InfoBytes Blog
Banking groups seek to halt CFPB’s 1033 rule
On October 23, one bank and two banking industry groups challenged the CFPB’s 1033 Rule, which would require banks to share sensitive customer data, such as transaction history, account balances, and account and routing numbers, with third parties through application programming interfaces (APIs). The lawsuit was filed in the U.S. District Court for the Eastern District of Kentucky and sought both declaratory and injunctive relief.
The plaintiffs alleged the CFPB exceeded its statutory authority under the Dodd-Frank Act by requiring banks to provide customer financial information to third parties without proper authorization from Congress. They claimed that Section 1033 of Dodd-Frank, which the CFPB cites as its authority, only requires banks to provide information to consumers and to their agents, trustees, and representatives, and not to third parties. Plaintiffs asserted that the rule unlawfully expands the definition of “consumer” to include innumerable, as-yet unidentified third-party entities with unknown credentials or security protocols and no special relationship to the consumer, an expansion they said is not supported by the statutory language.
Additionally, plaintiffs contended the rule imposes significant compliance costs on banks, including the development and maintenance of APIs, and increases security risks by mandating the sharing of sensitive financial data with less-regulated third parties. They averred this could lead to unauthorized access and misuse of customer data, as these third parties may not have the same level of security and regulatory oversight as banks. Further, the complaint highlighted data breaches at fintech companies, underscoring the potential risks to consumers.
The plaintiffs also claimed the 1033 rule would be arbitrary and capricious because it fails to adequately address the security concerns associated with sharing sensitive financial data. They argued that the CFPB did not provide a sufficient rationale for its decision and ignored the substantial risks and costs identified by industry stakeholders during the rulemaking process. Furthermore, the plaintiffs asserted the rule’s compliance deadlines are “unrealistic” and do not account for the time needed to develop and implement the required APIs.