February 06, 2014

Curry: FIs have data security standards that retailers don't

Comptroller of the Currency Thomas Curry told the Senate Banking Committee Thursday that financial institutions should not be the focus of a new national data security standard and that nonbanking entities – as NAFCU has long urged – should be.

Curry was testifying in a committee hearing, "Oversight of Financial Stability and Data Security," that also included testimony from Treasury, the Federal Reserve Board, FDIC and securities regulators.

Sen. Robert Menendez, D-N.J., asked witnesses if there should be a federal standard on data security breach prevention and notification. Curry, also chairman of the Federal Financial Institutions Examination Council, noted financial institutions already have standards in place – and are subject to ongoing oversight in that regard – but that retailers do not. He also said the Target data breach occurred on the retailer end.

In his opening statement, Senate Banking Committee Chairman Tim Johnson, D-S.D., called on regulators of financial institutions to not implement one-size-fits-all rules or those that impose "unnecessary burdens on community banks and credit unions."

The hearing focused on data security, implementation of the Dodd-Frank Act, housing finance reform, the Volcker rule and "too big to fail."

Of interest to credit unions from Thursday's hearing:

  • In response to a question from Johnson, Curry said the FFIEC will focus on existing data security standards and ensure they are consistent across regulators. He mentioned the inclusion of banks and credit unions on this interagency body. (Along these lines, NAFCU President and CEO Dan Berger has urged NCUA to engage with other regulators working on ways to ensure data is secure.)
  • Menendez asked Curry if regulators are evaluating the harm caused to banks or the harm caused to consumers when working on data breach regulations. Curry said both come into play and that enforcement of consumer protection laws is important. FDIC Chairman Martin Gruenberg said one area potentially in need of review is the Bank Service Company Act of 1961, which has to do with banks' third-party relationships.
  • Menendez said it may be appropriate to have a "universal" standard that applies across the board to everyone involved in the payments system.