WASHINGTON—America's Credit Unions' Andrew Morris provided the credit union perspective on national data privacy legislation Thursday during the House Financial Services Subcommittee on Financial Institutions hearing, “Framework for the Future: Reviewing Data Privacy in Today’s Financial System.”
ACU's director of innovation and technology outlined three key tenets that must be present in any national data privacy law:
- A recognition of Gramm-Leach-Bliley Act (GLBA) standards and accompanying regulations in place for financial institutions and a strong exemption from new burdensome requirements
- Robust federal preemption from a patchwork of state laws for credit unions in compliance with national privacy and GLBA standards
- Protection from frivolous lawsuits created by a private right of action
“First and foremost, America’s Credit Unions supports a comprehensive federal data security and privacy framework that includes robust security standards that apply to all who collect or hold sensitive personal data,” Morris stated in his opening remarks. “We recognize that the financial services landscape is evolving. It is important that as the law evolves to match it, credit unions have rules of the road that allow them to meet the needs of their members in the marketplace. This includes a data privacy standard that not only protects their members but also allows credit unions to evolve in their service to them.”
Rep. Roger Williams (R-TX) asked Morris about how Congress can prevent privacy regulations from being too burdensome for credit unions. Morris recommended a preserving opt-out framework for sharing information present in GLBA, which allows small credit unions and financial institutions to partner with fintechs when appropriate to meet member needs.
Rep. Cleo Fields (D-LA) askedhow the section 1033 rule might help consumers and community financial institutions in the current environment.
“In terms of competition, the 1033 rule can offer benefits to credit unions in the general sense that data portability is helpful for consumers to switch financial institutions,” Morris said. “However, we do have concerns around the CPFB’s specific implementation of section 1033: costs of API development, the lack of a framework for allocating liability of third parties that mishandle data, as well as concerns around non-statutory enumerated information the CFPB would want shared, such as payment information.”
Rep. John Rose (R-TN) noted credit unions have long prioritized data security, and asked Morris how much credit unions are investing.
“We’ve run surveys in the past, and consistently, year after year after year, the results reflect the enormous cost of data breaches and the risk of fraud,” Morris said. “Credit unions are prioritizing investment in cybersecurity, data security as part of GLBA, which mandates NCUA and other regulators implement technical safeguards to ensure institutions are securing data security. This drives costs but is also important in keeping trust.”
Rep. Scott Fitzgerald (R-WI) asked what role Congress should play in ensuring federal regulators do not stifle credit union innovation.
“On the federal regulatory side, I think some of the inconsistencies can arise simply due to the fact that these technologies are evolving at a very quick pace and it may be beneficial for there to be pilot programs, or other ways to test innovative products without necessarily the fear of compliance driving those decisions,” Morris said.