US Lawmaker Seeks To Level Up Financial Data Privacy

July 5, 2022
A discussion draft released by a Republican Congressman would give consumers GDPR-like rights over their financial data and update a 23-year-old federal law.

On June 23, Patrick McHenry (R-NC), the Republican leader on the House Financial Services Committee, published a discussion draft of new legislation to modernise the country’s federal financial data protection law.

The proposal would amend the federal Gramm-Leach-Bliley Act 1999 (GLBA) and establish consumer rights over how financial institutions collect and use their customers’ personal information.

“Technology has fundamentally changed the way consumers participate in our financial system,” McHenry said.

“Our privacy laws — especially as they relate to financial data — must keep up.”

‘Material’ changes

The discussion draft would amend the federal GLBA “in a number of material ways”, according to Glenn Brown, of counsel at Squire Patton Boggs.

The proposal aims to protect against the misuse and overuse of consumers’ personal information by introducing consumer rights similar to those included in the EU’s General Data Protection Regulation (GDPR).

The draft allows consumers to access data held about them, request the deletion of the data and opt out of the collection of information that is not necessary for the provision of the service.

These rights are also similar to those under the US Fair Credit Reporting Act (FCRA), which regulates the data management practices of credit reporting agencies.

The draft would require a financial institution to disclose all nonpublic personal information it holds about a consumer, as well as the parties with whom it has shared that information and the parties from whom it received it, Brown told VIXIO.

In addition, the bill requires financial institutions to disclose to consumers why they are collecting certain pieces of data and only use data for its stated purpose.

The draft also seeks to address growing concerns around data aggregators, which have access to a large amount of nonpublic personal information but may operate under limited regulatory oversight.

This issue received significant public attention last year when data aggregator Plaid agreed to pay $58m to settle class-action claims that it exploited its position as a middleman to obtain app users' banking login credentials and use that information to gain access to and sell their transaction histories without the users knowing about it.

The bill changes the GLBA’s definition of a financial institution to include data aggregators, meaning that they will be bound by the same data protection rules as traditional financial institutions.

Controversial provisions

Although the proposal takes important steps to modernise the existing financial data protection framework, several of its provisions could be seen as controversial, according to Brown.

For instance, the proposal includes a provision that significantly expands the liability of financial institutions for data breaches.

The bill provides that “[i]f the nonpublic personal information of a consumer is obtained from a financial institution (either due to a data breach or in any other manner) and used to make unauthorized access of the consumer’s account, the financial institution shall be liable to the consumer for the full amount of any damages resulting from such unauthorized access.”

This imposes extremely broad liability and, unlike some other legislation, provides no safe harbour for companies whose information security programmes meet defined criteria, Brown noted. In other words, an institution with a mature, well-documented security programme would be exposed to the same liability as one with none.

“It seems unlikely that the bill would pass with this provision as currently drafted,” he added.

In addition, the bill would preempt state regulation of financial institutions on a number of topics.

Although this may not raise concerns in many cases, it would mean that state laws such as the California Consumer Privacy Act, or stricter state breach notification requirements, would no longer apply to a financial institution, Brown pointed out.

Such a provision is “likely to upset privacy rights advocates”, he noted.

Finally, implementing and maintaining the processes needed to honour the new consumer rights is expected to impose additional costs on financial institutions.

According to EY, the world's 500 biggest corporations have spent a total of $7.8bn to comply with the GDPR, while another report estimated the total cost of initial compliance with the CCPA at $55bn.

Next steps

The discussion draft is the first step in a lengthy process, and it opens up a conversation about how financial institutions (banks, non-banks and data aggregators) collect and use consumer financial data.

The Bank Policy Institute (BPI) welcomed the proposal, stressing that any proposals “should ensure all financial firms — both banks and nonbanks — have a clear blueprint for safeguarding consumers’ privacy”.

Data aggregator Akoya said it agrees with the bill’s technology-agnostic approach and the extension of the definition of financial institutions to data aggregators.

“Akoya has long supported the principles of consumer empowerment, transparency, informed consent and data minimisation, and we are delighted to see those principles prominently featured in the draft bill,” the company told VIXIO.

“We believe that a clear liability framework is also needed to facilitate data sharing amongst industry participants, which should be based on the simple principle that if data access results in harm, such as through data loss, compromise, misuse, or other security-related incidents, the party that causes the harm should bear the liability and be held responsible for the risks their actions introduce,” it added.

Although different stakeholders may seek to change different provisions of the proposed draft, McHenry’s bill should act as a helpful starting point for discussions.
