Bank Associations Want Exemption from Any New Federal Data Privacy Law
A group of financial trade associations urged the House Committee on Energy and Commerce to exempt companies that offer consumer financial products or services (under the Gramm-Leach-Bliley Act ("GLBA")) from additional federal data privacy legislation.
The letter is in response to the Committee and the Data Privacy Working Group's request for information "that would be of use in crafting a comprehensive federal privacy law while avoiding unintended consequences for banks." The letter, signed by the ABA, America’s Credit Unions, the Bank Policy Institute, the Consumer Bankers Association, the Independent Community Bankers of America, the Mortgage Bankers Association, and SIFMA, supplements a previous letter to the Committee in which the associations called for a uniform national standard that recognizes the existing GLBA regime, preempts conflicting state laws, and avoids duplicative regulation for financial institutions.
In the supplemental letter, the associations urged lawmakers to ensure that any federal data privacy framework includes a clear exemption for financial institutions already subject to the GLBA. The associations proposed model statutory text (drawn from the Kentucky Consumer Data Protection Act) arguing that it provides the most straightforward and effective language to prevent duplicative or inconsistent regulation. They emphasized that banks, credit unions, and other supervised institutions operate under robust federal privacy standards and should not be swept into requirements intended for entities outside the GLBA regime.
The associations also cautioned that the current patchwork of state privacy laws imposes costly and uncertain compliance obligations, even where GLBA exemptions exist. They pointed to recent amendments to state laws that create operational unpredictability. They cited California’s privacy law, in particular, as significantly raising banks’ compliance costs. The associations asserted that new regulatory mandates for cybersecurity audits, risk assessments, and automated decision-making technologies are projected to add billions in industry-wide costs. They warned that such overlapping frameworks strain resources without improving consumer protections.
The associations also stated their intent to respond to the House Financial Services Committee's request for public feedback on potential changes to federal consumer financial data privacy laws. (See previous coverage.)