CFPB finalizes personal financial data rights rule (eff.org)
138 points by hn_acker 8 days ago | hide | past | favorite | 68 comments

And right on cue, Wall Street fights back! Expected, but still rankles a bit.

'JPMorgan CEO Jamie Dimon says 'it's time to fight back' on regulation' from https://www.reuters.com/business/finance/jpmorgan-ceo-says-i...

The comment from Dimon is the cherry on top.

'Dimon said he was not against open banking but noted that it could compromise consumer data and lead to fraudulent money transfers and he was set to fight it.'

His bank is happy to accept fraudulent checks and ACH transfers all day long, but his primary opposition to open banking rules is his overwhelming concern for his customers. Riiiight.


To add context:

The large banks just destroyed, through intense lobbying, what was called Basel III Endgame - a long-planned, carefully implemented regulatory structure designed to prevent future catastrophes like 2008. The Federal Reserve pretty much openly said they gave into pressure.

The problem with capitulating to make peace is that you don't get peace: The attacker is emboldened and tries for more, and now has precedent and momentum in the eyes of third parties.


Declaring defeat seems a bit much, considering that we haven't had another catastrophe similar to 2008. That seems pretty successful, so far? (The pandemic was bad, but banks mostly didn't collapse.)

But by the same metric, the Great Recession hadn't happened before 2008, so it would imply that the rules up to 2008 were sound?

With hindsight we know that the rules were far from sound and allowed banks to take on massive risk which they dumped on the taxpayers as usual.


IIRC 2020 was about to be one, then the Fed tripled/quadrupled the money supply.

"It is difficult to get a man to understand something, when his salary depends on his not understanding it."

You have an entire commercial banking industry that has been dependent on being able to capture inexpensive deposits from unsophisticated financial services consumers (they make the spread between the ~0% they offer on demand deposits and what they can lend at), as well as charging exorbitant fees to move value around, and that is all coming to an end with open banking and FedNow instant payments. Sad folks gonna sad. You're a utility, sorry to say.

(obligatory credit union plug here)


Credit Unions are typically better, but not always. Fees can still be high and interest rates low. You still have to comparison shop and do some due diligence.

Certainly, but they are not profit motivated in the same way a commercial bank is. Do your due diligence.

https://mycreditunion.gov/about-credit-unions/find-join-star...


> Certainly, but they are not profit motivated in the same way a commercial bank is. Do your due diligence.

How is profit motivation supposed to help the customers of a bank? On paper this is just as customer-hostile as with any other industry—profit is waste that fundamentally should be going to employees and customers.


Yeah and S&Ls would never participate in the credit cycle.

Banks are really dragging their heels on FedNow support.

It will arrive eventually (lots of concern around fraud due to potential value velocity). It only took a year for the first ~1k institutions to onboard, the last few thousand will onboard with time. The US Treasury is a participant, as is JP Morgan Chase and FiServ.

https://www.frbservices.org/financial-services/fednow/organi...


> "It is difficult to get a man to understand something, when his salary depends on his not understanding it."

I don't think the issue here is that he doesn't understand. I think the issue is he's lying.

He's almost certainly starting with the policy that he wants for his own self-interest, then working backwards from that to come up with BS arguments for it that sound good. He's not an idiot so almost certainly knows full well what he's doing.


Yeah, it was nice having a Consumer Financial Protection Bureau. It's on the chopping block under Project 2025:

"the next conservative President should order the immediate dissolution of the agency—pull down its prior rules, regulations and guidance"

So don't get too used to your new financial data rights. We'll know Tuesday if you'll ever get a chance to apply them.


The notion that a president can do this unilaterally without Congress is very strange. While I understand the laws and norms around executive authority are often pushed against, you cannot legally defund an entire agency by executive order. (Or create one for that matter - I'm looking at you "Government Efficiency Administration" or whatever the heck they keep talking about.)

"Down with bureaucracy!" "Isn't that bureaucracy? A whole organization that focuses on waste?" "Yeah, but it's MINE. I only want down with YOUR bureaucracy."


It’s true that an executive order cannot legally defund the CFPB, but since SCOTUS gave the President the right to remove the CFPB Director without cause, the President absolutely can cripple the agency by that type of executive action rather than by defunding it.

Even his chosen appointee was a big fan of $1 fines to companies who defrauded customers. One of the great 'victories' of the small government types who've been in power is rendering many of the agencies they were responsible for completely ineffective. Why fight to protect the CFPB if they're a tool of the companies they're supposed to police? It's extremely important to keep these agencies independent and aggressive in seeking justice/recompensation.

Yeah, we saw exactly this across the executive branch the last time this guy was in power. Intentionally corrupt or feckless appointees who blocked or simply failed to approve any action on the part of the agencies they nominally ran. What does it matter if you don't completely dissolve the EPA if you just have your stooge redefine the EPA's job, or what pollution means? Of course, that's been the typical Republican approach for decades. Now they're full mask off for round two and will be working to completely dismantle the administrative state altogether.

Plus now you can basically cripple any agency by suing them, since the Supreme Court's view is that agencies can't do anything that isn't explicitly dictated by Congress now.

Yeah -- essentially all he has to do is enact the OMB rule that he enacted at the end of his first administration that classifies any employee of a federal agency that creates policy as a political appointee, and then he can literally fire the entire staff of any federal agency. Even just firing the senior staff would be enough to erase the power of the agency.

So while it's true the CFPB would remain funded, it would also struggle to act effectively without senior staff to sign off on projects and pay salaries. This OMB rule is how Project 2025 is going to be executed, and it will go beyond chaos as they erase every federal agency including several that we all rely on within less than a year.


Why do you think the next conservative president would need to do it unilaterally without Congress? There's a good chance that the next conservative president would also have a conservative Congress.

It's not outlandish at all.


They could also flex their newly found immunity when executing "official duties"

You can do it, just not legally. Who distributes the funds, who decides who gets hired? It ultimately comes down to the president, who is immune from any consequences for illegal things he does in the course of his presidential duties, right?

> you cannot legally defund an entire agency by executive order.

Of course you can, if people accept it. This dynamic is massive in the last three decades and is only going to grow.


So does this mean we can finally have APIs for personal financial software without resorting to the ickiness of putting credentials in Plaid?

Giving a third party your banking credentials is not just icky, it probably violates your online banking terms of service, and is obviously terrible for security. This practice really needs to die yesterday.

Of course it violates the terms of service written by your bank.

Your bank would make it illegal to even talk about your banking transactions with anyone other than your bank if they could.


Actually… not as much as you think. Go read Wells Fargo’s policies.

The gist of it: if you give it to someone, that’s on you.


It's not on you though. Banks have Reg E obligations that cannot be waived by contract.

I wasn't talking about Regulation E. My point was that banks like Wells Fargo have effectively "allowed" companies like Plaid and MX to log in using user credentials.

At the same time, the banks are happy they don't have to spend the money to develop those APIs themselves.

The fact that Plaid was allowed to exist and grow into a monster tells a lot about the incompetence/impotence of the regulators.

I’ve been happy to see more and more of the banking-related services that I use stop requiring that and give each other actual API access.

I absolutely refuse to hand over my credentials and cannot wait for the practice to die.


It doesn't matter if it violates your bank's terms of service, it's not an enforceable term. For example, banks cannot refuse to pay out if you were a victim of fraud because you gave your credentials to an aggregator (regardless of whether or not the fraud was related). The EFTA has anti-waiver provisions that state a bank's Reg E obligation to make customers whole after unauthorized transactions cannot be waived by contract.

What would actually happen if Plaid or the like was hacked? Would people lose money or would they be able to reverse it all?

Probably “thoughts and prayers” from a heartfelt apology written by their CEO who “takes full responsibility,” and free identity theft monitoring for a year.

Wonder how this compares with the Consumer Data Right in Australia. The standards and discussions around them are right there on GitHub [1] - pretty surreal seeing accounts for the big banks. Of course it's mostly completely useless for anything DIY as semi-understandably access to any real data is gated behind certification requirements.

[1] https://consumerdatastandardsaustralia.github.io/standards/#...


Until this comes to fruition and banks actually implement it with software (like Actual Budget) supporting it, I will continue using SimpleFIN Bridge. Hopefully this becomes ubiquitous like GoCardless in the EU.

Does anyone else feel like Apple’s app store rules have more teeth than this? Lobbyists have already or will soon be gutting this for sure.

This seems impossible without Chevron Deference. I doubt one can exercise one’s rights under this.

What does Chevron Deference have to do with this?

Congress passed an explicit law saying financial companies have to offer the ability outlined in this rule. They state the CFPB needs to make rules to enable it and now they are doing so.

This entirely fits within the current Supreme Court doctrine around regulatory agencies.

Now, that’s not to say there might not be some other constitutional objection to the law itself…


> Congress passed an explicit law saying financial companies have to offer the ability outlined in this rule. They state the CFPB needs to make rules to enable it and now they are doing so.

Actually it didn't. S1033 of the CFPA states a financial institution will upon request of a consumer provide covered information about their financial accounts in a digital format usable by consumers. The rule relies on an expansive interpretation of the statutory definition of "consumer", which is a natural person or "an agent, trustee, or representative" thereof. The agency asserts that representative can be any third party and off of this says banks have to make a developer interface available for them to access, that ironically it does not mandate actual consumers, i.e. natural persons like you and I, can access.

This expansive interpretation will not survive judicial review. The canons of statutory interpretation do not allow it, e.g. agent and trustee are fiduciary relationships, as they are mentioned before "representative" it limits the potential scope to other types of fiduciary relationship (ejusdem generis and noscitur a sociis). A fintech is not a fiduciary and has no obligation to act in your interest. It's a typical arms-length commercial transaction.

Whether or not the agency's goal is noble is beside the point. It has plainly and obviously gone way beyond the statutory authority granted to it by Congress.


Thank you for the additional information. I should be more careful when wading into legal topics. I read section 1033 and I am not sure I agree that the final rule is destined to failure but I am definitely not a lawyer.

I hate that I am so pessimistic, but I will hold my breath until the Supreme Court says why nobody has the authority to tell banks what to do.

Unfortunately it will still come down to the bank wanting to do business with you. I believe at the end of the day, if you don't agree to what the bank wants of you, and from you, they will debank you. There is no right, or even a law, that the bank has to give you an account.

This is a good decision by the CFPB but it's a drop in the bucket.


The Supreme Court did not say that no Federal agency can do anything, ever.

You can tell by the way the Federal agencies are still, you know, there. Doing things.


Dismissing fraud as a problem makes it sound like there’s no tradeoff here. I think we all know that in real life, fraud actually is a pretty big problem? Though they’re self-interested, I expect that banks know it too.

It doesn’t mean you shouldn’t be able to export your data, but this is a sensitive operation that maybe shouldn’t be too easy. People are definitely going to be tricked. The individualistic, libertarian assumption (that customers are responsible adults who know what they’re doing) is known to be false by anyone who has worked in a customer support role.


Fraud is only a problem for international transactions. The rest can be handled by lawyers.

At great time and expense, while you have bills to pay and someone else has your money.

Having seen how this shit works behind the scenes I’d rather do it manually.

I'd love to hear what you saw that motivated this. Care to share?

>I'd love to hear what you saw that motivated this. Care to share?

Working adjacent to medicine, banking, supply chain, and some other fields, I'd say that most people don't realize that everything is just CSV files and SFTP servers underneath. You'd assume these fields would be using realtime web services to communicate with each other, but even the ones that seem roughly realtime are often using scheduled file transfers of batched data. A lot of the integration is essentially bat files and shell scripts converting between one type of CSV to another. It's bandaids and bailing wire all the way down.


Account holder migration between two major international banks. Subcontracted out to the lowest bidding outsourcer who operate some major enterprise messaging bespoke piece of crap bought from IBM which is held together with sticky tape, string and smeared in dog shit and requires hand holding 24/7 due to the sheer amount of bugs in it.

I found this out because the company I was contracting for was trying to get the open banking API working against one of the banks, and we ended up having to speak to four parties over a simple encoding issue that no one at any org could understand. It was basically the Spider-Man pointing meme. One set of outsourcers blaming another set of outsourcers while their local managers were doing the same. No one even understood or communicated the issues.

When you do something at a bank and it takes longer than expected it’s that sort of shit happening.


Ah, you mean there are still more than two banks customers can choose from? And for how long?

Unless you have a very narrow use case, there has always been a plethora of banks to choose from.

There's four banks with over $1T in assets, eight with over $500B, nineteen with over $200B, and 29 with over $100B: https://www.federalreserve.gov/releases/lbr/current/

I'd argue there's exactly four banks to choose from if you plan on holding more than the FDIC limits at any one bank as I'm not as confident the rest would have an implicit "too-big-to-fail" guarantee.


If you are going to hold more than the FDIC limits you should use one of the myriad of products designed for that rather than using hope as a risk management technique. They’ve been around for decades and are a normal part of any wealth protection strategy.

For better or worse US governmental policy is to encourage myriad amounts of banks, and it’s worked given we have more than any other nation by a long stretch.

In fact a lot of the dysfunction in our banking system comes from the fact that we have too many banks.

No knowledgeable person thinks Americans lack for choice in banking.


People who have more than the FDIC limits probably have the most choice of banks because they are such desirable customers.

- If you demand more than an FDIC limit of liquidity in cash, you're not really in the same market for banking services as most natural persons. If the off-the-shelf banking products don't do it for you, you should probably be shopping around and negotiating.

- Private insurance is still a thing. Banks are like some of the most underwriter-legible institutions known to man.

- Four is a bigger number than two anyway.


Most of those banks' customers would be better off at one of the thousands of credit unions in the US.

Banking with a more local institution can make all of the difference in the experience. It would probably blow your mind if you've never done it. Maybe try a mid-size bank that operates in a few states if you are concerned with going too small.

If you are banking with Wells Fargo or BoA, you are getting exactly what you signed up for. A customer base so large that they have no choice but to treat you like a row in a database (i.e., a piece of shit).


> Maybe try a mid-size bank that operates in a few states if you are concerned with going too small

I disagree with this. Medium/regional banks often have the same dynamic where the people in the branches have to call in to centralized help lines to get anything done, rather than employees being empowered to exercise judgement and act. But yet their systems can be way less polished than the megabanks. And from what I've seen their fees are often higher and less forgiving (not that you should be paying fees anywhere though, as an individual retail customer).

My main combo is local bank/credit union for cash/notary/medallion/safe deposit box/cashier's checks and then online-only large bank because it pays real interest and has a less janky UI (although with the ever-ratcheting SMS login nags, I'm starting to question that last bit). Both refund third party ATM fees.

On the larger topic, I'm disappointed to see this regulatory push has very little to do with making sure users can get frequent automated access to their own transaction data. Continually verifying the transactions on your account is basically the necessary and sufficient condition for preventing the bank making you responsible for their being defrauded.


If you don't like what banks do, then learn about the technologies that can replace them today.

Although you're obviously talking about crypto, I support the message of learning how shit things work underneath and maybe someone will come up with a way to improve them.

Do you mean bitcoin/crypto or did you have something else in mind?

I think most people don't really know what those things are, or what the fundamental concepts are, so I recommend people research decentralized technologies that are related to money from scratch.

Banks are 95% law and maybe 5% technology.
