On Compliance: CFPB Could Propose Giving Big Tech Access to Credit Unions’ Core Systems

The Consumer Financial Protection Bureau is in the process of writing new regulations that will likely mandate a de facto “open banking” system where financial technology companies have virtually unrestricted access to credit unions’ core banking systems. If CFPB continues to move forward with these new rules, it is certain to give fintechs a new competitive advantage that allows them to ride credit unions’ rails for free while sticking credit unions with the bill for the implementation costs as well as ongoing cybersecurity and other operational expenses.

What Dodd-Frank Says

It is doubtful that Congress intended to authorize “open banking” for fintechs when it adopted Section 1033 of the Dodd-Frank Act in 2010. Titled “Consumer Rights to Access Information,” the key provisions of Section 1033 read:

“Subject to rules prescribed by the Bureau, a covered person [such as a credit union] shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data. The information shall be made available in an electronic form usable by consumers…The Bureau, by rule, shall prescribe standards applicable to covered persons to promote the development and use of standardized formats for information, including through the use of machine readable files, to be made available to consumers under this section.”

Taken on its face, Section 1033 appears reasonable because it seems fair that consumers should have a right to access their own financial account information. The statute also includes exceptions for trade secrets, such as underwriting standards, and for Bank Secrecy Act compliance information.

The issue therefore is really with the final part of the statutory provision quoted above: “standardized formats for information, including through the use of machine readable files, to be made available to consumers…” This provision clearly gives consumers access to their own data. It is silent, however, on financial institutions being required to provide this data to third parties such as fintech companies. 

The Data-Sharing Portion of CFPB’s Proposal

While it is doubtful that Congress in 2010 intended Section 1033 to allow fintechs to directly hook into credit unions’ core banking systems, that is exactly what CFPB Is proposing today. After issuing a voluminous Advanced Notice of Proposed Rulemaking in 2020, the agency in October 2022 issued for public comment an “Outline of Proposals and Alternatives” for its “Required Rulemaking on Personal Financial Data Rights,” which provides a preview of what the CFPB’s Notice of Proposed Rulemaking will look like once it is issued probably later this year. 

The outline specified six areas of data that credit unions would have to disclose to third parties based on a consumer’s authorization which, among other things, would allow fintechs to review settled and pending transactions, see if there are sufficient funds in the member’s account to withdraw funds by automated clearinghouse, receive copies of the member’s credit reports that the credit union has on file, and know the rates the member is receiving on loans and savings:

• “Periodic statement information regarding transactions and deposits that have settled, including fees, account terms and conditions, and the annual percentage yield of an asset account or the annual percentage rate of a credit card account;
• “Information regarding prior transactions and deposits that have not yet settled;
• “Information about prior transactions not typically shown on periodic statements or online financial account management portals;
• “Online banking transactions that the consumer has set up but that have not yet occurred;
• “Account identity information; and
• “Other information, including consumer reports obtained and used by the covered data provider [including a credit union] in deciding whether to provide an account or other financial product or service to a consumer; fees that the covered data provider assesses on its consumer accounts; bonuses, rewards, discounts, or other incentives that the covered data provider gives to consumers; and information about security breaches that exposed a consumer’s identity or financial information.”

The Internet Infrastructure in CFPB’s Proposal

CFPB also expects credit unions to build and bear the costs of the internet technology infrastructure to allow these fintech companies access to credit unions’ core banking systems. CFPB’s high-level summary of its outline explains: 

“[T]he CFPB is considering proposing that covered data providers [including credit unions] must establish and maintain a third-party access portal that does not require the authorized third party to possess or retain consumer credentials. The CFPB is also considering what role screen scraping should play in the context of a covered data provider’s compliance with the rule.”

So credit unions would presumably have to bear the cost and operational challenges of implementing a “third-party access portal” to allow fintechs to hook into their core banking systems without the third-party fintechs being vetted by the credit unions or even needing members’ logins and passwords. “Screen scraping” would mean that the fintechs could be continuously logged into the credit unions’ core banking systems and could copy and save members’ account data in real time. 

This CFPB rulemaking, if it results in a final rule, is sure to create compliance headaches, security concerns and increased operational expenses for credit unions, in addition to handing fintech companies a huge competitive advantage. It is no surprise that credit union trade associations including the Credit Union National Association and the National Association of Federal Credit Unions filed extensive comments with CFPB opposing most aspects of this not-yet-quite-proposed regulation. We will have to wait and see, however, whether CFPB incorporates the trades’ suggestions into the agency’s upcoming proposed rule.

Michael S. Edwards is an attorney-at-law with extensive experience representing credit unions, community banks and credit union organizations in the United States and around the world on a wide range of regulatory, compliance and other legal matters. Now with his own law firm based in the Washington, D.C., area, Edwards previously served as SVP/advocacy and general counsel of the World Council of Credit Unions and was senior assistant general counsel in the regulatory advocacy section of the Credit Union National Association.