Paul Hastings Hosts Panel on Privacy and Security Challenges for Fintechs

On October 23, 2024, Paul Hastings hosted a panel on privacy and security challenges for fintech organizations. The panel was moderated by Paul Hastings Senior Privacy Director Jeremy Berkowitz, and featured Seyi Iwarere (Payments Regulatory Counsel, Cash App Block) and Steve Boms (Founder and President, Allon Advocacy).

Here are some of the main takeaways from the panel:

CFPB issued the Final § 1033 Open Banking Rule.

Panelists discussed the open banking rule implementing Section 1033 of the Consumer Financial Protection Act of 2010. The new rule, finalized in October, requires financial institutions (Data Providers) to share banking and transaction data with their consumers or third parties who are processing that data on behalf of consumers.

Both Data Providers and third parties are required to establish protocols for transmitting and receiving the data, as well protecting it, including establishing APIs to hinder screen scraping. Third parties will also have to maintain consent of consumers for processing their data and not retain it for more than one year at a time. Panelists said the rule will go into effect for Data Providers on a rolling basis starting in 2026. They added that due to bipartisan support for the rules, any changes in leadership at the CFPB will likely not result in changes to its implementation. Panelists also said that subsequent CFPB rulemakings on large providers and data brokers will provide guidance on how the 1033 rule will be enforced. 

Data breach challenges continue in the financial space.

Panelists discussed lessons that can be learned from recent data breaches, in particular a major one involving a global bank that happened earlier this year. Panelists explained that as a result of the breach and a subsequent enforcement action, that bank is no longer allowed to have new partnerships or to engage in new products and services without regulator approval. Panelists explained that this highlighted the importance of organizations knowing who they partner with, those partners’ systems, and how issues related to those partners and their systems can impact organizations.

Panelists further discussed that, while fintechs can white label products, banks are still responsible for customer relationships and safeguarding funds. Panelists emphasized the importance that agreements between fintechs and banks define what information they will share about customers. Panelists noted that, when reviewing agreements, organizations should ensure that agreement terms consider any relevant regulatory requirements.

The Privacy+Security Forum is hosted twice a year by Daniel Solove and Paul Schwartz and brings together leading experts in the areas of privacy and security law. Paul Hastings was a sponsor for this fall’s Forum, which took place from October 23-25 in Washington, D.C.

Our Privacy and Cybersecurity practice regularly advises companies on key issues. If you have any questions concerning these issues or any other data privacy or cybersecurity developments, please do not hesitate to contact any member of our team.