National data privacy standard must protect consumers, allow evolution of credit union service

Several members of the House Financial Services Subcommittee on Financial Institutions agreed with America’s Credit Unions’ perspective on a national data privacy law during their hearing Thursday. America’s Credit Unions Director of Innovation and Technology Andrew Morris testified at the hearing, sharing the need for—and the credit union perspective on—such legislation. 

“First and foremost, America’s Credit Unions supports a comprehensive federal data security and privacy framework that includes robust security standards that apply to all who collect or hold sensitive personal data,” Morris said. “We recognize that the financial services landscape is evolving. It is important that as the law evolves to match it, credit unions have rules of the road that allow them to meet the needs of their members in the marketplace. This includes a data privacy standard that not only protects their members but also allows credit unions to evolve in their service to them.”

In his testimony, Morris highlighted three key tenets to include in any national data privacy law: 

  1. A recognition of Gramm-Leach-Bliley Act (GLBA) standards and accompanying regulations in place for financial institutions and a strong exemption from new burdensome requirements;
  2. Robust federal preemption from a patchwork of state laws for credit unions in compliance with national privacy and GLBA standards; and
  3. Protection from frivolous lawsuits created by a private right of action.

Rep. Roger Williams, R-Texas, questioned Morris about how Congress can prevent privacy regulations from being so burdensome that they cause credit unions to “scale back services or exit services entirely,” especially in rural areas.

Morris recommended preserving the GLBA’s opt-out framework for sharing information, which allows small credit unions and financial institutions to partner with fintechs when appropriate to meet member needs.

Several committee members asked about the CFPB’s section 1033 rule, which would require data provider financial institutions with more than $850 million in assets to provide access to certain consumer data upon receiving a request from an authorized third party. America’s Credit Unions has concerns with the final rule, and the CFPB indicated in a legal filing last month that it will rescind the rule.

“We think it would be prudent for the CFPB to consider a way to allocate liability for mishandled data by third-party entities. Its absence means credit unions and financial institutions only have a recourse in the courts,” Morris said, also recommending allowing small financial institutions the ability to charge fintechs for access to the data in any future final rule.

Rep. Cleo Fields, D-La., asked how the section 1033 rule might help consumers and community financial institutions in the current environment. 

“In terms of competition, the 1033 rule can offer benefits to credit unions in the general sense that data portability is helpful for consumers to switch financial institutions,” Morris said. “However, we do have concerns around the CFPB’s specific implementation of section 1033: costs of API development, the lack of a framework for allocating liability of third parties that mishandle data, as well as concerns around non-statutory enumerated information the CFPB would share, such as payment information.”

Rep. John Rose, R-Tenn., noted credit unions have long prioritized data security, and asked Morris how much credit unions are investing.

“We’ve run surveys in the past, and consistently, year after year after year. The results reflect the enormous cost of data breaches and the risk of fraud,” Morris said. “Credit unions are prioritizing investment in cybersecurity, data security as part of GLBA, which mandates NCUA and other regulators implement technical safeguards to ensure institutions are adopting data security. This drives costs but is also important in keeping trust.” 

Rep. Scott Fitzgerald, R-Wis., asked what role Congress should play in ensuring federal regulators do not stifle credit union innovation. 

“On the federal regulatory side, I think some of the inconsistencies can arise simply due to the fact that these technologies are evolving at a very quick pace and it may be beneficial for there to be pilot programs, or other ways to test innovative products without necessarily the fear of compliance driving those innovation decisions,” Morris said.