SIFMA supports the Committee’s efforts to assess consumer financial data privacy, protection, and collection and appreciates the opportunity to submit…
November 8, 2018
Via Electronic Mail
National Telecommunications and Information Administration (NTIA)
Docket No. 180821780-8780-01
Request for Comments: “Developing the Administration’s Approach to Consumer Privacy.”
The Honorable David Redl
Assistant Secretary for Communications and Information
National Telecommunications and Information Administration (NTIA)
U.S. Department of Commerce
Washington D.C. 20230
Dear Administrator Redl:
The Bank Policy Institute (BPI) through its technology policy division known as “BITS,” the American Bankers Association (ABA), and the Securities Industry and Financial Markets Association (SIFMA) (collectively, the Associations) appreciate the opportunity to provide comments to the National Telecommunications and Information Administration (NTIA) on its Request for Comments (RFC) on “Developing the Administration’s Approach to Consumer Privacy.”
I. Executive Summary
Creating a federal privacy framework (Framework) is an important effort to help ensure that consumer data and privacy are protected across all sectors, including those that are not subject to the long-standing and extensive legal and regulatory requirements that have long applied to the financial services sector. The Associations, and the members they represent, are strongly committed to the protection of consumer data, privacy and security and, as a result, support a national effort that can apply appropriate protections across all sectors. As the RFC notes, any new privacy Framework must promote greater trust, transparency and protections for consumers in order to “advance consumer privacy while protecting prosperity and innovation” so that “users… trust that organizations will respect their interests, understand what is happening with their personal data, and decide whether they are comfortable with this exchange.”
As NTIA is aware, financial services firms have long been subject to comprehensive federal, state and international standards relating to the privacy and security of customer information. The need to protect customer information and preserve confidentiality and privacy has been deeply embedded in the policies and operations of banks, insurance companies, wealth and asset management firms and other financial institutions for decades. Indeed, few other sectors have as extensive or robust a series of legal and regulatory requirements that, together with equally important industry standards, govern the collection, use, control and transparency of customer data. In fact, all seven of the privacy principles articulated by the NTIA in the RFC are already existing cornerstones in the current legal mandates that apply to the financial services industry: (1) transparency; (2) control; (3) reasonable minimization; (4) security; (5) access and correction; (6) risk management; and (7) accountability.
Given this robust and well-established regulatory framework already in place for financial institutions, it is important that any voluntary framework developed by NTIA be synergistic with, and not overlapping, inconsistent with, or duplicative of, the myriad existing regulatory and legal requirements that the financial services sector already observes and operationalizes on a daily basis. Ultimately, a single, national standard should preempt the current patchwork of state laws to ensure uniformity and provide consumers a clear understanding of their privacy rights.
The following comments are intended to provide (1) contextual information on the legal and regulatory requirements financial services firms must adhere to and are regularly examined against, (2) suggestions on how NTIA should use these extensive requirements as a baseline for a Framework, as well as (3) suggestions on key selected themes in the RFC. The requirements discussed below are just a subset of the existing state, federal and global requirements for financial firms and are intended to help inform how the financial sector should be considered in the development of a Framework.