January 24, 2020

Berger asks Kraninger for FFIEC to lead on data privacy guidance

Berger, Kraninger
NAFCU President and CEO Dan Berger asked CFPB Director Kathy Kraninger to lead efforts to provide guidance around data privacy laws.

NAFCU President and CEO Dan Berger, in a letter Thursday, asked CFPB Director and Federal Financial Institutions Examination Council (FFIEC) Chair Kathy Kraninger to provide interagency guidance related to the Gramm-Leach-Bliley Act (GLBA) to help credit unions and other financial institutions comply with data privacy laws.

As the California Consumer Privacy Act (CCPA) took effect earlier this year and other states consider their own data privacy laws, NAFCU has led advocacy efforts for a comprehensive federal data privacy standard and last year developed a detailed white paper outlining six principles to do so. 

"NAFCU opposes the application of conflicting state privacy requirements to credit unions as they are already subject to the privacy requirements of the GLBA and serve as responsible stewards of sensitive consumer data," Berger wrote, adding that the association supports a federal law "that preempts state privacy laws while providing protections to consumers and clarity and consistency for credit unions."

Echoing NCUA Chairman Rodney Hood's – to whom Berger also sent the letter – call for "increased coordination and efforts among the [FFIEC] members to respond to the burden on financial institutions posed by multiple privacy laws," Berger said the "FFIEC should provide interagency guidance indicating that the GLBA should be the sole framework under which financial institutions collect, process, sell, or disclose consumer data, thereby eliminating duplicative state standards." He asked Kraninger and the CFPB "to take the lead in mitigating the regulatory fragmentation created by states passing multiple, parallel regulatory frameworks."

Noting the high compliance costs and unsustainability of complying with multiple frameworks, Berger called for the FFIEC to "act swiftly to provide the industry with clear guidance as many financial institutions, particularly small, not-for-profit, community-based financial institutions like credit unions, may have difficulty complying with varying state standards."

"This would provide consistent protections for consumers across all states and minimize compliance burdens for credit unions and other financial institutions," Berger said. "If legally-binding guidance were issued and all personal information were collected, processed, sold or disclosed pursuant to the requirements of the GLBA and Regulation P, that may satisfy the CCPA's exemption and reduce the number of parallel frameworks financial institutions must undertake."

The association has urged California to exempt credit unions from the CCPA and will continue to advocate for a national data privacy standard to ensure credit unions can effectively and efficiently comply.