Prevention and risk mitigation are key components in every aspect of bank operations - the same holds true in the protection of customer data.
Community banks are on the frontline defending the financial sector and bank customers against cyber threats. As a result of sophisticated and constantly evolving threat landscape the federal government and the financial sector are increasingly focused on cyber security.
To better address the increased threat and provide banks with the ability to implement risk-based security programs, state and Federal legislation, regulation, and guidance should be non-proscriptive and non-duplicative in approach and recognize existing or similar regulatory requirements. The patchwork of state data security laws and requirements increases burdens and costs, fosters confusion, and is detrimental to customers.
ICBA supports national data security standards that include appropriate exemptions for community banks that are already covered under GLBA. Regulators should broaden their supervision to include all third parties that have access to, use, or store consumer financial data. These companies should be regulated to Gramm-Leach-Bliley Act (GLBA) like standards.
ICBA supports bi-directional threat information sharing between the financial sector and the government, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), a non-profit information-sharing forum established by financial sector. ICBA recognizes that the U.S. Government also has a responsibility to safeguard financial and personally identifiable information (PII) and to provide banks with visibility into the government’s business continuity, incident response, and other critical resiliency plans.
ICBA supports the work of .BANK, Sheltered Harbor, and other financial sector efforts to enhance protection for bank customer account data.
Community banks are on the frontline defending the financial sector and bank customers against cyber threats. Safeguarding customer information is critical to maintaining the public’s trust. Data breaches in the private and public sectors continue to jeopardize consumer financial data and increase the chances of identity theft, the use of synthetic IDs, and financial fraud of all types.
To better address the increased threat and provide banks better access to actionable threat intelligence and clearer requirements, new Federal incident notification laws should supersede state laws. Often the patchwork of state laws creates requirements that are overly broad, often conflict with one another, increase burdens and costs, foster confusion, and are detrimental to customers because of the difficulty to implement.
It is important that community banks receive timely notification from the public and private sectors, concerning the nature and scope of any breach that may have compromised consumer information so that they may take steps to mitigate any damage.
The costs of data breaches should be borne by the party that incurs the breach. Barring a shift in liability to the breached entity, community banks should have continued access to various cost-recovery options, including account recovery programs and litigation. Too often, the breached entity evades accountability while financial institutions are left to mitigate damages to their customers.
Lastly, the government, including regulatory agencies, continue to be the subject of cyber incidents and data breaches resulting in the loss of consumer data. Like banks, governmental departments and agencies have a responsibility to report incidents. Liability for the breach of governmental systems should not be unfairly born by community banks.
By their very nature, community banks and other financial institutions must collect sensitive nonpublic personally identifiable information (PII) about customers to meet their needs for financial services, which includes an array of deposit and loan services.
This information is also used to prevent fraud, identity theft and comply with various regulatory requirements. Safeguarding customer information is central to financial institutions maintaining public trust and retaining customers.
Third Party and Non-Bank Privacy. Information that is gathered by entities outside of the financial services industry is not held to the same standards as it relates to
safeguarding information. Once information is shared with permissioned third-parties, consumers may no longer have control of their personal and financial information.
The potential for abuse is real and can be extremely harmful to consumers.
This leaves consumers vulnerable to entities that may mislead them about what they do with the information they collect. This places an extraordinary burden on consumers to be vigilant in their research and knowledge of firms to which they may provide
their online account credentials.
For this reason, ICBA has profound concerns that non-bank entities which may be authorized by consumers to access their information and store their bank login credentials may not take the same care in
protecting consumer privacy and data as community banks.
At a minimum, consumers must have the same GLBA-like privacy protections with permissioned third parties as they have with banks, including limitations on the use of consumer information and limitations on the disclosure of the consumer’s information to third parties.
Privacy Standards. Community banks are committed to complying with existing standards to protect customer privacy as outlined in the GLBA and the Safeguards Rule. However, many states are
establishing privacy requirements to enhance consumer protection.
While ICBA fully supports privacy standards, particularly as it relates to protecting consumer financial information and PII, creating a patchwork of differing state privacy
laws and requirements creates unnecessary costs and burdens for community banks and other small businesses.
It is important to maintain one standard as opposed to many complex and potentially competing state-level standards.
GLBA Exemption. Community banks have protected consumer privacy for the last two decades under the Gramm-Leach-Bliley Act. ICBA supports the GLBA and the privacy standards and enforcement
it requires.
Given the patchwork of state privacy laws currently in place and being signed into law, ICBA supports an entity-level exemption from proposed laws due to the strict privacy requirements in GLBA and stringent enforcement by
federal regulators. Complying to both the GLBA and the various state laws which community banks may fall under, would be both unnecessarily burdensome and duplicative.
The GLBA requires financial institutions to provide protections for consumer’s data and prevents financial institutions from sharing consumers’ personal information under certain circumstances without offering consumers a reasonable opportunity
to opt out of such sharing.
Further, the GLBA’s Safeguards Rule requires financial institutions to review their consumer data, identify security risks and develop a comprehensive security program to protect consumer data from unauthorized
use and disclosure. Including such an exemption in state privacy laws will continue to protect consumers while avoiding any unnecessary barriers to community banks.
Staff Contacts: Steven Estep and Susan Sullivan.