U.S. public policy on data security has long been shaped in reaction to crises, rather than in steady pursuit of clearly defined principles. Financial services companies today have an unprecedented opening to influence this issue, in which the interests of both the industry and consumers are legitimately aligned.
A key ongoing thread in financial services industry dialogue is how public policy and regulation will impact the future of digital commerce and retail financial services.
U.S. public policy has long been shaped in reaction to crises—for example, the passing of Dodd-Frank in the wake of the 2008 financial crisis—rather than in steady pursuit of more clearly defined principles. As a result, the current U.S. approach to data security and data privacy is a fragmented patchwork of regulatory authorities and practices. No informed observer would argue that there is a coherent U.S. policy on data security and privacy, particularly when looking ahead to the expected growth of digital commerce.
History and the current state of affairs alike raise the question: How might U.S. lawmakers and regulators react to the next big data privacy crisis? Even a crisis caused by a non-bank player in digital commerce could bring a broad response that saddles even the most trusted financial services players with unwelcome new regulatory burdens.
Generally speaking, financial services industry regulators want to keep money in the traditional banking system, which operates with far more consumer and regulatory safeguards than do the new digital aggregators. The historical regulatory framework around banking and payments has sought to maintain the security and stability of commerce, and through that, of the overall economy. Yet U.S. regulators are also inclined to embrace new sources of competition, which they perceive to generally benefit consumers.
Banks' Role in Developing Sound Public Data Policy
With this inherent tension in mind, traditional financial services providers may need to more actively engage regulators, central banks, and government writ large. The industry has an important part to play in helping public policy players understand the consumer and economic benefits of more formal programs to promote consumer confidence in the security of digital commerce, guided by clear and strong consumer-informed standards around privacy and the appropriate uses of consumer data.
Consumer privacy is becoming not only a growing domestic regulatory concern but also a global one, with intensifying pressure on U.S. companies and the U.S. government to provide significant data privacy protections to non-U.S. citizens. Precedent for this was set with the recent ruling by the European Court of Justice that the U.S.-EU Safe Harbor Agreement is invalid, and its February 1, 2016, replacement with the EU-U.S. Privacy Shield, details of which are still forthcoming.
The U.S. Consumer Financial Protection Bureau has a mandate under Dodd-Frank to establish policy and regulation regarding financial services industry data security and data privacy. With the CFPB still exploring what, if any, regulation is required, it is conceivable that overtures today from the trusted financial services industry could be met with open ears by regulators, particularly if the ideas are clearly in consumers’ interests.
In sum, financial services companies may have an unprecedented opening to influence an issue in which the interests of both the industry and consumers are legitimately aligned.