My last article stated, “Just when you thought the world could not get any more confusing, the Consumer Financial Protection Bureau (CFPB) finalized and published its rulemaking for Dodd-Frank Act Section 1033. Section 1033 introduces consumers’ personal financial data rights, including consumer access to financial records linked to the financial products and services involved.” Well, in the past 30 days, the data privacy world has continued to muddy the waters and not provide clarity as to what banks are to do to promote data privacy.
As I travel around the United States and speak to bankers, it is clear that most bankers understand that data privacy is important and that they need to do something in this space; however, what is equally clear is that banks do not have a clue where to start. CFPB 1033 has an implementation time frame of six to 60 months, depending upon your asset size, so how important is this issue if a bank has five years to address it? The published CFPB 1033 ruleset states that banks under $850 million never have to comply with CFPB 1033! Eighteen states have enacted dedicated state data privacy laws, but all eighteen states have carve-out exclusions for banks! Why? Because the banking sector is supposed to lay down their own rules and govern themselves. They have not done so. The federal government has tried twice to pass comprehensive data privacy legislation. Still, both times, the bill was written in a way that could not be supported and did not touch any organization that was not a big data broker. Does anyone want to take this data privacy issue seriously and help banks understand their requirements? Is there anyone who can put together a thin layer of data privacy requirements as a foundation to get started with data privacy protection at a bank? We always talk about how our sector is based upon customer relationships and trust, yet lawmakers and regulators are leaving the sector alone and driving firm requirements in every other industry.
The reality is that it is easier to point the finger at each other while most countries have already passed broad privacy legislation. Canada, Asia, Mexico, Europe and the like have all passed comprehensive data privacy laws, with Europe’s requirements quite onerous. In fact, under GDPR, no organization can share data unless consumers explicitly “opt in.” The privacy model in Europe is that data is “owned” by the consumer and businesses have to ask to use it. All U.S.-based laws and requirements state that organizations can share data but must give the consumer the ability to opt out — very different requirements. Can you imagine if, at your bank, you couldn’t share any data with any third party unless you had express consent? Can you imagine not being able to use data for anything other than the primary reason it was obtained unless you had explicit consent?
The data privacy hot potato continues to get passed around. Bankers clearly understand it is important but do not know how to efficiently get started. The CFPB took a bite of the apple with CFPB 1033 but then blamed the states for their “banking sector” exclusions. The feds blame the states for having too onerous requirements (like in California) but then don’t even pass a light version of data privacy rules. The political machine wins, and banks and consumers lose as consumers are not assured of their rights and banks are left guessing where to start and how far to go. Can you blame banks for not doing anything, waiting until the murky water clears before wasting time and resources?
So, what does this mean for your bank? Get educated! The short list of tasks includes:
- Assign someone to take the lead in understanding data privacy.
- Get someone trained or certified in the CFPB 1033 Rule and/or data privacy management.
The place to get started is education. The data privacy sky is not falling here! However, it is important to begin the data privacy journey beyond Reg. P privacy notices.