ICBA supports responsible financial services innovation and urges policymakers to carefully consider the privacy, regulatory compliance burden, data security, and legal implications presented by permissioned third-party access to consumer bank accounts.
We support the CFPB’s decision to exempt banks below $850 million in assets from the requirement to create and maintain an API-enabled developer interface.
Banks should be permitted to charge a reasonable fee for providing access to consumer information to third parties. This would permit banks to recoup some of the costs of creating a developer interface without leading to any cost to the consumer.
The CFPB should create a list of third-party data recipients that it examines and supervises to ensure they are in compliance with the requirements of this rule, including the data security requirements. Data providers should be exempt from conducting third-party due diligence when sharing customer data with whitelisted third-party companies.
ICBA strongly supports limiting the use, sharing, and storage of data to that which is authorized by the consumer. We believe the CFPB’s Section 1033 rule is adequate in this regard but that the Bureau must take an active role in supervision and enforcement to ensure the compliance of third-party companies.
Data aggregators should be brought under the supervision of the CFPB, which would result in consumer protection compliance obligations and subject these entities to annual examinations. Furthermore, ICBA firmly asserts that liability should follow the custody of the data and that all costs associated with a breach or system intrusion should be borne by the entity that incurs the breach.
ICBA supports the rule’s approach of allowing industry standard-setting bodies to set technical standards for developer interfaces and will play an active role in standard-setting.
Section 1033 of the Dodd-Frank Act gives consumers the right to access their financial records in electronic form. In 2024 the CFPB finalized a rule implementing Section 1033. This rule requires banks over $850 million in assets to create and maintain an API-enabled “developer interface” that third parties can use to access customer data. The rule prohibits banks from charging any fee associated with the creation or use of the portal. The rule also imposes limitations on third-party use of customer data and requires third parties to implement GLBA-equivalent data security requirements.
While the rule imposes data security requirements on third parties, questions remain as to whether they will sufficiently comply with these requirements. If they do not, it could result in customer data being compromised, with blame and financial liability falling on the bank.
Furthermore, we believe banks must be permitted to charge reasonable fees to third parties – who will financially benefit from access to customer data – in order to offset the significant costs of compliance with this rule.