Treasury Report Recommends National Data Breach Law, TCPA Reforms, and More
August 6, 2018
At the end of July, the Department of Treasury released a Report on Nonbank Financials, Fintech, and Innovation. At over 200 pages, the Report is the fourth in a series on the Administration’s core principles for financial regulation called for by Executive Order 13772. It contains more than 80 recommendations, and “identif[ies] improvements to the regulatory landscape that will better support nonbank financial institutions, embrace financial technology, and foster innovation.” These recommendations are broad in scope and would impact many sectors outside of financial services. The Report touches on data breach notification, the Telephone Consumer Protection Act (TCPA), public-private partnerships, the role of regulations, emerging technologies, and more.
At a high level, the fact sheet on the Report identifies four strategic goals, each with a subset of recommendations:
1. Embrace the efficient and responsible use of consumer financial data and competitive technologies. Several notable recommendations include:
- Modernizing rules for digital communications, such as the TCPA and the Fair Debt Collection Practices Act (FDCPA).
- Strengthening the protection of consumer financial data through enacting a federal data security and breach notification law that is technology-neutral, that is scalable to the type of activity and entity, and that recognizes existing federal data security requirements for financial institutions.
- Encouraging work on digital identity by enhancing public-private partnerships that facilitate the adoption of trustworthy digital legal identity products and services, and supporting efforts to fully implement the U.S. government federated digital identity system.
- Modernizing regulatory requirements and guidance for technologies like cloud computing, artificial intelligence, and machine learning in the financial services sector.
2. Streamline the regulatory environment to foster innovation and avoid fragmentation. Broadly, this includes:
- Advancing the harmonization of state licensing and supervision to increase efficiency, particularly for lending and payments companies.
- Harmonizing guidance related to bank partnerships with third parties to improve efficiency and further enable technological innovation in a prudent manner.
- Improving the ability of banks to make innovation-related investments and flexibly adapt to new technologies by considering changes to applicable banking regulations.
3. Modernize regulations for an array of financial products and activities. Recommending rules related to:
- Lending and Servicing.
- Wealth Management and Digital Financial Planning.
4. Facilitate innovation. For example, by:
- Working with federal and state regulators to design a system functioning like a “regulatory sandbox” that would establish a unified regulatory approach and facilitate coordination and meaningful experimentation with innovative financial services.
- Reforming procurement rules to allow financial regulators to use other transaction authority for research and development and proof-of-concept technology projects.
- Strengthening regulator engagement efforts with industry and the establishment of clear points of contact for industry and consumer outreach.
- Promoting the alignment of actions of international organizations with U.S. national interests and the domestic priorities of U.S. regulatory authorities.
Momentum Builds for a National Data Breach Notification Law
Members of the House Financial Services Committee, Representatives Blaine Luetkemeyer (R-MO) and Carolyn Maloney (D-NY), are drafting legislation on a national breach notification standard. The Data Acquisition and Technology Accountability and Security Act would preempt state law. In a memorandum to Members of the Committee on Financial Services, Majority staff outlined that the bill “would replace the current patchwork of state and federal regulations for data breaches with a national law that provides uniform protections. This draft establishes a technology-neutral ‘reasonableness’ standard for data security. The standards would be flexible and commensurate to the covered entity’s size and complexity, activities, sensitivity of the information it maintains, and the cost of available protections,” among other proposals.
The bill has been opposed by State Attorneys General. In a letter to Congressional leaders, they note that, “States have proven themselves to be active, agile, and experienced enforcers of their consumers’ data security and privacy.” They further argue against the bill’s preemption of state data security and breach notification laws and other particular provisions.
Rep. Luetkemeyer praised the Treasury Report’s recommendation for federal legislation, stating, “it is in the best interest of consumers to have a nationwide data breach standard, and Secretary Mnuchin echoed this sentiment in [the] report. As we increasingly rely on online payments and other technologies to make our lives easier, it is critical to ensure consumers can trust that their sensitive information is being kept safe or that they will be alerted if it is compromised.”
The Report helps develop momentum for national data breach legislation. “Treasury recommends that Congress enact a federal data security and breach notification law to protect consumer financial data and notify consumers of a breach in a timely manner. Such a law should be based on the following principles:
- Protect consumer financial data
- Ensure technology-neutral and scalable standards based on the size of an entity and type of activity in which the entity engages
- Recognize existing federal data security requirements for financial institutions
- Employ uniform national standards that preempt state laws.”
TCPA and FDCPA Recommendations
In making recommendations related to communications laws, “Treasury recognizes that the increasingly digitized nature of the economy and financial system requires revisiting of customer communication and disclosure rules that were designed primarily for an era of physical mail and telephone calls. Treasury has identified some opportunities for reform of the TCPA and FDCPA regulatory regimes but recommends that regulators proactively identify other rules in need of revision.”
Related to the TCPA, Treasury advocates for a reassigned numbers database: “[a] reassigned numbers database — long supported by market participants and consumer advocates — could reduce unwanted calls to consumers and reduce caller liability by permitting callers to conduct due diligence to learn whether a number has been recently reassigned and, if it has, remove that number from their autodialed calls.”
The Report further recommends that “the FCC create a safe harbor for calls to reassigned numbers that provides callers a sufficient opportunity to learn that the number has been reassigned. [Additionally] that the FCC provide clear guidance on reasonable methods for consumers to revoke consent under the TCPA [and] Congress should consider statutory changes to the TCPA to mitigate unwanted calls to consumers and provide for a revocation standard similar to that provided under the [Fair Debt Collection Practices Act (FDCPA)].” Treasury also recommends that “the Bureau promulgate regulations under the FDCPA to codify that reasonable digital communications, especially when they reflect a consumer’s preferred method, are appropriate for use in debt collection.”
The Report recognizes that “both the government and the private sector have important roles in establishing a trustworthy U.S. digital identity ecosystem,” and that “public and private sector stakeholders need to work together to develop trustworthy digital legal identity products and services for use in the financial sector and elsewhere. To facilitate this objective, stakeholders should address a number of issues, including:
- How to leverage the NIST guidelines to establish flexible, risk-based standards for digital customer identification and verification, keyed to the risk levels associated with specific customers and/or types of financial products and services;
- How to ensure the trustworthiness, privacy, and cybersecurity of identity service providers, such as government or industry certification and supervision;
- Business models and liability allocation appropriate for establishing portable legal identity; [and]
- Ways the public and private sectors can effectively work together to reduce regulatory burden and catalyze the market for trustworthy digital identity products and services.”
The Report considers “the ability of banks to innovate internally, as well as partner with such technology-based firms. Foundational to the report’s findings, we explore the implications of digitization and its impact on access to clients and their data, focusing on several thematic areas, including:
- The collection, storage, and use of financial data;
- Cloud services and ‘big data’ analytics; and
- Artificial intelligence and machine learning.”
Aligning with the core themes of the Report, Treasury states that “[a]gile regulation requires regulators to acquire and understand existing and emerging technologies, to engage with developers and first-movers, and to hire and retain staff with the appropriate technical expertise. To this end, Treasury believes that regulators should increase efforts to proactively engage in collaborative dialogue with the private sector as innovations arise. Regulators should be looking to facilitate U.S. strengths in technology and work toward the common goals of fostering markets and promoting growth through responsible innovation.”
The Treasury Department’s Report makes numerous recommendations that reach beyond the financial services sector. It touches on issues of significant interest to organizations across the modern digital economy, proposing shifts in policies, regulations, and state and federal laws that could impact technological innovation, public-private collaboration, and data privacy and security.