Framework for the Future: Reviewing Data Privacy in Today's Financial System

House Financial Services Subcommittee on Monetary Policy and Trade

2025-06-05


Source: Congress.gov

Summary

This hearing focused on reviewing data privacy in today's financial system and assessing how Congress can ensure consumer data protection while fostering innovation. Participants debated the effectiveness of existing legislation like the Gramm-Leach-Bliley Act (GLBA) in the digital age, the role of open banking, and the implications of a fragmented regulatory landscape across states.[ 00:18:47-00:19:26 ]

Themes

Modernizing Financial Data Privacy Laws and the Need for a National Standard

Many participants emphasized the need to modernize the Gramm-Leach-Bliley Act (GLBA) to address technological advancements that have revolutionized financial services over the past 25 years.[ 00:19:26 ] The current patchwork of state data privacy laws creates a complex, costly compliance landscape for financial institutions, potentially increasing costs and reducing access for consumers. There is a strong call for a uniform national data privacy standard that would offer clear, consistent, and preemptive rules for financial institutions while protecting consumers. Such a federal law should be technology-neutral and sector-neutral but could still allow the financial services industry to be governed by GLBA due to its unique needs and existing robust compliance programs. Updating GLBA could include clarifying definitions, ensuring consumers have rights such as disclosure, access, correction, deletion, and opting out of targeted marketing, and retaining permissible data use for fraud prevention.

Open Banking and the CFPB's Section 1033 Rule

Open banking, which allows consumers to securely share their financial data with third-party providers, is seen as a key driver of innovation and consumer empowerment but raises questions about privacy, liability, and GLBA's applicability.[ 00:20:14 ]

The CFPB's Personal Financial Data Rights Rule, implementing Section 1033 of Dodd-Frank, aims to give consumers greater rights, privacy, and security over their financial data, making it easier to switch providers and manage finances. The rule was developed through a lengthy bipartisan process spanning multiple administrations. However, concerns were raised about its implementation, including its failure to address liability for fraud or data breaches and its prohibition on financial institutions charging fees for API access, which disproportionately burdens data providers. Supporters of the rule argued that rescinding it entirely, as some have proposed, would cause unnecessary delays, could harm privacy, innovation, and competition, and could remove important safeguards for data recipients.

The Impact of Private Rights of Action (PRA)

A significant point of concern was the expansion of enforcement mechanisms through private rights of action (PRA), which allow individuals to sue firms directly for alleged violations. Opponents argued that PRAs lead to frivolous lawsuits, benefit large firms that can absorb litigation costs, discourage innovation, and can be business-crippling for smaller financial services providers even when those providers prevail. They also argued that there is little evidence that adding a PRA would meaningfully enhance consumer data protection in the financial sector, since existing regulatory agencies already have enforcement authority and there have been few privacy-related cases under GLBA. On this view, a federal privacy law should limit PRAs and assign enforcement to the appropriate federal regulators.

Protecting Small Financial Institutions and Fostering Innovation

Regulatory changes should maintain flexibility for smaller banks and credit unions, as mandates can divert resources from community lending to legal compliance.[ 01:11:17 ]

The patchwork of state laws disproportionately burdens smaller entities by requiring compliance with varying interpretations and definitions across multiple states, hindering market efficiency and the ability to offer innovative products.[ 00:54:35 ] Data-sharing arrangements between banks and FinTechs, often covered by GLBA and private contracts, improve competition and allow smaller institutions to offer cutting-edge digital tools.[ 01:12:57 ] Preserving an opt-out framework, as in GLBA, facilitates joint marketing and helps community financial institutions promote services in underserved areas, whereas a more onerous opt-in framework could limit access to services.

Tone of the Meeting

The tone of the meeting was largely serious and focused on complex policy issues, with witnesses providing expert insights and offering concrete suggestions for future legislation.[ 00:19:07 ] There was a strong bipartisan recognition of the need to update data privacy laws to match the digital economy. However, discussions also revealed clear partisan divisions, particularly regarding the role of the CFPB and the Trump administration's actions concerning the Section 1033 rule, leading to pointed exchanges and accusations of political motives. Despite these differences, there was a shared emphasis on balancing robust privacy protections with innovation, access, and reduced regulatory burden.[ 00:21:30 ]

Participants

Transcript

The Subcommittee on Financial Institutions will come to order. Without objection, the chair is authorized to declare a recess of the committee at any time. This hearing is titled Framework for the Future, Reviewing Data Privacy in Today's Financial System. Without objection, all members will have five legislative days within which to submit extraneous materials to the chair for inclusion in the record. I now recognize myself for four minutes for an opening statement.

Thank you to our witnesses for being here today and lending your expertise to this complex and critical conversation. Today's hearing focuses on financial data privacy, where we will assess how Congress can ensure consumers' data is used only as authorized while protecting the innovation that has transformed our financial system since the Gramm-Leach-Bliley Act, or GLBA, became law more than 25 years ago.

Since GLBA's passage, technological advances have revolutionized how Americans access financial services. We've seen the rise of mobile banking apps, peer-to-peer payment platforms, and a shift away from cash toward digital transactions. These innovations have expanded financial products and increased access for millions of Americans in rural communities and urban centers.

Alongside these developments, the volume and sensitivity of financial data have surged dramatically. Every transaction and interaction creates data points that financial institutions and FinTech firms analyze to improve services, assess risk, detect fraud, and tailor products.

While these capabilities bring benefits, they also raise serious privacy and security concerns. A key driver of innovation is open banking, allowing consumers to securely share their financial data with third-party providers through application programming interfaces, or APIs. Open banking can empower consumers with more control over their financial information, foster competition, and spur the development of new tools and services. But it also raises questions about data privacy, liability, standard setting, and GLBA's applicability. GLBA's broad framework has served us well, setting key protections for consumer data. But a quarter of a century is a long time in tech, so we must ask, is GLBA still fit for purpose in today's fast-paced, data-driven environment? Does it provide the clarity, flexibility, and protection needed in the digital age?

As we consider modernization, we must proceed cautiously. Changes that are too restrictive risk choking off access to financial options on which consumers rely. Conversely, overly lax rules could leave Americans vulnerable to misuse of their sensitive data. Striking the right balance is critical.

We also cannot examine GLBA in isolation. Data privacy laws have proliferated at the state level, with 20 states enacting comprehensive privacy laws. Some exempt financial institutions that comply with GLBA, while others layer on more stringent requirements. This patchwork creates a complex, costly compliance landscape, potentially increasing costs and reducing access.

This also risks some states setting de facto national standards, bypassing Congress and creating uncertainty for businesses and consumers alike. For these reasons, Congress should consider the benefits of a uniform national data privacy standard that offers clear, consistent, preemptive rules for financial institutions while protecting consumers.

As our colleagues on the Energy and Commerce Committee work on broader privacy legislation, we must also ask whether sector-specific laws like GLBA warrant carve-outs or tailored treatment. GLBA already imposes strong data protection requirements, and financial institutions have built compliance programs around these rules. Overlapping or conflicting standards would only add confusion and cost.

Finally, we must address calls to expand enforcement mechanisms by granting consumers private rights of action which allow individuals to sue firms directly for alleged violations.

Thank you, Chairman Beyer, and to our witnesses for their excellent written testimony. Today, we'll be discussing the framework for data privacy in today's financial system. At its core are the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, or FCRA, and Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. Minor changes have been made to this framework over the years. However, there are significant questions about how these laws are adapting to an increasingly digital economy, innovative financial products, cybersecurity risks, artificial intelligence, and the growing role of third-party firms in the financial sector.

I look forward to discussing many of these issues with our panel today. I was proud to have sat on this committee when we drafted the Dodd-Frank Act and was happy to see the most recent update to the financial privacy framework come out last October when, after years of bipartisan work under three different presidents, the CFPB finalized the Personal Financial Data Rights Rule to implement Section 1033 of the Act.

This rule is significant because it gives consumers greater rights, privacy, and security over their personal financial data. It makes it easier for consumers to switch between service providers to find better rates, to make secure payments, and to utilize innovative tools to manage their finances. This rule gives consumers the right to revoke access to their data whenever they choose and promotes the development of market-driven data standards. The rule was developed through a lengthy process spanning multiple presidential administrations, gathering public feedback at several points starting in 2016.
