Financial Firms Need to Play Leading Role in Debate for National Data Privacy Law

With executives like Mark Zuckerberg actively calling on lawmakers to regulate technology companies and pass national legislation governing data privacy and cybersecurity, the financial services industry should be paying close attention. As consumers have rightfully demanded greater transparency on the information companies collect on them and how their data is protected, the financial services sector, the least trusted industry globally, cannot afford to remain idle in this debate.

In particular, financial services companies need to play a more active role and better communicate to policymakers in Washington the existing privacy regulations they are under and what steps the nation’s largest financial firms have taken to work with the government to mitigate systemic cybersecurity risk. Financial services firms may then serve as a guide for other industries on how to prioritize data privacy and cyber risk management.

While the public has rightfully focused on Silicon Valley and tech companies that monetize consumer data, bank and non-bank financial services companies have for decades been proactively investing in critical infrastructure, working with regulators to protect financial data and ensure transactions are not interrupted by bad actors, all while adding greater convenience for consumers.

With many Federal lawmakers looking to imitate the European Union’s General Data Protection Regulation and the California Consumer Privacy Act, it’s incumbent on the financial services industry to actively educate policymakers on the robust data and privacy regulations that already apply to the industry. Many protections and cybersecurity regulations, such as giving consumers an “opt-out” option for data sharing, and proactively providing privacy notices, are currently in place for banks and other financial services firms.

Under the Gramm-Leach-Bliley Act, financial services companies are mandated to provide customers with an annual privacy notice. The law also restricts the kind of information that can be shared with third parties, provides customers with an “opt-out” option for sharing certain types of information, and requires firms to employ “reasonable” security standards to protect customer information.

By communicating to policymakers the extent to which they are meeting and exceeding existing regulatory requirements, financial firms can inform legislative efforts and ensure that newly developed regulation is not duplicative or excessive. These existing regulations also offer a framework that can be applied to other industries.

Financial services companies have also proactively worked with the government to mitigate cybersecurity risks and threat prevention. Specifically, the Financial Service Information Sharing and Analysis Center, established in 1999 in response to a White House request, works to quickly collect and disseminate cyber threats and other critical information to member companies. And in 2016, top financial services firms created the Financial Systemic Analysis & Resilience Center, which organizes and concentrates the industries efforts to address cybersecurity threats as a systemic risk. Since the center’s founding, the organization has worked with current regulators, policymakers, as well as academics to study cybersecurity threats and the risk poised to the sector at large.

The work the industry does to proactively mitigate risk and pool resources to protect customers, should be a model for other industries. Last year, the Cybersecurity Tech Accord was launched to create a dialogue for tech companies around mitigating risks and other best practices; however, a more robust effort will be needed to calm demands for heightened oversight.

Highlighting this successful model of “self-regulation” is more important than ever, as federal policymakers look to implement stronger penalties against bad actors in new legislation and as financial regulators are increasingly looking at cyber threats as part of broader systemic risk.

In the Financial Stability Oversight Council’s annual report published in December of 2018, the Council included enhanced cybersecurity protection, among its list of policy priorities for the new year. As FSOC is increasingly focused on an activities-based approach to assessing systemic risk for financial institutions, firms that work to address cyber risk and data protection as well as communicate these efforts to stakeholders may be less likely to face regulatory action.

Moreover, for the financial services sector to avoid new regulatory burdens, while continuing to gain the confidence of both regulators and customers, companies must engage in this debate and communicate directly with policymakers.

This is done through firms showcasing this expertise directly, promoting the work of chief information security officers, better explaining engagement with third-party groups and releasing their own recommendations and best practices for other firms and sectors. Failure to do so could result in financial firms being put on the defensive and be the subject of additional scrutiny like their counterparts in the tech space.


Nick Rozzo is a senior account executive in Edelman’s Washington, D.C., Financial Communications practice.

Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.

Morning Consult