states have enacted dedicated state data privacy laws, but all eighteen states have carve-out exclusions for banks! Why? Because the banking sector is supposed to lay down its own rules and govern itself. It has not done so. The federal government has tried twice to pass comprehensive data privacy legislation. Still, both times, the bill was written in a way that could not be supported and did not touch any organization that was not a big data broker.

Does anyone want to take this data privacy issue seriously and help banks understand their requirements? Is there anyone who can put together a thin layer of data privacy requirements as a foundation to get started with data privacy protection at a bank? We always talk about how our sector is based upon customer relationships and trust, yet lawmakers and regulators are leaving the sector alone and driving firm requirements in every other industry.

The reality is that it is easier to point the finger at each other while most countries have already passed broad privacy legislation. Canada, Asia, Mexico, Europe and the like have all passed comprehensive data privacy laws, with Europe’s requirements quite onerous. In fact, with GDPR, no organization can share data without consumers explicitly “opting in.” The privacy model in Europe is that data is “owned” by the consumer and businesses have to ask to use it. All U.S.-based laws and requirements state that organizations can share data but must give the consumer the ability to opt out — very different requirements. Can you imagine if, at your bank, you couldn’t share any data with any third party unless you had express consent? Can you imagine not being able to use data for anything other than the primary reason it was obtained unless you had explicit consent?

The data privacy hot potato continues to get passed around. Bankers clearly understand it is important but do not know how to efficiently get started.
The CFPB took a bite of the apple with CFPB 1033 but then blamed the states for their “banking sector” exclusions. The feds blame the states for having overly onerous requirements (like in California) but then don’t even pass a light version of data privacy rules. The political machine wins, and banks and consumers lose, as consumers are not assured of their rights and banks are left guessing where to start and how far to go. Can you blame banks for not doing anything, waiting until the murky water clears before wasting time and resources?

So, what does this mean for your bank? Get educated! The short list of tasks includes:

• Assign someone to take the lead in understanding data privacy.
• Get someone trained or certified in the CFPB 1033 Rule and/or data privacy management.

The place to get started is education. The data privacy sky is not falling here! However, it is important to begin the data privacy journey beyond Reg. P privacy notices.

15 Colorado Banker