There are so many rules coming from so many directions at U.S. financial institutions that spotting key strategic challenges or opportunities is harder than ever.  That more and more of these rules are longer than 1,000 pages makes C-suite impact considerations still harder to highlight.  In the midst of this morass, one proposal from the CFPB on consumer-data rights may be easy to overlook, but this seemingly-petite 299-page rule is at least as consequential as the thousands of capital and CRA pages getting all the not-so-love.

Why?  Quite simply, consumer data are the currency of commerce in general and retail finance in particular.  The stratospheric ascent of data-driven companies such as Amazon are indisputable proof that competitors who control data quickly control consumers, mobilizing ever more powerful network effects that then crush all but the most nuanced niche providers.  The CFPB is right that banks no more deserve exclusive provenance over consumer data than tech-platform companies, but requiring banks to give these data away as the Bureau plans means the crown jewels of each retail franchise are now out on the shop counter for free.

Companies far better able to make astute use of these data than all but a few banks will quickly find ways to persuade consumers to give personal information to them unless the final data rights standard has considerably more consumer protection built in than the proposal.  I know it sounds odd to say that a CFPB proposal is light on consumer protections, but so it is.

What clearly happened as the Bureau wrote the rule is that process took precedence over meaningful protection.  As our in-depth analysis makes clear, each data provider – read bank – will need to go through all sorts of procedures to ensure that it properly allows consumers to obtain data that then would go to “authorized third parties” – read anyone offering any consumer financial product, service, or ancillary product that can fill out a lot of forms.

Many, many forms and procedures are proposed to ensure consumer rights, the proposal is nonetheless a classic case of information asymmetry – no one reads anything because reading even some of it takes too long and for many consumers is far too hard.  At a standard reading rate, it would take almost four months of eight-hour days for a consumer to read the service agreements for the websites most Americans use.  Many of those the Bureau now proposes are at least as ponderous and will surely go as much unread.

The CFPB has thought about this when it comes to privacy, proposing not more disclosures and forms but instead automatic protections requiring that anyone who gets consumer data from a bank must abide by the privacy safeguards that govern banks.  This is a start, although I suspect the distance between earnest promises and actual compliance could be substantial.  Still, at least consumers don’t have to read something complex to decide if they wish to protect their personal privacy.  Most do and all at least have a shot at it.

But what about the risks that come with new product offerings?  Director Chopra mentioned in his statement accompanying the proposal that he wants to make it easier for consumers to find higher rates of interest than those many banks offer on transaction and savings accounts.  The thinking – fantasy? – is that “relationship” focused community banks will benefit and so some may.  But the firms most likely to make the greatest use of deposit data are not banks.

Think of all the nonbanks that offer higher returns only because the deposit-like product is higher risk.  Even if all the FDIC’s injunctions not to delude consumers with the false promise of FDIC insurance bear fruit – and again compliance is a sometime thing – consumers may well not fully understand the risks that come with blandishments for authorization to obtain their data.  Odds are, many won’t and lifetime savings will go all sorts of places they shouldn’t.

Open banking in the European Union is easier because open banking in the EU is largely open only to banks and entities under bank or bank-like regulation.  That of course is very much not the case in the United States.

Philosophically, it’s up to consumers to know what they are doing as they claim the data that is rightfully theirs.  Practically, that’s impossible because most consumers don’t understand risks – see for example the stunned surprise earlier this year when it briefly turned out that uninsured deposits might actually be uninsured.  Will consumers really know that the entity to which a bank gives their data at their request is an entity that will operate under the do-no-harm principle essential to vulnerable consumers?  Banks aren’t always all that good at this and they’re under rules that govern them.  What about all the companies that aren’t?

In short, open banking in the U.S. could be a playing field that cannot be made safe for most consumers just by demanding as the proposal does that the consumer is in charge of who gets his or her data.  What is done with these data matters too – a lot.