Why Some Republicans Are Praising An Agency They Hate
Rohit Chopra doesn’t get a lot of praise from Republicans.
The consumer finance watchdog, confirmed three years ago on a party-line vote, has spent his time in office cracking down on banks and tech companies alike, moves often touted by the White House as they aim to show how they’re sticking up for average Americans. GOP lawmakers in turn say the hard-charging Chopra is hyper-partisan.
But this week, he finalized rules that would give consumers more control over how and when their financial data is used, earning plaudits from the Republican chair of the House Financial Services Committee, Patrick McHenry, who called it “a promising step forward to protect Americans’ financial data privacy.”
Something like this won’t get much attention just two weeks out from a presidential election that has sucked up all of the oxygen in Washington.
But the regulation could end up being the most consequential piece of Chopra’s legacy, in part because it’s less likely to be reversed if the White House — and therefore his agency, the Consumer Financial Protection Bureau — switches from blue to red.
It’s also a new chapter for the young bureau, which Republicans have lambasted since its creation, as it takes a path (well-trodden elsewhere in Washington) to more durable rulemaking: getting buy-in from at least some private sector actors.
The new data guardrails could lead to longer-term structural changes in the financial system by shifting some power away from big banks and toward upstart competitors that are looking to provide many of the same services, like lending and payments. Those tech-fueled competitors have attracted significant sympathy from lawmakers on the right.
The asterisk is that the rule still must survive a legal challenge from the banking industry.
“Certainly, very few large incumbents want to face more competition,” Chopra told me in an interview this week. “That’s true in banking. That’s true in every sector.”
“But that’s exactly what Congress wanted to see is more competition rather than less,” he said.
The legal basis for the data rule is as old as the CFPB itself, an agency best known as the brainchild of Sen. Elizabeth Warren (D-Mass.). But the push for formal rules ensuring consumers are the ultimate authority on what happens to their financial information has intensified in recent years, as banks and other firms have tussled behind the scenes about access to data.
If there’s one thing the reaction to this rule demonstrates, it’s that the politics around the financial industry have shifted with the rise of technology companies that Republicans like McHenry welcome as competitors to incumbent banks.
But another, more important takeaway is that there are many holes in the rules around data privacy that only Congress can fill, and they can’t put it off forever.
“This is progress for American innovation and consumers, but we can’t stop here,” McHenry said in reaction to the rule. “Congress must build on the bipartisan consensus regarding financial data privacy.”
Chopra and his agency appear to be benefiting from widely shared frustration with all that uncertainty — one of a few things that might bring Warren allies and McHenry sympathizers together. If you look at the current state of privacy rules, you can see why.
The existing system operates through a lot of ad hoc arrangements. When you use an app that needs access to your bank account information — whether because you’re applying for a mortgage, looking to improve your budgeting or hoping to pay your friend for that evening’s bar tab — they get that info through one of two ways.
In one version, you log in to your bank inside of the app, which then uses a middleman (a data aggregator) to “screen scrape” the data from your account, with the ability to see everything that you can see when you log into your bank. In another, you are redirected to your bank’s website, where you’re essentially telling the bank to send certain fields of data to the app, known as APIs.
Standardized APIs are an industry-wide goal, but right now they require extensive negotiations among the parties involved, and banks are motivated to provide as little information as possible, especially to competitors. Screen scraping, meanwhile, leaves consumers vulnerable to firms having way more access to their information, for much longer, than they really wanted.
The new regulation tries to improve up the status quo both by requiring banks to transfer financial data to other companies if the customer asks them to, and also by restricting firms facilitating that data transfer from using the information for other purposes (like, say, aggregating the informationand selling it).
Chopra markets the rule as making it much easier to “vote with your feet” and change banks if you want to, giving consumers more ability to compare pricing and rates.
And, he says, it could help people borrow money even without a credit history, if lenders get a sense of their cash flow.
He’s tapping into arguments that appeal broadly (giving disadvantaged people more access to the financial system), to progressives (protection of consumers through regulation), and to free-market conservatives (making it easier for other firms to compete with larger existing companies).
Under the rule, companies that access a person’s data can’t use it for targeted advertising, consumers must reauthorize access to their data every year, and they have the right to revoke access at any time.
Some of these provisions could serve as a blueprint for a broader update to data privacy standards, something that has been a topic of interest in Congress for years but has largely languished.
“It only governs consumer-permissioned data from a bank account or credit account,” Chi Chi Wu, a senior attorney at the National Consumer Law Center, said of the CFPB rule. “The guardrails that have been established are very good guardrails and hopefully will serve as a model for other privacy issues.”
Banks don’t agree. They’re warning that this whole arrangement could cause more fraud and scams by giving them little recourse if a consumer tells them to send data to an unreliable third party. They also fear that they’ll be on the hook for making customers whole when that happens.
“By mandating banks must hand over sensitive customer account data to any third party that got someone to click ‘I accept’ on their app, this rule handcuffs banks’ ability to demand high security standards from third parties,” JPMorgan Chase spokesperson Trish Wexler said in a statement.
The Bank Policy Institute and Kentucky Bankers Association filed a lawsuit the same day the rule was released.
If it withstands that challenge — or if a push to enshrine elements of it into law succeeds — a major effect of the rule will be to shift the distribution of power within the industry. Now everyone, from banks to Apple Pay, has to deal with each other if a customer tells them to — one reason data aggregators have welcomed the CFPB’s move, even though it has brought additional scrutiny of their handling of information.
In our conversation, Chopra touted the rule as being aligned with industry trends.
“This really doesn’t create a new framework from scratch. It builds on what has already been successful in the marketplace,” he told me. “That’s part of the reason I think you’re seeing broad support.”