Imagine a rule that forced banks to hand over your bank account credentials and sensitive transaction information to third parties with no guarantee of security, and all for free.
It’s no fantasy–this is exactly what the Biden CFPB attempted in its 2024 Open Banking rule. It would have sanctioned state-mandated data expropriation in the name of consumer empowerment.
The Biden-era Open Banking rule would have forced banks to hand over their data to any third-party that customers authorize, without compensation. The rule, based off section 1033 of the Wall Street Reform Act of 2010 (Dodd-Frank), was never intended to create an open banking regime. The law simply stated that banks had to make account information accessible to customers; it did not permit unfettered data-sharing with FinTechs and third-parties.
FinTechs such as Plaid, connect users’ bank accounts with applications that aggregate, visualize, and display data based on a user’s bank account information. These apps also track and manage spending or analyze brokerage accounts by accessing a customer’s bank account, exposing them to security risks.
To protect against data leaks, banks have invested heavily in infrastructure to safeguard data against bad actors. Banks have changed their approach to handling data in the interest of their customers. They transitioned from allowing third parties to screen-scrape data using customer login credentials to secure Applied Programming Interfaces (APIs).
Banks and FinTechs established bilateral agreements and partnerships on data pricing and data security safeguards to better serve their consumers. Regulators should not intervene in a market space characterized by competition and collaboration by uprooting private contracts.
The rule bodes ill for consumer privacy and data protection. Private sector efforts to protect consumers would have been undermined by the Biden Open Banking rule. FinTechs could harvest unlimited amounts of data for free without any liability for security failures. Since the Biden rule failed to comment on who would bear liability in the event of a data leak, banks could be left on the hook for third parties’ reckless negligence.
To offset the costs of maintaining API infrastructure capable of handling billions of data requests, it is likely that banks will raise prices on consumer services to compensate for the losses they would incur under the 1033 rule. FinTechs benefiting from 1033 already charge their consumers via subscriptions to use their services. If anyone should bear the cost of data access, it should be fintech users. Since not all bank customers use fintech applications, they should not be forced to shoulder their costs.
The Biden Open Banking rule represents a broader agenda to treat the financial sector like a public utility, subjecting it to compelled disclosures and price controls in the name of consumer empowerment. It forces banks to give away data for free and bear all the costs, explicit and implicit, to subsidize FinTechs. That is not consumer empowerment; that is pure rent seeking. Such a rule, if enacted, represents a blatant disregard for market incentives and contractual frameworks that allow modern finance to function.
Under the Trump administration, the CFPB chose to revisit the issue, inviting stakeholders to comment on a revised rulemaking considering the concerns raised by the original Biden-era rule.
The CFPB should end this ill-conceived experiment in open banking and move to rescind the rule in its entirety. Innovation should be the product of market actors, not Washington mandates.
