The Gramm-Leach-Bliley Act (GLBA) established federal ground rules for financial privacy in 1999. The Republicans of the House Financial Services Committee now offer an update, the ‘‘Guidelines for Use, Access, and Responsible Disclosure of Financial Data Act,” or GUARD Financial Data Act. The GUARD Act would preempt state laws that regulate entities and data already covered by GLBA, but it imposes new federal rules likely to do more harm than good.
Federal Lawmakers Should Not Assume that Pro-Regulation States Are Leaders
The drafters of federal privacy bills tend to assume that states that have passed privacy statutes (about 20) are “leaders” and model the federal bills on state statutes; the perspective of states with no privacy statute is left out. Though the GUARD Act omits punitive state measures like California’s private right of action, the bill reflects the pro-regulatory idea that data collection is inherently harmful and should be minimized. Especially in the age of artificial intelligence, where accurate data has tremendous potential for good, this perspective should not guide federal legislation.
Also, like most privacy laws, the bill fails to address the core problem of financial privacy: the Bank Secrecy Act and warrantless law enforcement access to financial data. The GUARD Act has its priorities backwards. Private-sector financial services often use data to fight fraud or offer new products: the police can use it to put people in jail or seize their life savings.
Less Data Is Not Better When Fighting Fraud or Assessing Risk
The GUARD Act ostensibly seeks to ensure that financial service firms collect, keep, and process less personal information. If successful, these limits might impede efforts to fight fraud or develop new services. Three problematic provisions are as follows:
The bill’s data minimization provision requires financial service firms to collect only the data that is “adequate, relevant, and reasonably necessary” for the purpose disclosed in the firms’ private policy. Disputes as to whether specific data is truly necessary could arise—unless firms write privacy policies that describe their purpose for collecting the data very broadly, which they would be likely to do.
If this provision did minimize data collection, it could do more harm than good. For example, sophisticated forms of fraud that use artificial intelligence are rampant. Anti-fraud measures also use AI to identify suspicious patterns in real-time data flows. But it will be harder to spot patterns accurately in patchy data.
The bill gives the former customers of a financial service provider the right to request that their data be deleted, except when the data is used for credit reporting or to comply with other laws. Again, disputes as to whether data qualify for the exemptions are likely. New methods of credit risk assessment are being developed to better serve consumers with scanty credit files. The new methods may not use the same information as traditional credit reports. If the credit reporting exemption is read narrowly, the right of deletion could hinder such innovations. Furthermore, exercise of the right of deletion could also lead to thin data for use in fraud detection and other beneficial purposes.
The GUARD Act requires that a customer opt in before a financial service shares sensitive information with third parties. Sensitive information includes demographic information such as citizenship status, genetic or biometric data, and precise geolocation data. If a customer’s refusal to opt in meant that law enforcement could not access the information without a warrant, an opt-in rule would make sense. But law enforcement and regulators would be exempt. Thus, the rule is another hoop for financial service firms to jump through and could hamper efforts to fight fraud. Precise location information aids fraud detection: the opt-in rule could put unaffiliated third-party fraud detection services at a disadvantage.
Screen Scraping with Disclosures Still Could Be a Security Risk
“Screen scraping” happens when a third party visits a website to collect any available data, including when a third party uses a customer’s logon credentials to access a financial service provider’s site. In addressing the use of customer credentials for screen scraping, the GUARD Act does a good thing and a bad thing.
The GUARD Act requires screen scrapers to make key disclosures to the customer describing how their data will be used, to whom it will be disclosed, and so on. This is a reasonable policy.
The GUARD Act also provides that a financial service may not bar a screen scraper from entering the service’s site, if the scraper has made the required disclosures to customers. This is unwise. Screen scraping creates security risks. The scraper’s disclosures to the customer may not eliminate these risks. Financial service providers such as banks negotiate secure open banking arrangements with third parties to end to screen scraping. If financial service providers cannot block or ban screen scraping, they will have less incentive to participate in open banking. And they may be unable to stop security breaches.
Going Forward, Policymakers Should Focus on Harmful Uses of Data
The best approach to financial privacy is to recognize that legitimate private-sector firms put information to valuable uses such as fraud detection. Inconsistent state laws are a problem, but overregulation at the federal level would also be a problem. Policymakers should consider laws that target specific, tangible harms by private-sector bad actors, and end law enforcement’s warrantless access to financial data. The power of government to arrest or deport those they surveil presents unique risks. The GUARD Act takes privacy policy in the wrong direction.
