to the report. The FSB is conducting further research to assess the specific vulnerabilities among these types of firms.
  • Also worth noting: A second group of entity types also appears vulnerable, to a lesser degree than the most susceptible types of firms. This group includes bond funds, highly leveraged hedge funds invested in fixed-income securities and private credit or equity funds facing delayed losses due to the infrequent valuations of their holdings, the report said.
  • Tech in bank runs: Technological advancements have facilitated an easier and faster transfer of deposits in recent years, and there is some evidence to suggest that social media influenced the recent bank runs, according to the report.
  • Policy takeaways: The report lays out several policy implications. For example, "central banks may need to be able to react much more quickly to deposit outflows, especially of uninsured deposits, than in the past. For example, banks could be encouraged to prepare in advance for quick access to existing central bank liquidity facilities in the event that they were to face a deposit run." Regulators and supervisors may also need to address run risk ahead of a crisis by focusing on certain liquidity and solvency vulnerabilities before outflows occur. "For example, supervisors may need to scrutinise and address at an early stage any banks with unsustainable business models, inadequate risk governance or other weaknesses that may make the bank prone to a confidence crisis. More work could also be done to manage vulnerabilities linked to deposit outflows, such as a high concentration of deposits, a large share of uninsured deposits, or unrealised losses that may prevent banks from using their assets to raise liquidity." The report also suggests regulators could monitor social media for signs of banking stress, while acknowledging its limitations. In addition, the report flags "data gaps" such as information about unrealized losses on banks' securities portfolios and uninsured deposits.
  • Looking ahead: It will be interesting to see what, if any, policy work the international standard setters are tasked with taking forward from this report.

The Crypto Ledger

Here's what's new in crypto.

  • Binance exec released: Tigran Gambaryan, head of financial crime compliance at Binance, was released by the Nigerian government after months of detention. Charges against the executive were dropped due to his poor health, according to Bloomberg.
  • Legislative view: Rep. Andy Barr (R-KY), a senior member of the House Financial Services Committee who is one of several candidates to succeed Chair Patrick McHenry (R-NC), said he would prioritize advancing the Financial Innovation and Technology for the 21st Century Act if he becomes chair of the Committee. He also said it was "disappointing" Congress did not override President Biden's veto of a bill to overturn the SEC's SAB 121 measure.
  • CFTC comments: CFTC Chair Rostin Behnam urged Congress at a conference this week to enact legislation clarifying crypto regulation.

Regions Announces Disaster Relief Grants Helping Communities Affected by Hurricane Milton

Regions Bank recently announced a series of disaster recovery grants totaling $200,000 to support communities affected by Hurricane Milton. The grants will be made by the Regions Foundation, and the bank is also offering special banking services for people and businesses affected by the storm.
