The House Energy and Commerce Committee canceled a scheduled markup of the American Privacy Rights Act (APRA) amid industry advocacy calling for Title I of the bill to be amended to exempt all financial institutions subject to federal privacy mandates.
Seven trade groups representing the financial industry expressed concerns that the bill does not include clear language exempting financial institutions from certain requirements outlined in the bill. The trade advocates previously urged lawmakers to clarify these exceptions in a joint letter submitted in May.
Asserting that it is essential to secure consumer information to maintain customer trust, the organizations insisted regulators account for the rigorous federal laws their members adhere to under the Gramm-Leach-Bliley Act (GLBA), which balances consumer protection with secure financial transactions.
“The primary privacy and data security consumer protection law for consumer financial data is Title V of the GLBA. With the GLBA, Congress carefully constructed a privacy and data security regime to provide an effective and successful balance between strong consumer protections and ensuring that consumer financial transactions take place in a safe and secure environment,” the trades wrote. “In particular, the current regime has been carefully structured to ensure compliance with existing laws and regulations, adherence to judicial process, and protection from fraud, illicit finance, money laundering and terrorist financing.”
The financial institutions represented in the letter expressed concerns about APRA (H.R. 8818). Despite their support for privacy protections for all companies, including technology firms entering financial services, the trade groups said they believe the current draft of APRA lacks clear language regarding GLBA exceptions, which they previously highlighted in a joint letter on May 23.
“While the financial services trade associations support legislation to put in place a national privacy standard, that standard must recognize the strong privacy and data security standards that are already in place for the financial sector under the GLBA and other financial privacy laws and avoid provisions that duplicate or are inconsistent with those laws,” the trades wrote.
The GLBA provides a comprehensive regime for data security and consumer protection, including notification requirements and opt-out provisions for data sharing, allowing consumers control over their personal information, the trades noted. Financial institutions argue that without clear exceptions for GLBA-regulated entities, the APRA could create regulatory inconsistencies and undermine the established balance of consumer data protections.
Section 118(b)(3) only excludes “activities” governed by the GLBA, as opposed to exempting financial institutions subject to the GLBA, the trades wrote, asserting this would lead to “duplicative and conflicting requirements for financial institutions already subject to oversight by GLBA regulation” and would be “disruptive to the financial system, consumers, and the economy.”