
Banks want liability risk clarified in CFPB’s open banking rule

Consumer Financial Protection Bureau (CFPB) headquarters in Washington, DC, USA, Saturday, April 16, 2022. Credit reporting company TransUnion is an “out of control” repeat offender that engages in “deceptive” marketing practices CFPB alleged this week after filing a lawsuit. Photographer: Samuel Corum/Bloomberg

Bloomberg News

Bankers are concerned that the Consumer Financial Protection Bureau’s proposed open banking rule isn’t clear enough about whether banks or third-party service providers will be held liable for data breaches or fraudulent transactions, and fear they’ll be forced to reimburse consumers for the errors that are not their fault.

As financial institutions prepare to implement the CFPB’s open banking rule, which is expected to be finalized in October, banks are trying to figure out how to manage third-party risk, a tall order in an ecosystem full of data and a burgeoning industry of upstarts calling themselves financial technology providers.

The CFPB is expected to complete its 1033 open banking proposal in October, giving consumers the legal right to give third parties access to their banking data. The bureau’s plan — authorized by Section 1033 of the Consumer Financial Protection Act of 2010 — will require banks to hand over sensitive transaction data on checking accounts, prepaid cards, credit cards and digital wallets to competitors.

Some experts believe Rule 1033 will empower community banks and fintechs to better compete with big banks and reshape how consumers use their personal financial data. But the window of time is closing for banks to get their message across about the difficulties of 1033 implementation.

“It would be helpful if the industry knew what to expect with liability and how it would be allocated, but the proposal doesn’t have that,” said Brian Fritzsche, vice president and associate general counsel at the Consumer Bankers Association. “It’s like hitting a blindfolded moving target.”

While the move to open banking is expected to increase competition for financial products and services, banks are raising alarms about specific problems with the CFPB’s proposal that they believe need to be fleshed out in a final rule. Banks’ liability is not addressed with sufficient specificity to ensure that it is apportioned fairly and generally “follows the data”. As major data providers, banks want the CFPB to allow data providers to deny access to third parties and data aggregators based on risk management concerns.

“When you have these other parties, is there liability between the parties? If a data aggregator suffers a data breach, should there be some kind of liability to the data provider if a consumer has been harmed?” asked Fritzsche.

Banks do not want to be held liable for incidents such as data breaches that occur after data has left a bank’s control. Banks generally want each entity to be responsible for – and be required to indemnify other entities for – losses resulting from unauthorized transactions, damages resulting from data breaches or other issues. Assigning shared responsibility would provide an incentive for third parties to implement and maintain robust data security programs.

Bradley Wallace, chief compliance officer at core processor CSI, said existing regulations make it clear that banks are able to supervise third parties.

“It was made clear in the third-party risk management guidance that the financial institution is ultimately responsible for the data, and the only way to mitigate the risk of liability is to have strict due diligence,” Wallace said. He advises companies to have their boards and senior management review the interagency guidance on third-party risk.

In a recent quarterly compliance call with 400 community bank representatives to discuss the CFPB’s 1033 final rule, Wallace said he found “glaring deficiencies” in banks that do not have adequate risk management processes.

Many small community banks have executives who wear “a lot of different hats,” he said, and need to understand what the market is doing, including “learning the 1033 jargon.” That includes being able to explain to boards how the rule applies, how it works and how it is implemented.

“They should be able to define what an API means to management, industry business partners, and then make sure they develop a solid risk assessment and vendor due diligence program to ask the right questions of third parties,” Wallace said.

Third-party data sharing is already widely used for a range of banking activities, including paying bills, sending money, getting a loan, paying taxes and investing. But not all payment methods and systems have the same consumer liability rules or risks. The CFPB’s 1033 proposal states that the current liability framework should be similar to the regulations implementing the Electronic Funds Transfer Act and the Truth in Lending Act. The bureau also refers in its proposal to bilateral contracts between companies.

But Fritzsche said banks want clear rules of liability and indemnification to ensure they don’t bear additional risks or costs that can arise when a third-party provider fails to protect or misuses data after receiving a consumer’s instructions.

In addition, banks face more than just a technical challenge in providing the data consumers demand. The largest banks, which must implement 1033 within six months of a rule taking effect, are currently in the process of building internal systems to automatically respond to requests for information.

Jim McCarthy, a former CFPB official and president of McCarthy-Hatch, a risk and compliance firm, said the bureau is already testing banks’ readiness to provide consumer data. McCarthy said he has a theory about how the CFPB uses consumer complaints to make sure banks respond to data requests.

Earlier this year, the CFPB added two data points to its non-public complaint form, asking consumers whether they requested information from their bank and whether they received all the data in a timely manner.

“They’re using the request for information to determine banks’ 1033 readiness,” McCarthy said. “If they find that banks don’t have the ability to identify and respond to requests for information, that would be an example of an absolutely huge increase that a bank, especially (the largest) banks, will have to implement 1033.”

McCarthy, whose firm examines consumer communications with individual banks, said it found that each of the top banks had “a massive shortfall in responding to requests for information in accordance with the rule’s guidance.”

“It’s a big deal and it’s going to be a big increase,” he added.

The massive scope and technological complexity of the rule has led the CFPB to break it down into at least two parts so far. In June, the bureau completed part of its open banking rule, which established criteria for recognizing organizations that set technology standards. The bureau has made references in notices and its unified order to subsequent rules.

Banks and some data aggregators have asked the CFPB for an extended two-year deadline to comply with the final rule on the rights to personal financial data.

So far, however, the CFPB is taking a cascading approach to implementation. Banks with at least $500 billion in assets and non-banks with at least $10 billion in assets must comply within six months. Banks with between $50 billion and $500 billion in assets and all other nonbanks have one year to comply. Banks with $850 million to $50 billion in assets have two and a half years, while the smallest depositories have four years to comply.

The timing of the rule’s implementation is also important because banks have asked the CFPB to initiate a larger participant rule that would bring the largest data aggregators under the bureau’s oversight.

“Who’s going to review and oversee those entities to make sure they’re in compliance?” asked Fritzsche.

Wallace sees open banking as an opportunity for community banks to offer better products and services.

“Community banks now have the ability to compete head-to-head with the data-collecting big boys that they’ve held hostage for many years,” Wallace said. “I think community banks will gain far more customers than they will ever lose from open banking, which is the door to giving them the right technology and consumer information.”
