By their very nature, community banks and other financial institutions must collect sensitive nonpublic personally identifiable information (PII) about customers to meet their needs for financial services, which includes an array of deposit and loan services. This information is also used to prevent fraud and identity theft and to comply with various regulatory requirements. Safeguarding customer information is central to financial institutions maintaining public trust and retaining customers.
Third Party and Non-Bank Privacy Standards
Entities outside of the financial services industry that gather sensitive nonpublic PII are not held to the same standards for safeguarding information. Once information is shared with permissioned third-parties, consumers may no longer have control of their personal and financial information.
This leaves consumers vulnerable to entities that may mislead them about what they do with the information they collect and places an extraordinary burden on consumers to be vigilant in their research and knowledge of firms to which they may provide their online account credentials. For this reason, ICBA has profound concerns that non-bank entities that may be authorized by consumers to access their information and store their bank login credentials may not take the same care in protecting consumer privacy and data as community banks.
At a minimum, consumers must have the same GLBA-like privacy protections with permissioned third parties as they have with banks, including limitations on the use of consumer information and limitations on the disclosure of the consumer’s information to third parties.
Community banks have protected consumer privacy for the last two decades under the Gramm-Leach-Bliley Act. ICBA supports GLBA and the privacy standards and enforcement it requires. Given the patchwork of state privacy laws currently in place or being considered, as well as the unnecessarily burdensome nature of proposed national-level privacy laws, ICBA supports an entity-level exemption from proposed laws due to the strict privacy requirements in GLBA and stringent enforcement by federal regulators. Complying with both GLBA and the various state or national laws to which community banks may be subject would be both unnecessarily burdensome and duplicative.
GLBA requires financial institutions to provide protections for consumer data and prevents financial institutions from sharing consumers’ personal information under certain circumstances without offering consumers a reasonable opportunity to opt out of such sharing. Further, GLBA’s Safeguards Rule requires financial institutions to review their consumer data, identify security risks, and develop a comprehensive security program to protect consumer data from unauthorized use and disclosure.
Community banks are committed to complying with existing standards to protect consumer privacy as outlined in GLBA and the Safeguards Rule. ICBA fully supports the intent of these laws to protect consumer financial information and PII. However, a patchwork of differing state privacy laws and requirements creates unnecessary costs and burdens for community banks and other small businesses. It is important to maintain one standard as opposed to many complex and potentially competing state-level standards.