
RFI on the State of Current Federal Consumer Financial Data Privacy Law (Joint Trades)

Summary

SIFMA, American Bankers Association (ABA), America’s Credit Unions (ACU), Bank Policy Institute (BPI), and Consumer Bankers Association (CBA), provided comments to the Committee on Financial Services in response to the Request for Information (RFI) on the state of current federal consumer financial data privacy law.


Submitted To

Committee on Financial Services

Submitted By

SIFMA, ABA, ACU, BPI, and CBA

Date

August 28, 2025

Excerpt

August 28, 2025

The Hon. French Hill
Chairman
Committee on Financial Services
United States House of Representatives
2129 Rayburn House Office Building
Washington, DC 20515

The Hon. Andy Barr
Chairman
Subcommittee on Financial Institutions
Committee on Financial Services
United States House of Representatives
2430 Rayburn House Office Building
Washington, DC 20515

Dear Chairman Hill and Chairman Barr:

On behalf of the financial trade associations listed below, please see the accompanying submission in response to your Request for Information (RFI) on the state of current federal consumer financial data privacy law. In addition, the joint trades welcome the opportunity to provide feedback on your request for legislative proposals to account for changes in the financial services sector.

The attached response to the RFI is based on initial feedback from our collective member institutions. Given the complexity of these issues and the measure of their potential impact on the financial services industry, we look forward to providing additional feedback on this topic as we receive it from our members and continuing to work with you as the Committee’s work progresses.

Thank you for the opportunity to provide feedback on your RFI on federal consumer financial data privacy law.

Sincerely,
American Bankers Association
America’s Credit Unions
Bank Policy Institute
Consumer Bankers Association
Securities Industry and Financial Markets Association

Joint Financial Trades Response to the
House Financial Services Committee
Request for Information
Current Federal Consumer Financial Data Privacy Law and
Potential Legislative Proposals
August 28, 2025

Chairman Hill and Chairman Barr, we appreciate the opportunity to respond to the Request for Information [1] (RFI) issued by the House Financial Services Committee as it assesses the current federal consumer financial data privacy law and considers appropriate legislative efforts to account for changes in the consumer financial services sector. This letter can be viewed in conjunction with comment letters filed with the House Energy & Commerce Committee on data privacy issues. [2]

Cumulatively, the assembled joint trade associations (the American Bankers Association, America’s Credit Unions, the Bank Policy Institute, the Consumer Bankers Association, and the Securities Industry and Financial Markets Association; see Appendix A for additional information) represent members comprising the vast majority of financial institutions with decades of experience being supervised for compliance with the Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act (FCRA), and other consumer privacy laws. They are also well acquainted with related issues such as permissioned data sharing (sometimes referred to as open banking) as well as compliance with the emerging patchwork of state privacy laws.

Further, although not expressly asked, the Committee should consider including data breach notification in its drafting. In addition to federal data breach notification requirements, complying with 50 inconsistent state data breach notification requirements plus the District of Columbia and other territories is overly burdensome on financial institutions and provides little if any value for consumers, as notice to impacted customers is already covered by GLBA. We hope that the Committee will consider addressing this issue when considering amendments to federal privacy legislation.

Our feedback to the RFI questions is based on recent and ongoing conversations with our member organizations. We note that this feedback is preliminary in nature and look forward to continuing productive discussions with Committee members and staff in this essential domain.

Overall, we believe:

  • GLBA is a carefully calibrated regime designed to avoid interference with core financial activities that benefit consumers, and will continue to be the most appropriate vehicle to address data privacy for financial institutions;
  • The Committee should play an essential role in discussions on federal privacy legislation given its expertise in financial services, including any discussion of amendments to GLBA (e.g., additional data subject rights with appropriate exemptions and tailoring based on the unique fraud, security, and other risk considerations relevant to financial services);
  • GLBA should have strong preemptions for state privacy laws; moreover, entities, affiliates, and data subject to GLBA must be exempt from any comprehensive federal consumer privacy laws in order to avoid interference with the GLBA and important financial activities such as fraud prevention and underwriting;
  • GLBA should continue to be enforced by federal regulators rather than through private litigation;
  • GLBA should be amended to create a more consistent regulatory playing field among traditional and novel financial institutions as well as other entities operating in the financial ecosystem;
  • GLBA should be amended to include a safe harbor for the sharing of information regarding fraud and scams; and
  • GLBA should be harmonized with Section 1033 of the Dodd-Frank Act as appropriate, including to apportion liability for when consumer-permissioned data sharing results in a data breach as well as part of the data subject rights issue.

 

  1. https://financialservices.house.gov/news/documentsingle.aspx?DocumentID=410833.
  2. See https://www.aba.com/advocacy/policy-analysis/joint-trades-letter-to-commerce-committee-on-data-privacy (April 4, 2025) and https://www.aba.com/advocacy/policy-analysis/Joint-supplemental-letter-regarding-data-privacy-bill (August 19, 2025).