Your bank data are being stolen because regulators won’t let banks protect it

.

Owing largely to heavy-handed federal rules, identity thieves have had a field day targeting banking consumers. The Consumer Financial Protection Bureau’s very-much-in-flux Section 1033 “open banking” rule was promoted by the Biden administration as a modernization of the financial system, but in reality, made everyone’s data less secure.

The rule compelled banks to give third-party data aggregators access to consumers’ financial information at no cost, with few limits on how frequently that data could be accessed or how it might ultimately be used. By mandating these data-sharing arrangements, the CFPB overlooked significant consumer privacy and security concerns and saddled banks with extensive compliance obligations.

Fortunately, the CFPB is reportedly considering changes that would allow banks to safeguard consumers’ financial information and limit dealings with unreliable data brokers. It’s time for bureaucrats to stand up for digital security and privacy.

To understand the push for allowing financial institutions to charge volume-based fees for data, it’s critical to examine the myriad risks facing consumers. Every “data call” or digital transaction initiated by a third-party app creates the possibility for data breaches and identity theft. A 2023 report by the Financial Services Information Sharing and Analysis Center highlighted that the financial sector faces an unprecedented rise in sophisticated cyberattacks, many targeting interconnected third-party APIs. Financial services firms reportedly face “malware strains hitting the financial sector, as well as emergent attack methods such as using Microsoft OneNote Attachments, telephone-oriented attack delivery, and “Adversary-in-the-Middle Attacks.’” It takes a hefty chunk of capital to keep these threats at bay. 

By permitting volume-based fees, the CFPB allows depository institutions to fund continuous and real-time threat monitoring and advanced encryption protocols. Without an independent revenue stream tied directly to the volume of data being pulled, banks’ ability to dynamically defend against evolving algorithmic threats and massive data-harvesting operations are severely compromised, endangering the broader financial ecosystem.

Further, the allowance of these fees addresses the critical issue of legal and financial liability when data security fails. Under traditional banking frameworks, the primary financial institution bears the ultimate regulatory and fiduciary responsibility to make a consumer whole in the event of unauthorized fraud or a systemic data leak. If a third-party app with subpar security protocols is breached, the legacy bank is often left holding the bag to investigate, remediate, and insure against the loss. According to research on the operational costs of fraud management, the administrative overhead of resolving cross-institutional data disputes is soaring. Volume-based fees provide the necessary capital banks need to establish robust liability reserves and fund sophisticated forensic accounting teams. Ultimately, allowing banks to price the risk of digital transactions ensures that the institutions legally mandated to safeguard the public’s money possess the financial resources necessary to guarantee that safety in an interconnected world.

Unfortunately, lawmakers and bureaucrats are trying to make it more difficult for financial institutions to fund cybersecurity efforts. For years, Sens. Dick Durbin (D-IL) and Roger Marshall (R-KS) have pushed hard for the Credit Card Competition Act, even though the misguided proposal would impose ill-advised mandates targeting interchange fees. This policy jeopardizes card networks that have the most rigorous anti-fraud programs. The Congressional Research Service notes, “To the extent that the major networks invest in making their infrastructure secure in order to attract customers and profits, if cards are effectively required to be interoperable, networks may be less willing to invest as much in secure payment technologies, as part of the benefit would accrue to their competitors.” 

Additionally, when routing decisions are driven primarily by cost, more transactions could be routed onto networks with weaker risk controls, fewer security investments, and less rigorous dispute-resolution systems.

NO SURPRISES: TRUMP MUST FINISH THE FIGHT WHERE BIDEN FAILED

This is all exceptionally bad news for consumers. Fraud is already a problem in financial services markets, with identity theft posing a constant threat to consumers. Credit card fraud cost consumers $275 million in 2024, up from $45 million in 2015. Less than 10% of phony charges involve stolen or lost credit cards; the rest involve remotely accessed account information and personal data. This remote theft will become far easier for cybercriminals if credit card mandates and onerous rules compromise network security.

Rather than doubling down on heavy-handed rules targeting financial institutions, policymakers should empower banks to protect consumers. Americans should not have to worry about bureaucrats undermining the safety of their bank accounts and credit cards. 

Ross Marchand is the executive director of the Taxpayers Protection Alliance. 

Related Content