WASHINGTON—NAFCU President and CEO Dan Berger has asked CFPB Director and Federal Financial Institutions Examination Council (FFIEC) Chair KathyKraninger to provide interagency guidance related to the Gramm-Leach-Bliley Act (GLBA) to help credit unions and other financial institutions comply with data privacy laws.
The California Consumer Privacy Act (CCPA) took effect earlier this year and other states are considering their own data privacy laws.
"NAFCU opposes the application of conflicting state privacy requirements to credit unions as they are already subject to the privacy requirements of the GLBA and serve as responsible stewards of sensitive consumer data," Berger wrote in a letter to Kraninger, adding that the association supports a federal law "that preempts state privacy laws while providing protections to consumers and clarity and consistency for credit unions."
Echoing NCUA Chairman Rodney Hood's call for "increased coordination and efforts among the [FFIEC] members to respond to the burden on financial institutions posed by multiple privacy laws," Berger said the "FFIEC should provide interagency guidance indicating that the GLBA should be the sole framework under which financial institutions collect, process, sell, or disclose consumer data, thereby eliminating duplicative state standards." He asked Kraninger and the CFPB "to take the lead in mitigating the regulatory fragmentation created by states passing multiple, parallel regulatory frameworks."
‘Act Swiftly’
Noting the high compliance costs and unsustainability of complying with multipleframeworks, Berger called for the FFIEC to "act swiftly to provide the industry with clear guidance as many financial institutions, particularly small, not-for-profit, community-based financial institutions like credit unions, may have difficulty complying with varying state standards."
"This would provide consistent protections for consumers across all states and minimize compliance burdens for credit unions and other financial institutions," Berger said. "If legally-binding guidance were issued and all personal information were collected, processed, sold or disclosed pursuant to the requirements of the GLBA and Regulation P, that may satisfy the CCPA's exemption and reduce the number of parallel frameworks financial institutions must undertake."
The association has urged California to exempt credit unions from the CCPA and said it will continue to advocate for a national data privacy standard to ensure credit unions can effectively and efficiently comply.