The Bank Policy Institute and the Kentucky Bankers Association yesterday filed a lawsuit challenging the Consumer Financial Protection Bureau’s final rule implementing Section 1033 of the Dodd-Frank Act, which establishes standards for sharing and safeguarding financial data. The lawsuit, filed in U.S. District Court in Lexington, Kentucky, alleges that the CFPB overstepped its authority by finalizing a rule “that jeopardizes consumers’ privacy, financial data and account security,” according to a joint statement by the two associations.
“The CFPB’s 1033 rulemaking jeopardizes the safety and soundness of our banking system and fails to protect consumer data,” KBA President and CEO Ballard Cassady said. “We are challenging the CFPB to ensure that banks can continue to protect their consumers and the integrity of the financial system in a safe and sound manner.”
Among the concerns raised in the lawsuit is that the final rule requires no oversight of third parties using bank customer data, according to a summary by BPI and KBA. The rule also increases the likelihood of fraud and scams by failing to address weak safeguarding practices, allows screen scraping and other unsafe practices to continue to exist, fails to hold third parties accountable, allows those same third parties to profit from systems built by banks, and imposes an unreasonable implementation timeline, they said.
“If left unchallenged, technology companies subject to little to no oversight will have access to very sensitive information, like how much is in your account and where you spend your money,” BPI President and CEO Greg Baer said. “ Banks have a responsibility to protect customers and their data, and this rule compromises these responsibilities, putting bank customers at risk.”
The American Bankers Association issued a statement identifying problems with the proposal before the lawsuit was filed and will continue to coordinate closely with BPI and KBA as the litigation moves forward.