The Consumer Financial Protection Bureau’s final open banking rule didn’t go a full day before facing a legal challenge from the banking industry Tuesday.

The Bank Policy Institute, the Kentucky Bankers Association and Lexington, Kentucky-based Forcht Bank filed a lawsuit Tuesday in the U.S. District Court for the Eastern District of Kentucky, charging the CFPB with overstepping its authority and asserting the rule would put consumers and the banking system at risk.

The CFPB declined to comment on the lawsuit Wednesday.

David Sewell, a partner and U.S. head of the financial services regulatory practice at law firm Freshfields, said the lawsuit “will be a really interesting test case,” since the open banking rule is one of the highest-profile and most controversial regulatory moves announced since the Supreme Court overturned the Chevron doctrine in June. 

That the lawsuit was filed in Kentucky, rather than in Washington, D.C., points to a “much greater willingness of the industry to sort of test what are perceived to be more friendly circuits and district courts and bring challenges there,” Sewell said.

The rule, rolled out Tuesday, is nearly 600 pages, and much of it seems to address comments the CFPB received during the rulemaking process – indicating the agency expected litigation and may have been trying to get ahead of it, Sewell said.

The rule requires financial institutions, credit card issuers and other firms to transfer personal financial data to other providers for free at the consumer’s request. That applies to data linked to bank accounts, credit cards, mobile wallets and payment apps. 

The CFPB argues the rule will give consumers greater control over their financial data by requiring banks to share deposit account and credit card data. The greater freedom of movement can stoke competition, enabling consumers to comparison-shop which, in turn, will prod providers into offering better products, the bureau said.

Consumer advocacy groups and fintech trade associations praised the requirement Tuesday, but banking industry groups such as the Consumer Bankers Association and the American Bankers Association blasted the rule, saying it “misses the mark” and “longstanding concerns about scope, liability, and cost remain largely unaddressed.”

The banking industry’s willingness to challenge financial services regulators has skyrocketed in recent years, and almost any rule of consequence is likely to be challenged at this point, particularly one as high-priority and potentially costly to the industry as the open banking rule, Sewell said.

One big concern on the part of banks is the liability question: Once data leaves a bank’s environment, will a consumer affected by a breach somewhere downstream look to blame the bank? It’s not hard to imagine class-action litigation, said Jonah Crane, a partner at financial services advisory firm Klaros Group. 

Sewell said he wasn’t surprised that banks didn’t get more liability protection in the final rule, since that’s an argument the bureau and its director, Rohit Chopra, haven’t seemed to display patience for. However, Sewell said he does see it as a meaningful risk for banks. 

Bank trade groups Tuesday were quick to note the potential data security issues they see with the requirement, if they’re forced to hand over sensitive customer data to any third party; it was a key issue flagged in the lawsuit. 

However, third-party oversight frameworks have been developed in other industries, such as healthcare, to address these downstream concerns, Crane noted, so there are likely solutions to such issues in the banking arena.

“It’s not a trivial challenge,” but it’s “not the kind of challenge we haven’t faced in other areas,” Crane said.

Industry rhetoric around open banking has been mostly around bank switching, but Crane said he “just [doesn’t] see that as the primary impact.”

“Open banking is really about allowing all those different solutions to be connected to each other in a way that makes it more seamless, and hopefully secure,” he said.

Interpretations around secondary use of data and consumer requests to delete it – and how far those extend – will be crucial, Crane said. 

Banks and credit unions with less than $850 million in assets are exempt from the rule. However, Crane expressed concern that that would leave them behind in the long run. 

If bank customers come to expect that their data can be made available, and small banks don’t take part because they’re not required to, those lenders could fall behind in “a new, unbundled world,” rather than figuring out how to survive in it, he said. 

“Banks have, for a long time, been kind of missing out on the opportunity side of this equation, and always seeing open banking as a threat rather than an opportunity,” he said. 

Crane expressed hope, though, that, as open banking standards are adopted across the industry, solutions will become available to small banks through their core providers.

By Caitlin Mullen on Oct 23, 2024
Original link