What's Happening?
The Consumer Financial Protection Bureau (CFPB) has criticized existing federal financial data protections as outdated, urging states to reconsider their laws to better protect consumer financial information. The CFPB's call to action highlights the challenges financial institutions face in categorizing digital data within the current regulatory framework, particularly data generated by mobile banking apps and digital services. Montana and Connecticut have amended their privacy laws to remove broad exemptions for financial institutions, signaling a shift in the patchwork of state privacy laws. These changes could reshape how financial institutions approach data compliance, as they may now be subject to additional obligations under state law.
AD
Why It's Important?
The amendments in Montana and Connecticut reflect a growing recognition that financial institutions hold substantial amounts of consumer data not covered by the Gramm-Leach-Bliley Act (GLBA). This shift could lead to dual or overlapping compliance burdens for financial institutions operating across jurisdictions, as they must navigate both federal and state privacy requirements. The evolving privacy landscape may require financial institutions to invest in scalable compliance infrastructure to adjust to changing laws, potentially impacting their operational costs and strategies. The CFPB's call for updated privacy laws underscores the need for a more consistent and comprehensive approach to consumer data protection.
What's Next?
Financial institutions will need to align their data practices with both federal and state laws, mapping all collected consumer data to determine applicable regulations. Institutions should ensure privacy notices are clear and compliant with both GLBA and state laws, and may need to refine systems for processing consumer requests. As more states revisit GLBA exemptions, the compliance landscape may become more fragmented, forcing financial institutions to manage state-by-state obligations in addition to federal rules. The potential repeal of the CFPB's Section 1033 Open Banking Rule could further complicate privacy notices.
