
Financial Privacy Bill Could Affect Providers


A key House Republican has released a discussion draft of financial data privacy legislation that could impact how retirement plan providers and administrators collect and share consumers’ personal information. 

Rep. Patrick McHenry (R-NC), who serves as the top Republican on the House Financial Services Committee, on June 23 released the draft legislation, which would amend the Gramm-Leach-Bliley Act (GLBA) to implement new obligations for financial institutions—including non-bank financial institutions—with respect to the collection and disclosure of nonpublic personal information. The draft legislation would also give consumers more control over how their personal information is collected and used.

“Technology has fundamentally changed the way consumers participate in our financial system—increasing access and inclusion. It has also increased the amount of sensitive data shared with service providers,” McHenry said in a statement. “Our privacy laws—especially as they relate to financial data—must keep up. This proposal will modernize the current framework to better align with evolving technology and protect against the misuse or overuse of consumers’ personal information.” 

According to a summary, some of the key provisions in the legislation include the following.

  • Requires notice of collection activities: GLBA currently requires financial institutions to notify consumers that their information is being disclosed to third parties. The draft bill requires financial institutions to notify consumers that their nonpublic personal information is being collected as well. This addition will ensure consumers are made aware when their data is being collected, the summary notes.
  • Updates the definition of a financial institution: Under current law, a financial institution is defined as “any institution the business of which is engaging in financial activities as described in 4(k) of the bank holding company act of 1956.” The draft bill updates that definition to include data aggregators, ensuring that they will be bound by the same rules as traditional financial institutions.
  • Broadens the definition of non-public information: Noting that GLBA currently references “personally identifiable financial information,” the draft bill expands this definition to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer.” This does not include publicly available information. 
  • Provides consumers with access to data held about them: The draft bill provides that, upon an authorized request from the consumer, a financial institution shall disclose the data it holds, the entities with which it shares the consumer’s data, and a list of the entities from which it has received nonpublic personal information about the consumer.
  • Empowers consumers to terminate collection and disclosure of their data: Upon a request from a consumer, a financial institution must delete nonpublic personal information of the consumer held by the financial institution. In addition, the draft bill provides that if a financial institution is required to terminate the collection and/or sharing of a consumer’s nonpublic personal information, the financial institution must notify third parties that data sharing has been terminated and requires them to also terminate. If financial institutions are required by law to keep the data, they may only use the data for that purpose.
  • Minimizes data collection and notifies consumers of it: The bill directs financial institutions to disclose to consumers why they are collecting particular pieces of data and to use that data only for its stated purpose. To that end, the draft bill also specifies that financial institutions’ privacy policies must include the categories of personal information the entity collects, the manner in which it collects that information, and the purpose for which it collects it.
  • Requires preemption: To provide consistency across the country in how downstream entities collect and use personal information, the draft bill would impose a national standard preempting state privacy laws.
  • Enforcement: The draft legislative language also includes a placeholder for enforcement but does not specify what that might entail. It does, however, include a section specifying that, “if the nonpublic personal information of a consumer is obtained from a financial institution (either due to a data breach or in any other manner) and used to make unauthorized access of the consumer’s account, the financial institution shall be liable to the consumer for the full amount of any damages resulting from such unauthorized access.”

While this legislation is unlikely to be enacted this year, it could form the basis for legislation in the next Congress if Republicans take control of the House of Representatives, since Rep. McHenry is the ranking Republican on the House Financial Services Committee.
Moreover, if enacted, it could have any number of implications for the retirement industry, including the sharing of participant data with third parties, the administration of financial wellness programs, and exposure to liability for unauthorized access to or sharing of information, to name a few.