In its motion for a summary judgment in a lawsuit challenging the regulation, the CFPB stated it has concluded that the Section 1033 Rule (Rule) exceeds the agency’s statutory authority to create an open banking system by—among other things—requiring that consumer data be shared with third parties.
The motion states that “the limited legislative history confirms what the statute’s text and structure make clear: the statute was intended simply to ensure that consumers would have access to their own information.”
Therefore, the CFPB requested that the court grant plaintiff’s motion for summary judgment.
“In light of the President’s directive to review existing regulations, the Bureau’s new leadership has considered the Rule and the arguments set forth in Plaintiffs’ complaint and amended complaint and has concluded that the Rule exceeds the Bureau’s statutory authority and is arbitrary and capricious,” the CFPB said, in its motion, in the lawsuit filed by the Bank Policy Institute (BPI) and Kentucky Bankers Association. “Accordingly, Defendants agree with Plaintiffs that the Rule is unlawful and should be set aside under the Administrative Procedure Act.”
The CFPB recently announced that it planned to kill the rule and ask for a summary judgment in the case. The motion formally asks for the summary judgment, and sets forth the CFPB’s reasoning behind that request.
The Rule would have had far-reaching implications for financial institutions, fintech companies, and consumers alike. This previously untapped legal authority would have given consumers the right to control their personal financial data and assign the task of implementing personal financial data sharing standards and protections to the CFPB.
The CFPB said that due to the legal issues involving the Rule, U.S. District Court Judge Danny C. Reeves should find that the Rule violates the APA.
The CFPB gives several reasons for why Trump Administration officials believe the Rule is illegal. According to the CFPB, it unlawfully:
- Seeks to regulate open banking by mandating the sharing of data with “authorized third parties,” whereas Section 1033 is limited to ensuring that consumers can access their own data. Nothing in the law or its legislative history delegates to the CFPB “free-ranging authority to regulate the entire open banking system—that is, the intricate network of commercial entities sharing a consumer’s personal financial data well beyond sharing it with the consumer directly,” according to the CFPB. The Rule allows an authorized third-party to use consumer’s data for the purpose of improving the product or service requested.
- Prohibits data providers from charging fees to offset burdens the Rule imposes on them, even though Section 1033 does not expressly authorize the CFPB to prohibit the charging of fees. “To start, the Rule’s fee prohibition is in excess of the Bureau’s authority,” the bureau said, in its motion. “Congress’s silence on fees is a particularly shaky foundation for the Rule’s absolute fee prohibitions. Even if the Bureau had statutory authority to prohibit data providers from charging fees, it was unreasonable for the Bureau to impose that prohibition in the Rule, and the prohibition is therefore arbitrary and capricious.”
- Places consumer data at risk. The Rule greatly expanded Section 1033 to encompass a vast data-sharing framework. That, the CFPB said, invites greater risk to consumer privacy and data security.
- Arbitrarily and capriciously sets compliance deadlines that do not account for the development of consensus standards. Instead, the CFPB tied compliance dates based on the Rule’s publication in the Federal Register.
Even though the CFPB is withdrawing the Rule, Section 1033 requires the CFPB to issue rules that would allow consumers to obtain transaction data and other information concerning a consumer financial product or service that the consumer obtained from the covered entity. It is unclear whether the CFPB plans to re-initiate the rulemaking process to meet its Section 1033 mandate.
[View source.]
