CFPB Data Breach Shows Danger of its Attempted Power Grab Over Fintech

Photo Credit: Getty

My friend Patrick Brenner, president of regional free-market think tank the Southwest Public Policy Institute, recently had a great op-ed at on data troubles at the Consumer Financial Protection Bureau (CFPB). In the op-ed entitled “Who’s protecting consumers from the Consumer Financial Protection Bureau?”, Brenner points to a data breach reported last March in which a CFPB employee forwarded confidential information of 256,000 consumers to his or her personal email account.

Recounting a hilarious encounter in which he tried to utilize the CFPB complaint process to file a complaint against the CFPB itself – spoiler alert, the CFPB process doesn’t allow for that type of complaint – Brenner concludes that “something tells me that we need the Bureau to Protect Financial Consumers from the Consumer Financial Protection Bureau, or the BPFCCFPB.”

One thing the data breach also shows is that consumers really need protection from is the CFPB’s current attempted power grab for supervisory regulatory authority over FinTech apps and platforms. In a recent interview with A.P. Dillon for an excellent article she penned  in the North State Journal, I explained that a proposed CFPB rule giving it a supervisory role over firms operating banking and payment apps is “a solution in search of a problem that will lead to many other problems.”

The article reports on a letter of support for the CFPB rule from various state Attorneys General and quotes the North Carolina AG as saying the rule was necessary because FinTech apps “need to be playing by the same rules so that people’s hard-earned money is protected.” But as I explain in the article, these apps and platforms do play by the same rules as legacy financial institutions. Apps such as Chime and Dave that enable checking and deposit accounts for consumers provide these services through affiliated banks, which are subject to the same regulations and regulators as other banks. Apps such as Venmo that primarily involve sending and receiving money are subject to state money transmitter laws as well as the federal statutes and regulations that have applied to money transfer services such as Western Union since before the Internet was even invented.

Furthermore, as I explain, the CFPB already has authority to penalize firms for specific violations consumer protection statutes: such as providing a financial product or service found to be fraudulent, deceptive, or “abusive.” Yet the CFPB – without giving much in the way of specific justifications for this power grab – claims it also needs “supervisory” authority to regulatory inspect Fintech firms sensitive operational and customer data, even from divisions of the firm that have noting to do with the payment or banking service.

Not only is such power unneeded to protect consumers, as I explain in the article, it would also be genuinely dangerous for the CFPB to possess. The CFPB, which hasn’t yet resolved the aforementioned data breach, would have access under this rule to even more consumer data. As I ask in the article, “what are the restrictions on the CFPB if it can view everything – including customer transactions?”

I also bring up in the article that the CFPB, given its role in Operation Choke Point in the Obama administration, could use such new power for “possible jawboning of an industry with a political agenda.” I explain that, as in Choke Point, the CFPB could muscle FinTech apps and platforms into cutting off financial services to individuals and industries the government deems a “reputational risk.” Recent revelations of bank regulators asking banks to hand over broad swaths of data on consumers who made references to “Trump” and “Maga” or even made purchases at outdoor stores such as Cabella’s should heighten these concerns about misuse of data by CFPB and other financial regulators.

In comments on the CFPB rule, the internet trade association NetChoice makes a good case that the CFPB is exceeding its authority from Congress in the power grab it is proposing. “Simply put, the CFPB’s proposed rule to regulate non-bank digital wallet and payment app providers is a substantial expansion of its regulatory authority that raises new and novel concerns,” NetChoice states.

Also expressing concerns about the proposed rule is the Blockchain Association, a leading trade group for firms involved in cryptocurrency. The group points out in its comments to the CFPB that the rule asserts authority of some “digital assets” and could extend to crypto trading platforms. The comments state that “as a threshold matter, the CFPB has not established jurisdiction over digital assets by way of an independent rulemaking process, which it must do if it
seeks to supervise the sector.”

Such attempted power grabs by the CFPB show why the CFPB needs to be subject to the Congressional appropriations process, instead of getting its funds from the Federal Reserve. Hopefully, the Supreme Court will subject the CFPB to this structure in its upcoming ruling in CFPB v. CFSA. As I have stated previously, “CFPB’s bypassing of the congressional appropriations process — enabled by Dodd-Frank — has allowed it to escape accountability for regulation that imposes crushing costs to community banks, credit unions, and the very consumers it claims to protect.”