CFPB finalizes personal financial data rights rule
138 points by hn_acker 8 days ago | 68 comments
  • toomuchtodo 8 days ago |
  • arunabha 8 days ago |
    And right on cue, wall street fights back! Expected, but still rankles as bit.

    'JPMorgan CEO Jamie Dimon says 'it's time to fight back' on regulation' from https://www.reuters.com/business/finance/jpmorgan-ceo-says-i...

    The comment from Dimon is the cherry on top.

    'Dimon said he was not against open banking but noted that it could compromise consumer data and lead to fraudulent money transfers and he was set to fight it.'

    His bank is happy to accept fraudulent checks and ACH transfers all day long, but his primary opposition to open banking rules is his overwhelming concern for his customers. Riiiight.

    • toomuchtodo 8 days ago |
      "It is difficult to get a man to understand something, when his salary depends on his not understanding it."

      You have an entire commercial banking industry that has been dependent on being able to capture inexpensive deposits from unsophisticated financial services consumers (they make the spread between the ~0% they offer on demand deposits and what they can lend at), as well as charging exorbitant fees to move value around, and that is all coming to an end with open banking and FedNow instant payments. Sad folks gonna sad. You're a utility, sorry to say.

      (obligatory credit union plug here)

      • SoftTalker 8 days ago |
        Credit Unions are typically better, but not always. Fees can still be high and interest rates low. You still have to comparison shop and do some due diligence.
        • toomuchtodo 8 days ago |
          Certainly, but they are not profit motivated in the same way a commercial bank is. Do your due diligence.

          https://mycreditunion.gov/about-credit-unions/find-join-star...

          • wbl 8 days ago |
            Yeah and S&Ls would never participate in the credit cycle.
          • PittleyDunkin 8 days ago |
            > Certainly, but they are not profit motivated in the same way a commercial bank is. Do your due diligence.

            How is profit motivation supposed to help the customers of a bank? On paper this is just as customer-hostile as with any other industry—profit is waste that fundamentally should be going to employees and customers.

      • tivert 8 days ago |
        > "It is difficult to get a man to understand something, when his salary depends on his not understanding it."

        I don't think the issue here is that he doesn't understand. I think the issue is he's lying.

        He's almost certainly starting with the policy that he wants for his own self-interest, then working backwards from that to come up with BS arguments for it that sound good. He's not an idiot so almost certainly knows full well what he's doing.

      • politician 8 days ago |
        Banks are really dragging their heels on FedNow support.
        • toomuchtodo 8 days ago |
          It will arrive eventually (lots of concern around fraud due to potential value velocity). It only took a year for the first ~1k institutions to onboard, the last few thousand will onboard with time. The US Treasury is a participant, as is JP Morgan Chase and FiServ.

          https://www.frbservices.org/financial-services/fednow/organi...

    • jfengel 8 days ago |
      Yeah, it was nice having a Consumer Financial Protection Bureau. It's on the chopping block under Project 2025:

      "the next conservative President should order the immediate dissolution of the agency—pull down its prior rules, regulations and guidance"

      So don't get too used to your new financial data rights. We'll know Tuesday if you'll ever get a chance to apply them.

      • sailfast 8 days ago |
        The notion that a president can do this unilaterally without Congress is very strange. While I understand the laws and norms around executive authority are often pushed against, you cannot legally defund an entire agency by executive order. (Or create one for that matter - I'm looking at you "Government Efficiency Administration" or whatever the heck they keep talking about.

        "Down with bureaucracy!" "Isn't that bureaucracy? A whole organization that focuses on waste?" "Yeah, but it's MINE. I only want down with YOUR bureaucracy."

        • jkaplowitz 8 days ago |
          It’s true that an executive order cannot legally defund the CFPB, but since SCOTUS gave the President the right to remove the CFPB Director without cause, the President absolutely can cripple the agency by that type of executive action rather than by defunding it.
          • mikeyouse 8 days ago |
            Even his chosen appointee was a big fan of $1 fines to companies who defrauded customers. One of great 'victories' of the small government types who've been in power is rendering many of the agencies they were responsible for to be completely ineffective. Why fight to protect the CFPB if they're a tool of the companies they're supposed to police? It's extremely important to keep these agencies independent and aggressive in seeking justice/recompensation.
            • jshier 8 days ago |
              Yeah, we saw exactly this across the executive branch the last time this guy was in power. Intentionally corrupt or feckless appointees who blocked or simply failed to approve any action on the part of the agencies they nominally ran. What does it matter if you don't completely dissolve the EPA if you just have your stooge redefine the EPA's job, or what pollution means? Of course, that's been the typical Republican approach for decades. Now they're full mask off for round two and will be working to completely dismantle the administrative state altogether.
          • throwway120385 7 days ago |
            Yeah -- essentially all he has to do is enact the OMB rule that he enacted at the end of his first administration that classifies any employee of a federal agency that creates policy as a political appointee, and then he can literally fire the entire staff of any federal agency. Even just firing the senior staff would be enough to erase the power of the agency.

            So while it's true the CFPB would remain funded, it would also struggle to act effectively without senior staff to sign off on projects and pay salaries. This OMB rule is how Project 2025 is going to be executed, and it will go beyond chaos as they erase every federal agency including several that we all rely on within less than a year.

          • Suppafly 7 days ago |
            Plus now you can basically cripple any agency by suing them since the supreme court's view is that agencies can't do anything that isn't explicitly dictated by congress now.
        • dylan604 8 days ago |
          Why do you think the next conservative president would need to do it unilaterally without Congress? There's a good chance that the next conservative president would also have a conservative Congress.

          It's not outlandish at all

          • sangnoir 8 days ago |
            They could also flex their newly found immunity when executing "official duties"
        • PittleyDunkin 8 days ago |
          > you cannot legally defund an entire agency by executive order.

          Of course you can, if people accept it. This dynamic is massive in the last three decades and is only going to grow.

        • immibis 7 days ago |
          You can do it, just not legally. Who distributes the funds, who decides who gets hired? It ultimately comes down to the president, who is immune from any consequences for illegal things he does in the course of his presidential duties, right?
    • mmooss 8 days ago |
      To add context:

      The large banks just destroyed, through intense lobbying, what was called Basel III Endgame - a long-planned, carefully implemented regulatory structure designed to prevent future catastrophes like 2008. The Federal Reserve pretty much openly said they gave into pressure.

      The problem with capitulating to make peace is that you don't get peace: The attacker is emboldened and tries for more, and now has precedent and momentum in the eyes of third parties.

      • skybrian 8 days ago |
        Declaring defeat seems a bit much, considering that we haven't had another catastrophe similar to 2008. That seems pretty successful, so far? (The pandemic was bad, but banks mostly didn't collapse.)
        • arunabha 8 days ago |
          But by the same metric, The great recession hadn't happened before 2008 so it would imply that the rules up to 2008 were sound?

          With hindsight we know that the rules were far from sound and allowed banks to take on massive risk which they dumped on the taxpayers as usual.

        • immibis 7 days ago |
          IIRC 2020 was about to be one, then the Fed tripled/quadrupled the money supply.
  • teeray 8 days ago |
    So does this mean we can finally have APIs for personal financial software without resorting to the ickiness of putting credentials in Plaid?
    • ryandrake 8 days ago |
      Giving a third party your banking credentials is not just icky, it probably violates your online banking terms of service, and is obviously terrible for security. This practice really needs to die yesterday.
      • hollerith 8 days ago |
        Of course it violates the terms of service written by your bank.

        Your bank would make it illegal to even talk about your banking transactions with anyone other than your bank if they could.

        • dylan604 8 days ago |
          at the same time, the banks are happy they don't have to spend the money to develop those APIs themselves.
        • _boffin_ 8 days ago |
          Actually… not as much as you think. Go read Wells Fargo’s policies.

          The gist of it: if you give it to someone, that’s on you.

          • sjtgraham 8 days ago |
            It's not on you though. Banks have Reg E obligations that cannot be waived by contract.
            • _boffin_ 7 days ago |
              I wasn't talking about Regulation E. My point was that banks like Wells Fargo have effectively "allowed" companies like Plaid and MX to log in using user credentials .
      • sq_ 8 days ago |
        I’ve been happy to see more and more of the banking-related services that I use stop requiring that and give each other actual API access.

        I absolutely refuse to hand over my credentials and cannot wait for the practice to die.

      • Aspos 8 days ago |
        The fact that plaid was allowed to exist and grow into a monster tells a lot about incompetence/impotence of the regulators.
      • eternityforest 8 days ago |
        What would actually happen if Plaid or the like was hacked? Would people lose money or would they be able to reverse it all?
        • teeray 8 days ago |
          Probably “thoughts and prayers” from a heartfelt apology written by their CEO who “takes full responsibility,” and free identity theft monitoring for a year.
      • sjtgraham 8 days ago |
        It doesn't matter if it violates your bank's terms of service, it's not an enforceable term. For example, banks cannot refuse to pay out if you were a victim of fraud because you gave your credentials to an aggregator (regardless of whether or not the fraud was related). The EFTA has anti-waiver provisions that state a bank's Reg E obligation to make customers whole after unauthorized transactions cannot be waived by contract.
  • hggigg 8 days ago |
    Having seen how this shit works behind the scenes I’d rather do it manually.
    • buffington 8 days ago |
      I'd love to hear what you saw that motivated this. Care to share?
      • hggigg 8 days ago |
        Account holder migration between two major international banks. Subcontracted out to the lowest bidding outsourcer who operate some major enterprise messaging bespoke piece of crap bought from IBM which is held together with sticky tape, string and smeared in dog shit and requires hand holding 24/7 due to the sheer amount of bugs in it.

        I found this out because the company I was contracting for was trying to get the open banking API working against one of the banks and we ended up having to speak to four parties over an simple encoding issue that no one at any org could understand. It was basically the spider man pointing meme. One set of outsourcers blaming another set of outsourcers while their local managers were doing the same. No one even understood or communicated the issues.

        When you do something at a bank and it takes longer than expected it’s that sort of shit happening.

      • Suppafly 7 days ago |
        >I'd love to hear what you saw that motivated this. Care to share?

        Working adjacent to medicine,banking, supply chain, and some other fields, I'd say that most people don't realize that everything is just csv files and sftp servers underneath. You'd assume these fields would be using realtime web services to communicate with each other, but even the ones that seem roughly realtime are often using scheduled file transfers of batched data. A lot of the integration is essentially bat files and shell scripts converting between one type of csv to another. It's bandaids and bailing wire all the way down.

  • AshamedCaptain 8 days ago |
    ah, you mean there are still more than two banks customer can choose from? and for how long?
    • stronglikedan 8 days ago |
      Unless you have a very narrow use case, there has always been a plethora of banks to choose from.
      • bob1029 8 days ago |
        Banking with a more local institution can make all of the difference in the experience. It would probably blow your mind if you've never done it. Maybe try a mid-size bank that operates in a few states if you are concerned with going too small.

        If you are banking with Wells Fargo or BoA, you are getting exactly what you signed up for. A customer base so large that they have no choice but to treat you like a row in a database (i.e., a piece of shit).

        • mindslight 7 days ago |
          > Maybe try a mid-size bank that operates in a few states if you are concerned with going too small

          I disagree with this. Medium/regional banks often have the same dynamic where the people in the branches have to call in to centralized help lines to get anything done, rather than employees being empowered to exercise judgement and act. But yet their systems can be way less polished than the megabanks. And from what I've seen their fees are often higher and less forgiving (not that you should be paying fees anywhere though, as an individual retail customer)

          My main combo is local bank/creditunion for cash/notary/medallion/safedepositbox/cashierschecks and then online-only large bank because it pays real interest and has a less janky UI. (although with the ever-ratcheting SMS login nags, I'm starting to question that last bit). Both refund third party ATM fees.

          On the larger topic, I'm disappointed to see this regulatory push has very little to do with making sure users can get frequent automated access to their own transaction data. Continually verifying the transactions on your account is basically the necessary and sufficient condition for preventing the bank making you responsible for their being defrauded.

      • koolba 8 days ago |
        There's four banks with over $1T in assets, eight with over $500B, nineteen with over $200B, and 29 with over $100B: https://www.federalreserve.gov/releases/lbr/current/

        I'd argue there's exactly four banks to choose from if you plan on holding more than the FDIC limits at any one bank as I'm not as confident the rest would have an implicit "too-big-to-fail" guarantee.

        • barryrandall 8 days ago |
          Most of those banks' customers would be better off at one of the thousands of credit unions in the US.
        • naniwaduni 8 days ago |
          - If you demand more than an FDIC limit of liquidity in cash, you're not really in the same market for banking services as most natural persons. If the off-the-shelf banking products don't do it for you, you should probably be shopping around and negotiating.

          - Private insurance is stil a thing. Banks are like some of the most underwriter-legible institutions known to man.

          - Four is a bigger number than two anyway.

        • kasey_junk 8 days ago |
          If you are going to hold more than the fdic limits you should use one of the myriad of products designed for that rather than using hope as a risk management technique. They’ve been around for decades and are a normal part of any wealth protection strategy.

          For better or worse US governmental policy is to encourage myriad amounts of banks, and it’s worked given we have more than any other nation by a long stretch.

          In fact a lot of the disfunction in our banking system comes from the fact that we have too many banks.

          No knowledgeable person thinks Americans lack for choice in banking.

          • TheCoelacanth 7 days ago |
            People who have more than the FDIC limits probably have the most choice of banks because they are such desirable customers.
  • 0cf8612b2e1e 8 days ago |
    I hate that I am so pessimistic, but I will hold my breath until the Supreme Court says why nobody has the authority to tell banks what to do.
    • Molitor5901 8 days ago |
      Unfortunately it will still come down to the bank wanting to do business with you. I believe at the end of the day, if you don't agree to what the bank wants of you, and from you, they will debank you. There is no right, or even a law, that the bank has to give you an account.

      This is a good decision by the CFPB but it's a drop in the bucket.

    • jerf 8 days ago |
      The Supreme Court did not say that no Federal agency can do anything, ever.

      You can tell by the way the Federal agencies are still, you know, there. Doing things.

  • skybrian 8 days ago |
    Dismissing fraud as a problem makes it sound like there’s no tradeoff here. I think we all know that in real life, fraud actually is a pretty big problem? Though they’re self-interested, I expect that banks know it too.

    It doesn’t mean you shouldn’t be able to export your data, but this is a sensitive operation that maybe shouldn’t be too easy. People are definitely going to be tricked. The individualistic, libertarian assumption (that customers are responsible adults who know what they’re doing) is known to be false by anyone who has worked in a customer support role.

    • throwaway48476 8 days ago |
      Fraud is only a problem for international transactions. The rest can be handled by lawyers.
      • Nifty3929 8 days ago |
        At great time and expense, while you have bills to pay and someone else has your money.
  • ilaksh 8 days ago |
    If you don't like what banks do, then learn about the technologies that can replace them today.
    • barumrho 8 days ago |
      Do you mean bitcoin/crypto or did you have something else in mind?
      • ilaksh 8 days ago |
        I think most people don't really know what those things are, or what the fundamental concepts are, so I recommend people research decentralized technologies that are related to money from scratch.
    • politician 8 days ago |
      Banks are 95% law and maybe 5% technology.
    • immibis 7 days ago |
      Although you're obviously talking about crypto, I support the message of learning how shit things work underneath and maybe someone will come up with a way to improve them.
  • renewiltord 8 days ago |
    This seems impossible without Chevron Deference. I doubt one can exercise one’s rights under this.
    • monocularvision 8 days ago |
      What does Chevron Deference have to do with this?

      Congress passed an explicit law saying financial companies have to offer the ability outlined in this rule. They state the CFPB needs to make rules to enable it and now they are doing so.

      This entirely fits within the current Supreme Court doctrine around regulatory agencies.

      Now, that’s not to say there might not be some other constitutional objection the the law itself…

      • sjtgraham 8 days ago |
        > Congress passed an explicit law saying financial companies have to offer the ability outlined in this rule. They state the CFPB needs to make rules to enable it and now they are doing so.

        Actually it didn't. S1033 of the CFPA states a financial institution will upon request of a consumer provide covered information about their financial accounts in a digital format usable by consumers. The rule relies on an expansive interpretation of the statutory definition of "consumer", which is a natural person or "an agent, trustee, or representative" thereof. The agency asserts that representative can be any third party and off of this says banks have to make a developer interface available for them to access, that ironically it does not mandate actual consumers, i.e. natural persons like you and I, can access.

        This expansive interpretation will not survive judicial review. The canons of statutory interpretation do not allow it, e.g. agent and trustee are fiduciary relationships, as they are mentioned before "representative" it limits the potential scope to other types of fiduciary relationship (ejusdem generis and noscitur a sociis). A fintech is not a fiduciary and has no obligation to act in your interest. It's a typical arms-length commercial transaction.

        Whether or not the agency's goal is noble is besides the point. It has plainly and obviously gone way beyond the statutory authority granted to it by Congress.

        • monocularvision 7 days ago |
          Thank you for the additional information. I should be more careful when wading into legal topics. I read section 1033 and I am not sure I agree that the final rule is destined to failure but I am definitely not a lawyer.
  • daft_pink 8 days ago |
    Does anyone else feel like Apple’s app store rules have more teeth than this? Lobbyists have already or will soon be gutting this for sure.
  • Snuupy 8 days ago |
    Until this comes to fruition and banks actually implement it with software (like Actual Budget) supporting it, I will continue using SimpleFIN Bridge. Hopefully this becomes ubiquitous like GoCardless in the EU.
  • fowl2 7 days ago |
    Wonder how this compares with the Consumer Data Right in Australia. The standards and discussions around them are right there on GitHub [1] - pretty surreal seeing accounts for the big banks. Of course it's mostly completely useless for anything DIY as semi-understandably access to any real data is gated behind certification requirements.

    [1] https://consumerdatastandardsaustralia.github.io/standards/#...