[House Hearing, 119 Congress]
[From the U.S. Government Publishing Office]


                       FRAMEWORK FOR THE FUTURE:
                    REVIEWING DATA PRIVACY IN TODAY'S 
                             FINANCIAL SYSTEM
=======================================================================

                                HEARING

                               BEFORE THE

                 SUBCOMMITTEE ON FINANCIAL INSTITUTIONS

                                 OF THE

                    COMMITTEE ON FINANCIAL SERVICES
                     U.S. HOUSE OF REPRESENTATIVES

                    ONE HUNDRED NINETEENTH CONGRESS

                             FIRST SESSION

                               __________

                              JUNE 5, 2025

                               __________

                           Serial No. 119-26

       Printed for the use of the Committee on Financial Services
       

                            www.govinfo.gov
                            
                                __________

                   U.S. GOVERNMENT PUBLISHING OFFICE                    
60-987 PDF                  WASHINGTON : 2026                  
          
-----------------------------------------------------------------------------------     

                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                    FRENCH HILL, Arkansas, Chairman

BILL HUIZENGA, Michigan, Vice        MAXINE WATERS, California, Ranking 
    Chairman                             Member
FRANK D. LUCAS, Oklahoma             SYLVIA R. GARCIA, Texas, Vice 
PETE SESSIONS, Texas                     Ranking Member
ANN WAGNER, Missouri                 NYDIA M. VELAZQUEZ, New York
ANDY BARR, Kentucky                  BRAD SHERMAN, California
ROGER WILLIAMS, Texas                GREGORY W. MEEKS, New York
TOM EMMER, Minnesota                 DAVID SCOTT, Georgia
BARRY LOUDERMILK, Georgia            STEPHEN F. LYNCH, Massachusetts
WARREN DAVIDSON, Ohio                AL GREEN, Texas
JOHN W. ROSE, Tennessee              EMANUEL CLEAVER, Missouri
BRYAN STEIL, Wisconsin               JAMES A. HIMES, Connecticut
WILLIAM R. TIMMONS, IV, South        BILL FOSTER, Illinois
    Carolina                         JOYCE BEATTY, Ohio
MARLIN STUTZMAN, Indiana             JUAN VARGAS, California
RALPH NORMAN, South Carolina         JOSH GOTTHEIMER, New Jersey
DANIEL MEUSER, Pennsylvania          VICENTE GONZALEZ, Texas
YOUNG KIM, California                SEAN CASTEN, Illinois
BYRON DONALDS, Florida               AYANNA PRESSLEY, Massachusetts
ANDREW R. GARBARINO, New York        RASHIDA TLAIB, Michigan
SCOTT FITZGERALD, Wisconsin          RITCHIE TORRES, New York
MIKE FLOOD, Nebraska                 NIKEMA WILLIAMS, Georgia
MICHAEL LAWLER, New York             BRITTANY PETTERSEN, Colorado
MONICA DE LA CRUZ, Texas             CLEO FIELDS, Louisiana
ANDREW OGLES, Tennessee              JANELLE BYNUM, Oregon
ZACHARY NUNN, Iowa                   SAM LICCARDO, California
LISA McCLAIN, Michigan
MARIA SALAZAR, Florida
TROY DOWNING, Montana
MIKE HARIDOPOLOS, Florida
TIM MOORE, North Carolina

                      Ben Johnson, Staff Director

                                 ------                                

                 SUBCOMMITTEE ON FINANCIAL INSTITUTIONS

                     ANDY BARR, Kentucky, Chairman

BARRY LOUDERMILK, Georgia,           BILL FOSTER, Illinois, Ranking 
    Vice Chairman                        Member
BILL HUIZENGA, Michigan              NYDIA M. VELAZQUEZ, New York
ROGER WILLIAMS, Texas                GREGORY W. MEEKS, New York
JOHN W. ROSE, Tennessee              DAVID SCOTT, Georgia
WILLIAM R. TIMMONS IV, South         BRAD SHERMAN, California
    Carolina                         AL GREEN, Texas
RALPH NORMAN, South Carolina         JUAN VARGAS, California
DANIEL MEUSER, Pennsylvania          SEAN CASTEN, Illinois
YOUNG KIM, California                STEPHEN F. LYNCH, Massachusetts
BYRON DONALDS, Florida               JOYCE BEATTY, Ohio
SCOTT FITZGERALD, Wisconsin          CLEO FIELDS, Louisiana
MIKE FLOOD, Nebraska
MONICA DE LA CRUZ, Texas
TIM MOORE, North Carolina
                         
                         C  O  N  T  E  N  T  S

                              ----------                              

                         Thursday, June 5, 2025
                           OPENING STATEMENTS

                                                                   Page
Hon. Andy Barr, Chairman of the Subcommittee on Financial 
  Institutions, a U.S. Representative from Kentucky..............     1
Hon. Bill Foster, Ranking Member of the Subcommittee on Financial 
  Institutions, a U.S. Representative from Illinois..............     3

                               STATEMENTS

Hon. French Hill, Chairman of the Committee on Financial 
  Services, a U.S. Representative from Arkansas..................     4
Hon. Maxine Waters, Ranking Member of the Committee on Financial 
  Services, a U.S. Representative from California................     4

                               WITNESSES

Mr. Scott Talbott, Executive Vice President, Electronic 
  Transactions Association.......................................     5
    Prepared Statement...........................................     8
Mr. Andrew Morris, Director of Innovation and Technology, 
  America's Credit Unions (ACU)..................................    14
    Prepared Statement...........................................    16
Ms. Rebecca Kuehn, Partner, Hudson Cook, LLP.....................    29
    Prepared Statement...........................................    31
Ms. Jennifer Huddleston, Fellow in Technology Policy, CATO 
  Institute......................................................    38
    Prepared Statement...........................................    40
Ms. Zoe Strickland, Senior Fellow, Future Of Privacy Forum.......    46
    Prepared Statement...........................................    48

                                APPENDIX
                 RESPONSES TO QUESTIONS FOR THE RECORD

Written responses to questions for the record from Representative 
  Maxine Waters
    Mr. Scott Talbott............................................    88
    Mr. Andrew Morris............................................    90
    Ms. Rebecca Kuehn............................................    91
    Ms. Zoe Strickland...........................................    92
Written responses to questions for the record from Representative 
  Gregory Meeks
    Ms. Zoe Strickland...........................................    93

                              LEGISLATION

H.R. ----, the Advancing the Mentor Protege Program for Small 
  Financial Institutions Act.....................................    97
H.R. ----, the Systemic Risk Authority Transparency Act..........   102

 
                       FRAMEWORK FOR THE FUTURE:
           REVIEWING DATA PRIVACY IN TODAY'S FINANCIAL SYSTEM

                              ----------                              


                         Thursday, June 5, 2025

             U.S. House of Representatives,
            Subcommittee on Financial Institutions,
                           Committee on Financial Services,
                                                    Washington, DC.

    The subcommittee met, pursuant to notice, at 10:09 a.m., in 
room 2128, Rayburn House Office Building, Hon. Andy Barr 
[chairman of the subcommittee] presiding.
    Present: Representatives Barr, Huizenga, Williams of Texas, 
Loudermilk, Rose, Timmons, Kim, Fitzgerald, Flood, De La Cruz, 
Moore, Foster, Scott, Sherman, Green, Vargas, Casten, Beatty, 
and Fields.
    Also present: Representatives Hill, Davidson, and Waters.
    Chairman Barr. The Subcommittee on Financial Institutions 
will come to order.
    Without objection, the chair is authorized to declare a 
recess of the committee at any time.
    This hearing is titled ``Framework for the Future: 
Reviewing Data Privacy in Today's Financial System.''
    Without objection, all members will have 5 legislative days 
within which to submit extraneous materials to the chair for 
inclusion in the record.
    I now recognize myself for 4 minutes for an opening 
statement.

     OPENING STATEMENT OF HON. ANDY BARR, CHAIRMAN OF THE 
 SUBCOMMITTEE ON FINANCIAL INSTITUTIONS, A U.S. REPRESENTATIVE 
                         FROM KENTUCKY

    Thank you to our witnesses for being here today and lending 
your expertise to this complex and critical conversation.
    Today's hearing focuses on financial data privacy, where we 
will assess how Congress can ensure consumers' data is used 
only as authorized while protecting the innovation that has 
transformed our financial system since the Gramm-Leach-Bliley 
Act, or GLBA, became law more than 25 years ago.
    Since GLBA's passage, technological advances have 
revolutionized how Americans access financial services. We have 
seen the rise of mobile banking apps, peer-to-peer payment 
platforms, and a shift away from cash toward digital 
transactions. These innovations have expanded financial 
products and increased access for millions of Americans in 
rural communities and urban centers.
    Alongside these developments, the volume and sensitivity of 
financial data have surged dramatically. Every transaction and 
interaction creates data points that financial institutions and 
fintech firms analyze to improve services, assess risk, detect 
fraud, and tailor products.
    While these capabilities bring benefits, they also raise 
serious privacy and security concerns.
    A key driver of innovation is open banking, allowing 
consumers to securely share their financial data with third-
party providers through application programming interfaces, or 
APIs. Open banking can empower consumers with more control over 
their financial information, foster competition, and spur the 
development of new tools and services, but it also raises 
questions about data privacy, liability, standard-setting, and 
GLBA's applicability.
    GLBA's broad framework has served us well, setting key 
protections for consumer data, but a quarter of a century is a 
long time in tech. So, we must ask, is GLBA still fit for 
purpose in today's fast-paced, data-driven environment? Does it 
provide the clarity, flexibility, and protection needed in the 
digital age?
    As we consider modernization, we must proceed cautiously. 
Changes that are too restrictive risk choking off access to 
financial options on which consumers rely. Conversely, overly 
lax rules could leave Americans vulnerable to misuse of their 
sensitive data. Striking the right balance is critical.
    We also cannot examine GLBA in isolation. Data privacy laws 
have proliferated at the State level, with 20 States enacting 
comprehensive privacy laws. Some exempt financial institutions 
that comply with GLBA, while others layer on more stringent 
requirements.
    This patchwork creates a complex, costly compliance 
landscape, potentially increasing costs and reducing access. 
This also risks some States setting de facto national 
standards, bypassing Congress and creating uncertainty for 
businesses and consumers alike.
    For these reasons, Congress should consider the benefits of 
a uniform national data privacy standard that offers clear, 
consistent, preemptive rules for financial institutions while 
protecting consumers.
    As our colleagues on the Energy and Commerce Committee work 
on broader privacy legislation, we must also ask whether 
sector-specific laws, like GLBA, warrant carve-outs or tailored 
treatment. GLBA already imposes strong data protection 
requirements, and financial institutions have built compliance 
programs around these rules. Overlapping or conflicting 
standards would only add confusion and cost.
    Finally, we must address calls to expand enforcement 
mechanisms by granting consumers private rights of action, 
which allow individuals to sue firms directly for alleged 
violations. Private rights of action open the door to frivolous 
lawsuits, benefiting large firms that can absorb litigation 
costs and discouraging innovation by increasing legal risks for 
financial services providers. Ultimately, consumers lose out 
through reduced access and choice of innovative products.
    While these are complex issues requiring thoughtful 
consideration, we must balance robust privacy protections with 
innovation, access, and reduced regulatory burden.
    I look forward to hearing from our witnesses today and 
engaging in a productive discussion on the future of data 
privacy in our financial system.
    The chair now recognizes the ranking member of the 
subcommittee, Dr. Foster, for 4 minutes for an opening 
statement.

 OPENING STATEMENT OF HON. BILL FOSTER, RANKING MEMBER OF THE 
 SUBCOMMITTEE ON FINANCIAL INSTITUTIONS, A U.S. REPRESENTATIVE 
                         FROM ILLINOIS

    Mr. Foster. Thank you, Chairman Barr, and to our witnesses 
for their excellent written testimony.
    Today, we will be discussing the framework for data privacy 
in today's financial system. At its core are the Gramm-Leach-
Bliley Act; the Fair Credit Reporting Act (FCRA); and section 
1033 of the Dodd-Frank Wall Street Reform and Consumer 
Protection Act.
    Minor changes have been made to this framework over the 
years. However, there are significant questions about how these 
laws are adapting to an increasingly digital economy, 
innovative financial products, cybersecurity risks, artificial 
intelligence, and the growing role of third-party firms in the 
financial sector.
    I look forward to discussing many of these issues with our 
panel today.
    I was proud to have sat on this committee when we drafted 
the Dodd-Frank Act and was happy to see the most recent update 
to the financial privacy framework come out last October, when, 
after years of bipartisan work under three different 
Presidents, the Consumer Financial Protection Bureau (CFPB) 
finalized the Personal Financial Data Rights Rule to implement 
section 1033 of the act.
    This rule is significant because it gives consumers greater 
rights, privacy, and security over their personal financial 
data. It makes it easier for consumers to switch between 
service providers to find better rates, to make secure 
payments, and to utilize innovative tools to manage their 
finances. This rule gives consumers the right to revoke access 
to their data whenever they choose and promotes the development 
of market-driven data standards.
    The rule was developed through a lengthy process spanning 
multiple Presidential administrations, gathering public 
feedback at several points, starting in 2016. The first Trump 
Administration started the process of implementing the rule, 
with an advance notice of proposed rulemaking in 2020.
    Despite the work of the first Trump Administration and our 
former Chair, Patrick McHenry, supporting the final rule, the 
Trump Administration is now apparently working to repeal the 
rule.
    This morning, I led 12 of my colleagues from the committee 
in sending a letter to acting CFPB Director Russell Vought 
urging him not to rescind this rule but, rather, to address 
outstanding issues through targeted amendments and future 
guidance.
    It has been nearly 15 years since the passage of Dodd-
Frank, and rewriting this rule in its entirety would cause an 
unnecessary delay that will hurt privacy, hurt innovation, and 
hurt competition.
    Finally, while I support this committee's renewed focus on 
data privacy legislation, I am also deeply concerned by other 
actions taken by this administration related to Americans' 
sensitive data.
    The President and Elon Musk sent members of their 
Department of Government Efficiency (DOGE) team to raid 
government agencies of their data across our government, where 
they accessed and gathered sensitive data on millions of 
Americans. This includes data from the Social Security 
Administration, from Treasury, from Health and Human Services, 
and even the Consumer Financial Protection Bureau, which holds 
information on companies that, for example, would directly 
compete with Elon Musk's payment company, X Money.
    These efforts pose great risk to the privacy of all 
Americans, and anyone that truly cares about privacy should be 
calling for immediate accountability and transparency from all 
those involved.
    Thank you, and I yield back.
    Chairman Barr. The gentleman yields back.
    The chair now recognizes the chairman of the full 
committee, Mr. Hill, for 1 minute.

  STATEMENT OF HON. FRENCH HILL, CHAIRMAN OF THE COMMITTEE ON 
    FINANCIAL SERVICES, A U.S. REPRESENTATIVE FROM ARKANSAS

    Chairman Hill. Thank you, Chairman Barr.
    Since 1999, when the Gramm-Leach-Bliley Act was passed, 
most Americans were still watching movies on their VCRs and 
arguing over who was tying up the dial-up internet connection. 
Since then, technology has advanced at an extraordinary pace 
and so have the amount and sensitivity of personal financial 
information being collected and shared.
    Remarkably, GLBA has kept pace with many of these changes, 
but given the magnitude of today's technological complexity and 
the increase of data availability and collection, we must 
ensure Americans' privacy is protected while continuing to 
support the seamless delivery of the financial services that 
they rely on.
    Congress has a major role to play in crafting strong, 
modernized guardrails that keep pace with innovation, preserve 
consumer trust, and future-proof our laws. Over the last 
several Congresses, committee Republicans have worked to craft 
narrowly tailored legislation to modernize our financial 
data. We look forward to working on that in this Congress now 
with the leadership and partnership of the House Energy and 
Commerce Committee.
    I yield back to you, Mr. Barr.
    Chairman Barr. The gentleman yields back.
    The chair now recognizes the ranking member of the full 
committee, Ms. Waters, for 1 minute.

    STATEMENT OF HON. MAXINE WATERS, RANKING MEMBER OF THE 
  COMMITTEE ON FINANCIAL SERVICES, A U.S. REPRESENTATIVE FROM 
                           CALIFORNIA

    Ms. Waters. Thank you very much.
    Today, we are considering the important issue of data 
privacy. However, I find it rich that any Republican here would 
claim to support data privacy, when they have said nothing 
about Trump letting Elon Musk and his DOGE minions steal the 
sensitive data of hundreds of millions of Americans--everything 
from their health records and consumer data to Social Security 
numbers and tax data.
    Trump did not stop there. In addition to shuttering the 
Consumer Financial Protection Bureau, which fights fraudsters 
and helps Americans get remedies from predatory financial 
firms, Trump also wrongly vacated the CFPB's Open Banking Rule 
that promotes data privacy.
    I would like to think there is bipartisan support to 
protect Americans' data, but we must first start by stopping 
the biggest threat: Donald J. Trump.
    I yield back.
    Chairman Barr. The gentlelady yields back.
    Today, we welcome the testimony of Mr. Scott Talbott, 
Executive Vice President of the Electronic Transactions 
Association; Mr. Andrew Morris, Director of Innovation and 
Technology at America's Credit Unions; Ms. Rebecca Kuehn, 
Partner at Hudson Cook; Ms. Jennifer Huddleston, Fellow in 
Technology Policy at the Cato Institute; and Ms. Zoe 
Strickland, senior fellow at the Future of Privacy Forum.
    We thank you for taking the time to be here. You each will 
be recognized for 5 minutes to give an oral presentation of 
your testimony. Without objection, your written statements will 
be made part of the record.
    Mr. Talbott, you are now recognized for 5 minutes.

     STATEMENT OF SCOTT TALBOTT, EXECUTIVE VICE PRESIDENT, 
              ELECTRONIC TRANSACTIONS ASSOCIATION

    Mr. Talbott. Good morning, Chairman Barr, Ranking Member 
Foster, and members of the Financial Institutions Subcommittee. 
I am Scott Talbott. It is my privilege, as the Executive Vice 
President at the Electronic Transactions Association (ETA), to 
speak with you today on the future of privacy and the modern 
payments system.
    ETA is a trade association representing a broad group of 
companies from banks to processors and fintechs who provide 
electronic products and services, including mobile wallets, 
peer-to-peer products, credit, debit, and prepaid cards, as 
well as other forms of digital payments.
    Last year, our industry helped consumers and merchants in 
the United States make over $11 trillion in card and peer-to-
peer (P2P) payments securely, reliably, and quickly. In fact, 
during the 5 minutes I will speak this morning, roughly 1.5 
million transactions will be processed in the United States.
    In each of these transactions, there is a shared 
expectation between consumers and the payments industry that 
personal data will be kept both private and secure. Given ETA's 
members' role in the payments industry, both privacy and 
security are top priorities for our members.
    Entities in the payments industry are covered directly or 
indirectly by the Gramm-Leach-Bliley Act and a handful of State 
privacy laws. The core structure of GLBA imposes both privacy 
and data security requirements on the industry. This is 
accomplished through the Privacy Rule and the Safeguards Rule. 
These requirements in GLBA are tailored to the unique and 
complex nature of the financial services industry.
    For financial services, all transactions involve at least 
two and quite possibly more entities working together to 
execute the customer's request. A prime example is a single 
credit card purchase where at least three or sometimes four 
entities are involved in moving the data as well as the 
payment. GLBA recognizes this reality and allows multiple 
entities to share data to work together seamlessly and quickly 
to serve customers' needs.
    While GLBA is largely working well for the financial 
services industry, a challenge comes with the patchwork of 
nearly two dozen State privacy laws, eight of which went into 
effect this year alone. These State laws have different 
approaches to privacy as well as key definitions that create 
confusion for consumers, small businesses, as well as 
challenges and expense to financial services and other 
businesses working to comply. Sometimes the State laws even 
conflict with each other, and in my written testimony I have 
given examples of this.
    As Congress considers changes to the privacy laws, there 
are a few key things that we urge you to consider.
    First is the need for a uniform national standard. ETA 
member companies serve consumers and businesses, especially 
small businesses, in all 50 States. A single, strong, uniform 
national privacy standard would serve all American consumers 
and businesses by providing common expectations as they conduct 
their everyday transactions.
    Any new Federal privacy law should be technology-neutral 
and sector-neutral. However, given the complexity of financial 
services and its unique needs, the financial services industry 
should continue to be governed by GLBA.
    Next, consumers should have rights within this Federal 
privacy law. Privacy is a two-way street. For consumers, the 
Federal privacy law should include consumer rights such as 
disclosure, access, correction, deletion, and opting out of 
targeted marketing. We also support using appropriate data 
minimization and data usage standards that are reasonably 
suited to execute the underlying transaction.
    These key aspects will ensure that institutions know their 
responsibilities and consumers know what to expect. This 
approach will work to eliminate redundancies, inconsistencies, 
and confusion created by the existing State privacy regimes.
    Any privacy law must retain permissible use of data to 
fight fraud. The payments industry works tirelessly to detect 
and minimize fraud. These efforts to fight fraud benefit 
consumers, merchants, as well as the economy. It is important 
that any privacy law contains permissible use of the data to 
fight fraud. Permissible use exists now in GLBA as well as in 
every State privacy law. Other countries' privacy laws also 
include this important use case.
    The scenario here that we are focused on is that a thief 
commits fraud and then asks for the data to be deleted or 
forgotten. This would create a blind spot, allowing fraudsters 
room to fester. By including a permissible use of data to fight 
fraud in privacy law, the payments industry will continue to 
have a 360-degree view of fraud or potential fraud in the 
payments space.
    Enforcement by Federal regulators. We encourage any privacy 
law to assign enforcement to the appropriate Federal 
regulators.
    Next, a key goal of the payments industry is continuous 
innovation, and we are constantly developing and deploying new 
products and services to make payments safer, faster, and more 
convenient for consumers.
    Two new ideas on the horizon include open banking, or 
consumer-driven banking, and artificial intelligence. Both of 
these are in use in the market today, and both of these utilize 
data-sharing between multiple parties.
    Open banking contemplates consumers directing the sharing 
of data, and artificial intelligence allows for faster and more 
efficient use of the data. Both of these are covered by 
existing Federal laws, including GLBA as well as fair lending. 
In both examples, policymakers should rely on these existing 
laws and look for any gaps and avoid rushing to legislate new 
privacy laws here.
    On behalf of ETA and our member companies, thank you once 
again for the opportunity to participate in this important 
discussion. I look forward to any questions you may have.

    [The prepared statement of Mr. Talbott follows:]
    Chairman Barr. Thank you.
    Mr. Morris, you are now recognized for 5 minutes.

    STATEMENT OF ANDREW MORRIS, DIRECTOR OF INNOVATION AND 
              TECHNOLOGY, AMERICA'S CREDIT UNIONS

    Mr. Morris. Good morning, Chairman Barr, Chairman Hill, 
Ranking Member Foster, and members of the subcommittee. My name 
is Andrew Morris. I am Director of Innovation Technology at 
America's Credit Unions.
    Thank you for the opportunity to testify about how a 
comprehensive Federal privacy law can be harmonized with the 
existing laws and regulations applicable to credit unions and 
other financial institutions.
    First and foremost, America's Credit Unions supports a 
comprehensive Federal data security and privacy framework that 
includes robust security standards that apply to all who 
collect or hold sensitive personal data. It is important that, 
as the law evolves to match it, credit unions have rules of the 
road that allow them to meet the needs of their members in the 
marketplace.
    Depository institutions, including credit unions, have long 
been subject to a framework of laws and regulations designed to 
ensure a high standard of consumer privacy and data security. 
Central to this framework is Title V of the GLBA, which 
acknowledges the need for heightened care when handling 
sensitive consumer financial information and provides well-
established standards for addressing consumer privacy concerns.
    America's Credit Unions believes that the Gramm-Leach-
Bliley Act should remain the model for depository institution 
compliance with any future Federal data privacy and security 
standard.
    Credit unions, like many financial institutions, have long 
prioritized investments in data security to ensure that their 
members' privacy is protected. The GLBA requires financial 
regulators to implement safeguards that are comprehensive and 
designed to ensure the security, confidentiality, integrity, 
and proper disposal of consumer information and other records.
    Under the rules promulgated by the National Credit Union 
Administration, every credit union must develop and maintain an 
information security program to protect consumer data. 
Additionally, the rules require credit unions to ensure that 
third-party service providers that have access to credit union 
data take appropriate steps to protect the security and 
confidentiality of the information.
    As Congress considers potential reforms to data privacy and 
security, there are various aspects we believe should be 
included or addressed.
    First, there should be an entity-level exemption for credit 
unions and similarly regulated financial institutions that are 
subject to the GLBA. An entity-level exemption would recognize 
the rigor of existing financial institution compliance 
activities and allow regulators to tailor supervision based on 
changing privacy or data security risks.
    Second, the oversight of credit unions, banks, and other 
depository institutions should be left to the functional 
financial institution regulators that have experience in this 
field.
    Third, preemption of State laws is necessary. Today's 
patchwork of State privacy laws has invited idiosyncratic 
approaches to data processing activities and technologies. Some 
States, by choosing to recognize only a data-level exemption, 
have placed strains on credit unions by demanding more complex 
procedures for addressing data processing activities. The 
resulting compliance burdens, magnified each time a new State 
law is passed, siphon resources away from service to consumers 
and the core lending activities of credit unions.
    Fourth, there should be limits on data deletion 
requirements. Prohibitions on collecting certain types of data 
without consumer opt-in or a broad right of deletion can 
frustrate efforts to comply with recordkeeping rules or to 
detect and prevent fraud.
    Fifth, an opt-out regime should be maintained. The GLBA and 
Regulation P generally operate to limit sharing of sensitive 
consumer information through an opt-out process, something we 
believe should continue and be the standard for financial 
institutions in any future data privacy regime.
    Sixth, as outlined in my written testimony, a comprehensive 
Federal data privacy framework should provide for principles-
based requirements and offer a safe harbor for businesses that 
take the appropriate steps to comply with the law.
    Seventh, any private right of action should be limited. We 
have serious concerns with any broad private right of action 
due to the risk of frivolous lawsuits being filed against 
credit unions, which are already held accountable for 
violations by their regulator, the National Credit Union 
Administration (NCUA), as well as the Consumer Financial 
Protection Bureau (CFPB).
    In conclusion, stringent information security and privacy 
practices have long been a part of the financial sector's 
business practices and are necessary, as financial institutions 
are entrusted with consumers' nonpublic personal information. 
We look forward to working with you to achieve a well-balanced 
Federal data privacy framework.
    Thank you for holding this important hearing and the 
opportunity to appear before you today. I welcome any questions 
you may have.

    [The prepared statement of Mr. Morris follows:]
    Chairman Barr. Thank you, Mr. Morris.
    Ms. Kuehn, you are now recognized for 5 minutes.

     STATEMENT OF REBECCA KUEHN, PARTNER, HUDSON COOK, LLP

    Ms. Kuehn. Good morning. Chairman Barr, Chairman Hill, 
Ranking Member Foster, and members of the subcommittee, thank 
you for the opportunity to testify today.
    I am Rebecca Kuehn. I am a Partner at Hudson Cook, where I 
lead our credit reporting, data privacy, and data security 
practice. I formerly served as an Assistant Director at the 
Federal Trade Commission, where I led efforts related to 
financial privacy and data security.
    Today, I am appearing in my own capacity and not on behalf 
of my firm or any client.
    We are here today to consider the framework governing 
financial data privacy.
    The United States has a longstanding tradition of financial 
privacy protection that balances consumer rights, market 
innovation, and regulatory oversight. This balance is important 
to consumers and the financial system.
    The cornerstone of the financial privacy regulation is the 
Gramm-Leach-Bliley Act, or the GLBA. It requires financial 
institutions to provide consumers with clear privacy notices 
explaining what personal information is collected and how it is 
shared, to offer consumers the right to opt out of certain 
types of data-sharing with nonaffiliated third parties, and to 
implement safeguards to protect the confidentiality and 
security of consumer financial information.
    The GLBA defines ``nonpublic personal information'' 
broadly, and it applies to a wide range of entities engaged in 
financial activities, from banks to auto dealers, ensuring 
consistent privacy standards across the financial services 
landscape.
    Through what are known as the 502(e) exceptions, the GLBA 
also recognizes that certain forms of data-sharing are critical 
to enabling core financial functions such as fraud prevention 
and public safety. These include disclosures necessary to 
process transactions, disclosures made with the consumers' 
consent, and disclosures meant to prevent fraud or unauthorized 
transactions. These types of sharing do not require an opt-out 
because GLBA draws a clear line between essential, operational, 
and service needs and marketing and other nonessential sharing, 
where an opt-out is required.
    As of 2015, financial institutions that share data only 
within these carefully crafted exceptions are no longer 
required to provide duplicative annual notices to consumers as 
long as they have not changed their privacy practices. This 
change in GLBA reduces regulatory burden and has incentivized 
companies to limit their sharing to only those essential 
purposes. This benefits both consumers and the industry.
    I recognize there is a larger discussion about data on 
consumers and privacy. However, recent proposals, such as the 
CFPB's data broker rule, risk undermining this careful balance. 
The CFPB's rule proposed to reclassify certain identity and 
address information governed by the GLBA as information under 
the Fair Credit Reporting Act (FCRA) and would have limited the 
ability of companies to use GLBA information for a number of 
core purposes, such as fraud prevention.
    The proposal came out of a concern about misuse of consumer 
data, but the proposal conflated the responsible, regulated use 
of financial data by institutions that serve essential 
functions with very different and concerning practices of bad 
actors, such as entities who sell sensitive geolocation data on 
military personnel.
    This conflation is problematic. It overlooks the fact that 
GLBA-covered entities are already subject to comprehensive 
privacy and security obligations and that the types of sharing 
permitted under the GLBA are vital for protecting consumers 
against fraud and ensuring public safety.
    As this subcommittee continues to examine financial 
privacy, I urge a careful, fact-based approach, one that 
recognizes the distinction between the well-regulated financial 
data use and the more opaque or harmful practices of 
unregulated bad actors.
    Oversight and modernization are appropriate, but they 
should not come at the cost of undermining core consumer 
protections or essential financial system functions.
    I thank you for your attention, and I look forward to your 
questions.

    [The prepared statement of Ms. Kuehn follows:]
    
    Chairman Barr. Thank you.
    Ms. Huddleston, you are now recognized for 5 minutes.

STATEMENT OF JENNIFER HUDDLESTON, FELLOW IN TECHNOLOGY POLICY, 
                         CATO INSTITUTE

    Ms. Huddleston. Thank you.
    Chair Barr, Ranking Member Foster, and distinguished 
members of the House Committee on Financial Services 
Subcommittee on Financial Institutions, my name is Jennifer 
Huddleston, and I am a senior fellow in Technology Policy at 
the Cato Institute.
    My research focuses on the intersection of law and 
technology, including its use related to data privacy. 
Therefore, I welcome the opportunity to testify regarding data 
privacy in today's financial system.
    In this testimony, I will focus on three key points.
    First, data privacy in sensitive areas, such as financial 
services, is already regulated by existing law.
    Second, as State laws or a potential Federal data privacy law 
continue to emerge, careful attention should be paid to the 
way they may interact with or conflict with these existing laws 
and what a patchwork might mean regarding the burden 
particularly on small players. This is additionally true if 
enforcement mechanisms, such as private rights of action for 
statutory damages, could significantly raise the risk of costly 
litigation.
    Finally, I wish to discuss how any conversations around 
data privacy should consider the impact on innovation, consumer 
choice, and smaller players, as well as how such laws could 
interact with or hinder the deployment of potentially better 
solutions when it comes to data privacy and data security.
    So, to begin with, some have criticized the United States 
as a sort of Wild West when it comes to data privacy. Instead, 
the United States' approach has been better understood as 
responding with regulation for particularly vulnerable or 
sensitive data where consumers may be more likely to face harms 
should it be abused or insecure, such as the financial services 
sector.
    In this regard, the financial services sector already has 
consumer-focused data privacy laws, including the Gramm-Leach-
Bliley Act that regulates the personal data of consumers held 
by financial services firms and the Fair Credit Reporting Act 
that regulates consumer credit data from credit reporting 
agencies.
    To my second point, the potential interactions between 
comprehensive data privacy laws at both the State and Federal 
level and the financial services sector, it is important to 
understand how general consumer privacy laws could impact this 
already-regulated data. Additional data privacy laws could 
further add to the regulatory burden or conflict with existing 
laws.
    As the chair mentioned in his opening statement, an 
emerging patchwork of State laws that are both sector-specific 
and general in their application could make this more difficult 
to navigate, with at least 19 States having passed 
comprehensive consumer privacy laws and more debating similar 
legislation each year.
    While many of these State consumer privacy laws have a 
carve-out for existing regulated data under laws like the FCRA 
and the GLBA, this does not mean they do not impact or create 
potential conflicts for the financial services sector or 
financial data. This can include conversations around different 
definitions of ``particularly sensitive data,'' including 
financial information or personally identifiable information, 
and the timelines and steps that entities must take to respond 
to consumer requests or potential issues. These conflicts can 
be particularly felt by smaller and more innovative entities 
who have to navigate various definitions.
    Additionally, such laws provide an example of the impact 
that different enforcement mechanisms, including private rights 
of actions with statutory damages, could have in deterring 
innovation and particularly in already-regulated or risk-averse 
sectors.
    While not related to financial data, for example, the 
Illinois Biometric Information Privacy Act has such a 
mechanism, and it is illustrative of the problems such 
enforcement can create even in data considered particularly 
sensitive. Because of statutory damages and private right of 
action, this law has resulted in significant claims against 
companies ranging from popular social media apps like Meta to 
Six Flags amusement park, but more for violation than for any 
actual harm occurring to consumers.
    Finally, I would like to spend my last minute discussing 
how privacy law and innovation can potentially conflict.
    While recognizing the specific risks of economic harm and 
sensitivity of financial data is logical, law is static and 
innovation is dynamic. This yields the potential need for 
review of regulation to allow improvements in data privacy 
security and innovation, as various technologies might provide 
alternatives that are more protective of privacy and provide 
better services to consumers who opt in but might not meet the 
existing definitions.
    There are three ways existing data privacy regulation might 
deter innovation that I would like to highlight.
    First, many laws are developed for earlier technologies. 
This may make it more difficult to use more secure technologies 
like blockchain that could actually create greater privacy and 
security for consumers.
    Second, enforcement mechanisms around private right of 
action or the need for government approval could deter 
companies of all sizes, but particularly smaller companies, 
from trying to find innovative ways to protect data.
    Finally, artificial intelligence may require us to rethink 
our existing frameworks around data usage, retention, and 
minimization, including in regulated industries like the 
financial services sector.
    I thank you for your time, and I welcome your questions.

    [The prepared statement of Ms. Huddleston follows:]
    
    Chairman Barr. Thank you, Ms. Huddleston.
    Ms. Strickland, you are now recognized for 5 minutes.

 STATEMENT OF ZOE STRICKLAND, SENIOR FELLOW, FUTURE OF PRIVACY 
                             FORUM

    Ms. Strickland. Thank you. I am grateful for the 
opportunity on this important topic, financial privacy.
    I am a senior fellow at the Future of Privacy Forum, which 
is a leading privacy think tank which supports developing 
privacy technology and business practices, and I lead their 
Open Banking program.
    I have spent over 30 years working in privacy--this is at 
Fortune 20's and a leading agency--across sectors and across 
technologies. I also led the Business Roundtable financial 
subgroup in its efforts to reimagine privacy for the financial 
sector.
    I want to touch briefly on general privacy.
    There are a lot of benefits to having an omnibus privacy 
approach in law. It could be a consistent standard for all 
consumers. Imagine if we could give consumers a clear set of 
their rights. It would boost awareness in the consumer 
ecosystem and their sense of control over their data. It would 
also make our approach more consistent with international 
approaches where they do have omnibus laws, and it would 
support data transfers from multinationals.
    There are three challenges when we think about omnibus 
privacy laws.
    The first one, of course, is the substance, right? Privacy 
is principle-based, and so sometimes it is difficult to define 
it and be thorough about what those rights are, especially as 
they evolve over time. I have been very pleased with recent 
bills that have really done a very thorough job in thinking 
about modern privacy principles.
    The second challenge is around enforcement. I would suggest 
to policymakers to be careful of approaches that amount to 
strict liability or per-violation penalties. If you think about 
$1,000 times a million, you get to a billion pretty fast. On 
the other hand, be careful to think about tying enforcement to 
concrete harms. In privacy, there often are not out-of-pocket 
damages but the violations are real. So, the focus should 
instead be on the seriousness of the violation and with the 
efforts the company made to prevent and mitigate the violation.
    The third challenge is around existing laws. What do you do 
with the plethora of State laws that exist and Federal laws 
that exist in terms of carve-outs or integration? I do think, 
as policymakers think about what are good privacy standards, 
that can create some gravity that can enable these other 
existing laws to fold in and to develop that consistent 
standard.
    I did want to talk about a pressing issue, which is around 
open banking and the CFPB final rule. I do believe it is and 
can be a bipartisan approach and issue.
    First of all, open banking does represent enormous consumer 
value. They really do have the right to have their data and 
control their data. Enormous examples of positive use cases 
allow better financial planning, to transfer and hold their 
money as they see fit. Just imagine if we could have a focus on 
Americans having financial health early in their life and the 
benefits to them and to society, and I think that feeling of 
control over their data and their finances will also lend 
itself in other areas of their life as well.
    There is a challenge if open banking means only the 
consumer has access to their records. Otherwise, they are going 
to have to collect it and transfer it to desired third parties, 
and they will have to endlessly update it. I think that would 
frustrate consumers. It also, unfortunately, would not enable 
rules for data recipients when they obtain that data, and they 
will have enormous power over the consumers.
    There are many good things about the open banking 
principles. One is eliminating screen-scraping, where consumers 
give their credentials to a third party. It is a terrible 
privacy and security practice. The rule incorporated industry 
standards sensibly. In a way, I think it made it leading in the 
world and it also enabled privacy and security rules for all 
parties, even though they are differently regulated.
    I do think in the final rule there were some misses. Some 
of them impacted data providers; some of them impacted third 
parties. They are detailed in my written testimony.
    I do think that those issues can be examined and addressed, 
and then open banking can look forward, because it needs--and 
as mentioned in a lot of the consumer and industry feedback 
that was provided in that rulemaking process--needs to cover 
more products, things like loans, investments, payroll, 
electronic benefits transfer (EBT), to really give that sense 
of control and that full picture to consumers.
    We are very happy to assist in this important effort, and I 
look forward to taking your questions.

    [The prepared statement of Ms. Strickland follows:]
    
    Chairman Barr. Thank you.
    We will now turn to member questions. The chair now 
recognizes himself for 5 minutes.
    Mr. Talbott, my first question will be directed to you.
    The section 1033 rulemaking that Ms. Strickland was just 
referencing was a product of the Dodd-Frank Act. In the 15 
years since the passage of Dodd-Frank and the rulemaking, the 
landscape of the financial system has changed massively, as we 
have all been discussing.
    The rulemaking is currently being debated in the courts. 
However, there needs to be some certainty and stability so 
institutions can flourish in the technological ecosystem.
    Mr. Talbott, should data privacy legislation potentially 
modify or replace certain provisions of section 1033 of Dodd-
Frank to codify the beneficial aspects of the rule while moving 
away from outdated and unclear aspects of the Dodd-Frank policy 
as currently written?
    Mr. Talbott. Sure. Thank you, Mr. Chairman. I appreciate 
the question.
    I think, in general, the open banking or consumer-directed 
banking is already existing in the marketplace today, and it is 
done through a series of bespoke contracts between the bank, 
data aggregators, and fintechs. All of these entities should be 
subject to GLBA or through these contracts. If they are not, 
then possession of the data should trigger coverage of the 
privacy law. If any entity has a consumer's data and they are 
not covered, they should be covered as a basic principle.
    A couple of issues we had with the open banking or 
consumer-driven banking proposal, the final reg that is subject 
to the courts is: One, it did not address liability for fraud 
or for a breach. If one entity is subject to a breach and 
consumers suffer a loss, that is an area that needs to be 
addressed either through privacy law or through a future 
rulemaking, that was one of the misses, I think, that Zoe 
referenced earlier, and we agree, that there has to be 
something around dealing with liability for fraud that was not 
addressed in that.
    Additionally, the law prohibited the collection or 
assessment of fees by the financial institution for the work 
that they are doing, and that is another area that needs to be 
addressed.
    In general, Mr. Chairman, the answer to your question is 
that existing privacy laws should cover all the participants in 
the open banking system.
    Chairman Barr. Should our privacy legislation that we are 
considering, should it modify 1033?
    Mr. Talbott. I think that, in general, it should consider 
it, but I do not think there are any gaps, necessarily, in the 
law other than an entity not being subject to GLBA.
    Chairman Barr. Okay.
    Private rights of actions create more problems than they 
solve. They incentivize trial lawyers to file frivolous class-
action lawsuits and lead firms to avoid business opportunities 
that would benefit consumers due to fear of costly litigation.
    Ms. Kuehn, based on your experience with the GLBA and 
similar privacy laws, do you believe adding a private right of 
action to GLBA would meaningfully enhance consumer data 
protection or would it more likely impose litigation risks that 
hinder innovation and reduce consumer access to financial 
products?
    Ms. Kuehn. Thank you for the question.
    What we have not seen, and where I think this concern about 
do we need to add a private right of action, is whether or not 
there are gaps or problems happening in financial services 
data. There do not seem to be.
    If you look at the history of enforcement--and there have 
been a couple of agencies with enforcement authority over 
Gramm-Leach-Bliley during its existence--there have not been 
many cases involving privacy of consumers, the use of data.
    That tells us that, even though these entities are examined 
by prudential regulators, looked at by different enforcement 
entities--and we saw a very aggressive enforcement regime from 
the last 4 years from the CFPB, yet, what we do not see are 
cases brought under GLBA.
    I think we have the tools that we need if there are 
problems that exist, and I do not know that additional tools 
are needed.
    Chairman Barr. If we have a nationwide, uniform data 
privacy standard, the regulatory agencies, the financial 
regulators could handle enforcement----
    Ms. Kuehn. I believe so.
    Chairman Barr [continuing]. without a private right of 
action?
    Ms. Kuehn. Yes, sir.
    Chairman Barr. Thank you.
    Thanks to advancements in technology over the past few 
decades, financial institutions and firms can partner with more 
technology-oriented companies in order to compete and serve 
additional customers with the products and services that work 
better for them, but State privacy laws have created a 
patchwork that can complicate these partnerships.
    Ms. Huddleston, how has this patchwork harmed market 
efficiency and consumers and would Federal preemption for GLBA-
compliant financial institutions help preserve these innovative 
partnerships?
    Ms. Huddleston. Thank you for your question, Mr. Chair.
    When we see this emerging State patchwork, it is 
particularly burdensome on new ways of using data that might 
not fit existing models, whether that is firms that would not 
traditionally be considered financial institutions but may be 
using financial data in some way to help inform consumers or 
whether these are just small financial institutions trying to 
get off the ground.
    A patchwork means that they are now going to have to seek 
to comply in 19 different States. Even if those 19 or 20 
different States have the same law on the books, there will be 
different interpretations of many terms, meaning that these 
firms have to invest significantly in regulatory compliance 
rather than focusing on providing their consumers with the best 
possible product.
    Chairman Barr. Thank you for that testimony.
    My time has expired.
    The gentleman from Illinois, Dr. Foster, is now recognized 
for 5 minutes.
    Mr. Foster. Thank you, Chairman Barr.
    Quickly, Mr. Talbott, when you mentioned that banks and 
fintechs already have a limited data-sharing capability between 
them, it seems to me that the small banks are kind of left out 
of this. They cannot have the ability to stand up to an 
application programming interface (API) team that will go and 
do all this data-sharing.
    Are there any solutions on the horizon for that or is this 
going to be one of the things where we are going to have to try 
to level the playing field to make sure that small banks and 
credit unions are not left out?
    Mr. Talbott. Yes, so banks and credit unions--I will let 
Andrew speak for himself--but we work together as an industry. 
We do not want any weak links; so, any data, like an API, for 
example, through an industry consortium, is shared with all 
entities to allow for----
    Mr. Foster. Yes. There is a problem that I think remains 
unsolved, that the smaller institutions simply do not have the 
capacity to plug into this very complex ecosystem.
    Ms. Strickland, thank you, first of all, for your very 
thoughtful testimony and your focus on the important work that 
CFPB has done on data privacy.
    As I said in my opening remarks, I am really very 
uncomfortable with the idea of this administration rescinding 
completely the rule to implement section 1033 of Dodd-Frank. 
Not only has it been 15 years since the passage of Dodd-Frank 
that required the rulemaking, but I am also not confident that 
the CFPB, frankly, currently has the staff necessary to do a 
full rewrite of the rule.
    One thing I think is important to recognize, that this is 
not a rule that came out of nowhere. There was extensive work 
on the final rule spanning multiple Presidential 
administrations that solicited public input on various aspects 
of the rule, as well as a notice of proposed rulemaking that 
was initiated during the first Trump Administration.
    Can you speak briefly about the extensive work that went 
into this rule and the huge amount of bipartisan effort by your 
organization and the financial services industry as a whole to 
prepare for open banking and the impact of this 
administration's potential rescinding of this rule?
    Ms. Strickland. Thank you, and I very much welcome that 
question.
    I included in the written testimony a very detailed 
description of the extensive process with the relevant links to 
all the materials. It was a very long and extensive and 
thorough process and had engagement across all industry sectors 
and consumer groups.
    If you read the comment letters, which I did--and there are 
a lot of them. Not only were there a lot, but they were very 
long and thorough and really delved through all the different 
aspects of the rule, and largely supportive, that this is a 
positive to the ecosystem. Yes, it has existed for a while, but 
there were some areas that benefited from some consistency of 
the regulatory framework.
    You see that in the comment letters. In fact, some of them 
suggested, again, covering more products. We really need to do 
that, in terms of giving that full view to consumers, and doing 
it more quickly since it exists now and it is a consumer 
benefit.
    I do think, as mentioned, in the final rule there were a 
few misses that I think could be addressed. I think Scott hit 
on a couple of them accurately. I do think that it will be a 
good place to look in terms of what happens next, either 
through Congress or the CFPB, to address those issues and then 
look forward to where we are trying to take open banking in 
America.
    I did want to comment on your remarks about the smaller 
players. I do think there is a question whether they stay under 
a regime that is run by screen-scraping, which is, again, not a 
good practice but also is not better for them, too, in terms of 
their understanding of their consumers and their interests.
    So, there are efforts to make that API more widely 
available and to have core providers who can help lift up the 
smaller players so that they can benefit from this developing 
ecosystem too and that needs to be paid attention to as well.
    I do think the staggering helped, because it allows some of 
this infrastructure to grow and that they can then get on-ramps 
onto it. I do think it benefits the whole community that the 
smaller institutions are ramped on at the right time.
    Mr. Foster. Yes. Thank you. As someone who has done his 
fair share of programming of screen-scraping as well as APIs, I 
share your enthusiasm for getting rid of screen-scraping. It is 
unstable, it is dangerous to privacy, and it is just a pain in 
the ass.
    Ms. Strickland. Horrifying.
    Mr. Foster. Right.
    The future is probably neither APIs nor the past of screen-
scraping but agentic interactions, where the consumer 
interaction is not going to be directly with the consumer but 
with an agent.
    One of the interesting arguments the Trump Administration 
CFPB made in the brief that they filed with the court last 
Friday was that section--they claimed section 1033 of Dodd-
Frank requires that the rule only allows consumers themselves 
to request access to their data, which ignores the language in 
the Dodd-Frank Act that, quote, an agent, trustee, or 
representative acting on behalf of the individual, which is 
obviously meant to include third parties and agents authorized 
by the individual.
    If you could just comment on that for the record, I would 
appreciate it. That is a big problem.
    [The information referred to was not submitted prior to 
printing.]
    Chairman Barr. Thank you.
    The gentleman's time has expired.
    The gentleman from Michigan, Mr. Huizenga, is now 
recognized.
    Mr. Huizenga. Thank you, Mr. Chairman, and I would like to 
say thanks to the Ranking Member.
    For the kids watching out there, that is a technical DC 
term for difficulties in transactions, what he was expressing, 
where exactly those pains might occur, earlier.
    Apparently, that was funnier in my head than it was when he 
said it.
    Mr. Talbott, good to see you again. I think you got it. You 
were nodding with me.
    Yesterday, we heard from multiple witnesses about the 
importance of consumer protections when it comes to owning 
digital assets and when it comes to data privacy. Frankly, I do 
not see much difference. Gaining access to a consumer's data is 
just as lucrative as gaining access to their bank account. In 
your testimony, you noted, ``Consumers rightly expect strong 
privacy protections and data security for their personal 
information and their money.''
    Of course, providing protections does come with some costs. 
How can Congress strike the balance between consumer protection 
and excessive compliance--there is compliance, but then there 
is also excessive compliance--so that small providers--and I 
think Ms. Huddleston was talking about that a bit or at least 
alluding to that--that the small providers are not 
disproportionately affected compared to the larger providers?
    Mr. Talbott. Sure. I thank you for the question. I 
appreciate it.
    I think first is, areas where we could focus are tightening 
up the definitions so that all parties know exactly what data 
is protected. For example, in Gramm-Leach-Bliley, they use the 
phrase ``consumer'' and ``customer,'' and they make a 
distinction between the two, and that may no longer hold or be 
as clear to all parties, including smaller players. So, 
tightening up the definitions can help so we all know what we 
are talking about.
    Secondly, you can look at the rights that are provided 
under the law--right now, the rights include access, 
correction, deletion, and those--and make sure that those can 
be applicable for all entities so that consumers get the same 
rights and benefits regardless of which institution they choose 
to use; and so, narrowly focusing on those rights and how they 
are applicable in the real world could help address the issue 
for all players, not just small players.
    Mr. Huizenga. You touched on definitions, tightening up 
definitions. I want to ask, does the GLBA's definition of 
``financial institution'' adequately reflect the range of 
entities handling consumer financial data today?
    Ms. Huddleston, you seem to have that--Mr. Morris? 
Somebody?
    Ms. Kuehn. I am happy to address that.
    Mr. Huizenga. Grab it. Yes. All right.
    Ms. Kuehn. The definition of ``financial institutions'' is 
keyed off to all the variety of activities that financial 
companies can engage in and that is subject to expansion if, 
over time, the agencies decide, ``Hey, there are some 
additional things we need to address.'' So, it is a flexible 
definition.
    It is also pretty broad. I mean, if you think about the 
definition of ``financial institution''----
    Mr. Huizenga. So, broad and flexible could be too broad and 
flexible or interpretation of it has then locked out some 
areas?
    Ms. Kuehn. It is not locked out, because it is made in 
reference to the Federal Reserve's definition of what types of 
financial activities banks engage in. So, it lists everything 
from credit reporting to making loans to doing financial 
transactions.
    Mr. Huizenga. Okay.
    How about Mr. Morris? Does it apply to credit unions?
    Mr. Morris. Yes, the financial activities would definitely 
encapsulate what credit unions are doing. So, we would clearly 
be----
    Mr. Huizenga. Do you feel like you are adequately covered 
by this?
    Mr. Morris. Yes.
    Mr. Huizenga. Okay. Great. I see Mr. Talbott nodding.
    Mr. Talbott. I would agree.
    Mr. Huizenga. Okay.
    What consumer rights have States incorporated in data 
privacy laws that Congress should codify at the Federal level? 
In other words, are there some best practices that we are 
seeing out in the States?
    Mr. Talbott?
    Mr. Talbott. Yes. I think a couple of--GLBA covers a lot of 
those rights, but they do not necessarily have so much the 
right to access a lot of the information or some of the 
information. So, that could be important to update GLBA with.
    Mr. Huizenga. So--but are there any States specifically 
doing that? I mean, as we are seeing, obviously, privacy 
frameworks need to evolve.
    Mr. Talbott. Right.
    Mr. Huizenga. Is there somebody that is actually doing a 
good job that we ought to be looking at?
    Anybody else?
    Mr. Talbott. I would--Virginia has done a good job. Texas. 
Both States' privacy laws capture those.
    Mr. Huizenga. Okay.
    Anybody else care to weigh in on that?
    Ms. Huddleston. I would just note that I think it is 
important to consider what enforcement mechanisms, and what 
timelines are involved in some of these things.
    When we look at, for example, a right to access, are there 
appropriate incentives, particularly for sensitive financial 
information, to ensure that it is the correct consumer that is 
getting that information, that we are not seeing something 
where there is such a short timeline for response that the 
wrong information is handed over to the wrong consumer.
    One can look at, for example, General Data Protection 
Regulation (GDPR) to see how there have been some incidents 
where recordings or other information, not financial, have been 
handed over that way.
    Mr. Huizenga. Great.
    I yield back.
    Chairman Barr. The gentleman's time has expired.
    The gentleman from Georgia, Mr. Scott, is recognized.
    Mr. Scott. Thank you, Chairman Barr.
    I really agree with you, Chairman, that our Nation is at a 
crossroads when it comes to financial privacy. Right now, our 
constituents' banking information, their credit history, their 
transaction records, and even how they pay their rent is up for 
grabs, for exploitation, wrongdoing, and even stealing. Without 
firm protections, that data can be collected, brokered, and 
misused, often without the consumer ever knowing.
    That is precisely why the CFPB section 1033 rulemaking is a 
step in the right direction. The CFPB 1033 rule has set up a 
framework that empowers Americans to take more control of their 
own financial data safely, securely, and on their own terms. It 
prohibits data brokers from monetizing data without consent, 
fintech applications to be transparent and non-manipulative, 
and financial institutions to provide data access in a secure, 
machine-readable format.
    Here is the problem: These protections, this progress on 
behalf of our consumers are now under a great threat, for we 
are watching a dangerous rollback taking shape at the CFPB 
under the Trump Presidency.
    President Trump is appointing people who have spent their 
whole careers defending data brokers, avoiding regulatory 
compliance, weakening the CFPB's enforcement capacity, and 
threatening CFPB's funding and undercutting the CFPB's 
rulemaking.
    Now, Ms. Strickland, the Trump CFPB has argued that rule 
imposes a burden on data aggregators and fintech companies. Let 
me ask you, is it not the CFPB's job to protect the consumers 
and not the business models of companies that profit from 
opaque or predatory data practices?
    Ms. Strickland. Thank you for your question.
    Yes, I think one thing that was valuable about the 1033 
rule is that it did place obligations on the companies 
receiving data and, in fact, imposed sort of modern principles 
around what those privacy rules should be.
    To the prior question asked about what are some of those 
activities that policymakers should look at? There is a 
developing area called individual rights, which Jennifer 
alluded to, which is, do I have the right to access, delete, 
and transport my data? How do I understand the data that 
belongs to me is about me, and do I have rights with regard to 
that?
    Also, another very useful feature we see in some developing 
bills is around privacy impact assessments and risk-based 
assessments, which are extremely familiar to the financial 
sector, to a lot of risk analysis. So, those sorts of precepts 
really lend themselves to how we think about privacy.
    I do think that is a value in open banking, which is, the 
data recipients are going to have a lot of information now 
about these consumers and perhaps even will move money on their 
behalf. So, it is very important that they actually have rules 
that apply to them as well and if you do not have open banking 
rules, you do not have that ability to really put those 
controls in place.
    Mr. Scott. Now, many of my friends on the Republican side 
have talked about rescinding the rule. Tell me, will not 
rescinding the rule make it easier for bad actors to exploit 
our consumers?
    Ms. Strickland. I do think that the proposed rule really 
did address some issues between data-sharing amongst the 
parties. There were some good features for data providers, 
definitely some good controls over data recipients that really 
should be included in any future rulemaking activity around 
this. I think they were very important points.
    Mr. Scott. Thank you, Ms. Strickland.
    Chairman Barr. The gentleman yields back.
    The gentleman from Texas, Mr. Williams, is now recognized.
    Mr. Williams of Texas. Thank you, Mr. Chair. Thank you all 
for being here today.
    Community banks have earned the trust of their customers by 
safeguarding their sensitive financial data because they have 
longstanding relationships with their customers and handle 
personal information with diligence and care.
    Now, we need to ensure that any updates to data privacy 
maintain flexibility for smaller banks. These smaller 
institutions struggle with mandates that force them to divert 
resources from lending in their communities and into legal 
compliance.
    Ms. Huddleston, could you elaborate on ways to modernize 
the GLBA that preserves flexibility for smaller banks?
    Ms. Huddleston. I think it is important that we look at 
this on a Federal level as opposed to the State-by-State 
patchwork that is often emerging.
    Additionally, we need to consider not only the way data may 
be being used these days by smaller entities but also the ways 
it may be used in the future. We already see tools like 
artificial intelligence (AI) being deployed in the fraud alert 
system and things like that. We certainly would not want to see 
regulation or changes that may make it more difficult to deploy 
these tools in the future.
    I think when we are talking about concerns about private 
right of action that is particularly relevant to smaller 
players, smaller players who could find, even if they win a 
lawsuit, that it is still potentially business-crippling or 
even business-ending and so are less able to absorb the cost of 
that litigation than a larger player, even though larger 
players also have significant financial regulatory compliance 
burdens.
    Mr. Williams of Texas. Thank you for that.
    One of the most promising developments in financial 
services over the past decade has been the growing 
collaboration between banks and fintech companies. These 
partnerships allow smaller institutions to offer cutting-edge 
digital tools for underserved customers and compete with the 
largest national banks.
    Now, much of this innovation relies on responsible data-
sharing arrangements where consumers can securely grant access 
to their financial information and improve their banking 
services.
    Mr. Talbott, how do data-sharing arrangements between banks 
and fintechs improve competition in the marketplace? How can we 
protect that collaboration while still maintaining strong 
privacy protections?
    Mr. Talbott. Sure. Thank you for your question.
    I would just note that Texas has a number of provisions in 
its privacy law which are examples for the rest of the country. 
They have carve-outs for small businesses as well as rights of 
cure, which are good examples.
    In terms of data-sharing between banks and fintechs, most 
of this interaction, if not all, is already covered by Gramm-
Leach-Bliley, both the privacy as well as the security 
provisions. If it is not, it is covered by a private contract, 
bespoke contract, between the two entities.
    So there is sufficient coverage there both for privacy as 
well as data security. We feel those existing laws and existing 
contracts will help keep the data safe and secure.
    Mr. Williams of Texas. The people I represent in Texas, 
like many rural communities across the country, a lot of local 
lenders and community financial institutions with access to 
credit, mortgages, and basic financial services, and as we 
consider new data privacy rules, we have to be careful not to 
cut off these vital lifelines. If regulations are too complex or 
restrictive, small banks and credit unions may scale back 
services or exit certain markets entirely.
    Mr. Morris, this question is to you. How can we make sure 
that the privacy regulations do not unintentionally limit 
consumer access to financial products, and particularly for 
those in rural areas like I represent in Texas?
    Mr. Morris. Thank you for the question. I think one area 
where a Federal privacy framework could focus to preserve that 
access is by preserving the current opt-out framework that is 
present in the Gramm-Leach-Bliley Act that facilitates a lot of 
joint marketing activities, which allows community financial 
institutions, small credit unions, small community banks to 
partner with fintechs and others to promote the availability of 
their services in banking deserts and other places where there 
may be limited access to affordable products.
    Having an opt-out framework for sharing information is an 
intelligent way that the GLBA has balanced those concerns. 
Whereas the more onerous opt-in framework could curtail that 
and limit access to services in those communities.
    Mr. Williams of Texas. Thank you, Mr. Chair, and I yield my 
time back.
    Chairman Barr. The gentleman yields.
    The gentleman from California, Mr. Sherman, is now 
recognized.
    Mr. Sherman. When I saw the title of this hearing, I 
thought I would spend my full 5 minutes talking about Elon 
Musk, looking at all the Social Security data of millions and 
millions of Americans, but I think I am going to focus on 
things within the jurisdiction of our committee.
    The CFPB plays a critical role with data privacy. The 
decision of the Trump Administration to destroy, dismantle, 
abolish the CFPB means that not only will Americans not be 
protected from rip-offs, not only will they not get the 
information they need to make intelligent decisions and 
financial matters, but we will talk grandly about their 
privacy, but there will not be an agency there to ensure that 
their private data is kept private.
    One of the issues that arises is one we have seen for a 
long time, and that is what happens if there is hacking. We 
have seen this issue with regard to giant retailers having 
information, getting hacked, and then turning to the banks and 
saying, ``You have to pay all the costs of dealing with 
consumers on this issue.'' It has been well-established in tort 
law theory for well over 100 years that the liability of the 
cost of an accident should be put on the party who could have 
invested to prevent that accident.
    Whenever a fintech company is the entity that gets hacked, 
they are the ones that should bear the cost of the consumer 
repair. The 1033 rule asks fintech companies that want to 
access banks' data to comply with the same Gramm-Leach-
Bliley financial data protection requirements the bank must 
comply with, but there is no specific enforcement mechanism for 
this rule.
    The rule also did not ban screen scraping, a practice by 
which third-party stores your user, your password, then logs 
into your bank account and collects, maybe sells your financial 
data.
    Mr. Morris, what amendments or guidance, like perhaps 
banning screen scraping, and having the CFPB regulate fintech 
companies that store financial data, what should we consider to 
the personal financial data rights rule to ensure that we are 
safeguarding this data for consumers?
    Mr. Morris. Thank you for the question. I think with 
respect to ways to better protect data and address the concerns 
that you mentioned, in the context of 1033, it would be prudent 
for the CFPB to consider a way of allocating liability in the 
event that data is mishandled by downstream third-party 
entities, using that information, collecting it from data 
provider credit unions. The absence of that means that credit 
unions and other data provider financial institutions and their 
members only have a course in the courts. So, addressing that 
in the regulation could be a helpful way to meet the rule.
    Mr. Sherman. Now, under the CFPB Rule 1031, financial 
institutions currently cannot charge a fee for third-party 
fintech companies to access the bank's data through their API 
(application programming interface) developer portals.
    Mr. Morris, is it costly to develop and maintain these API 
portals and should we consider at least allowing the smaller 
institutions to charge a fee to fintech companies to access the 
data through these relatively expensive portals?
    Mr. Morris. Thank you for the question. I believe that it 
is absolutely correct that it is costly to develop and maintain 
APIs. One of our concerns, again, with the CFPB's rule 
implementing 1033 was the significant cost that is shouldered 
primarily by data providers to essentially subsidize API access 
and development. So, we would like the CFPB to reconsider that 
aspect of the rule to better balance the cost to our credit 
unions.
    Mr. Sherman. I am going to try to squeeze in one more 
question. Mr. Morris, what protections, like perhaps, banning 
screen scraping across the board should we consider adding so 
that small institutions are protected? Even if they are exempt 
from the rule, what effect on small credit unions and the small 
banks could there be if there is a massive financial data 
breach of a third party potentially exposing financial 
institutions to liability and drying up all its members 
depository accounts?
    Mr. Morris. We are certainly supportive of moving away from 
screen scraping, which is a less secure way of sharing 
information. As far as tightening up rules that are designed to 
prevent data breaches and minimizing their consequences, I 
think one area in 1033 the CFPB explored, which is sharing 
information necessary to initiate a payment, that is very 
sensitive information, which if it is shared with a third party 
it could lead to fraud.
    Chairman Barr. All right. The gentleman's time has expired 
and the gentleman from Georgia, Mr. Loudermilk, is now 
recognized.
    Mr. Loudermilk. Thank you, Mr. Chairman. Thank you all for 
being here. Very important subject. I have 30 years in public 
and private sectors with dealing with intelligence, data 
security, and protecting information. Eight years Active-Duty 
military in the intelligence community, protecting our Nation's 
secrets, 2 years with a Defense contractor, and 20 years with 
my own business.
    Privacy and security are very important to me and the 
number one key to protecting data was a rule that we lived by 
in those 30 years is, you only have to protect what you have. 
Meaning, if you do not absolutely need something, do not keep 
it.
    While the GLBA focused on the private sector, the elephant 
in the room is not Elon Musk. It is the massive amount of data 
the government has that he had access to. No one on the other 
side of the aisle wants to address that this entity, this 800-
pound gorilla called the Federal Government, is the largest 
security risk of personal privacy information.
    Now, what we are discussing here is very important, but 
when we bring up legislation that actually would restrict the 
amount of data, like updating the Bank Secrecy Act and currency 
transaction reports to make them reflective of where they 
should be due to inflation, we do not hear anything from the 
other side, but they are always anxious to deal with the 
privacy data when it comes to the private sector. That is 
important. I am not demeaning it.
    We do have to understand that our Nation collects and 
forces the private sector to turn over massive amounts of 
personal privacy information and financial information to the 
government, which is the weakest link in our cybersecurity 
protection.
    With that, Mr. Talbott, dealing with GLBA, what rights do 
consumers currently have regarding their personal data under 
the Gramm-Leach-Bliley Act? Yes, Mr. Talbott. I am sorry.
    Mr. Talbott. Yes, no problem. I appreciate the question, 
Mr. Loudermilk, as well as your representation of the State of 
Georgia where 70 percent of all credit card and debit card 
transactions run through your State.
    The rights under GLBA for consumers that exist now is they 
have a right to correct and a right to talk about earlier 
somewhat access the information, like to delete the 
information. These are important rights for consumers. There 
are disclosure notices that are required depending on where you 
sit in the system and so, these are all important rights that 
they have. They have the ability to opt out of targeted 
marketing, and that is an important right as well.
    Mr. Loudermilk. That is one thing in this new era because 
we often fail to keep up with technology, which allows for some 
innovation, but also, is defining what is consumer data versus 
privacy data versus company data, that type of thing.
    In what ways do financial institutions share consumer data 
with affiliated and nonaffiliated third parties?
    Mr. Talbott. The first and foremost example is with any 
transaction. Let us say a credit card transaction, there are at 
least three, sometimes four parties involved. There is the 
issuing bank, the acquiring bank, processors, there are networks 
and that data under GLBA is allowed to be shared for purposes 
of processing that transaction. As you well know from the 
credit card space, that is necessary to allow that transaction 
to move in 1.2 seconds when you are standing in the checkout 
line.
    Mr. Loudermilk. How do fintech companies access consumer 
data to deliver financial products and services and what role 
does consumer consent play in the process?
    Mr. Talbott. Sure. Right now the concept of open banking or 
consumer-directed banking is happening in the marketplace and 
fintechs will enter into bespoke contracts with banks to allow 
their shared customers to share the data between the two. That 
is governed by a private contract at this point, pending the 
1033 rules that may come up at some point.
    Mr. Loudermilk. Okay. Thank you. Mr. Morris, what are three 
key features that credit unions believe should be included in 
any new data security regime?
    Mr. Morris. Thank you. I think the first and most important 
is an entity-level exemption that recognizes existing 
compliance with the Gramm-Leach-Bliley Act as well as other 
laws like Fair Credit Reporting Act, the Right to Financial 
Privacy Act, and others. The other thing we would like to see 
is preservation of the opt-out framework and a limitation on 
private rights of action which could hinder innovation and 
create enormous litigation risks for small credit unions and 
other institutions.
    Mr. Loudermilk. Okay. Thank you. Mr. Chairman, I will yield 
back my time.
    Chairman Barr. The gentleman yields back. The gentleman 
from California, Mr. Vargas, is recognized.
    Mr. Vargas. Thank you very much, Mr. Chair. First of all, I 
want to thank you and the Ranking Member for convening this 
hearing, and of course I want to thank the witnesses for being 
here.
    I do want to point out that I was abandoned by Mrs. Beatty 
who normally sits here next to me. Today, she decided not to, 
and I think that should be pointed out. I feel hurt.
    Secondly, I do want to say this, that I actually agreed 
with half of what my good friend from Georgia said. I actually 
do think the government has way too much information. It 
absolutely does, and it does not protect it as well. In fact, I 
am a little worried today when you go through the airport now, 
they get all sorts of biometric information about you. I do not 
know how they use that either. I think we should be concerned 
about that, and I do not think that the government does protect 
the wealth.
    I do not agree with Elon Musk. I do think that, in fact, it 
was very dangerous to have him running around with these young 
kids doing things that we do not even know what the hell they 
were doing. I am not sure that they knew either.
    All that being said, the CFPB has a job of making sure 
consumers are getting straight deals and making one of the ways 
it is done--and one of the ways it is done is by making sure 
consumers are getting a fair deal when it comes to control of 
their own data. When consumers are not in control of their own 
data, financial institutions have to compete on their merits 
for the people's business and more competition is better, I 
think, for everyone.
    That is what Dodd-Frank Section 1033 is all about. While 
Section 1033 goes back to the Dodd-Frank Act, the CFPB's 
finalized rule ensured consumers could be in control of their 
personal financial data and could be more easily transferred to 
another provider.
    From the Gramm-Leach-Bliley Act dealing with financial 
information to the Fair Credit Reporting Act dealing with 
credit information, Congress has continued to adapt privacy 
protection laws to an evolving economy. We also have to make 
sure that we continue to adapt those protections, security of 
data as a top of mind, especially in the financial sector, and 
especially in the era as I said earlier of DOGE being given 
access to sensitive data information.
    I was proud to join a letter this week led by the ranking 
member as he stated urging the CFPB not to vacate and throw out 
the years of progress we have made on finalizing Section 1033 
rule.
    Ms. Strickland, when CFPB finalized the Section 1033 rule 
in October 2014, former Chairman McHenry stated that the CFPB's 
final rule 1033 is a promising step forward to protect 
Americans' financial data privacy. Consumers should know where 
their data is going, how it is used, and be able to terminate--
and to terminate collection of their data by certain firms.
    Director Chopra also listened to some of our concerns 
regarding unreasonable restrictions on secondary use of data. 
Why do you believe there was bipartisan support for this rule 
at that time?
    Ms. Strickland. I am sorry, the question is there were?
    Mr. Vargas. Why do you think we did come together and there 
was bipartisan support?
    Ms. Strickland. I think there was. You saw that from the 
comment letters as well. It ranged across all the industry 
sectors as well as the consumer groups. Again, delving very 
deeply into every aspect of the rule.
    I do think a contributing factor was with all the great 
work that was done to get to the proposed rule--and there was 
enormous amount of work done, including the small business 
review panels--and again, digging deeply into how do the 
parties work together, what are the right obligations? What are 
the right privacy practices? Right security practices--what 
products are we covering? How do we think about small entities? 
A lot of work went into all those aspects.
    I do think in the final rule, there were a few items that 
were not addressed ideally and that creates----
    Mr. Vargas. For example.
    Ms. Strickland. So--and, again, in the written testimony, I 
go through several of them. In my view, the main ones were--and 
you mentioned them? One is the secondary uses of information. 
They did not allow those--even consumers to agree to them and 
that is what open banking is all about. It made for a very 
awkward sort of consumer experience.
    It also did not really allow the use of de-identified 
data, which is a common practice, not only in the financial 
sector, but in every sector. It is a great privacy and security 
practice, too, because you made it nonidentifiable and 
controlled for re-identification.
    It did not thoroughly look at the questions raised about 
increased fraud or liability. There was some information given 
about what that could look like. Could there be better 
monitoring done? Some shifts looked at in terms of liability.
    Mr. Vargas. Okay. I do want to stop you there because, 
again, I think that there are some things that we could do a 
better job at. I have to say this: It is interesting because 
this issue came up in California, many, many, years ago back in 
2001, when I was the Chairman of the Insurance Committee. At 
that time we would have had screaming matches here. We do not 
have that anymore, because I think we have come a long way, and 
I do want to praise everyone that has worked on this issue. 
Thank you. Thank you, Mr. Chair.
    Chairman Barr. The gentleman yields back. The gentleman 
from Tennessee, Mr. Rose, is recognized.
    Mr. Rose. Thank you, Chairman Barr, and also thank you, 
Ranking Member Foster, for holding this important hearing. 
Thank you to our witnesses for your time today and being part 
of this hearing.
    Mr. Talbott, in your testimony, you highlight that two 
dozen States have enacted different data privacy laws. Can you 
discuss the challenges that members of the Electronic 
Transactions Association face when it comes to navigating such 
a large number of potentially inconsistent State laws?
    Mr. Talbott. Sure. Thank you for the question. The biggest 
one is what data is covered. Many States either provide 
an entity-level exemption, meaning that the bank or the credit 
union is exempt from that State's privacy law because they are 
covered under the GLBA. Some States only have a data-level 
exemption, which means the entity is covered, but certain data, 
the GLBA data is not covered by that State's privacy law but 
the State's privacy law definition of what is covered is 
broader. At that point, and most particularly, California is 
the lead example. Oregon is similar as well. Business-to-
business (B2B) data is exempt under GLBA but is not exempt 
under California law.
    So, any entity that may be GLBA compliant still has to map 
out all of its data and all of the uses for the business side 
to ensure that it is in compliance with the California State 
law--the California State privacy laws.
    There is a perfect example of how different States with 
different definitions can create issues. That creates a lot of 
problems and challenges.
    Mr. Rose. Sure. Can you--and it may be beyond what you just 
gave as an example, are there examples where--that you can 
provide where State data privacy laws are in conflict at such a 
level that it is impossible to comply with those 
inconsistencies?
    Mr. Talbott. I do not know if I would say impossible 
necessarily, but it definitely creates some conflicts. I have a 
list in my written testimony, and the biggest example is with 
California. Where I just talked about where B2B is covered 
under the California privacy law, but it is not covered at the 
Federal law. That is the biggest challenge. Others relate to 
timing, the nature of the disclosures, what data can be 
excluded or not, what opt-out rights the consumer has. Maryland 
has a very stringent opt-out on what can and cannot be covered 
or cannot be shared. Those are just some examples where the 
challenges----
    Mr. Rose. So not really--I do not think I am hearing of 
examples where you--what you do in one State would actually be 
a violation if you did it in another State. Is that fair to 
say?
    Mr. Talbott. That is correct. It is fair, yes, sir. It is 
on the implementation side.
    Mr. Rose. I guess that is good news. Obviously, we need to 
avoid that.
    Mr. Morris, in your testimony, you touch on the fact that 
the credit unions, like many financial institutions, have long 
prioritized investments in data security to ensure that their 
members or customers' privacy is protected. I think it would be 
helpful if you could expand on just how much credit unions have 
already invested in data security.
    Mr. Morris. Thank you for the question. I am happy to share 
more statistical information perhaps after, but I can say that 
we have run surveys in the past and consistently year after 
year after year reflecting enormous cost of data breaches and 
the risk of fraud. Credit unions are prioritizing investments 
in cybersecurity and data security. Those things are part of 
the Gramm-Leach-Bliley Act, which mandates that the National 
Credit Union Administration, other financial regulators, and 
other regulators of financial institutions implement technical 
safeguards to ensure that those institutions are adopting 
appropriate data security practices. That drives a lot of cost, 
but it is important for keeping trust.
    Mr. Rose. Very good. Mr. Talbott, back to you. Would you 
like to discuss the significant investments that the Electronic 
Transactions Association members have already made in data 
security?
    Mr. Talbott. I think the number would be in the billions. 
We spend equal amounts on developing and deploying new products 
and services to make payments easier, faster, more secure. We 
also spend similar amounts to fight and protect fraud to 
protect both consumers, merchants, as well as the economy. The 
number is easily in the billions of dollars.
    Mr. Rose. In light of some of the discussion we have had 
about the role of employees of institutions in safeguarding 
data--and I might open this up, but I will start with you, Mr. 
Talbott, any--and we do not have much time--but any criteria in 
any of the law as to the credentialing or qualifications of 
employees of organizations that are charged with protecting 
consumer data that you would like to speak to or take note of?
    Mr. Talbott. Yes, sir. I appreciate the question. The 
Federal Trade Commission (FTC) safeguard rules as well as good 
business practice require companies to develop a robust system 
internally for security purposes, and that includes addressing 
which of their employees have access to it, how to cut off that 
access, passwords, et cetera. I mean, all the usual security 
protocols that you would think would go into protecting data as 
well as payments.
    Mr. Rose. Thank you. My time has expired. I yield back. I 
would appreciate insight from the rest of the panel about that 
question of credentialing of employees that deal with consumer 
information. Thank you. I yield back, Mr. Chairman.
    Chairman Barr. The gentleman yields. The gentleman from 
Illinois, Mr. Casten, is recognized.
    Mr. Casten. Thank you, Mr. Chair. Last year the CFPB 
finalized their open banking rule that would have given 
consumers greater access and control over their financial data, 
including making it easier for consumers to move their 
financial data from institutions.
    Ms. Strickland, can you just talk about how that rule would 
increase competition and make our markets more efficient?
    Ms. Strickland. Yes, so on that actually--and thank you for 
the question--has been a key driver of open banking initiatives 
in the United States as well as in other jurisdictions which is 
how do you make all the players compete for the consumer's 
business, both in terms of good price, but also in terms of 
product offerings? Really encouraging new technology and new 
business models to say, Hey, I have a brand-new idea. How do I 
do this but recognizing they are not always regulated in the 
same way as banks are, which is deep and thorough.
    So, open banking really does enable these different 
companies to work together and to put both a framework around 
how the data exchanges occur, but also, as I mentioned, put 
some rules on the data recipient who are not regulated in the 
same way. The open banking rule created to the prior question 
on this rule around what you collect, what you can use it for, 
how long you can retain it, which are really important 
safeguards.
    Mr. Casten. To that point, we had, a couple years ago on 
this committee, we had a discussion with former Director Chopra 
about how Facebook had no obligation to ensure that in 
hoovering up your data, they were not essentially violating the 
Fair Lending Act by only promoting certain credit card products 
to one individual or another.
    Would the open banking rule have fixed some of those gaps 
so that third parties like Facebook are not using your data to 
target you in ways that may be, if not illegal, certainly 
unethical?
    Ms. Strickland. Yes, I think that is right. I mean, 
presently for large companies, if they are not regulated by 
sectoral law, they are under general FTC jurisdiction, which is 
unfair and deceptive; so, their privacy policy is accurate. 
They can proceed as well as the State laws that exist.
    I do think an open banking benefit was to create modern 
privacy rules for the recipients of this data which are very 
important because they are getting sensitive financial 
information and sometimes the ability to move money. So, having 
that bar and those requirements on data recipients was a real 
value to the rule.
    Mr. Casten. Just as an aside, I consistently struggle with 
the fact that my extreme libertarian colleagues are petrified 
of the government getting your data but seem to have no problem 
if a private company gets your data and monetizes it and 
refuses to let you see what they have. Rand is pissed is all I 
have to say about that.
    You mentioned the FTC. This matters, of course, because 
last week the Trump Administration's CFPB filed a motion to 
vacate that rulemaking, which is going to open up this gap. A 
lot of these data privacy rules, as you mentioned under Gramm-
Leach-Bliley, CFPB has some jurisdiction, the FTC has 
jurisdiction, our balancing regulators have jurisdiction.
    I guess I will turn to you, Ms. Kuehn. Given your past role 
at the FTC, if the CFPB cannot fulfill their roles to protect 
data privacy and we are left with whoever remains standing, what 
are the gaps that emerge in our ability under current law to 
protect the people we represent and their data privacy?
    Ms. Kuehn. One of the benefits that the Federal Trade 
Commission has is a broad rule related to unfair or deceptive 
acts or practices. There was some discussion about retailers 
getting data and what happens if there is a breach at a 
retailer. The FTC has brought a number of cases involving data 
security, many, many years ago, just under its general Section 
5 authority where it has found a gap.
    So, one of the benefits of the Federal Trade Commission's 
jurisdiction is that it does have this sort of flexible 
oversight and ability to bring cases where it sees developing 
threats emerging.
    Mr. Casten. So, I guess the concern--maybe I will turn back 
to you, Ms. Strickland--in theory, I agree with you. In 
practice, we have an entire industry saying I want complete 
absolution of any liability from any of my AI models. In fact, 
all of our Republican colleagues just voted last week to pass a 
piece of legislation that says, there shall be no liability for 
anybody using the AI model.
    So I steal your data, I put it into the system, I violate 
the deceptive practices, but you are totally absolved because I 
did not do it. The AI optimized an algorithm to solve this, and 
how was I to know? All I did was just not comply--did not say 
that AI would comply.
    So I guess, Ms. Strickland--there may not be enough time--
but I would welcome your thoughts on how we might regulate AI. 
In this world, where the CFPB is broken, data privacy still 
matters, what should we be doing to close this barn door, 
especially in light of this big ugly bill that we passed out of 
the House last week if the Senate goes along with that?
    Chairman Barr. The gentleman's time has expired. The 
witnesses can answer for the record. The gentleman from South 
Carolina, Mr. Timmons, is now recognized.
    Mr. Timmons. Thank you, Mr. Chairman, and thank you to the 
witnesses for joining us this morning. I often hear from 
constituent companies about the challenges posed by the complex 
State-by-State patchwork of data privacy laws, which makes 
compliance across jurisdictions burdensome and undermines 
consistent consumer protection. Many States vary restrictions 
and laws based on the size of the company. This is 
understandable until you realize that many States have vastly 
different thresholds based on the institutions in common 
handling of consumer data.
    This issue is compounded by the fact that the Gramm-Leach-
Bliley Act serves only as a Federal floor for consumer 
financial data privacy, allowing States to impose more or less 
stringent requirements.
    For instance, California mandates opt-in consent for 
sharing consumer data with nonaffiliate third parties, going 
beyond the GLBA's opt-out standard. While other States, such as 
Alabama, align more closely with the Federal baseline and 
impose fewer additional obligations.
    This uneven regulatory landscape complicates compliance 
efforts and creates uncertainty for institutions operating 
nationwide.
    Ms. Kuehn, what challenges do California's law and similar 
State regulations create for consumer access to financial 
services within those States and how do they affect financial 
institutions seeking to enter or operate in those markets?
    Ms. Kuehn. The form of preemption that GLBA has, which 
basically keeps States from going below the standards, does 
allow States to set different standards above that. To date, 
until these more recent privacy laws, States have not really 
ventured into that very far. The problem is that as the States 
are looking at these privacy issues, and they want to set 
different or varying standards, that is going to make 
compliance very difficult, particularly for financial 
institutions who operate throughout the United States.
    So, I am going to have to have an investment in State-by-
State rules and compliance and controls that is going to take 
away from my ability to provide other products and services to 
consumers. The patchwork is of great concern. If this committee 
were to relook at GLBA, I think revisiting the form of 
preemption that exists in law will be very important in order 
to preserve this sort of uniform approach that financial 
institutions take across the country.
    Mr. Timmons. Is it fair to say that larger financial 
institutions comply with the patchwork framework more easily 
than smaller?
    Ms. Kuehn. They have more money to invest in compliance. I 
mean, let us face it, the smaller guys, particularly in a 
competition area, have a tougher time because they have to 
build the kind of processes and services and have the personnel 
to deal with consumer inquiries, for example, you name it. It 
is the big investment for the clients that I work on. It is 
often a hardship.
    Mr. Timmons. It really stifles entrepreneurship because 
startups are unable to comply, and it really creates a major, 
and we need to address it.
    Mr. Talbott, what problems do these regulations create for 
innovative institutions trying to deliver a seamless experience 
for consumers, especially when offering products and services 
that those consumers have actively requested?
    Mr. Talbott. Thank you for the question. We will deliver 
the products and services as the market demands, but the 
challenge will be in compliance with the various State laws. 
You have disclosures, you have opt-ins, you have opt-outs. All 
of those will slow down the process of getting customers on-
boarded in the first instance.
    Once they are on-boarded, once that has been addressed, 
then the products will be delivered quickly, accurately, 
seamlessly. The challenge would be in the compliance side we 
are doing.
    Mr. Timmons. Thank you for that. How do these frictions 
hinder new market participants, such as fintechs, to compete 
with larger more established institutions?
    Mr. Talbott. They too must comply with the privacy and data 
security rules. There are costs, time, and expense associated 
with compliance. In addition, they have to navigate all the 
different States, depending on which States they operate in, as 
well as GLBA, depending on where the State exemption is. That 
creates enormous amounts of complexity, challenge, compliance 
costs.
    Mr. Timmons. As we consider how to address this problem, I 
think the general perspective is that Europe has gone too far, 
and they have really restricted competitiveness. What would 
your recommendation be--obviously, California has a standard, 
and the European standard is the most developed--how do we 
thread this needle to accomplish the objective without being 
overly burdensome?
    Mr. Talbott. Two points: GDPR is the European version. They 
actually have a good definition that many States borrow from. 
That is positive. They also allow for a private right of action 
which creates off the back end the number of legal issues and 
challenges and complexities.
    Initially, the number of these private rights of action can 
distort or change or slowly case by case modify the law which 
creates more challenges in terms of compliance versus having 
enforcement at the Federal regulatory system.
    Mr. Timmons. Thank you for that. It is past time for 
Congress to act, and we need to preempt State law and create 
one standard so we can compete in the global economy. With 
that, I yield back. Thank you.
    Chairman Barr. The gentleman yields. The gentlewoman from 
Ohio, Mrs. Beatty, is recognized.
    Mrs. Beatty. Thank you, Mr. Chairman, and Ranking Member.
    Ms. Strickland, I will start with you where Ranking Member 
Foster ran out of time, and so, I will pick it up there. He was 
making the point that one of the points outlined by the Bureau 
is that Section 1033 only allows the CFPB to write rules granting 
consumers access to their financial data, and it does not allow 
for sharing that data with third parties.
    Would consumers not be harmed most if they do not have the 
ability to share their financial information with third party 
tools and products to help them manage their financial well-
being? Could you elaborate on that?
    Ms. Strickland. Yes, I will be happy to. Yes, I do think if 
consumers get access to their own information in a machine-
readable format, that is great. That is progress but the real 
benefit of open banking is their ability to direct the sharing 
and transporting of that data from a data provider to authorized 
third parties who have been adequately vetted to make sure they 
have the right privacy and security practices. If you do not 
enable that, I think it will frustrate consumers because they 
are going to keep it on their computer, and then they are 
going to send it to data recipients, and they are going to update it. It 
seems unworkable.
    I also think of a downside to that which might be an 
unintended consequence, which I have touched on is that then 
the third parties are no longer under an umbrella that requires 
them to have rules about what they can and cannot do with that 
data once they receive it. They are not vendors of the data 
provider. What is it that they can and cannot do with that 
data? The 1033 rule did put restrictions on what they can use 
it for, which is the purpose of the transaction, right?
    So, it did put some rules around, A, them being vetted and, 
B, that they actually had some requirements of their own when 
they received this data. Both of those aspects of the 
portability piece of this were very important.
    Mrs. Beatty. Okay. Thank you so much for that. Mr. Morris, 
let me go to you. First, let me thank you for your work with 
America's Credit Unions. As you may be aware, I have a bill, the 
Advancing the Mentor Protege Program for Small Financial 
Institutions Act, which is actually noticed in today's hearing. 
It would codify the Treasury Department's financial agent 
Mentor-Protege Program to encourage partnerships between large 
and small financial institutions, including credit unions. 
Codifying this program would help small and community financial 
institutions across the country increase their capacity, 
improve their relationship, lending business modeling, and even 
become a financial agent to Treasury.
    Can you briefly discuss how this bill will help credit 
unions better serve their communities because I also look at it 
when we talk about open banking and technology? It is supposed 
to be new ways also to bring institutions together. I would 
like to hear your comments on that.
    Mr. Morris. Thank you for the question. I think the Mentor 
Protege bill is one that aligns well with the cooperative 
nature of the credit union industry, and we are certainly 
supportive of it and ways to enable Minority Depository 
Institutions (MDIs), small institutions to partner with their 
larger peers to learn best practices, learn how to comply with 
complex rules and regulations. Today, we have spoken about the 
costs of complying with a rigorous data privacy regime. It is 
certainly a mentor protege arrangement that can help facilitate 
learning among smaller institutions.
    Mrs. Beatty. Thank you for that. I think I have time for 
one more question since I am down here on this row by myself, 
and my colleague took great pleasure, Mr. Chair, the Ranking 
Member took great pleasure in telling me that he was going to 
pull rank on me, and now I see why.
    Let me address it also to Mr. Fields, our Ranking Member, 
thank you for letting me ask this last question. I will come 
back to you, Ms. Strickland.
    Tell me your comments or thoughts, in the time I have 
left, on what would happen if we abandoned Section 1033, which 
means that all of the consumer protections imposed on those 
third parties would also be rescinded?
    Ms. Strickland. Thank you for your question. As other 
witnesses have mentioned, open banking does exist today and has 
been a developing practice in the United States for a few 
years. It would still continue, it just would not have the same 
framework around it, around, how does that data sharing work? 
What are the rules in terms of vetting these third parties? 
What are the obligations on the third parties?
    It does phase out screen scraping. Yes, perhaps, it could 
have done it more directly, but it did phase it out and say 
once compliant data sharing APIs are employed, you cannot--
screen scraping can be prohibited, which is, I think, very 
important for both the consumers' benefit as well as website 
security.
    Chairman Barr. The time has expired.
    Mrs. Beatty. My time is up.
    Chairman Barr. The gentlewoman from California, Mrs. Kim, 
is now recognized.
    Mrs. Kim. Thank you, Chairman Barr, Ranking Member, thank 
you for hosting this hearing. I want to thank all our witnesses 
for joining us today too. As you know, for too long, our 
Federal laws have not evolved to keep up with the issue of data 
privacy. As a result, we have seen States take action because 
we have failed to lead at the Federal level.
    In California, we have implemented legislation such as the 
California Financial Information Privacy Act and the California 
Consumer Privacy Act. While the intent of these bills has been 
good, the unfortunate result is that the financial institutions 
have dual compliance obligations at the State and Federal 
levels. That, coupled with patchwork State laws, has made it 
both costly and very confusing for institutions as they have to 
comply with the jurisdictions in which they operate.
    I want to ask my first question to you, Mr. Talbott. Can 
you explain how, in States like California, which I am sure you 
are very familiar with, the conflicting State privacy laws have 
created damaging dual compliance?
    Mr. Talbott. I am sorry, I missed your last part.
    Mrs. Kim. Yes, the damaging--how have these conflicting 
privacy laws created damaging dual compliance?
    Mr. Talbott. Sure. Thank you for the question. Thank you 
for your leadership with the financial literacy and wealth 
creation caucus as well as you and Mrs. Beatty. The challenge 
is in terms of the costs of compliance, the complexity, because 
financial services institutions are not exempt in California at 
the entity level, only at the data level. Any data that they 
use that is not GLBA-compliant has to be mapped out and evaluated in 
terms of making sure they are compliant with the California 
laws that you mentioned. That is costly. That is time-
consuming. Additionally, there are----
    Mrs. Kim. Yes, can you talk about, like, the regulatory 
cost? What are the companies looking at when they have to 
develop these processes to meet those divergent State privacy 
laws?
    Mr. Talbott. Sure, they have to assign personnel. They have 
to assign lawyers. They have to hire regulatory counsel. 
Outside counsel is usually hired. There are compliance experts 
that are brought in. The whole team that has been developing 
systems for the financial institutions at the Federal level also 
has to spend time, if not create a separate team focused on 
California.
    In addition, California changes their law frequently, and 
there is currently a proposal to amend it. Now all of 
those changes have to be discussed and analyzed and executed, 
and that takes time and resources.
    Mrs. Kim. Sure. Another issue I hear a lot about is the 
question of opt-out versus opt-in as it relates to data 
privacy. Ms. Kuehn, I want to ask you in the Gramm-Leach-Bliley 
Act can you explain to us why there was an intentional decision 
to offer consumers the ability to opt out rather than opt in?
    Ms. Kuehn. Yes, so GLBA provides a requirement that 
financial institutions have to clearly disclose to consumers 
exactly what happens with their data and where they have 
choices about that data. They do that at the start of the 
relationship. If you are going to share data that is subject to 
an opt-out, you have to tell the consumer every year, hey, I am 
sharing your data, you can change your mind about it. The 
reason it did that was because there are a number of things 
companies do to share data that consumers sort of expect. I 
might not want to opt out of my bank sharing my data for 
certain purposes, but I might want to opt out, say, for a car 
dealer using it. You have those choices on an entity-by-entity 
level to do that.
    Also, the privacy notices, I know people pick on them, but 
they are the subject of a lot of research and development to 
make sure that consumers can clearly understand in plain 
language exactly what is happening with their data and what 
choices they have.
    Mrs. Kim. I think consumers are rightfully concerned that 
they have limited understanding about how their financial data 
is being utilized. That is why I think it is important that we 
also address the annual privacy notice that consumers receive.
    Ms. Kuehn, can you talk about the annual privacy notice 
that a consumer receives, and what kind of research does the 
agency or agencies conduct to make notices more consumer-
friendly?
    Ms. Kuehn. Yes, the FTC and the bank regulators worked on 
the current form of the privacy notice. I think one of the most 
recent innovations is the understanding that the consumers do 
not necessarily need to get a repeat annual notice if, number 
one, their financial institution is not sharing it subject to 
an exception, meaning that the purpose their financial 
institution is sharing data for things like fraud prevention 
and to process their transactions.
    Mrs. Kim. Can you quickly talk about when the last time the 
annual privacy model form that the FTC posted was revisited or 
reformed?
    Ms. Kuehn. That was back when I was at the Federal Trade 
Commission, which was about 15 years ago.
    Mrs. Kim. Completely outdated. I think that explains the 
reason why----
    Mr. Moore [presiding]. Representative, the lady's time has 
expired.
    Mrs. Kim [continuing]. Okay. Thank you. Thanks for 
answering that question.
    Mr. Moore. The gentleman from the great State of Louisiana, 
Representative Fields is recognized.
    Mr. Fields. Thank you, Mr. Chairman. Let me thank all the 
witnesses for being here, and I thank you for this hearing. I 
just have two very simple questions. The first question I want 
to ask Ms. Strickland. Lower-income families often rely on free 
and low-cost, third-party financial tools to plan their 
financial futures. When big banks restrict these tools by 
blocking data portability, who gets hurt? How does Section 1033 
address this rule inequity?
    Ms. Strickland. Yes, thank you for your question. I do 
think both predating 1033 and then under the 1033 rule, the 
goal was to encourage consumer-permissioned data sharing and 
doing it in a responsible fashion so that data providers did 
not put up unnecessary hurdles to that data portability 
request. The third party had rules as well in terms of privacy 
and security obligations because they had that information and 
are not in the same regulated field as the banks are. There 
were important steps made to think through those issues to make 
sure responsible data transfers and data portability occurred 
at the consumer's direction.
    As I mentioned, one of the things that many commenters 
remarked upon and is still unfinished business in the 1033 rule 
is how are you making sure that other parts of people's 
financial health are also included so that they can have that 
full picture of their financial wherewithal. One of the 
comments dealt with things like if you would have government 
benefits, like EBT. There were a lot of comments there about 
how is that community also able to aggregate the information 
about themselves? These were items that were considered to be 
like future rulemakings. I think they are really important so 
that there really is that complete picture that people can have 
a full understanding of their financial situation, are able to 
direct the use of products and services that benefit them, and 
that it is done in a way that treats the data providers, data 
recipients fairly and ethically so that the data transfers are 
well-managed. I do think it is an important step in terms of 
that ecosystem as well as future products that should be 
addressed.
    Mr. Fields. Thank you. My next question is for Mr. Morris. 
Section 1033 rule had broad support precisely because it 
promotes competition and empowers consumers. Credit unions 
compete on service, not market power. How does maintaining the 
current system where big banks can block data access harm 
credit unions' competitive position in serving working 
families?
    Mr. Morris. Thank you for the question. I think in terms of 
competition, 1033 can offer benefits to credit unions in a 
general sense that data portability is helpful for consumers to 
switch financial institutions. However, we do have concerns 
around the CFPB's specific implementation of Section 1033, the 
cost of API development, the lack of a framework for allocating 
liability of a third party's mishandled data, as well as 
concerns around the type of nonstatutorily enumerated data 
elements that the CFPB will want to see shared, like sensitive 
payment information.
    So, while we think that the statute is good in the sense 
that it provides a core principle of data portability, there is 
work to be done, in our view, on refining the final rule.
    Mr. Fields. I want to thank you, Mr. Chairman. I yield 
back.
    Mr. Moore. The gentleman yields back. The gentleman from 
Wisconsin, Representative Fitzgerald, is recognized.
    Mr. Fitzgerald. Thank you, Chairman. Mr. Morris, from your 
perspective, how have overlapping or inconsistent enforcement 
approaches impacted your member credit unions' ability to 
innovate and serve their customers efficiently? What role 
should Congress play in ensuring Federal regulators do not 
stifle credit union-led innovation that is already subject to 
any different State-level scrutiny?
    Mr. Morris. Thank you for the question. I think there are 
areas of inconsistency in terms of the patchwork of State 
privacy laws just in terms of how different types of data are 
handled, whether you are opt in, whether you are opt out, 
whether there is specific regulation targeting a technology, 
like artificial intelligence. Certainly, those are areas where 
credit unions can leverage technology to innovate, provide 
better fraud detection and prevention, for example.
    On the Federal regulatory side, I think some of the 
inconsistency can arise simply due to the fact that these 
technologies are evolving at a very quick pace. It may be 
beneficial for there to be pilot programs or other ways to test 
innovative products without necessarily the fear of compliance 
driving those innovation decisions.
    Mr. Fitzgerald. As a former State Senator, a lot of the 
work we did at the State level, I now have a different 
perspective of. Financial institutions like credit unions are 
always subject to robust Federal privacy requirements, 
including the regular oversight and enforcement by the 
regulators. There is a growing concern adding a Federal private 
right of action would trigger a wave of abuse of class action 
lawsuits, right? We have seen this in Illinois. We saw it in 
California with California Consumer Privacy Act (CCPA).
    So these suits, obviously, often result in huge settlements 
with minimal benefit to consumers and kind of leave the small 
and mid-sized institutions exposed to sue or settle.
    How would introducing a Federal private right of 
action for data privacy violations affect credit unions' 
ability to just serve their members, I guess?
    Mr. Morris. Thank you. I think it would absolutely have a 
detrimental effect to include a private right of action in any 
comprehensive Federal privacy framework. Certainly, when you 
talk about the individual private right of action that might 
arise across however many States, that does have an impact 
across the board. It influences decisions, again, around 
innovation, but it can also just add to litigation costs and 
litigation risks. Those settlements can add up and detract from 
the core mission of credit unions, which is serving their 
communities with affordable products and services.
    So, to the extent that litigation drives compliance costs 
or litigation costs up, that is money that is coming out of the 
community.
    Mr. Fitzgerald. While State privacy laws wholly exempt 
banks and other institutions subject to the Federal Gramm-Leach-
Bliley Act, there are some others, such as the California 
Consumer Privacy Act, which I just mentioned, and a successor 
of the California Privacy Act. This obviously means that 
financial institutions will still implement programs to comply 
with the laws, even though it only applies to just a limited 
kind of subset, I guess you would say, of their data.
    Ms. Kuehn, what is a level of effort for these compliance 
products?
    Ms. Kuehn. I believe Mr. Talbott testified to this as well. 
You have to sort of map all of the data that you have. You have 
to have personnel involved with that. You often have to 
bring in third-party technology companies to help you assess 
and figure out which data is covered, which data is not. So, 
there is a compliance investment for financial companies that 
operate in California that may not exist elsewhere, where there 
is an entity-specific exemption, for example.
    Mr. Fitzgerald. Chairman, I will just say that it is these 
kinds of legal burdens that drive financial institutions, like 
the credit unions and the banks, to kind of pursue the mergers 
in order to better absorb the compliance costs. With that, I 
will yield back.
    Mr. Moore. The gentleman yields. The gentleman from Texas, 
Representative Green, is recognized.
    Mr. Green. Thank you, Mr. Chairman. I thank the Ranking 
Member and the witnesses for appearing today. Mr. Chairman, I 
would also like to thank the Chairman, Mr. Barr, for honoring 
his commitment to bring H.R. 3716, as it is today, to the 
attention of the Congress again. This was done at a previous 
hearing.
    Mr. Barr, if you are somewhere within the sound of my 
voice, or any place where you might find out, I am grateful. I 
am also grateful to the staff for helping us with this 
legislation. Many times when we say I, ``I'' is properly 
defined as ``we.'' The personal pronoun is rarely efficacious 
when it comes to passing legislation.
    This legislation, H.R. 3716, deals with something that I 
hold dear, and it is the belief that the public has a right to 
know what Congress needs to know. This legislation satiates 
both of these concerns. I introduced this legislation--
remember, ``I'' as ``we''--the Systemic Risk Authority 
Transparency Act on June 4, 2025. It was first introduced on 
June 14, 2023, in the 118th Congress. The legislation was 
developed following the failures of Silicon Valley Bank and 
Signature Bank in 2023 when the Federal Deposit Insurance 
Corporation (FDIC) invoked the systemic risk exception to 
guarantee uninsured deposits at those banks.
    The key provisions of this piece of legislation would 
include within 60 days of such an invocation of a systemic risk 
exception, the Government Accountability Office will be 
required to produce a preliminary post-failure report. Within 
90 days, the appropriate bank regulator, including the FDIC, 
the Office of the Comptroller of the Currency (OCC), and the 
Federal Reserve System (Fed)--or the Fed will be required to 
issue a preliminary post-failure report. Then, within 180 days, 
the Government Accountability Office (GAO) and the bank 
regulators will be required to issue a comprehensive post-
failure report.
    This timeline provides an opportunity for us to get some 
initial evidence of what happened, to get a better 
understanding, and then get a comprehensive report. More 
appropriately said, these reports will provide Congress and the 
public with an analysis to identify the causes of the bank 
failures, including any management, supervisory, or regulatory 
shortcomings. The committee passed similar legislation by a 50-
to-zero vote last year.
    Again, I see this as necessary legislation. Congress needs 
to know certain things, and these are the things that the 
public has a right to know. When banks fail, I think people 
need to know why and I think that they should know why without 
having to speculate.
    I have found in life that where you have few facts, you 
have much speculation. This will provide the facts so that we 
can avoid speculation.
    In closing, members of the panel today, this is a process 
that I used when I was a litigator. It is called voir dire, or 
voir dire depending on where you are from. We called it voir 
dire in Texas, and it requires you to tell the truth. It is the 
truth-telling portion of a trial.
    So, this is a simple question for you. Given what I have 
shared with you about this legislation, given what you know 
about banking failures, given what you know about the public 
right to know what Congress needs to know, do you think this 
legislation would be helpful? If you think so, kindly extend a 
hand into the air. Was that question too complicated for you? 
Do you think the legislation would be helpful?
    Mr. Talbott. I think we would have to take a closer look at 
it.
    Mr. Green. Okay.
    Mr. Talbott. I am happy to get back to you.
    Mr. Green. I will ask all of you to take a closer look and 
give me your opinions. Would you do this for me, please?
    Mr. Talbott. Yes.
    Mr. Green. Ms. Strickland?
    Ms. Strickland. Certainly.
    Mr. Green. Okay. Thank you. Thank you, Mr. Chairman, I 
thank all of you for your participation today. I know that this 
is without the lane that you normally negotiate and navigate 
and traverse, but I hope that you will give it some thought and 
give me an answer. Thank you so much. I yield back.
    Mr. Moore. The gentleman yields. The gentleman from Ohio, 
Representative Davidson, is recognized.
    Mr. Davidson. Thank you, Chairman. I am excited about this 
important hearing. Privacy is one of the most abused portions 
of the Bill of Rights. I mean, we have seen technology 
radically change what is possible since Gramm-Leach-Bliley 
became law. It is timely, relevant, probably a little past due 
that we update GLBA. Frankly, not long after GLBA laid a great 
foundation, the Patriot Act passed and massively expanded what 
the government was doing, and frankly, what the government was 
directing other people to do on its behalf.
    Technology has grown rapidly over these 25 years, but 
especially fast since the innovation of artificial 
intelligence. I hope that we can kind of get the horse before 
the cart and not the other way around.
    Privacy is really foundational. Before we can really get a 
correct framework for artificial intelligence, we really need 
to look at what is happening to the underlying data because if 
we have artificial intelligence laid out there, it only 
functions by having access to the data. If that data in the 
private hands is not cared for in the proper way, you are going 
to see it exponentially exploited by the technology that 
artificial intelligence is making possible.
    I hope we get this right in short order.
    Ms. Kuehn, your testimony highlights that GLBA's broad 
definitions of financial institutions in nonpublic personal 
information cover a wide range of entities and data.
    During the evolving financial landscape, including the rise 
of fintechs, data aggregators, and whatnot, how would you 
recommend updating GLBA's definitions?
    Ms. Kuehn. At this time, in my experience, it has pretty 
much covered anyone I have looked in the financial sphere. It 
is a large, flexible definition. It also covers not only the 
entities who are financial institutions themselves, but also 
entities that receive information under the Gramm-Leach-Bliley. 
There are restrictions on their ability to reuse or re-disclose 
the data they get.
    It was surprisingly forward-looking and thinking about all 
the ways in which financial institutions and the endless 
financial industry are intertwined. It covers a lot of those 
uses that exist already.
    Mr. Davidson. A lot of times we do regulation here in 
Congress is because we have committees of jurisdiction, so we 
do not really holistically solve problems. When you look at 
GLBA, it kind of says that we have one set of privacy laws for 
financial firms but then if you run a website or put automation 
into cars that really does quite a lot of surveillance in your 
automobile, it is governed by a whole different set of laws. 
Does it make more sense to have a comprehensive privacy law 
that recognizes that individuals have a property right in their 
data versus a sector-based approach? Does anyone have thoughts 
on that?
    Mr. Talbott. Happy to, real quickly. Yes. I appreciate 
the--I think given the unique nature of financial services and 
the fact that we have both your account numbers as well as your 
money and your information, that it is unique versus other 
industries, but I think the rest of the marketplace could 
benefit from a uniform national standard.
    Mr. Davidson. Thanks.
    Mr. Morris?
    Mr. Morris. I would agree that a sectorial approach is 
appropriate for the financial sector, just because we are 
already subject to so many laws and regulations. I think, to 
your point about other sectors maybe not having the same rules 
of the road. I think a comprehensive Federal privacy framework 
should address that.
    Mr. Davidson. Yes. Here is an example. Google paid a 
small--for the scale of the size of the entity--fine because 
they set up the Android operating system, and they said that 
you could select ``do not track,'' for your geolocation, in 
theory, would not be tracked. When they were caught tracking 
everyone's geolocation, they said, Oh, no. What we meant was 
you could select do not track. We, of course, are going to 
track you.
    That was pretty dishonest. I mean, that would not be just 
simple negligence, not really gross negligence. That was 
willful misconduct. They should have gotten in trouble for 
that.
    Right now, because the FTC or Federal Communications 
Commission (FCC) would regulate a product like that, they put 
terms and conditions down in the fine print, five-point fonts 
with pop-ups that hit you until you relentlessly click okay, 
fine. I just want to get on with what I am trying to do, and 
there is not really much accountability for it.
    Financial firms, I would love to say, are totally 
different, but Wells Fargo did not accidentally do what they 
did with consumer data and set up false accounts and 
everything. They paid over $4 billion in fines, but no one was 
prosecuted. In other sectors, when you abuse the access to data 
or you commit fraud, people go to jail. I think we ought to 
consider much stronger privacy protections, and I hope we do.
    I yield back.
    Mr. Moore. The gentleman yields.
    The gentleman from Nebraska, Representative Flood, is 
recognized.
    Mr. Flood. Thank you, Mr. Chairman.
    The topic of today's hearing is extremely important. Data-
sharing is at the center of financial interactions and 
transactions. In many cases, a consumer's data has to be shared 
between many parties in order to even fulfill a transaction. 
Let us use the example of a consumer applying for a mortgage to 
demonstrate the point.
    The consumer initially applies for their mortgage with 
their lender. They need to provide documentation verifying 
their income, their assets, their liabilities, their 
employment, among other things, in order for that application 
to be complete. At that point, the lender uses those pieces of 
information from the consumer's application to determine 
whether or not to approve the mortgage.
    They have to go to the credit bureaus to get the consumer's 
credit report. The consumer's credit score needs to be pulled, 
involving the credit scoring companies. They may go to another 
bank to verify information regarding the borrower's assets. 
They may go directly to the consumer's employer to verify their 
employment. Then an underwriting decision needs to be made. 
Sometimes the lender will work with an outside underwriter who 
would also need to access all of the same information that we 
discussed in order to even confirm their credit risk and 
compliance with local relevant loan programs.
    After all of those steps are complete, and many more I did 
not name for the sake of time, it is possible for the lender to 
make an informed decision on whether or not to approve the 
mortgage.
    Think about all the different third parties I just 
mentioned that were involved in completing just one act for the 
consumer, filing a mortgage application. We live in a world 
today that is far more complex than it was 10, 20, 30 years 
ago, and we have relationships between financial institutions 
and third parties today that did not exist when the Gramm-
Leach-Bliley was written. That, in a nutshell, is why we are 
having this conversation today. When you layer on the fact that 
some States are now moving in competing directions as it 
relates to rules around sharing and protecting your consumer 
financial data, you have even more complexity to the underlying 
problem.
    Mr. Talbott, in your testimony, you mentioned some examples 
of conflicting State privacy laws. Can you please describe an 
example of conflicting State law on data privacy that you feel 
really represents the broader problem that I just talked about?
    Mr. Talbott. Yes. I think that California, unfortunately 
again, is probably the lead example where it has both private 
right of action which do not exist in any other State, as well 
as it does not exempt GLB entities--does not exempt the--does 
not exempt the entity. It exempts the data. In California, for 
example, the B2B transactions are covered by that State's 
privacy law, whereas the rest of the country, it is not. That 
is a challenge right there.
    Mr. Flood. For those of us, Mr. Talbott, that are 
interested in open banking, how should we think about a Federal 
financial data privacy law and how that could ensure that the 
consumers' information is both protected while also leaving the 
door open for them to choose to use tools that are offered by 
third parties?
    Mr. Talbott. Yes. So, the entities engaged in open banking 
or consumer-directed banking are already covered by GLBA, so 
the privacy protections and the data security protections are 
there. To the extent that an entity, maybe a fourth party, is 
not, it should be, given the fact it will have data or access 
to the data. So, that is an important structure that is already 
in place.
    Mr. Flood. Ms. Huddleston, can you speak to some of the 
results of the private right of action connected to the 
Illinois Biometric Information Privacy Act?
    Ms. Huddleston. As mentioned in my written statement, we 
have seen significant litigation against a variety of entities. 
This includes small timekeeping entities; this includes large 
social media companies, like Meta. It also includes people 
that--or entities that one might not traditionally think of 
with data, like Six Flags Amusement Park. This litigation has 
not only been when actual harm occurs. It has also been over 
statutory issues, such as the exact method of the language of 
consent or things like that then become overly burdensome on 
launching new products.
    We have also seen products not being launched in Illinois 
because of a concern around compliance. This, of course, means 
that the residents of that State do not have the benefits of 
some of the better technologies that might improve security 
through the use of biometrics, as well as fun things like 
Google's Art Selfie match a few years ago.
    Mr. Flood. I am a strong believer in States' rights. I 
served in a legislature, like our Chairman here, both in the 
role of speaker. This is the one area that I do think we need a 
national standard. I truly believe that this only happens if 
Congress acts and we can let people do business. That is the 
reason I put that mortgage application example in there.
    I will go to bat for States' rights whenever I can. This is 
one of the few times that I think this is a very appropriate 
direction. I thank Chairman Barr for his leadership on this 
issue and would love to deal with this in the 119th Congress.
    Thank you, and I yield back.
    Mr. Moore. The gentleman yields.
    We would like to thank all of our witnesses today for 
taking the time to be here and for your testimony on behalf of 
all the committee members. We do appreciate that.
    Without objection, all members will have 5 legislative days 
to submit additional written questions for the witnesses to the 
chair. The questions will be forwarded to the witnesses for 
their response. Witnesses, if you receive those, we please ask 
that you respond no later than July 10th, 2025.

    [The information referred to can be found in the appendix.]

    There being no further business before the committee, the 
Chair declares the hearing adjourned.

    [Whereupon, at 12:16 p.m., the subcommittee was adjourned.]

                                APPENDIX

                              ----------                              


                   MATERIALS SUBMITTED FOR THE RECORD
                   