Scoop: CFPB’s new banking data exposure rule sparks concern over digital security
Experts are sounding the alarm on the latest last-minute Biden policy...
The Consumer Financial Protection Bureau’s (CFPB) new “open banking” rule, which aims to increase consumer control over financial data, potentially exposes online banking customers to grave cybersecurity risks, experts tell the Washington Reporter.
The Banking Data Exposure Rule, which was recently finalized under Section 1033 of the Dodd-Frank Act, was enacted to enhance transparency and innovation in the financial sector. Its critics, however, argue that the rule’s failure to ban harmful data-sharing practices, particularly screen scraping, leaves customers vulnerable to exploitation by third-party actors like cybercriminals and foreign adversaries.
The new rule seeks to empower consumers by granting them greater access to their financial data and the ability to share that data with third-party financial service providers. This approach is designed to foster innovation, allowing fintech companies to offer personalized financial products, budgeting tools, and investment advice based on a user’s banking information.
But the average user could be left completely unaware of this practice, and the rule contains few, if any, protective guardrails when it comes to accountability for data security, according to leading consumer advocates.
“While the CFPB’s Banking Data Exposure Rule aims to democratize access to financial data and foster innovation in the financial sector, its toothless approach to data security and accountability leaves the average banking customer’s data vulnerable to numerous threats,” an advocate told the Reporter.
Proponents of the rule, like far-left Rep. Maxine Waters (D-Calif.), argue that the rule targets data brokers and empowers the consumer. Democratic support neglects to address the rule’s shortcomings when it comes to data protection vulnerabilities to foreign adversaries, the rule's critics told the Reporter.
“Faced with mounting congressional scrutiny over the sharing of personal banking data with the federal government, allowing this rule to go into effect not only exposes banking data from bank customers, it may have compounding consequences,” a banking policy veteran told the Reporter.
The Banking Data Exposure Rule relies on screen scraping, in which bots or algorithms extract consumer data directly from financial institutions’ websites or applications, often without the user’s knowledge. This approach often requires consumers to share their banking credentials with third-party applications, sometimes exposing their data to nefarious actors. Once credentials are shared, the third party effectively bypasses the security measures banks use to protect their customers, such as multi-factor authentication or fraud detection algorithms.
Senior citizens are particularly vulnerable to online scams.
“This rule is a huge mistake with potentially perilous outcomes for anyone with a bank account,” Saul Anuzis, the president of the 60 Plus Association, told the Reporter. “Without significant improvements, the Banking Data Exposure Rule will increase the threat from fraudsters and the risk of personal financial data falling into the wrong hands. Washington has to stop this rule before it’s too late.”
Fraudsters could also exploit poorly regulated data-sharing ecosystems by creating fake fintech apps designed to lure unsuspecting consumers. Once users share their credentials, attackers gain access to sensitive information that could be used for identity theft, unauthorized transactions, or even blackmail.
“Injecting so much new risk into the system without educating consumers shows the depths of the disconnect between an unchecked bureaucracy and Americans who trust their banks to safeguard their hard-earned money. We’re very concerned about the potential for this rule to increase the likelihood of anyone with a bank account suffering devastating financial losses and exploitation,” Anuzis said.
Another contentious issue surrounding the rule is the ambiguity of liability in the event of a data breach. If a third-party app suffers a cybersecurity incident, consumers may find themselves caught in a legal gray area, unsure whether their bank, the app developer, or another entity is responsible for the financial fallout.
Major banks have voiced their opposition to the rule, emphasizing the security risks associated with screen scraping and the potential erosion of consumer trust. Some argue that the CFPB’s regulatory framework needs to prioritize security protocols over convenience.
“It’s totally unacceptable to create a situation where customers are left without accountability if a third-party data breach results in a mishandling of their banking data, or to allow entities to handle our financial data with security standards lower than those followed by banks. Washington really needs to hit the brakes on this,” Anuzis said.