WASHINGTON—During a House hearing earlier this week on financial data privacy, witnesses offered sharply different views on whether current laws adequately govern banks, financial technology firms and data aggregators.
During the House Financial Services Committee hearing titled “Updating America’s Financial Privacy Framework for the 21st Century,” testimony focused on how transaction data, account information and login credentials flow through application programming interfaces, or APIs, and third-party intermediaries to power payments, lending and personal finance tools.
Witnesses agreed that consumer financial data now circulates well beyond traditional banking channels, but they diverged on who controls that data and whether oversight is sufficient.
How Data Moves Through the System
Laura MacCleery, senior director for policy and advocacy at UnidosUS, described a system in which consumer data is frequently accessed indirectly.
“When a consumer connects an app to a bank account, the app generally does not communicate with the bank directly,” MacCleery testified. “An aggregator reaches into the account, pulls transaction data and delivers it.”
She said earlier models often relied on collecting login credentials, giving aggregators broad access to accounts with limited transparency for consumers.
Steven Boms, executive director of the Financial Data and Technology Association, said those same data flows support widely used services, including real-time fraud alerts and small-business lending tools that rely on cash-flow data rather than traditional credit scores.
What Data Is at Issue
Witnesses said financial data now extends beyond basic account information.
Under the Gramm-Leach-Bliley Act, financial institutions must safeguard nonpublic personal information such as transaction histories and balances. But MacCleery said modern data collection includes additional elements like biometric and geolocation data, as well as access credentials.
Clara Kim, senior vice president for BSA/AML and sanctions at the Bank Policy Institute, said FIs collect and retain such data for operational purposes, including fraud prevention, anti-money laundering compliance and credit underwriting.
Banks, Fintechs and Oversight
One key point of disagreement centered on whether banks and nonbank firms face comparable regulatory scrutiny.
MacCleery argued they do not, saying banks are subject to federal examinations, security standards and privacy laws, while data aggregators face little direct federal oversight.
Boms countered that fintech platforms and aggregators are already covered under existing law, including requirements to maintain information security programs and breach response protocols.
Kim told the hearing the distinction lies in supervision, noting that banks undergo continuous regulatory examinations and must manage third-party risks, while other entities handling similar data are not subject to the same level of ongoing oversight.
Nathan Taylor, a partner at Morrison Foerster, testified that existing law broadly applies to firms engaged in financial activities, including those that process and transmit financial data.
Consumer Control and Consent
Witnesses also debated whether consumers have meaningful control over how their financial data is shared.
Boms said consumers should have the right to share their data freely with third parties and to revoke that access at any time.
MacCleery questioned whether such control is effective in practice, noting that many systems rely on opt-out frameworks in which data sharing continues unless consumers take action to stop it.
“Under an opt-out, the default is that consumer data is shared unless the individual acts,” she said.
Lawmakers did not signal a consensus on next steps, but testimony highlighted competing approaches, including calls for a national data privacy framework, stronger consumer protections and clearer enforcement standards.
Rep Calls for Stronger Controls
Later during the hearing, Rep. Ayanna Pressley (D-MA) called for stronger consumer control over personal financial data during a House Financial Services Committee hearing, arguing that Americans often have little visibility into how their information is shared across the financial system.
In her comments, Pressley framed the issue through a hypothetical renter using digital payment tools, noting that many consumers unknowingly allow their financial data to be shared with marketers, credit agencies and data brokers.
“That doesn’t happen by chance. It is by design,” Pressley said, arguing that banks and financial technology firms profit from widespread data sharing while consumers lack meaningful control.
The proposed rule would allow consumers not only to authorize data sharing for payments and services, but also to move their financial histories between providers, potentially increasing competition and consumer choice.
The Debate
MacCleery said current privacy protections under the Gramm-Leach-Bliley Act rely too heavily on “opt-out” mechanisms that place the burden on consumers.
She argued that most people do not fully understand or act on mailed privacy notices, leaving them automatically enrolled in data-sharing arrangements.
“Opt-in” systems — where consumers must actively consent — better reinforce a sense of ownership over personal data, MacCleery said, adding that such frameworks are favored by many consumer advocates and reflected in some state privacy laws.
Resistance Questioned
Pressley also questioned why some financial institutions oppose open banking reforms. MacCleery responded that companies benefiting from retaining customer data may resist changes that make it easier for consumers to switch providers.
The exchange highlighted broader tensions between consumer advocates and industry stakeholders over how financial data should be governed in an increasingly digital marketplace.
Accessibility Concerns
MacCleery also emphasized the need for clearer and more inclusive disclosures, particularly for consumers with limited English proficiency.
She said financial documents and disclosures should be provided in the same language used to market products, warning that mismatched communications can leave consumers unable to fully understand their rights.
Pressley concluded by stressing that financial privacy reforms must center on consumer empowerment, saying individuals should have control over both their money and the data tied to it.
