At the Institute for Reforming Government, we work to break down barriers and unnecessary red tape that stand in the way of Wisconsinites achieving the American Dream. That means questioning whether regulations, even when well-intended, risk creating new costs or unintended consequences for consumers.
One such instance is a little-known provision of the 2010 Dodd-Frank Act, the landmark financial reform law enacted after the 2008 crisis. Section 1033 of the law requires financial institutions to make consumer account and transaction data available, at the customer’s request, to authorized third-party services the consumer chooses. This includes personal finance apps and digital payment platforms. Congress never intended this requirement to fuel an industry devoted to collecting and monetizing sensitive banking data, nor to grant those firms unlimited, free access without meaningful liability. But that’s exactly what happened in late 2024 when the Biden Consumer Financial Protection Bureau (CFPB) issued its so-called open banking rule.
Today, implementation of the Biden-era rule is paused. Regulators at the CFPB are reconsidering whether its policy should move forward at all. What happens next will shape whether Americans’ personal banking information is more widely monetized, raising serious questions about privacy, security and who ultimately bears responsibility when data is compromised.
On its surface, the so-called open banking rule was presented as a consumer-friendly reform that promises greater control over personal financial data. In practice, however, it introduces a policy approach that deserves careful scrutiny: government rules that limit how institutions can recover the costs of providing secure access to sensitive financial data. By restricting how banks recover the costs associated with data access, the rule risks overlooking the real and ongoing investments required for security, infrastructure, compliance and liability.
Government limits on pricing can sometimes address specific market failures. But in complex markets like financial services — where cybersecurity, liability, and infrastructure costs are constantly evolving — restricting how providers recover those costs risks producing unintended consequences.
For years, banks and financial technology companies have developed data-sharing arrangements through voluntary, negotiated agreements. These arrangements expanded access to budgeting tools, payment platforms, and financial management services without Washington dictating the terms. They emerged through competition and mutual interest rather than regulatory compulsion, and they adapted as technology, consumer expectations, and security threats evolved.
That is how a functioning market operates. Agreements reflect real-world costs and responsibilities, and when those costs change, contracts adjust accordingly. Consumers benefit from this flexibility because it encourages innovation while maintaining accountability on all sides.
The implementation of Section 1033 of the Dodd-Frank Act threatens to disrupt that balance. By restricting how providers recover the costs associated with secure data access, the rule effectively requires one side of the market to absorb expenses that have historically been negotiated between parties. The financial and legal responsibility for safeguarding consumer data does not disappear under a regulatory constraint. It remains with the institution that holds the data, even as access is extended to third parties operating under different business models, risk profiles, and limited regulatory oversight.
Those costs will be absorbed somewhere. They may appear as reduced investment in security, higher prices for other services, or fewer partnerships offered to consumers. None of those outcomes serve the public interest. They are the predictable result of imposing rigid constraints on complex market relationships.
The implications for data security are especially concerning. Financial data is among the most sensitive information consumers possess. Today’s market-based arrangements allow parties to allocate liability, negotiate security standards, and invest continuously in protection as threats evolve. Policies that restrict how providers recover the costs of secure data access risk weakening incentives to invest in the protections consumers depend on.
Supporters of the rule argue that government intervention is necessary to prevent banks from restricting access to data. The record suggests otherwise. The widespread availability of digital financial tools developed in response to consumer demand and competitive pressure, not regulatory mandates. Institutions that failed to meet consumer expectations lost business to those that did.
At its core, the debate over Section 1033 reflects an important policy question: how best to balance consumer access, innovation, and security. Wisconsin families benefit from policies that encourage competition, reward innovation, and preserve strong incentives to protect sensitive information.
Regulators at the CFPB and lawmakers from the Badger State should take note of Wisconsinites’ strong belief in privacy, security and consumer choice and ensure the CFPB’s Section 1033 rule is either scrapped or substantially reformed to prioritize consumer banking security over the profit interests of fintechs.
Section 1033 may be well-intended. But if implemented poorly, it risks undermining the incentives that support innovation, investment and data security for the very consumers it aims to help.
Chris Reader is the Chief Operating Officer of the Institute for Reforming Government.
This article originally appeared on Milwaukee Journal Sentinel: Congress never intended to fuel industry monetizing bank data | Opinion
