New Banking Policy Will Keep Us From Getting Caught in Data Aggregators Net

The Sandra Bullock thriller The Net celebrates its 30th anniversary this week – a cautionary tale that warned us at the time about the impending dangers of the Internet. The film scared mid-90s audiences by showing how digital power brokers could steal our personal information and, with it, our lives. 

Of course, this movie isn’t remembered as painting too accurate a picture of the future. Because our digital overlords don’t need to steal our personal information. We just give it to them. 

Digital services provided for free are almost always paid for with our personal information, whether we realize it or not. A Deloitte survey found that 91% agree to digital legal terms and conditions (T&Cs) without reading them – notwithstanding that many are too long and/or complex for a normal person to actually read. PC Magazine estimated it would take 17 hours to read the T&Cs of just the 13 most popular apps whereas Time estimated it would take 76 work days to read all the T&Cs we click on each year!

The Gordian knot of online T&Cs aren’t life and death in most situations: yes, we all realize Google tracks everywhere we go using their maps service, but it is so useful we’re happy to pay for it that way. But the knot squeezes a little too tightly when it comes to our finances. 

When we use money apps, we often unknowingly grant permission to a bevy of third-party data brokers to access our financial information. Companies like Plaid and MX harvest sensitive account details – from personally identifiable information to where and what you spend your money on – and resell them to crypto firms and other fintech companies in order to profit from sensitive consumer banking data. Of course, they don’t advertise that they do that – indeed Yodlee brags about how it is “Driving a more inclusive financial future!” next to an image of two minorities looking at a computer … so they must be good guys, right? 

Wrong, of course. These faceless data thieves are so shady they make Wells Fargo look reputable.

But that didn’t stop the Consumer Financial Protection Bureau (CFPB), under President Biden’s leadership and Elizabeth Warren’s direction, from creating a policy that would make it even easier for these data middlemen to access your data – in perpetuity.  Finalized in 2024 under Director Rohit Chopra, Rule 1033 requires financial institutions, credit card issuers, and others to unlock personal financial data and transfer it to another provider for free, all under the guise of “open banking.” While the consumer may check a box to make a one-time payment through a fintech app like Venmo or to transfer money to a Coinbase crypto wallet, what they don’t realize is they’re actually giving permissions for these faceless brokers 

The rule was designed to reinforce activity that has opened the door for even more abuse of our privacy. The rule – which is set to be implemented next year – subjects normal financial customers to fraud, security risks, data breaches, and identity theft, according to the Taxpayers Protection Alliance. “Rule 1033 isn’t just wrongheaded and a price control, it’s also anti-customer exactly because it mandates giving away what’s crucial and valuable for free,” wrote Forbes columnist John Tamny.

Earlier this year, the Trump Administration called the rule “unlawful” and announced its intent to “set it aside” before it would take effect — and that action can't come soon enough. Data aggregators are accessing our accounts far beyond any legitimate need, and 90% of the time without us asking for it. JPMorganChase, the #1 data provider to fintechs and crypto companies, estimates data middlemen access consumers’ data 2 billion times per month – up four times over the last two years. 

One hopes that without the CFPB opening the door to data harvesters, and therefore financial institutions having the ability to keep consumer protections in place, these numbers will come down. But the private sector has some ideas to help customers even more. Last week, JPMorganChase announced it would begin charging fees for data requests from third-party fintech apps. 

No pricing structure has been disclosed, but even it’s just 10 cents a transaction, that will make shady data harvesters think twice. If fintech apps that have been effectively stealing our data through opaque disclosures, now have to ask us – and pay – every time they ping our accounts, the numbers will drop. Over the past year, according to a CNBC report, one major U.S. bank has seen fraud-related claims linked to aggregator traffic surge by nearly 30%, totaling close to $50 million in losses.

Legitimate fintech providers will still be able to access people’s accounts when a customer requests it – they just won’t as easily be able to aggressively harvest the data for profit beyond the customers’ knowledge. 

Many experts are predicting that JPMorganChase’s decision will spur other big banks to follow suit, and that charging third-party apps will become the industry standard. As are all of us hoping we don’t get crushed by data tyrants like Sandra Bullock in The Net.