WASHINGTON — September 2017 was the beginning of the end.
That’s when Equifax disclosed publicly, for the first time, that nearly 150 million people had their personal information — including names, addresses and Social Security numbers — stolen from its database.
Major data breaches at retailers such as Target and Home Depot had gotten a lot of attention from the media and consumers. But the hack at the credit bureau would touch the financial services industry in a way that earlier incidents did not. It also would help spur a broader national conversation around privacy that continues to gain momentum, both at the state level and on Capitol Hill.
“When Equifax got breached I thought, ‘Uh-oh, the barbarians are at the gate,’ ” said Camden Fine, president and chief executive of the bank consultancy Calvert Advisors and former longtime head of a community banking trade group. “Equifax and the other credit rating agencies are core to so many lending decisions that I knew the banking industry was going to become fully engaged in the privacy debate.”
And there was still more to come. Facebook’s scandal in March 2018 — when the political consulting firm Cambridge Analytica, hired by the Trump campaign, gained access to data for 87 million social media users — shocked the public. CEO Mark Zuckerberg’s poor performance before Congress a month later riled the critics even more.
“Equifax changed everything from an awareness perspective for policymakers, but a response takes time to catalyze,” said Sam Taussig, head of global policy at Kabbage. “Cambridge Analytica really caught policymakers’ attention and motivated folks to think about actual reforms.”
At the same time, Europe has been developing its own, much stricter privacy regime, known as the General Data Protection Regulation, or GDPR, which went into effect last spring, with far-reaching consequences for U.S. businesses that operate overseas, including financial services companies.
California has led the way stateside, with the passage of a sweeping new consumer privacy law last summer.
While banks have often been on the sidelines of political discussions surrounding privacy and security, the industry is hardly immune. Even in California, where the new privacy law includes some carve-outs for banks, the compliance burden could prove extensive. The law, which applies to all companies that collect data on California residents, goes into effect in January 2020.
“It’ll be a costly process — there’s a lot of groundwork to be laid,” said Crystal Sumner, head of legal and compliance at Blend, a San Francisco company with a namesake software platform for consumer lending.
And California is just the first to act. Banks may find they have new requirements to meet elsewhere soon. New York and Washington are among the states with bills on privacy and data security pending, and other states have approved related legislation in recent years, including Colorado, New Jersey and Vermont.
At the same time, Congress has been looking into its own reforms, and even if divided attention has stymied progress in the past, some observers believe the topic is going to have sticking power this year.
The presidential election now gearing up could provide an especially bright spotlight for privacy proposals.
To avoid the worst of the blowback, the financial services industry needs to play an active role in the debate on Capitol Hill and around the country, analysts argue.
“Tech is replacing banks as the bogeyman — but banks do need to be fearful of collateral damage,” said Edward Mills, a policy analyst at FBR Capital.
Banks also need to start preparing for potential changes ahead — regardless of whether they serve customers in California. Overhauling systems and procedures is no small task.
For now, there are at least three key questions facing the industry.
How high are the stakes for banks?
It’s clear that the issue of privacy isn’t going away anytime soon.
Large tech firms and others with the least oversight in place right now are likely to endure the brunt of any new rules, whether in Congress or at the state level.
Even so, financial institutions can’t avoid the debate, and it’s not in their best interest to try. Engaging is the only way to shape the outcome.
“Privacy will have a red-hot focus in the second half of this year,” said Kabbage’s Taussig.
In arguing that they should not be treated in the same way as other types of privacy gatekeepers, financial institutions are expected to emphasize their requirements under the Gramm-Leach-Bliley Act, or GLBA. This law, which has been in force for nearly two decades, mandates that customers receive an annual privacy notice, with few exceptions, and significantly restricts the kind of information that can be shared with third parties. It also requires employing “reasonable” security standards to protect customer information.
“We’re looking to prevent any additional burdens being put on the banking sector, which already abides by very strict guidelines of protecting people’s privacy,” said Paul Merski, group executive vice president for congressional relations and strategy at the Independent Community Bankers of America.
Count California as a victory on that front. As state officials passed the new law there this summer, they ultimately added clarifying language around a GLBA carve-out for banks. While not an exemption from every facet of the new law, the carve-out will mitigate the overall compliance effort.
“Banks are trying to figure out exactly how GLBA applies — it’s not super clear what’s in and what’s out,” Taussig said. “That’s top of mind among banking attorneys and the California attorney general right now.”
As the debate heats up across the country, consumer advocates will be pushing for tougher new rules to ensure that data privacy and security are protected.
“We want to make sure that everybody has the strongest data security and data breach provisions and we also don’t want companies sharing information promiscuously,” said Ed Mierzwinski, senior director of the federal consumer program at U.S. Public Interest Research Group, or PIRG.
In addition to industry-specific exemptions, like a GLBA carve-out, Mierzwinski said that the business community will be looking to Congress to preempt stricter state laws as part of national legislation — something that he warns consumer groups will vigorously oppose.
At the same time, any new reforms — at the state or national level — that affect the financial services industry will quickly bring layers of nuance to the debate.
For example, updated guidelines may need to consider and potentially account for how data is used by financial firms to prevent illegal activity. Internal fraud detection efforts and federal anti-money-laundering protections would have to be able to continue unencumbered.
“Without the ability to use data to identify and fight fraud, criminals will exploit the blind spot to commit crime,” said Scott Talbott, senior vice president of government affairs at the Electronic Transactions Association. “This will undermine the system and unnecessarily make efforts to fight fraud more difficult.”
How can financial institutions prepare?
As the debate heats up, experts note that banks, even those that don’t serve California customers, should consider reviewing their systems and procedures ahead of any additional changes to privacy law.
The challenge becomes wrangling numerous systems across an institution that may not handle customer information in a uniform way.
“If you were starting a bank from the ground up, you’d be able to sketch out on paper how all of the systems are going to work with a very clear view of how the data flows would operate,” said Steve Durbin, managing director of the Information Security Forum, a cybersecurity research firm. “But very few institutions are in such a luxurious position.”
The preparation effort starts with asking straightforward questions about data collection and use and following the trail from there, several industry officials said.
“For a larger bank to comply with something like the California law, the basic questions that they need to ask, simply, are what data do we have and where is it? What are we using it for and what do we need to tell customers about it?” said Scott Pearson, a partner at the law firm Ballard Spahr.
While the California law does include the GLBA carve-out, which limits the degree to which banks need to deal with data deletion, challenges are likely to remain, broadly, for financial services firms complying with new standards that give consumers more power over their information.
“If a customer says, ‘Delete all of my data,’ you need to know where all that person’s data is to delete it, and you need to have a procedure and system for getting that done in a reliable manner,” Pearson said.
“People have no idea how complicated these systems are and how many different systems there can be — it’s just an enormously complex exercise,” he said.
Who’s controlling the debate — the states or Congress?
Perhaps the biggest question for financial services companies — and the business community at large — is where policymaking around consumer privacy and data security is likely to play out.
The issue has attracted a bipartisan focus in Congress. Sen. John Thune, R-S.D., chairman of the Commerce Committee, has signaled interest, along with Sens. Ron Wyden, D-Ore., Richard Blumenthal, D-Conn., and Mark Warner, D-Va., among others. Sen. Marco Rubio, R-Fla., introduced legislation in January that would give the Federal Trade Commission the authority to update the country’s consumer privacy laws. Various House lawmakers are said to be interested in the issue, too.
In addition, the banking committees might get involved.
“In order to fully embrace the immense benefits that can result from technological innovation, we must ensure proper safeguards are in place and consumers are fully informed,” Sen. Mike Crapo, R-Idaho, chairman of the Banking Committee, wrote in a Jan. 29 editorial.
Crapo said that he plans to “explore legislative solutions” giving consumers more control over their data and greater disclosure around how the government and private companies are using their personal information.
Rep. Maxine Waters, D-Calif., who leads the House Financial Services Committee, also has vowed to examine the credit reporting system in the wake of the Equifax breach.
But, while the issue is likely to attract significant discussion — building on testimony from executives at Facebook, Amazon, Apple, Google and others last year — getting any federal plan into law this term will require overcoming some formidable challenges.
Attention span is one. There is often optimism around big issues like privacy early on, but that energy can dissipate.
“This is the really happy time, at the start of the new Congress, where everything is back on the table,” said Thomas Rosenkoetter, head of government affairs at BNP Paribas.
He’s seen this same issue come up in the past, only to have it fade against other priorities. “To me, it’s Groundhog Day,” he said.
He cited the divided government and the potential for privacy legislation to span across several committee jurisdictions as factors that could impede progress in Congress this time around.
The intense focus on the 2020 presidential race also has the potential to drown out privacy, rather than give it more prominence, Rosenkoetter said.
That’s why many expect that, while the national debate on privacy issues will keep burning, it’s in the states that the most real action is likely to be seen.
“We’re in the era of legislative deadlock at the federal level, and I think it is very likely that the states will step up and create more of a patchwork around privacy and security,” said Mercedes Tunstall, a partner at the law firm Pillsbury Winthrop Shaw Pittman.
Still, it’s worth noting that, over time, continued state action on these issues could create more interest in federal guidelines.
As more states pursue their own standards around consumer data protection and notification, companies are likely to become even more open to a national standard that simplifies the requirements they’re expected to follow.
“Companies with national footprints will find it operationally difficult to comply with 20 to 30 different state laws,” said Sumner, the Blend compliance head.
That kind of patchwork approach would force companies to default their operations to the most restrictive state law, “resulting in a situation where the goal posts keep moving as each new state passes its own legislation with disparate obligations,” she said.
But whatever the result, the issue remains one that banks will need to follow closely — and get involved in — in the months and years to come.
“There’s the old saying, ‘If you’re not at the table, you’re on the table.’ Banks better be at the table,” said Fine, who led the ICBA for 15 years before retiring last spring. “Whether they like it or not, banks will get pulled into this debate.”