CFPB is Right to Acknowledge Legal Overreach of Section 1033 Rule

Last week, the Consumer Financial Protection Bureau (CFPB) announced that its “open banking” rule — also known as Section 1033 — is unlawful and “should be set aside.”

The rule was meant to increase consumers’ control of their financial data, but many critics, including 60 Plus, have warned from the start that it exposes banking customers to serious cybersecurity risks from unregulated international companies and data middlemen.

In its announcement, the CFPB acknowledged that the rule exceeded its legal authority and that the agency plans to file a motion for summary judgment as a result.

60 Plus applauds the CFPB’s announcement for recognizing what many in our association have known for some time: the rule, as written, would increase the risk of consumer data falling into the hands of fraudsters, with no clear accountability for who is liable in the event of a data breach.

Section 1033 also undermined the existing system that banks already have in place, which allows customers to safely and securely access and share their data.

Banking Data Exposure Rule Backgrounder

Section 1033 governs how consumers’ financial data is accessed and shared between banks and third parties. The Banking Data Exposure Rule, finalized under Section 1033 of the Dodd-Frank Act, was established to improve transparency and innovation within the financial sector. However, the rule failed to provide enough consumer protections, such as a ban on harmful data-sharing practices like screen scraping, leaving customers vulnerable to financial exploitation by third-party data middlemen.

The rule failed to provide any accountability measures for data middlemen in the event of data breaches or misuse, saddling consumers with the burden of bearing the risk and seeking resolution.

While the rule was meant to empower the consumer with greater access to their financial data and control over how it’s shared, the failure to include adequate guardrails for consumers added unnecessary risk to the system. Further, there wasn’t a successful mechanism to adequately educate consumers about the risks from this rule or grant them a say in how their data would be used.

Ultimately, this rule upends the landscape of secure banking data sharing by giving access to consumers’ financial data to unaccountable data middlemen under the guise of consumer empowerment.