Credit Union Trades Question FTC Effort to Regulate Data Privacy
Both CUNA and NAFCU raise concerns over potential rule regulating data protection at financial institutions.
Any effort by the Federal Trade Commission to regulate the ways that consumer data is used is likely to be ill-timed or overly broad, credit union trade groups told the commission this week.
The commission has been soliciting comment on how to protect such data.
“Specifically, the Commission invites comment on whether it should implement new trade regulation rules or other regulatory alternatives concerning the ways in which companies collect, aggregate, protect, use, analyze, and retain consumer data, as well as transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive,” the FTC said, in announcing the effort.
The agency cited studies showing that most people do not generally understand the market for consumer data operating beyond their communication devices.
These studies, the FTC said, have shown that, “If consumers do not have meaningful access to this information, they cannot make informed decisions about the costs and benefits of using different services.”
Comments on whether the agency should issue a rule were due this week.
Response from CUNA
CUNA agreed that data breaches and misuse of consumer data are a problem.
“Losses to credit unions from merchant data breaches impact credit union members in multiple ways,” wrote Madison Rose, CUNA’s director of advocacy and counsel for payments and technology, noting that since members are owners, any data breach affects every member.
She added, however, that the financial services industry is governed by the strict data practices contained in the Gramm-Leach-Bliley Act, and, as a result, financial institutions—including credit unions—should be exempt from any FTC rule.
“The new rule should encompass all businesses, institutions, and organizations by raising expectations for these other sectors up to a standard very similar to that currently in place for financial institutions,” she said.
Response from NAFCU
On the other hand, a NAFCU official said the trade commission should not adopt any data privacy rule until Congress acts.
“The Federal Trade Commission pursuing a broadly applicable data privacy-related rulemaking under its nebulous authority to regulate unfair or deceptive commercial acts or practices is both an extreme example of regulatory overreach and ill-timed,” Dale Ross Baker, NAFCU’s regulatory affairs counsel, wrote in a letter to the agency.
He continued, “Neither the FTC nor any other regulator should, in the name of regulatory clarity or because it is simply ill-content with the inherent limitations of its present processes, attempt to shoehorn a rulemaking into an agency authority not reasonably connected to the rulemaking.”
Any rulemaking should wait until Congress acts on data privacy issues, Baker added.
However, Congress has been unable to enact data privacy and security legislation during the past several years. The gridlock has been caused, in part, by a battle between retailers, who say that financial services providers should be included in any law, and the financial services industry, which contends that Gramm-Leach-Bliley already sets standards for credit unions and banks.