"Beware the Ides of March."
- Julius Caesar Act 1, scene 2
In This Issue...
- CSBS Comments on Legislative Efforts on Data Privacy and Security
- CSBS Data Corner: State-Chartered Banks' Share of Agriculture Financing Ticks Upward
- 2018 Community Bank Survey Results Video
- In the Media
CSBS Comments on Legislative Efforts on Data Privacy and Security
CSBS sent the following to the Honorable Mike Crapo, chairman, Senate Committee on Banking, and the Honorable Sherrod Brown, ranking member, Senate Committee on Banking. You can find the full letter here.
For many years, states have been at the forefront in advancing data privacy and security for the protection of consumers residing in their states. Accordingly, we believe any federal proposal relating to the collection, use and protection of consumer data must preserve the role for state leadership in the areas of data privacy, security and control.
Federal Law Appropriately Establishes a Federal Floor in the Areas of Data Privacy, Security and Control
Data privacy and security is a dynamic field with novel risks emerging on a constant basis. It is critical that state regulators and state law enforcement agencies retain the ability to protect consumers in their states.
In enacting federal privacy laws, Congress has traditionally recognized the important role filled by the states in setting data breach standards.
For example, Title V of the Gramm-Leach-Bliley Act (GLB) requires financial institutions to implement a risk-based response program to address instances of unauthorized access to consumer information systems. 1 Importantly, Section 507 of GLB establishes a floor for data breach and data security laws and expressly reserves the right of states to enact more stringent data breach and privacy laws for the protection of their citizens. 2
Section 507 was enacted to ensure states retain flexibility to develop regulatory approaches to protecting consumer information that fairly balance the needs of business with the level of privacy protection desired by the consumers residing in their state. Accordingly, federal consumer privacy standards have operated concurrently with more stringent state data breach and privacy laws for close to two decades.
The rapid evolution and proliferation of online financial services since the enactment of GLB has made it more crucial that states be permitted to serve their constitutional role as “laboratories of democracy” in calibrating the appropriate level of protection for consumer data over and above baseline national standards.
In enacting federal credit reporting laws, Congress has likewise recognized the important role served by states in advancing the rights of consumers with respect to the collection, use and dissemination of consumer information by credit reporting agencies. As with federal privacy laws, the Fair Credit Reporting Act (FCRA) 3 likewise establishes a federal floor which allows for state laws to impose more stringent requirements with respect to the collecting, distribution, or use of any information on consumers or for the prevention or mitigation of identity theft. 4
Although, over two decades ago, legislation was introduced to preempt all state laws regulating credit reporting agencies, fortunately, this initiative failed. 5 Had the initiative succeeded, critical state reforms related to credit reporting would never have been established: consumers would not have nationwide free credit reports, consumers would not have access to their credit score, consumers would not have had data breach notices, and, at least until 2018, consumers would not have the free nationwide credit freezes.
The critical lesson here is that, while Congress often waits to enact critical consumer protections until widespread consumer harm is realized, a federal floor embraces the inherent nimbleness of state law by allowing states to experiment with innovative approaches to advancing the ability of consumers to control the use of their information as novel threats emerge.
For this reason, CSBS would strongly oppose any federal proposal which seeks to preempt states from playing a leading role in advancing consumer protections in the areas of data privacy, security, and control.
Recent State Actions Demonstrate State Leadership in the Areas of Data Privacy, Security and Control
Recent actions by state legislators and state regulators bear out the critical role served by the states in the areas of data security, privacy and control. Each of the initiatives highlighted below is an example of states responding to emerging threats to data privacy, security and control in areas where Congress and federal regulators have failed to or lack the authority to act.
In 2016, the New York Department of Financial Services (NYDFS) proposed a comprehensive cybersecurity regulation for financial institutions. 6 This regulation—the first of its kind in the nation—is designed to protect the cybersecurity of banks, insurance companies, and other financial institutions regulated by NYDFS. The regulation requires regulated companies to establish cybersecurity programs and policies, conduct annual cybersecurity assessments, and take other specific steps to secure information and networks.
By taking a risk-based approach focused on highly sensitive information, the NYDFS regulation provides an incentive for companies to more effectively allocate their cybersecurity resources. The NYDFS cybersecurity regulation is just one example where the states are taking decisive action to protect consumers and our financial system in an area of data security where the federal government has yet to act.
In 2018, California enacted the California Consumer Privacy Act (CCPA) to enhance consumers’ rights to control the use, including the sale, of their personal information. 7 The CCPA (which like the NYDFS cybersecurity regulation is the first law of its kind in the nation) requires companies with California residents as customers to abide by heightened disclosure standards and gives consumers considerable control over how their personal data is used. 8 The CCPA is another example of states taking the lead to develop robust, innovative solutions to ensure consumers retain control over the use and dissemination of their information.
There is an abundance of other recent examples of states taking a leadership role by enacting state laws that enhance consumer protections in the areas of data privacy, security and control. In 2018, Colorado enacted data security standards requiring companies to maintain reasonable security practices and appropriately dispose of documents containing consumers’ personal information and ensure data is protected when transferred to third parties. 9
Vermont enacted a law regulating data brokers in 2018 which requires data brokers which buy and sell consumer information to register with the state’s attorney general, to make annual disclosures regarding privacy practices and data breaches, and to maintain a comprehensive information security program. 10
Finally, in 2017, New Jersey enacted a law that limits a merchant’s ability to collect information about shoppers and pass that data on to third parties. 11 These are important initiatives that demonstrate the critical role of preserving the role of states in experimenting with expanded consumer protections in the areas of data privacy, security, and control.
In addition to the above-mentioned state laws, state regulators have also been active in responding to incidents that reveal weaknesses in data security practices by existing companies.
For instance, in 2018, after the large-scale data breach at Equifax was made public, eight state financial regulators entered into a consent order with Equifax to address serious deficiencies in the company’s cybersecurity program that resulted in the breach. 12 The consent order arose from a joint examination these regulators performed of the company. The order, which applied to Equifax’s operations nationwide, directed Equifax to undertake a restructuring of its risk management processes, strengthen internal controls, and enhance Board oversight of its information security program.
Thus, as with state law, the corrective actions required of Equifax demonstrate just how critical it is to preserve the ability of state regulators to take swift action when material weaknesses and emerging threats come to light.
Federal Law Must Continue to Establish a Federal Floor, Not a Ceiling, in the Areas of Data Privacy, Security and Control
For the reasons discussed above, state regulators believe it is incredibly important for federal law to continue to establish a floor for consumer protection in the areas of data privacy, security and control and, thereby, leave room for states to establish more stringent consumer protections and to act quickly as novel threats emerge. Conversely, we would strongly oppose any federal proposal that would preempt the states’ authority to enact more stringent standards and enforce those standards.
State regulators stand ready to work with Congress concerning where uniformity in the areas of data privacy, security and control can be achieved while preserving the ability of states to take a leadership role in standard-setting, oversight and enforcement. Relatedly, given the experience of state regulators discussed above, any federal proposal which directs federal agencies to promulgate federal standards in the areas of data security, privacy and control should provide for a role for state regulators in the development and promulgation of those standards.
Finally, if greater uniformity in data privacy, security and control is a goal, Congress should consider adopting an amendment to the Bank Service Company Act (BSCA) which would enable the sharing of examination reports and supervisory information between state and federal regulators of bank service companies and third-party service providers. Bi-partisan legislation amending the BSCA to encourage information sharing between state and federal regulators passed the House Financial Services Committee in the previous Congress by a unanimous vote of 56-0. 13
CSBS appreciates the opportunity to comment in response to your request for feedback on the collection, use and protection of sensitive information by financial regulators and private companies.
As discussed above, data security, privacy and control are an evolving area in which threats emerge and change with great frequency, and states—due to their greater flexibility and nimbleness—have been very active in leading efforts to enhance consumer protections in this area and responding to threats to consumer protections as they emerge.
Accordingly, as your offices consider what, if any, federal solutions may be appropriate in this area, CSBS urges you to bear in mind that any long-term, viable solution should preserve the ability of states to act, as they have so often, as leaders and first-responders in the areas of data security, privacy and control.
CSBS Data Corner: State-Chartered Banks' Share of Agriculture Financing Ticks Upward
By Brennan Zubrick
CSBS Senior Director, Analytics
This edition of the CSBS Data Corner shows the percent of agricultural loans made by state-chartered banks as a percent of all agricultural loans (non-seasonally adjusted) made by banks and how that share has changed over time. State-chartered banks are an important source of agricultural financing to farmers – and have taken on a larger share of total agricultural financing over time. In the most recent quarter (Q4 2018), state-chartered banks provided the third-highest share of agricultural loans in the history of the Call Report data (67.8%). Agricultural loans consist of two data elements from the Call Report data: Real Estate Loans Secured by Farmland and Loans to Finance Agricultural Production and Other Loans to Farmers.
Source: Bank Call Report, CSBS
2018 Community Bank Survey Results Video
Every year, CSBS conducts a nationwide survey of community banks.
This survey represents valuable insight on the views and concerns of community bankers today. In 2018, 521 bankers in 37 states responded.
Here's what we learned.
In the Media
Helping or Hurting Community Banks? A proposal by federal regulators to implement a Community Bank Leverage Ratio is receiving pushback, reported American Banker (subscription required). At issue is whether a prospective capital framework would simplify regulatory compliance or create more hoops for smaller banks to jump through. The article cites a comment letter from CSBS, saying "the proposal is 'a fundamental obstacle to achieving the regulatory relief intended' because of how the agencies establish a new 'prompt correction action framework.'" You can read CSBS' rationale in a formal comment letter here.
Whipping Wells. Congress renewed its criticisms about Wells Fargo in congressional hearings this week, focusing on company actions to address sales practices that had led to creation of fake accounts of which consumers were unaware. Multiple reports from American Banker, Politico Pro, Reuters and others recounted the tense House Financial Services hearing with Wells CEO Tim Sloan. "More than two years after Wells Fargo's consumer scandals first started coming to light," American Banker summarized, "the congressional backlash facing the bank remains just as fierce, uniting both Democrats and Republicans." At the hearing, committee Chairwoman Maxine Waters (D-CA) described the company as too big to manage and urged its breakup. Sloan responded by saying that the company has taken action to correct its sales practices. You can read Sloan's testimony here.
Modernizing CRA. In a speech this week, Federal Reserve Governor Lael Brainard discussed how enforcement of the Community Reinvestment Act could be updated. As Politico Pro reported, "A major debate around reform of the CRA...is how to define a bank's community, or 'assessment area,' which is currently driven by the location of a bank's branches and ATMs." On that front, "Brainard suggested the definition 'could be flexible enough to allow banks that conduct most or all of their retail activity online to identify states in which they have significant levels of deposits, lending or other banking activity.' She also said agencies have been considering 'a possible approach' where banks have different assessment areas for their retail activities and for their community development activities. 'This would retain the law's focus on the credit needs of a bank's local community by evaluating the retail lending and services it offers in the county or geographic area' around its branches and ATMs, she said." You can read the full text of Brainard's speech here.