{ "id": "IN11199", "type": "CRS Insight", "typeId": "INSIGHTS", "number": "IN11199", "active": true, "source": "EveryCRSReport.com", "versions": [ { "source": "EveryCRSReport.com", "id": 608132, "date": "2019-11-15", "retrieved": "2019-12-13T15:22:46.332572", "title": "Big Data in Financial Services: Privacy and Security Regulation", "summary": "Congress has shown interest in data privacy and security issues in the financial services industry, including an upcoming House Financial Services task force hearing. Recent data breaches at large financial institutions and credit reporting agencies have increased concern about the privacy and security of the large amounts of consumer financial information (known increasingly as big data) that companies gather, use, and store. Some of this information is public, whereas other information is considered personal and nonpublic. No single law provides a framework for regulating data privacy in the United States. Instead, myriad laws cover different industries. \nIn the financial services industry, several federal and state laws cover data privacy; most comprehensively, the Gramm-Leach-Bliley Act (GLBA; P.L. 106-102) directs financial regulators to implement disclosure requirements and security measures to safeguard private information. This Insight summarizes GLBA\u2019s regulatory implementation and discusses policy issues for Congress.\nGLBA and the Financial Regulators\nGLBA provides a framework for regulating data privacy and security practices in the financial services industry. This framework is built upon two pillars: (1) privacy standards that impose disclosure limitations on financial institutions concerning consumers\u2019 information and (2) security standards that require institutions to implement certain practices to safeguard the information from unauthorized access, use, and disclosure. 
The two major rules for implementing this framework are known as the Privacy Rule (Regulation P) and the Safeguards Rule, respectively. These rules are promulgated, supervised, and enforced by different government agencies, and in some cases different agencies have rulemaking and supervisory authority over the same entity. \nRulemaking\nRulemaking authority to implement the Privacy Rule through Regulation P is vested in four agencies. The Federal Trade Commission (FTC) has the rulemaking authority for the Safeguards Rule. Table 1 provides a crosswalk of the federal agencies and whom they may regulate under each rule.\nTable 1. Rulemaking Authority for GLBA\nFederal Regulator\nPrivacy Rule\nSafeguards Rule\n\nConsumer Financial Protection Bureau (CFPB)\nDepository and nonbank financial institutions involving consumer financial products or services in the CFPB\u2019s jurisdiction\nNone\n\nSecurities and Exchange Commission (SEC)\nSecurities companies\nNone\n\nCommodity Futures Trading Commission (CFTC)\nFutures-related companies\nNone\n\nFederal Trade Commission (FTC)\nMotor vehicle dealers\nFinancial institutions significantly engaged in financial activities (e.g., bank and nonbank lenders, real estate appraisers, professional tax preparers, courier services, credit reporting agencies, and ATM operators)\n\nSource: 15 U.S.C. \u00a76804; 12 C.F.R. 
\u00a71016.1(b).\nRegulation P requires financial institutions to\nprovide initial, annual, and revised privacy policy notices to customers and\nset the conditions for when a financial institution may or may not disclose nonpublic personal information.\nThe Safeguards Rule requires financial institutions to\ndesign and implement a safeguards program and \nidentify and assess the risks to customer information in each relevant area of the company\u2019s operation, including service providers and changes in the firm\u2019s operations.\nSupervision and Enforcement\nAgencies responsible for privacy and safeguard rulemaking are sometimes not the same agencies responsible for implementing these rules for a particular entity. For instance, as discussed in Table 1, the FTC has rulemaking authority for the Safeguards Rule; however, supervisory authority for the rule is shared among the banking and credit union regulators. Further, most of the financial regulators have some supervisory or enforcement authority to ensure that the institutions in their respective jurisdictions comply with the Privacy and Safeguards Rules (see Table 2).\nTable 2. 
Supervision and Enforcement Authority for GLBA\nFederal Regulator\nPrivacy Rule\nSafeguards Rule\n\nCFPB\nSupervision and enforcement authority over depository and nonbank financial institutions involving consumer financial products or services in the CFPB\u2019s jurisdiction \nNone\n\nDepository agencies\nSupervision and enforcement authority over banks or credit unions in their jurisdiction \nSupervision and enforcement authority over banks or credit unions in their jurisdiction\n\nSEC\nEnforcement authority over brokers, dealers, and investment advisors or companies in their jurisdiction\nEnforcement authority over securities companies in their jurisdiction\n\nFTC\nEnforcement authority over other entities not covered above by another federal regulator, such as motor vehicle dealers or other nonfinancial companies \nEnforcement authority over other entities not covered above by another federal regulator, such as nonbank consumer financial institutions or other nonfinancial companies\n\nSource: 15 U.S.C. \u00a76805.\nNote: The depository agencies include the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Federal Reserve, and the National Credit Union Administration.\nPotential Policy Considerations for Congress\nThe fact that several regulators implement, supervise, and enforce GLBA provisions has raised questions over the \u201cpatchwork\u201d of regulatory standards for consumer privacy and security. As Congress continues to explore this issue, a few policy considerations may be informative:\nData Security Standards\u2014One area of debate is whether data security standards should be prescriptive and government defined or flexible and outcome based. Some argue that a prescriptive approach can be inflexible and harm innovation, but others argue that an outcome-based approach might lead to institutions having to comply with a wide range of data standards. 
For instance, the FTC recently submitted proposed amendments to the Privacy and Safeguards Rules to provide more certainty to financial institutions and to better protect consumers. Two commissioners dissented over the amendments to the Safeguards Rule, raising caution over the impact more prescriptive cybersecurity standards might have on innovation.\nFinancial Data and Consumer Redress\u2014GLBA covers only nonpublic personal information held by financial institutions significantly engaged in financial activities. However, as the industry\u2019s data use has grown, some have debated whether the law covers all sensitive individual financial information. For example, data brokers can compile public and private data from different sources, much of which may not be subject to GLBA\u2019s provision, but combining these data might reveal financially sensitive information about a consumer. Further, consumers have a limited ability to know, control, or correct financial data, which can make it difficult to obtain redress for violations such as data breaches.", "type": "CRS Insight", "typeId": "INSIGHTS", "active": true, "formats": [ { "format": "HTML", "encoding": "utf-8", "url": "https://www.crs.gov/Reports/IN11199", "sha1": "f4947b426a21041f73f8d3013a07f720a01467a7", "filename": "files/20191115_IN11199_f4947b426a21041f73f8d3013a07f720a01467a7.html", "images": {} } ], "topics": [] } ], "topics": [ "CRS Insights" ] }