Community banks bear a significant obligation to protect customer and bank information from unauthorized disclosure and use. That discipline spans physical security, cybersecurity, employee communications and various third-party activities. 

In 2022, the Consumer Financial Protection Bureau (CFPB) issued an advisory opinion to “protect privacy when companies compile personal data.” It makes clear that credit reporting companies and users of credit reports have specific obligations to protect the public’s data privacy, and it reminds covered entities of potential criminal liability for certain misconduct. 

The advisory opinion affirms that “permissible purposes” are required to use and share credit reports and background reports. It further guides users on permissible purposes and emphasizes that companies cannot check an individual’s personal information, including their credit history, without a bona fide reason. Some common permissible purposes include using consumer reports for credit, insurance, housing or employment decisions.

Community banks’ data protection responsibilities

As a practical business matter and one of good customer service, banks generally have a duty of care and confidentiality for a customer’s records and dealings with the bank. 

Certain regulations protect customers’ financial records from federal government scrutiny under specific circumstances and subject to a mandated process, including:

  • The Right to Financial Privacy Act (RFPA)

  • Gramm-Leach-Bliley Act (GLBA) or Financial Services Modernization Act of 1999

  • Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act)

These regulations and other legislation further specify restrictions on collecting, maintaining, using and sharing information.

The Privacy Act of 1974 ushered in more specific governance of how federal agencies can collect and use data about individuals in their systems of records. Then the GLBA required the federal banking agencies and other regulators to issue regulations ensuring that financial institutions protect the privacy of consumers’ personal financial information, and it required disclosure of privacy policies and opt-out provisions for certain types of information sharing. 

Comprehensive data privacy laws also remain a hot topic for state legislatures, with a number of states following California’s lead and passing their own version of the California Consumer Privacy Act. 

“ICBA is concerned about the potential for states to administer a patchwork of privacy provisions that restrict community banks’ ability to do business across state lines.”
— Steven Estep, ICBA

At the time of this writing, 12 states—California, Virginia, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, Texas, Delaware, Oregon and Montana—have comprehensive data privacy laws in place.

The future of data privacy laws

In recent years, Congress has taken a renewed interest in furthering controls on how companies, including nonprofits and common carriers, handle personal data, which includes information that identifies or is reasonably linkable to an individual. 

“At the federal level,” says Steven Estep, assistant vice president, operational risk, ICBA, “there have been a number of attempts to process legislation, but only a few have gained any traction. The one that got the furthest was in 2022, the American Data Privacy and Protection Act. It advanced out of the House Energy and Commerce Committee but was never presented on the House floor.” 

He notes that one of the sticking points was the bill’s provision preempting state privacy laws. ICBA is concerned about the potential for states to administer a patchwork of privacy provisions that restrict community banks’ ability to do business across state lines.

“There was another attempt to introduce legislation that began late last year and was introduced early this year,” Estep adds. “That’s the Data Privacy Act of 2023. It is more financial sector-specific and would amend GLBA to be more privacy friendly, but that, too, has not gained traction.”

H.R. 1165, the Data Privacy Act of 2023, would have amended the Gramm-Leach-Bliley Act to modernize the protection of the nonpublic personal information of individuals who have customer or consumer relationships with financial institutions. It sought to establish consumer rights and impose institutional obligations regarding privacy policies, notices, opt-out requests, access and deletion.

“While many legislators appear interested in consumer privacy and data protection reforms, banks are not the main targets of the reforms,” Estep says. “There are already strong privacy protections in the banking sector, especially compared with the data aggregators and big tech companies. Some of the preemption and exemption provisions seem to be a holdup.”

What should community banks do to remain nimble for future privacy and data protection requirements?  

“Because both parties have produced bills, revisions are eventually going to happen,” Estep says. “Without firm requirements, community banks cannot take any specific actions to change internal controls and procedures yet. However, bankers need to stay updated and consider what changes would be required to their current practices, if any, based on proposed amendments. Certainly, state requirements, including important provisions like GLBA exemptions, should also be followed closely, as that area is evolving.”

Data privacy resources at your fingertips

ICBA offers resources and tools to help community bankers stay up to date on data privacy matters, including the Cyber and Data Security webpage and Privacy webpage. 

“Of note on the Cyber and Data Security page are the sections on Advocacy and Mitigation,” says Steven Estep, ICBA’s assistant vice president, operational risk.

“Our Data Privacy Laws and Regulations Guide was updated in 2021 and has again been updated and is currently under review,” he says. “The newest version will include the California Privacy Rights Act (CPRA).”