CFPB Requests that Kentucky Federal Court Vacate Personal Financial Data Rights Rule

In litigation filed in the U.S. District Court for the Eastern District of Kentucky by a national bank and two banking associations challenging the CFPB’s Personal Financial Data Rights Rule, the Bureau recently reversed course in a summary judgment motion and concluded that the rule exceeds its statutory authority.

The rule implements section 1033 of the Consumer Financial Protection Act, which directs the Bureau to promote consumers’ ability to have access to their own financial information through rulemaking.  WBK covered the rule’s issuance here.

Now, the CFPB argues that four aspects of the rule are legally problematic.  According to the Bureau:

• The rule exceeds the Bureau’s authority under section 1033 because the rule requires that authorized third parties have access to consumer data, even though section 1033 contemplates only consumers having access to their own data.
• Section 1033 does not grant the CFPB authority to preclude covered persons from charging a fee for enabling access to consumer data through the prescribed developer interfaces.  Moreover, the Bureau had previously concluded when it promulgated the rule that data providers’ charging any fee — even if reasonable — would obstruct consumers’ access to their own financial data.  However, that conclusion lacked adequate reasoning.
• The rule enables more parties to access sensitive consumer information, which would in fact pose a greater risk to consumer privacy and data security.
• The rule’s deadlines are arbitrary and capricious because the rule provides that standard-setting bodies will develop consensus standards for access to consumer data but requires compliance before such standards can be set.

Thus, the CFPB has asked the court to vacate the rule in its entirety.  But given this change in position, the court has allowed the Financial Technology Association (a trade association for fintech companies) to intervene and defend the rule.