ACU Rep Testifies on Data Security; Gives Congress List of Things to Consider

WASHINGTON–A representative of America’s Credit Unions told the House Committee on Financial Services Subcommittee on Financial Institutions that any new data privacy legislation must keep a number of things in mind or risk creating even more of a burden for credit unions.

Andrew Morris, director of innovation and technology with America’s Credit Unions, shared the trade group’s perspective as one of the witnesses during the hearing titled, “Framework for the Future: Reviewing Data Privacy in Today’s Financial System.”

Andrew Morris testifies before Congress.

In his prepared comments, Morris told the committee America’s Credit Unions supports a comprehensive federal data security and privacy framework that includes robust security standards that apply to all who collect or hold sensitive personal data.

But he noted credit unions are already complying with rules on data security and any new rules should ensure CUs can continue to meet members’ needs. 

“America’s Credit Unions believes that the Gramm Leach Bliley Act should remain the model for depository institution compliance with any future federal data privacy and security standard,” Morris said.

8 Things to Consider

Morris offered the committee eight points to be considered with any data privacy legislation, including:

  • There should be an entity-level exemption for credit unions and similarly regulated financial institutions that are subject to the GLBA.
  • The oversight of credit unions, banks and other depository institutions should be left to the functional financial institution regulators that have experience in the field.
  • Preemption of state laws is necessary due to the patchwork of state privacy laws that have created idiosyncratic approaches.
  • There should be limits on data deletion requirements and prohibitions on collecting certain types of data without consumer opt-in, as a broad right of deletion can frustrate efforts to comply with recordkeeping rules or detect and prevent fraud.
  • The opt-out regime maintained by GLBA and Regulation P generally operates to limit sharing of sensitive consumer information, and that should be continued.
  • A comprehensive federal data privacy framework should provide principles-based requirements and offer a safe harbor for businesses that take the appropriate steps to comply with the law.
  • Any private right of action should be limited due to the risk of frivolous lawsuits.

Views from Each Side of the Aisle

Meanwhile, in opening remarks, subcommittee Chairman Rep. Andy Barr (R-KY) said the objective is to assess how Congress can ensure consumers’ data is used only as authorized “while protecting the innovation that has transformed our financial system since the Gramm Leach Bliley…Act became law more than 25 years ago.

Rep. Andy Barr during hearing.

“We’ve seen the rise of mobile banking apps, peer-to-peer payment platforms, and a shift away from cash toward digital transactions,” said Barr. “…While these capabilities bring benefits they also raise serious privacy and security concerns. A key driver of innovation is open banking, allowing consumers to securely share their financial data with third party providers through application programming interfaces, or APIs. Open banking can empower consumers with more control over their financial information, foster competition and spur the development of new tools and services. 

Questions Raised

“But it also raises questions about data privacy liability standard setting and GLBA’s applicability…A quarter of a century is a long time in tech, so we must ask is GLB still a fit…in today’s fast-paced data-driven environment.”

Barr said the current patchwork of related state laws has created “costly compliance” for companies and that if Congress doesn’t act those states could create “de-facto standards.”

“Finally, we must address calls to expand enforcement mechanisms by granting consumers private rights of action, which allow individuals to sue firms directly for alleged violations,” Barr said. “Private rights of action opened the door to frivolous lawsuits benefiting large firms that can absorb litigation costs and discouraging innovation by increasing legal risks for financial services providers.”

Democratic Rep Cites Irony

In his comments, Dr. Bill Foster (D-IL), who was in Congress when Gramm Leach Bliley was passed in 1999, said he had been pleased to see the CFPB finalize the personal financial data rights rule to implement section 1033 of Dodd-Frank, because it gives consumers greater rights, privacy and security over their personal financial data, and makes it easier for consumers to switch between service providers, although the Trump administration has now indicated it will not be enforcing those rules.

He noted that’s ironic, since it was during the first Trump administration when the process of implementing the rule got underway.

“It’s been nearly 15 years since the passage of Dodd-Frank and rewriting this rule in its entirety would cause an unnecessary delay that will hurt privacy, hurt innovation and hurt competition,” said Foster.

DOGE, Data & ‘Deep Concerns’

Given that the topic of the hearing was data security, Foster said he was also “deeply concerned” that President Trump, Elon Musk and members of the DOGE team have “raided government agencies of their data across our government, where they accessed and gathered sensitive data on millions of Americans.”
