The Treasury Department came out swinging Tuesday in favor of a national data breach law and a light regulatory touch for “fintech firms” swarming into the banking and compliance worlds.
Those were two among more than 80 recommendations contained in a 200-page report from the Treasury Department looking at fintech and nonbank financial firms. The report was the last in a series of four the department published as part of the Trump Administration’s deregulation pledge.
Most relevant to compliance officers is the idea of a national data breach law, which the United States currently does not have. The Treasury report didn’t offer any specific proposals. Rather, it articulated four principles any national law should follow: protect consumer financial data; ensure technology-neutral and scalable standards based on an entity’s size and scope of activity; recognize existing federal data security laws for financial institutions; and create a uniform national standard that preempts state laws.
Congress would need to enact any national data breach law, and that last principle about preempting state breach disclosure laws could be a big sticking point politically. Some states (California, Massachusetts) have particularly strict rules, and inevitably states would fight a national law as an intrusion into their consumer protection domain.
Congress has batted around the idea of one national data protection law before, especially after a high-profile breach like Equifax in 2017. Dozens of bills have been proposed in the House and Senate in the last several years calling for a federal law that preempts state regulations. So far all the attempts have withered in committee or subcommittee.
It’s also worth noting that the Treasury report only talks about protecting financial data. That’s not the same as all the personally identifiable information that consumer protection groups like to talk about, and that the EU General Data Protection Regulation and some state laws address.
When might any of the talk in this report lead to real, thoughtful action in Congress toward a national data breach law? Who knows. But preempting state power and creating carve-outs for smaller businesses — those ideas are recurring themes in the Trump Administration’s push for business-friendly regulation. So the administration is placing an early marker on what its idea for a national data breach law should look like.
The Treasury report also called on the Office of the Comptroller of the Currency (OCC) to offer national bank charters to fintech firms. Right on cue, Comptroller of the Currency Joseph Otting said OCC would begin doing so immediately — like, starting this week.
National charters would give fintech firms more room to maneuver around state banking and consumer protection laws. While the Treasury report praised states for their efforts to harmonize licensing and supervisory rules, they weren’t moving fast enough for the administration.
The OCC will supervise the fintech companies that are granted charters, saying it has the authority and the resources to do so. State banking supervisors don’t agree, calling the decision “regulatory overreach” and accusing the OCC of exceeding the authority it was given by Congress.
“An OCC fintech charter is a regulatory train wreck in the making,” John Ryan, president and CEO of the Conference of State Bank Supervisors, said in a statement.
State banking regulators, who would be stripped of significant power here, previously tried to sue the OCC to block a national charter for fintechs and other nonbanks. They argue that overriding state supervision and rules will pave the way for a new wave of predatory lenders, and expose taxpayers to a new risk from failed, uninsured fintechs.