Letters

House Energy & Commerce Committee and Data Privacy Working Group RFI on Parameters for a Federal, Comprehensive Data Privacy and Security Framework (Joint Trades)

Summary

SIFMA, American Bankers Association (ABA), America’s Credit Unions (ACU), Bank Policy Institute (BPI), Consumer Bankers Association (CBA), the Independent Community Bankers of America (ICBA), and the Mortgage Bankers Association (MBA) submitted supplemental comments to the House Energy & Commerce Committee Request for Information on the parameters for a federal, comprehensive data privacy and security framework.

See related: Request for Information on the Parameters for a Federal Comprehensive Data Privacy and Security Framework (Joint Trades)

Submitted To

House Energy & Commerce Committee

Submitted By

SIFMA, ABA, ACU, BPI, CBA, ICBA, and MBA

Date

19 August 2025

Excerpt

Joint Financial Trades Supplemental Letter to the
House Energy & Commerce Committee
Request for Information
Data Privacy
August 19, 2025

Chairman Guthrie and Vice Chairman Joyce, we appreciate the opportunity to supplement our April 4, 2025 response to the Committee and the Data Privacy Working Group’s Request for Information[1] on the parameters for a federal, comprehensive data privacy and security framework.

Cumulatively, the assembled joint trades (the American Bankers Association, America’s Credit Unions, the Bank Policy Institute, the Consumer Bankers Association, the Independent Community Bankers of America, the Mortgage Bankers Association, and the Securities Industry and Financial Markets Association; see Appendix A for additional information) represent members comprising the vast majority of supervised financial institutions. As discussed in our previous letter, the financial services industry was among the first sectors subject to a federal framework governing the collection, use, and sharing of consumer personal information pursuant to the Gramm-Leach-Bliley Act of 1999 (GLBA). Accordingly, supervised financial institutions should not be subject to inconsistent or duplicative requirements primarily addressing other types of entities.

Recognizing this state of affairs, the Data Privacy Working Group asked for specific follow-up items that would be of use in crafting a comprehensive federal privacy law while avoiding unintended consequences for banks (including federally chartered savings & loans/savings banks and independent mortgage banks), credit unions, and investment companies. The first deliverable is preferred language that could be utilized to effectuate an entity-level exemption for those businesses already subject to the requirements of GLBA.

The joint trades reviewed language found in several of the states that have enacted comprehensive data privacy laws. Like the Privacy Working Group, many state legislatures have recognized the merits of carving financial institutions out of scope. While the concept is clear, different state laws present it in slightly different language. After careful consideration, we believe that the text found in the Kentucky Consumer Data Protection Act is optimal in clarity and conciseness. The relevant text reads:

KRS 367.3611 to 367.3629 [the substantive provisions] do not apply to any:

Financial institutions, their affiliates, or data subject to Title V of the federal Gramm-Leach-Bliley Act, 15 U.S.C. sec. 6801 et seq.[2]

We urge the House Energy & Commerce Committee to include substantially similar language in any germane legislation.

The second request of the Data Privacy Working Group is for information on the compliance costs associated with the status quo patchwork of state laws. As others have observed, all state comprehensive privacy laws have some form of GLBA exception, with most containing an entity-level exemption for either all financial institutions subject to GLBA, or for banks and their prudentially regulated affiliates. Only one law (the California Consumer Privacy Act of 2018, or CCPA, as amended) solely exempts the data subject to GLBA.[3]

However, regardless of the state exemption in place, our members know that these state laws can change rapidly, a scenario that has already occurred in Connecticut and Montana (although these states still carefully maintained entity-level exemptions for banks and their prudentially regulated affiliates given the robust GLBA regulation that these entities are subject to). This possibility injects a great deal of uncertainty into operational strategy and risk calculus. That does not even address the challenges associated with monitoring state data privacy laws and engaging during active state legislative sessions.

Notwithstanding any carveouts, institutions may deploy a compliance regime to address regulatory gaps, mitigate risk, or accommodate consumer (or agency) confusion. One study determined that the compliance costs associated with the CCPA increased “California banks’ legal, data processing, and telecommunications expenses by $471 per million dollars of assets relative to banks in other states that are not subject to the law. This equates to a $880,000 increase in quarterly operating expenses of the average bank.”[4] Additionally, the California Privacy Protection Agency (the entity responsible for CCPA rulemaking) estimated that compliance with the latest batch of regulations for updates, cybersecurity audits, risk assessments, and automated decisionmaking technologies will be approximately $3.5 billion in the first year and will average $1.0 billion across the first ten years following implementation across all industries (not financial services-specific).[5]

As touched on above, it is challenging to reduce compliance costs to pure numbers. For that reason, the associations are including anecdotes from their members (please see Appendix B).

We should also note that the undersigned, in some combination of jointly or separately, intend to respond to the House Financial Services Committee’s Request for Information on Current Federal Consumer Financial Data Privacy Law and Potential Legislative Proposals on or about August 28, 2025.[6] These documents can be read in tandem.

We appreciate the opportunity to provide additional input to the Committee on this important issue and look forward to answering any questions about our views on this subject.

American Bankers Association
America’s Credit Unions
Bank Policy Institute
Consumer Bankers Association
Independent Community Bankers of America
Mortgage Bankers Association
Securities Industry and Financial Markets Association

Appendix A

American Bankers Association. The American Bankers Association is the voice of the nation’s $24.5 trillion banking industry, which is composed of small, regional and large banks that together employ approximately 2.1 million people, safeguard $19.5 trillion in deposits and extend $12.8 trillion in loans.

America’s Credit Unions. America’s Credit Unions is the unified voice for not-for-profit credit unions and their more than 144 million members nationwide. America’s Credit Unions provides strong advocacy, resources and services to protect, empower and advance credit unions and the people and communities they serve. For more information about America’s Credit Unions, visit AmericasCreditUnions.org.

Bank Policy Institute. The Bank Policy Institute (“BPI”) is a nonpartisan group representing the nation’s leading banks. BPI members include universal banks, regional banks, and the major foreign banks doing business in the United States. Collectively, BPI members hold $10.7 trillion in deposits in the United States; make 68% of all loans, including trillions of dollars in funding for small businesses and household mortgages, credit cards, and auto loans; employ nearly two million Americans and serve as a principal engine for the nation’s financial innovation and economic growth.

Consumer Bankers Association. The Consumer Bankers Association represents America’s leading retail banks. We promote policies to create a stronger industry and economy. Established in 1919, CBA’s corporate member institutions account for 1.7 million jobs in America, extend roughly $4 trillion in consumer loans, and provide $275 billion in small business loans annually. Follow us on X @consumerbankers.

Independent Community Bankers of America. The Independent Community Bankers of America ® has one mission: to create and promote an environment where community banks flourish. We power the potential of the nation’s community banks through effective advocacy, education, and innovation. As local and trusted sources of credit, America’s community banks leverage their relationship-based business model and innovation offerings to channel deposits into the neighborhoods they serve, creating jobs, fostering economic prosperity, and fueling their customers’ financial goals and dreams. For more information, visit ICBA’s website at icba.org.

Mortgage Bankers Association. The Mortgage Bankers Association (MBA) is the national association representing the real estate finance industry, an industry that employs more than 275,000 people in virtually every community in the country. Headquartered in Washington, D.C., the association works to ensure the continued strength of the nation’s residential and commercial real estate markets, to expand homeownership, and to extend access to affordable housing to all Americans. MBA promotes fair and ethical lending practices and fosters professional excellence among real estate finance employees through a wide range of educational programs and a variety of publications. Its membership of more than 2,000 companies includes all elements of real estate finance: independent mortgage banks, mortgage brokers, commercial banks, thrifts, REITs, Wall Street conduits, life insurance companies, credit unions, and others in the mortgage lending field. For additional information, visit MBA’s website: www.mba.org.

Securities Industry and Financial Markets Association. The Securities Industry and Financial Markets Association (“SIFMA”) is the leading trade association for broker-dealers, investment banks and asset managers operating in the U.S. and global capital markets. On behalf of our industry’s one million employees, we advocate on legislation, regulation and business policy affecting retail and institutional investors, equity and fixed income markets and related products and services. We serve as an industry coordinating body to promote fair and orderly markets, informed regulatory compliance, and efficient market operations and resiliency. We also provide a forum for industry policy and professional development. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (“GFMA”).

Appendix B

In preparing this document, the Associations met with their members to gather information on the challenges stemming from the patchwork of state privacy laws. Please see below for their aggregated feedback.

State privacy law frameworks can create duplicative requirements without corresponding benefit to consumer privacy. As one example, the recently finalized regulations implementing the CCPA impose fairly prescriptive requirements for an annual cybersecurity audit. As required under their GLBA and safety and soundness obligations, banks already conduct extensive cybersecurity audits each year under other industry frameworks, such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). The California requirements risk forcing banks to begin compiling a single annual cybersecurity audit for purposes of safely satisfying certain idiosyncratic California preferences, which will be duplicative of the numerous cybersecurity audits currently conducted by banks that meet industry and prudential regulator standards.

Many members report fees for outside counsel and consultants to build compliance programs, which can run more than six figures. They must also engage technology and design departments to provide the necessary online disclosures. These disclosures can be confusing to consumers, particularly the “request to know” and “request to delete” rights. Deletion is especially challenging given the number of exceptions and abundance of retention laws for financial institutions. Moreover, many smaller institutions have to rely on vendor solutions, which are geared towards the European Union’s General Data Protection Regulation and CCPA. These are not built with the banking sector in mind and are accordingly clunky.

Our members spent considerable time and resources building data access/deletion workflows and training staff. However, the number of requests is quite low (but could scale at any time). The population of substantive responses falling outside the GLBA exception is even smaller.

In addition, many of our members disable certain marketing features for states like California due to the potential for compliance risk. It also creates an environment that is onerous for startups and new companies, which might choose to withdraw from certain markets or not expand into them in the first place.

Further, app stores such as those maintained by Apple and Google often require certification with certain processes pursuant to state laws but are not tailored to reflect the nuances of the GLBA exemptions. Our members must adhere to these requirements or run the risk of their mobile apps being delisted. This introduces yet another hurdle for each new state law that is enacted.

  1. https://www.aba.com/advocacy/policy-analysis/joint-trades-letter-to-commerce-committee-on-data-privacy
  2. Kentucky Consumer Data Protection Act, KRS Section 367.3613(2)(b); see https://apps.legislature.ky.gov/law/statutes/chapter.aspx?id=39092.
  3. See a table of state laws as compiled by the International Association of Privacy Professionals at https://iapp.org/resources/article/us-state-privacy-legislation-tracker/.
  4. Manish Gupta, Danny McGowean, and Steven Ongena; The Cost of Privacy. The impact of the California Consumer Protection [sic] Act on mortgage markets, November 2023; see page 2.
  5. https://cppa.ca.gov/regulations/pdf/ccpa_updates_cyber_risk_admt_ins_impact.pdf, page 63.
  6. https://financialservices.house.gov/news/documentsingle.aspx?DocumentID=410833.