Banking, Data Privacy, and Cybersecurity
February 24March 13, 2023 , 2023
Regulation
Andrew P. Scott
Financial data contains significant amounts of sensitive information, and ensuring the privacy of
Financial data contains significant amounts of sensitive information, and ensuring the privacy of
Analyst in Financial
Analyst in Financial
such data among financial institutions is a goal of many policymakers. In particular, Congress
such data among financial institutions is a goal of many policymakers. In particular, Congress
Economics
Economics
has demonstrated an interest in prioritizing data privacy standards in the financial system. Much
has demonstrated an interest in prioritizing data privacy standards in the financial system. Much
of the legislative and regulatory data privacy framework established for banks and credit unions
of the legislative and regulatory data privacy framework established for banks and credit unions
Paul Tierno
is constructed from a patchwork of cybersecurity provisions. Similarly, the implementation of
is constructed from a patchwork of cybersecurity provisions. Similarly, the implementation of
Analyst in Financial
Analyst in Financial
cybersecurity supervisory programs among financial institution regulators is fragmented, and
cybersecurity supervisory programs among financial institution regulators is fragmented, and
Economics
Economics
potential risks to the financial system have emerged as new technologies evolve.
potential risks to the financial system have emerged as new technologies evolve.
Cybersecurity threats pose
Cybersecurity threats pose
operational risk, ,
reputational risk, and, potentially, , and, potentially,
systemic risk. .
Operational risk is the threat that an event such as a natural disaster, pandemic, or cyberattack
Operational risk is the threat that an event such as a natural disaster, pandemic, or cyberattack
limits or completely obstructs an institution’s ability to do business. Reputational risk is the threat that customers will avoid limits or completely obstructs an institution’s ability to do business. Reputational risk is the threat that customers will avoid
future business with an institution due to such an event.future business with an institution due to such an event.
Systemic risk is the threat that an event may trigger instability in an Systemic risk is the threat that an event may trigger instability in an
entire industry or the overall economy. entire industry or the overall economy.
No single law provides a framework for regulating cybersecurity in the United States. Instead, several laws cover different
No single law provides a framework for regulating cybersecurity in the United States. Instead, several laws cover different
industries, and numerous laws cover aspects of cybersecurity for the financial system. The Gramm-Leach-Bliley Act of 1999 industries, and numerous laws cover aspects of cybersecurity for the financial system. The Gramm-Leach-Bliley Act of 1999
(GLBA; P.L. 106-102) is the most comprehensive of these laws and directs financial regulators to implement disclosure (GLBA; P.L. 106-102) is the most comprehensive of these laws and directs financial regulators to implement disclosure
requirements and security measures to safeguard private information. GLBA provides a cybersecurity framework built upon requirements and security measures to safeguard private information. GLBA provides a cybersecurity framework built upon
two pillars: (1) privacy standards that impose disclosure limitations or limit financial institutions concerning disclosure of two pillars: (1) privacy standards that impose disclosure limitations or limit financial institutions concerning disclosure of
consumers’ information, and (2) security standards that require institutions to implement certain practices to safeguard the consumers’ information, and (2) security standards that require institutions to implement certain practices to safeguard the
information from unauthorized access, use, and disclosure. The two major rules for implementing this framework are known information from unauthorized access, use, and disclosure. The two major rules for implementing this framework are known
as the Privacy Rule (Regulation P) and the Safeguards Rule, respectively. Other laws—such as the Sarbanes-Oxley Act of as the Privacy Rule (Regulation P) and the Safeguards Rule, respectively. Other laws—such as the Sarbanes-Oxley Act of
2002 (P.L. 107-204), Fair and Accurate Credit Transactions Act (FACT Act; P.L. 108-159), Bank Protection Act (P.L. 90-2002 (P.L. 107-204), Fair and Accurate Credit Transactions Act (FACT Act; P.L. 108-159), Bank Protection Act (P.L. 90-
389), and Bank Service Company Act of 1962 (P.L. 87-856)—complete the general legislative framework for depository 389), and Bank Service Company Act of 1962 (P.L. 87-856)—complete the general legislative framework for depository
institution cybersecurity. institution cybersecurity.
Banking regulators implement the cybersecurity legislative framework through rulemaking, and then supervise institutions to
Banking regulators implement the cybersecurity legislative framework through rulemaking, and then supervise institutions to
ensure that banks are following regulations. Oversight of bank cybersecurity reflects a complex and sometimes overlapping ensure that banks are following regulations. Oversight of bank cybersecurity reflects a complex and sometimes overlapping
array of state and federal laws, regulators, regulations, and guidance—many of which predate the emergence of cybersecurity array of state and federal laws, regulators, regulations, and guidance—many of which predate the emergence of cybersecurity
risk. Congress is debating the extent to which it should unify or modernize the legislative framework for depository risk. Congress is debating the extent to which it should unify or modernize the legislative framework for depository
institutions. For example, one issue is how new technologies that facilitate financial data sharing should be treated under the institutions. For example, one issue is how new technologies that facilitate financial data sharing should be treated under the
existing cybersecurity framework. Another issue is how and whether the data privacy protections that exist for data sharing existing cybersecurity framework. Another issue is how and whether the data privacy protections that exist for data sharing
should also apply to data collection. The Data Privacy Act of 2023should also apply to data collection. The Data Privacy Act of 2023
, scheduled for markup (H.R. 1165), which the House Financial Services Committee ordered to be reported as amended in February 2023, examines several in February 2023, examines several
of these issues. Further, technology partnerships, particularly at smaller banks, with institutions such as cloud management of these issues. Further, technology partnerships, particularly at smaller banks, with institutions such as cloud management
companies, has led to new cybersecurity risks to the banking system. This has raised concerns among policymakers about the companies, has led to new cybersecurity risks to the banking system. This has raised concerns among policymakers about the
capacity of the existing framework to address new risks. capacity of the existing framework to address new risks.
Congressional Research Service
Congressional Research Service
link to page 4 link to page 4 link to page 5 link to page 6 link to page 7 link to page 7 link to page 8 link to page 8 link to page 9 link to page 10 link to page 10 link to page 10 link to page 11 link to page 12 link to page 13 link to page 13 link to page 13 link to page 7 link to page 8 link to page 8 link to page 10 link to page 11 link to page
link to page 4 link to page 4 link to page 5 link to page 6 link to page 7 link to page 7 link to page 8 link to page 8 link to page 9 link to page 10 link to page 10 link to page 10 link to page 11 link to page 12 link to page 13 link to page 13 link to page 13 link to page 7 link to page 8 link to page 8 link to page 10 link to page 11 link to page
1514 Banking, Data Privacy, and Cybersecurity Regulation
Contents
Introduction ..................................................................................................................................... 1
Cybersecurity Risks to the Banking System ................................................................................... 1
Current Legislative Framework ....................................................................................................... 2
Recent Legislative Developments ............................................................................................. 3
Regulatory Framework .................................................................................................................... 4
GLBA Data Privacy and Safeguards ......................................................................................... 4
GLBA Rulemaking Authorities ........................................................................................... 5
Recent Updates on Depository Regulation of GLBA Cybersecurity Provisions ................ 5
Other Regulatory Developments ......................................................................................... 6
Supervisory Process ........................................................................................................................ 7
GLBA Supervision .................................................................................................................... 7
Depository Institution Supervision............................................................................................ 7
Third-Party Service Providers ................................................................................................... 8
Policy Issues for Congress............................................................................................................... 9
Data Privacy ............................................................................................................................ 10
Technology Service Providers ................................................................................................. 10
Cloud Computing .............................................................................................................. 10
Tables
Table 1. Regulatory Jurisdiction for Different Banking Institutions ............................................... 4
Table 2. Summary of Privacy and Safeguards Rules ....................................................................... 5
Table 3. Relevant Rulemaking Authority for GLBA ....................................................................... 5
Table 4. Supervision and Enforcement Authority for GLBA .......................................................... 7
Table 5. Depository Supervision Toolkit for Cybersecurity ............................................................ 8
Contacts
Author Information ........................................................................................................................ 12. 11
Congressional Research Service
Congressional Research Service
Banking, Data Privacy, and Cybersecurity Regulation
Introduction
Cybersecurity is a major concern of banks and banking regulators. Data breaches at large Cybersecurity is a major concern of banks and banking regulators. Data breaches at large
financial institutions and credit reporting agencies have increased concern about the privacy and financial institutions and credit reporting agencies have increased concern about the privacy and
security of the large amounts of consumer financial information that these companies gather, use, security of the large amounts of consumer financial information that these companies gather, use,
and store.1 Many in Congress have demonstrated an interest in data privacy and cybersecurity, as and store.1 Many in Congress have demonstrated an interest in data privacy and cybersecurity, as
evidenced by a number of hearings on large-scale data breaches in prior Congresses. In the 118th evidenced by a number of hearings on large-scale data breaches in prior Congresses. In the 118th
Congress, the Chair of the House Financial Services Committee identified data privacy as a Congress, the Chair of the House Financial Services Committee identified data privacy as a
legislative priority for the current session.2 This report examines the existing legislative legislative priority for the current session.2 This report examines the existing legislative
framework for financial cybersecurity, and provides some context for how regulators currently framework for financial cybersecurity, and provides some context for how regulators currently
promulgate, supervise, and enforce various data privacy provisions.promulgate, supervise, and enforce various data privacy provisions.
The implementation of cybersecurity policy among banking regulators is fragmented, and
The implementation of cybersecurity policy among banking regulators is fragmented, and
potential risks to the financial system have emerged as new technologies evolve. This report potential risks to the financial system have emerged as new technologies evolve. This report
focuses on the cybersecurity regulatory framework among the federal banking regulators—the focuses on the cybersecurity regulatory framework among the federal banking regulators—the
Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency
(OCC), and the Federal Reserve—as well as the National Credit Union Administration (NCUA) (OCC), and the Federal Reserve—as well as the National Credit Union Administration (NCUA)
and the Consumer Financial Protection Bureau (CFPB). and the Consumer Financial Protection Bureau (CFPB).
Cybersecurity Risks to the Banking System
Cybersecurity means protecting systems, networks, devices, and data from digital attacks by Cybersecurity means protecting systems, networks, devices, and data from digital attacks by
criminals and other adversaries.3 Cybersecurity threats pose criminals and other adversaries.3 Cybersecurity threats pose
operational risk, ,
reputational risk, ,
and, potentially, and, potentially,
systemic risk.4.4
Operational risk is the threat that an event such as a natural disaster, pandemic, or cyberattack is the threat that an event such as a natural disaster, pandemic, or cyberattack
limits or completely obstructs an institution’s ability to do business. Banks face risk from cyber limits or completely obstructs an institution’s ability to do business. Banks face risk from cyber
threats, which could interrupt their daily operations. threats, which could interrupt their daily operations.
Reputational risk is the threat that customers will avoid future business with an institution due to is the threat that customers will avoid future business with an institution due to
an event such as a cyberattack. The financial system depends on trust. For example, if a breach at an event such as a cyberattack. The financial system depends on trust. For example, if a breach at
a bank results in the release of personal data, customers may be reluctant to continue their a bank results in the release of personal data, customers may be reluctant to continue their
relationship with the bank. They may choose to pull their deposits out from the bank and close relationship with the bank. They may choose to pull their deposits out from the bank and close
1 For example, in spring and summer 2017, Equifax, one of the big three credit reporting agencies, announced that 1 For example, in spring and summer 2017, Equifax, one of the big three credit reporting agencies, announced that
hackers had gained unauthorized access to the company’s data, including that of 145 million customers. The data hackers had gained unauthorized access to the company’s data, including that of 145 million customers. The data
included Social Security numbers and drivers licenses. According to media reports, hackers were able to access the included Social Security numbers and drivers licenses. According to media reports, hackers were able to access the
company’s computer systems and consumer data for around two months before they realized it. See, for example, Tara company’s computer systems and consumer data for around two months before they realized it. See, for example, Tara
Siegel Bernard, Tiffany Hsu, Nicole Perlroth, et al., “ Equifax Says Cyberattack May Have Affected 143 Million in the Siegel Bernard, Tiffany Hsu, Nicole Perlroth, et al., “ Equifax Says Cyberattack May Have Affected 143 Million in the
U.S.,” U.S.,”
The New York Times, September 7, 2017, at https://www.nytimes.com/2017/09/07/business/equifax-September 7, 2017, at https://www.nytimes.com/2017/09/07/business/equifax-
cyberattack.html. For an overview of cyber incidents involving financial firms dating back to 2007, see cyberattack.html. For an overview of cyber incidents involving financial firms dating back to 2007, see
Timeline of
Cyber Incidents Involving Financial Institutions, Carnegie Endowment for International Peace, at , Carnegie Endowment for International Peace, at
https://carnegieendowment.org/specialprojects/protectingfinancialstability/timeline#click-hide. https://carnegieendowment.org/specialprojects/protectingfinancialstability/timeline#click-hide.
2 For example, on February 23, 2023, the House Committee on Financial Services scheduled a markup of several bills
2 For example, on February 23, 2023, the House Committee on Financial Services scheduled a markup of several bills
in February 2023, including the “Data Privacy Act of 2023.” For more, see in February 2023, including the “Data Privacy Act of 2023.” For more, see
https://financialservices.house.gov/uploadedfiles/hmkp-118-ba00-20230228-sd002-u1.pdf. https://financialservices.house.gov/uploadedfiles/hmkp-118-ba00-20230228-sd002-u1.pdf.
3 See “Cybersecurity Awareness,” Federal Financial Institution Examination Council, at
3 See “Cybersecurity Awareness,” Federal Financial Institution Examination Council, at
https://www.ffiec.gov/cybersecurity.htm. https://www.ffiec.gov/cybersecurity.htm.
4 For more on this landscape, see CRS Insight IN11621,
4 For more on this landscape, see CRS Insight IN11621,
Cross-Cutting Issues in Cybersecurity: Financial Institutions, ,
by Chris Jaikaran and Andrew P. Scott; and CRS In Focus IF11717, by Chris Jaikaran and Andrew P. Scott; and CRS In Focus IF11717,
Introduction to Financial Services: Financial
Cybersecurity, by Andrew P. Scott and Paul Tierno. , by Andrew P. Scott and Paul Tierno.
Congressional Research Service
Congressional Research Service
1
1
Banking, Data Privacy, and Cybersecurity Regulation
their accounts. Without trust that customers’ money and personal data are safe, the financial
their accounts. Without trust that customers’ money and personal data are safe, the financial
system cannot operate smoothly. system cannot operate smoothly.
Systemic risk is the threat that a cyberattack may affect more than just the institution targeted is the threat that a cyberattack may affect more than just the institution targeted
and may jeopardize an industry or the entire economy. Banks, particularly large ones, can be and may jeopardize an industry or the entire economy. Banks, particularly large ones, can be
highly interconnected, and many institutions depend on the same technological infrastructure. highly interconnected, and many institutions depend on the same technological infrastructure.
Thus, an attack on one information technology (IT) system could result in significant losses Thus, an attack on one information technology (IT) system could result in significant losses
across the entire industry, both by costing the bank money to repair damages, and also the across the entire industry, both by costing the bank money to repair damages, and also the
correlated risks that stem from consumers avoiding future business with the bank or other banks correlated risks that stem from consumers avoiding future business with the bank or other banks
with similar exposure. Financial regulators consider the systemic risks to the entire industry. In with similar exposure. Financial regulators consider the systemic risks to the entire industry. In
doing so, they seek to ensure the safety and soundness not only of individual organizations but doing so, they seek to ensure the safety and soundness not only of individual organizations but
also their partners. The Financial Stability Oversight Council (FSOC) has identified three also their partners. The Financial Stability Oversight Council (FSOC) has identified three
channels through which a cybersecurity event could threaten the stability of the U.S. financial channels through which a cybersecurity event could threaten the stability of the U.S. financial
system:5 system:5
1. Disrupting a key financial service or a financial market utility for which there are
1. Disrupting a key financial service or a financial market utility for which there are
few substitutes (e.g., the central bank, securities and derivatives exchanges, and
few substitutes (e.g., the central bank, securities and derivatives exchanges, and
payment clearing and settlement institutions); payment clearing and settlement institutions);
2. Causing a loss of confidence among a broad set of customers or market
2. Causing a loss of confidence among a broad set of customers or market
participants; and
participants; and
3. Compromising the integrity of critical data (e.g., altering balance sheets),
3. Compromising the integrity of critical data (e.g., altering balance sheets),
rendering information critical to financial firms either inaccurate or unusable.
rendering information critical to financial firms either inaccurate or unusable.
Systemic risk from cybersecurity may have increased in 2020, as the pandemic has increased
Systemic risk from cybersecurity may have increased in 2020, as the pandemic has increased
reliance on technology (e.g., remote payment systems, among others). reliance on technology (e.g., remote payment systems, among others).
Current Legislative Framework
No single law provides a framework for regulating cybersecurity in the United States. Instead, No single law provides a framework for regulating cybersecurity in the United States. Instead,
multiple laws cover different industries or cover aspects of cybersecurity for the broader financial multiple laws cover different industries or cover aspects of cybersecurity for the broader financial
system, while others apply more directly to banks. Some of these laws require financial regulators system, while others apply more directly to banks. Some of these laws require financial regulators
to establish cybersecurity standards for financial institutions, and provide regulators the authority to establish cybersecurity standards for financial institutions, and provide regulators the authority
to ensure compliance with such standards. Other laws provide broad authority to regulators to to ensure compliance with such standards. Other laws provide broad authority to regulators to
supervise some financial institutions for safety and soundness. supervise some financial institutions for safety and soundness.
The
The
Gramm-Leach-Bliley Act of 1999 (GLBA; P.L. 106-102) is the most comprehensive of (GLBA; P.L. 106-102) is the most comprehensive of
these laws and directs financial regulators to implement disclosure requirements and mandate these laws and directs financial regulators to implement disclosure requirements and mandate
security measures to safeguard private information. Specifically, Subtitle A of Title V of GLBA security measures to safeguard private information. Specifically, Subtitle A of Title V of GLBA
provides a framework for regulating data privacy and security practices for financial institutions. provides a framework for regulating data privacy and security practices for financial institutions.
The
The
Sarbanes-Oxley Act of 2002 (P.L. 107-204) requires certain corporations, including banks, (P.L. 107-204) requires certain corporations, including banks,
to identify internal and external risks to their business and the ways that the company guards to identify internal and external risks to their business and the ways that the company guards
against those risks. against those risks.
The
The
Fair and Accurate Credit Transactions Act of 2004 (FACT Act; P.L. 108-159) amended (FACT Act; P.L. 108-159) amended
the Fair Credit Reporting Act to require regulatory agencies to develop identity theft guidelines, the Fair Credit Reporting Act to require regulatory agencies to develop identity theft guidelines,
which outline “patterns, practices, and specific forms of activity that indicate the possible which outline “patterns, practices, and specific forms of activity that indicate the possible
existence of identity theft” (15 U.S.C. §1681). existence of identity theft” (15 U.S.C. §1681).
There are also two relevant laws specific to banks.
There are also two relevant laws specific to banks.
5 FSOC, Annual Report 2022, p. 66, at https://home.treasury.gov/system/files/261/FSOC2022AnnualReport.pdf. 5 FSOC, Annual Report 2022, p. 66, at https://home.treasury.gov/system/files/261/FSOC2022AnnualReport.pdf.
Congressional Research Service
Congressional Research Service
2
2
Banking, Data Privacy, and Cybersecurity Regulation
The
The
Bank Protection Act (1968) (P.L. 90-389), as amended in 2010, directs the federal bank (1968) (P.L. 90-389), as amended in 2010, directs the federal bank
regulators to establish minimum security standards for banks and savings associations to regulators to establish minimum security standards for banks and savings associations to
“discourage robberies, burglaries, and larcenies” (12 U.S.C. §§1881-1884). Although the law “discourage robberies, burglaries, and larcenies” (12 U.S.C. §§1881-1884). Although the law
does not mention cybersecurity specifically, the statutory language is broad enough to include does not mention cybersecurity specifically, the statutory language is broad enough to include
protection against cyber threats.6 protection against cyber threats.6
Other federal laws, such as the
Other federal laws, such as the
Bank Service Company Act of 1962 (BSCA; P.L. 87-856) and (BSCA; P.L. 87-856) and
the laws that establish the authorities for financial regulators to conduct safety and soundness the laws that establish the authorities for financial regulators to conduct safety and soundness
examinations, allow regulators to supervise financial institution activities and partnerships (e.g., examinations, allow regulators to supervise financial institution activities and partnerships (e.g.,
with technology service providers). Regulators rely on these broad authorities to shape and with technology service providers). Regulators rely on these broad authorities to shape and
impose cybersecurity regulations on the institutions they regulate. For example, the banking impose cybersecurity regulations on the institutions they regulate. For example, the banking
regulators conduct on-site examinations under their authority to examine banks for safety and regulators conduct on-site examinations under their authority to examine banks for safety and
soundness and can require banks to take remedial action if their cybersecurity policies are soundness and can require banks to take remedial action if their cybersecurity policies are
deficient. deficient.
Recent Legislative Developments7
Division Y of the Consolidated Appropriations Act, 2022 (P.L. 117-103) requires that “covered Division Y of the Consolidated Appropriations Act, 2022 (P.L. 117-103) requires that “covered
entities” report a “covered cyber incident” to the Cybersecurity and Infrastructure Security entities” report a “covered cyber incident” to the Cybersecurity and Infrastructure Security
Agency within 72 hours and a ransomware payment within 24 hours of occurrence, respectively.8 Agency within 72 hours and a ransomware payment within 24 hours of occurrence, respectively.8
Covered incidents include, at a minimum, any incident that leads “to substantial loss of Covered incidents include, at a minimum, any incident that leads “to substantial loss of
confidentiality, integrity, or availability of such information system or network, or a serious confidentiality, integrity, or availability of such information system or network, or a serious
impact on the safety and resiliency of operational systems and processes.” impact on the safety and resiliency of operational systems and processes.”
In June 2022, then Ranking Member Patrick McHenry of the House Financial Services Committee released a discussion draft of a financial data privacy bill that sought to modernize elements of the Gramm-Leach-Bliley Act and provide a set of consumer protections with respect to what data is collected and how it is used.9 On February 23, 2023, Representative McHenry (now chair of the Committee) announced a markup of several bills, including the Data Privacy Act of 202310 to take place at the end of February 2023.11 On February 8, the House Financial Services Committee held a hearing12 on various efforts to update bank regulation, including a discussion draft on data privacy; on February 24, Chair McHenry introduced an amendment inOn February 8, the House Financial Services Committee held a hearing9 on various efforts to update bank regulation, including a discussion draft on data privacy. On February 28, 2023, the committee held a markup of several bills, including the Data Privacy Act of 2023 (H.R. 1165), introduced by Chair McHenry.10 The bill would amend GLBA, clarify the inclusion of data aggregators11 under the scope of the law, and give consumers some added control over certain data, such as the ability to access and remove it from financial institution records. Also, the draft includes a national preemption measure, which would supersede state law.12 During the markup, a number of amendments were introduced. While all eight amendments introduced by Democrats
6 For example, 12 C.F.R. §208.61 states that a bank must develop and maintain a security program and devices that 6 For example, 12 C.F.R. §208.61 states that a bank must develop and maintain a security program and devices that
ensure protection against robberies and other crimes. ensure protection against robberies and other crimes.
7 There are a number of legislative developments (e.g., H.R. 3912 and H.R. 3911) that pertain more broadly to
7 There are a number of legislative developments (e.g., H.R. 3912 and H.R. 3911) that pertain more broadly to
cybersecurity policy and could impact the banking sector. The scope of this paper is limited to data privacy among cybersecurity policy and could impact the banking sector. The scope of this paper is limited to data privacy among
banking regulators and depository institutions, and the legislation noted in this section reflects only bills that became banking regulators and depository institutions, and the legislation noted in this section reflects only bills that became
law or bills in the current Congress that are being acted upon, which directly impact those entities. law or bills in the current Congress that are being acted upon, which directly impact those entities.
8 The term “covered entity” applies to “an entity in a critical infrastructure sector, as defined in Presidential Policy
8 The term “covered entity” applies to “an entity in a critical infrastructure sector, as defined in Presidential Policy
Directive 21.” The financial sector is included in the Policy Directive as a critical infrastructure sector. For more, see Directive 21.” The financial sector is included in the Policy Directive as a critical infrastructure sector. For more, see
https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-
security-and-resil. security-and-resil.
9
9
“McHenry Releases Discussion Draft of Financial Data Privacy Bill,” June 23, 2022, at U.S. House Financial Services Committee, “Hearing Entitled: Revamping and Revitalizing Banking in the 21st Century, February 8, 2023, at https://financialservices.house.gov/calendar/eventsingle.aspx?EventID=408512.
10 In this report, references to this bill are made to thehttps://financialservices.house.gov/news/documentsingle.aspx?DocumentID=408373.
10 The bill was introduced as an amendment in the nature of a substitute and does not have a bill number as of February 24, 2023. The amendment in the nature of a substitute amendment in the nature of a substitute
, which can be found at can be found at
https://https://
financialservicesdocs.house.gov/meetings/BA/BA00/20230228/115381/BILLS-118-HR1165-M001156-Amdt-12.pdf.
11 Data aggregators are entities that pull together various data to analyze and yield additional insights. This could be information that is public, such as names, geographical locations, and time, or more sensitive data such as account numbers.
12 U.S. Congress, House Committee on Financial Services, To Amend the Gramm-Leach-Bliley Act to [Modernize the Protection of the Nonpublic Personal Information of Consumers, discussion draft.house.gov/uploadedfiles/mchenry.pdf.
11 The markup schedule can be found at https://financialservices.house.gov/calendar/eventsingle.aspx?EventID=408575.
12 U.S. House Financial Services Committee, “Hearing Entitled: Revamping and Revitalizing Banking in the 21st Century, February 8, 2023, at https://financialservices.house.gov/calendar/eventsingle.aspx?EventID=408512. .
Congressional Research Service
Congressional Research Service
3
3
link to page 7
link to page 7
link to page 8 Banking, Data Privacy, and Cybersecurity Regulation
the nature of a substitute entitled the Data Privacy Act of 2023.13 The draft bill would amend GLBA further, clarify the inclusion of data aggregators14 under the scope of the law, and give consumers some added control over certain data, such as the ability to access and remove it from financial institution records. Also, the discussion draft includes a national preemption measure, which would supersede state law.15were rejected, the committee adopted a substitute amendment that would “allow exceptions for disclosures of personal information permitted under the Gramm-Leach-Bliley Act. The amendment also would specify that disclosure of data retention policies would include the period of time data is held and the criteria the institution uses to determine that time.”13 The bill was ordered to be reported to the full House, as amended, by a vote of 26-21.
Regulatory Framework
As mentioned earlier, this report focuses largely on the cybersecurity regulatory framework As mentioned earlier, this report focuses largely on the cybersecurity regulatory framework
among the federal banking regulators—the FDIC, the OCC, and the Federal Reserve—as well as among the federal banking regulators—the FDIC, the OCC, and the Federal Reserve—as well as
the NCUA and the CFPB. Together these agencies are responsible for implementing and ensuring the NCUA and the CFPB. Together these agencies are responsible for implementing and ensuring
compliance with banking laws. compliance with banking laws.
Generally, banking institutions are regulated by a primary federal regulator (PFR). The PFR for
Generally, banking institutions are regulated by a primary federal regulator (PFR). The PFR for
each type of banking institution depends on its charter, as summarized ieach type of banking institution depends on its charter, as summarized i
n Table 1. In addition, the In addition, the
CFPB promulgates a number of consumer protection rules for a variety of financial institutions, CFPB promulgates a number of consumer protection rules for a variety of financial institutions,
including certain banks. including certain banks.
Table 1. Regulatory Jurisdiction for Different Banking Institutions
Bank Charter Type
Primary Federal Regulator
State charter, member of Federal Reserve
State charter, member of Federal Reserve
Federal Reserve
Federal Reserve
State charter, nonmember
State charter, nonmember
Federal Deposit Insurance Corporation
Federal Deposit Insurance Corporation
Federal charter
Federal charter
Office of the Comptrol er of the Currency
Office of the Comptrol er of the Currency
Credit unions
Credit unions
National Credit Union Administration
National Credit Union Administration
Source: CRS analysis. CRS analysis.
NotesNote: All national banks are also members of the Federal Reserve. All national banks are also members of the Federal Reserve.
GLBA Data Privacy and Safeguards
As mentioned above, GLBA provides the most comprehensive framework for cybersecurity As mentioned above, GLBA provides the most comprehensive framework for cybersecurity
regulation among financial institutions. While this section largely focuses on the GLBA regulation among financial institutions. While this section largely focuses on the GLBA
provisions for regulating data privacy and security practices for banks, GLBA applies to a broad provisions for regulating data privacy and security practices for banks, GLBA applies to a broad
range of financial institutions.range of financial institutions.
1614 This framework is built upon two pillars: (1) privacy standards This framework is built upon two pillars: (1) privacy standards
that impose disclosure limitations concerning consumers’ information, and (2) security standards that impose disclosure limitations concerning consumers’ information, and (2) security standards
that require institutions to implement certain practices to safeguard the information from that require institutions to implement certain practices to safeguard the information from
unauthorized access, use, and disclosure. The two major rules for implementing this framework unauthorized access, use, and disclosure. The two major rules for implementing this framework
13 The discussion draft can be found at https://financialservices.house.gov/uploadedfiles/financial_data_privacy_bill_v.2.pdf. The amendment in the nature of a substitute can be found at https://financialservices.house.gov/uploadedfiles/mchenry.pdf.
14 Data aggregators are entities that pull together various data to analyze and yield additional insights. This could be information that is public, such as names, geographical locations, and time, or more sensitive data such as account numbers.
15 U.S. Congress, House Committee on Financial Services, To Amend the Gramm-Leach-Bliley Act to [Modernize the
Protection of the Nonpublic Personal Information of Consumers, discussion draft.
16are known as the Privacy Rule (Regulation P) and the Safeguards Rule, respectively. Each rule is summarized below in Table 2.
13 CQ Markup Report, H.R. 1165: Data Privacy Act, at https://plus.cq.com/bill/118/HR1165?3. 14 Financial institutions are defined under P.L. 106-102 as any institution that engages in activities that are financial in Financial institutions are defined under P.L. 106-102 as any institution that engages in activities that are financial in
nature. See 12 U.S.C. §6809. nature. See 12 U.S.C. §6809.
Congressional Research Service
Congressional Research Service
4
4
link to page 8 link to page
link to page 8 link to page
8 link to page 10 link to page 10 10 link to page 10
Banking, Data Privacy, and Cybersecurity Regulation
are known as the Privacy Rule (Regulation P) and the Safeguards Rule, respectively. Each rule is summarized below in Table 2.
Table 2. Summary of Privacy and Safeguards Rules
Requirements for Financial Institutions
Requirements for Financial Institutions
Privacy Rule
Safeguards Rule
provide initial, annual, and revised privacy policy
provide initial, annual, and revised privacy policy
design and implement a safeguards program; and
design and implement a safeguards program; and
notices to customers; and
notices to customers; and
identify and assess the risks to customer
identify and assess the risks to customer
set the conditions for when a financial institution
set the conditions for when a financial institution
information in each relevant area of the company’s
information in each relevant area of the company’s
may or may not disclose nonpublic personal
may or may not disclose nonpublic personal
operation, including service providers and changes
operation, including service providers and changes
information.
information.
in the firm’s operations.
in the firm’s operations.
Source: CRS analysis of relevant provisions of the Gramm-Leach-Bliley Act (P.L. 106-102)CRS analysis of relevant provisions of the Gramm-Leach-Bliley Act (P.L. 106-102)
.
These rules are promulgated by several government agencies, and the regulators generally have
These rules are promulgated by several government agencies, and the regulators generally have
supervisory and enforcement authority over the entities in their jurisdiction. This is shown in supervisory and enforcement authority over the entities in their jurisdiction. This is shown in
Table 3 and Table 4.
GLBA Rulemaking Authorities
Rulemaking authority to implement the Privacy Rule through Regulation P is vested in four
Rulemaking authority to implement the Privacy Rule through Regulation P is vested in four
agencies. The CFPB promulgates the Privacy Rule for banks. The Federal Trade Commission agencies. The CFPB promulgates the Privacy Rule for banks. The Federal Trade Commission
(FTC) has the rulemaking authority for the Safeguards Rule(FTC) has the rulemaking authority for the Safeguards Rule
. Table 4 provides an overview of provides an overview of
federal agencies with GLBA rulemaking authority and which entities they regulate under each federal agencies with GLBA rulemaking authority and which entities they regulate under each
rule. rule.
Table 3. Relevant Rulemaking Authority for GLBA
Federal Regulator
Privacy Rule
Safeguards Rule
Consumer Financial Protection
Consumer Financial Protection
Depository and nonbank financial
Depository and nonbank financial
None
None
Bureau (CFPB)
Bureau (CFPB)
institutions involving consumer
institutions involving consumer
financial products or services in the financial products or services in the
CFPB’s jurisdiction CFPB’s jurisdiction
Federal Trade Commission (FTC)
Federal Trade Commission (FTC)
n/a
n/a
Financial institutions significantly
Financial institutions significantly
engaged in financial activities (e.g., engaged in financial activities (e.g.,
bank and nonbank lenders, real bank and nonbank lenders, real
estate appraisers, professional tax estate appraisers, professional tax
preparers, courier services, credit preparers, courier services, credit
reporting agencies, and ATM reporting agencies, and ATM
operators) operators)
SourceSources: 15. U.S.C. §6804; 12 C.F.R. §1016.1(b). 15. U.S.C. §6804; 12 C.F.R. §1016.1(b).
Recent Updates on Depository Regulation of GLBA Cybersecurity Provisions
Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-
Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-
Frank; P.L. 111-203) transferred rulemaking authority for most provisions of Subtitle A of Title V Frank; P.L. 111-203) transferred rulemaking authority for most provisions of Subtitle A of Title V
of GLBA to the CFPB. As can be seen in more detail in the following section, Dodd-Frank also of GLBA to the CFPB. As can be seen in more detail in the following section, Dodd-Frank also
granted authority to the CFPB to examine and enforce compliance with respect to entities, granted authority to the CFPB to examine and enforce compliance with respect to entities,
including banks, under its jurisdiction.including banks, under its jurisdiction.
1715 In December 2011, the CFPB effectively In December 2011, the CFPB effectively
re-codifiedrecodified Regulation P in Title 12, Part 1016, of the Code of Federal Regulations.16 The most recent 1715 CFPB, CFPB,
Laws and Regulations, “GLBA Privacy,” October 2016, at “GLBA Privacy,” October 2016, at
https://files.consumerfinance.gov/f/documents/102016_cfpb_GLBAExamManualUpdate.pdf.
16 See CFPB, “Privacy of Consumer Financial Information (Regulation P),” 76 Federal Register 79025, December 21,
Congressional Research Service
Congressional Research Service
5
5
Banking, Data Privacy, and Cybersecurity Regulation
Regulation P in Title 12, Part 1016, of the Code of Federal Regulations.18 The most recent amendment to its rulemaking occurred in 2018, when a 2015 statutory amendment from the amendment to its rulemaking occurred in 2018, when a 2015 statutory amendment from the
Fixing America’s Surface Transportation (FAST Act; P.L. 114-94) provided an exception to the Fixing America’s Surface Transportation (FAST Act; P.L. 114-94) provided an exception to the
annual notice requirement for financial institutions that meet certain conditions.annual notice requirement for financial institutions that meet certain conditions.
1917
The FTC codified its implementation of the Safeguards Rule in 2002 in Title 16, Part 314, of the
The FTC codified its implementation of the Safeguards Rule in 2002 in Title 16, Part 314, of the
Code of Federal Regulations..
2018 In 2016, the FTC sought public comments on the Safeguards Rule In 2016, the FTC sought public comments on the Safeguards Rule
to assess the economic impact and benefits of the rule; possible conflict between the rule and to assess the economic impact and benefits of the rule; possible conflict between the rule and
state, local, or other federal laws or regulations; and the effect on the rule of any technological, state, local, or other federal laws or regulations; and the effect on the rule of any technological,
economic, or other industry changes.economic, or other industry changes.
2119
On October 27, 2021, the FTC announced that it had issued a new final
On October 27, 2021, the FTC announced that it had issued a new final
rulemaking22rulemaking20 to specify to specify
safeguards financial institutions must implement as part of their information security programs—safeguards financial institutions must implement as part of their information security programs—
including limiting who can access consumer data and requiring encryption to secure the data. including limiting who can access consumer data and requiring encryption to secure the data.
Under the updated Safeguards Rule, institutions must also explain the administrative, technical, Under the updated Safeguards Rule, institutions must also explain the administrative, technical,
and physical safeguards used to “access, collect, distribute, process, protect, store, use, transmit, and physical safeguards used to “access, collect, distribute, process, protect, store, use, transmit,
dispose of, or otherwise handle” customer information. Further, the definition of dispose of, or otherwise handle” customer information. Further, the definition of
financial
institution was expanded to include institutions that charge fees to connect consumers to potential was expanded to include institutions that charge fees to connect consumers to potential
lenders. In addition, the rule requires a financial institution to designate a single qualified lenders. In addition, the rule requires a financial institution to designate a single qualified
individual to oversee its information security program and provide periodic reports to the individual to oversee its information security program and provide periodic reports to the
institution’s board or information security officials. The FTC also announced that it is seeking institution’s board or information security officials. The FTC also announced that it is seeking
comment in a supplemental notice of proposed rulemaking on an additional change to the comment in a supplemental notice of proposed rulemaking on an additional change to the
Safeguards Rule to require financial institutions to report certain data breaches and other security Safeguards Rule to require financial institutions to report certain data breaches and other security
events to the FTC.events to the FTC.
2321
Other Regulatory Developments
In November 2021, the OCC, Federal Reserve, and FDIC announced a joint final rulemaking that
In November 2021, the OCC, Federal Reserve, and FDIC announced a joint final rulemaking that
imposed rapid notification requirements on banking organizations and bank service providers imposed rapid notification requirements on banking organizations and bank service providers
following “significant” computer-security incidents.following “significant” computer-security incidents.
2422 The rule requires a financial institution to The rule requires a financial institution to
notify its supervisor as soon as possible and no later than 36 hours after the banking organization notify its supervisor as soon as possible and no later than 36 hours after the banking organization
believes in good faith that the incident occurred. This notification requirement is intended to believes in good faith that the incident occurred. This notification requirement is intended to
serve as an early alert to a banking organization’s primary federal regulator and is not meant to serve as an early alert to a banking organization’s primary federal regulator and is not meant to
provide an assessment of the incident. Additionally, a bank service provider is required to notify provide an assessment of the incident. Additionally, a bank service provider is required to notify
each affected banking organization customer immediately after the provider experiences a each affected banking organization customer immediately after the provider experiences a
https://files.consumerfinance.gov/f/documents/102016_cfpb_GLBAExamManualUpdate.pdf.
18 See CFPB, “Privacy of Consumer Financial Information (Regulation P),” 76 Federal Register 79025, December 21, 2011.
19computer security incident that has caused or is likely to cause a material service disruption for four or more hours.
2011.
17 CFPB, “Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act (Regulation CFPB, “Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act (Regulation
P),” 83P),” 83
Federal Register 40945, August 17, 2018. 40945, August 17, 2018.
2018 See FTC, “Standards for Safeguarding Customer Information,” 67 See FTC, “Standards for Safeguarding Customer Information,” 67
Federal Register 36484, May 23, 2002. 36484, May 23, 2002.
2119 See FTC, “Standards for Safeguarding Customer Information,” 81 See FTC, “Standards for Safeguarding Customer Information,” 81
Federal Register 61632, September 7, 2016. 61632, September 7, 2016.
2220 See FTC, “Standards for Safeguarding Customer Information,” 86 See FTC, “Standards for Safeguarding Customer Information,” 86
Federal Register 70272-70314, December 9, 70272-70314, December 9,
2021. 2021.
2321 See FTC, “Standards for Safeguarding Customer Information,” 86 See FTC, “Standards for Safeguarding Customer Information,” 86
Federal Register 70062-70067, December 9, 70062-70067, December 9,
2021. 2021.
2422 OCC, Federal Reserve, and FDIC, “Computer-Security Incident Notification Requirements for Banking OCC, Federal Reserve, and FDIC, “Computer-Security Incident Notification Requirements for Banking
Organizations and Their Bank Service Providers,” 86Organizations and Their Bank Service Providers,” 86
Federal Register 66444, November 23, 2021 at 66444, November 23, 2021 at
https://www.federalregister.gov/documents/2021/11/23/2021-25510/computer-security-incident-notification-https://www.federalregister.gov/documents/2021/11/23/2021-25510/computer-security-incident-notification-
requirements-for-banking-organizations-and-their-bank. requirements-for-banking-organizations-and-their-bank.
Congressional Research Service
Congressional Research Service
6
6
link to page 10
link to page 10
link to page 11 Banking, Data Privacy, and Cybersecurity Regulation
computer security incident that has caused or is likely to cause a material service disruption for four or more hours.
Supervisory Process
In addition to writing rules to implement provisions of law, banking regulators have authority to In addition to writing rules to implement provisions of law, banking regulators have authority to
conduct examinations or supervise institutions in their jurisdiction to ensure they are complying conduct examinations or supervise institutions in their jurisdiction to ensure they are complying
with the rules. As noted earlier, cybersecurity threats pose operational risk, reputational risk, and with the rules. As noted earlier, cybersecurity threats pose operational risk, reputational risk, and
potentially systemic risk. Banking regulators together monitor these risks through the Federal potentially systemic risk. Banking regulators together monitor these risks through the Federal
Financial Institutions Examination Council (FFIEC).Financial Institutions Examination Council (FFIEC).
2523 FSOC monitors systemic risks to the FSOC monitors systemic risks to the
financial system, including cyber threats. The FFIEC coordinates bank examinations for safety financial system, including cyber threats. The FFIEC coordinates bank examinations for safety
and soundness, as well as for compliance and information technology. Further, bank partnerships and soundness, as well as for compliance and information technology. Further, bank partnerships
with third-party service providers are subject to the supervisory processes set forth in the BSCA. with third-party service providers are subject to the supervisory processes set forth in the BSCA.
GLBA Supervision
Agencies responsible for privacy and safeguard rulemaking are sometimes not the same agencies Agencies responsible for privacy and safeguard rulemaking are sometimes not the same agencies
responsible for implementing and enforcing these rules for a particular entity. For instance, while responsible for implementing and enforcing these rules for a particular entity. For instance, while
the FTC has rulemaking authority for the Safeguards Rule, the banking and credit union the FTC has rulemaking authority for the Safeguards Rule, the banking and credit union
regulators share supervisory authority for the rule. Further, most of the financial regulators have regulators share supervisory authority for the rule. Further, most of the financial regulators have
some supervisory or enforcement authority to ensure that the institutions in their respective some supervisory or enforcement authority to ensure that the institutions in their respective
jurisdictions comply with the Privacy and Safeguards Rules (sejurisdictions comply with the Privacy and Safeguards Rules (se
e Table 4).
Table 4. Supervision and Enforcement Authority for GLBA
Federal Regulator
Privacy Rule
Safeguards Rule
CFPB
CFPB
Supervision and enforcement
Supervision and enforcement
None
None
authority over depository and
authority over depository and
nonbank financial institutions nonbank financial institutions
involving consumer financial involving consumer financial
products or services in the CFPB’s products or services in the CFPB’s
jurisdiction jurisdiction
Bank and Credit Union Regulators
Bank and Credit Union Regulators
Supervision and enforcement
Supervision and enforcement
Supervision and enforcement
Supervision and enforcement
authority over banks or credit
authority over banks or credit
authority over banks or credit
authority over banks or credit
unions in their jurisdiction
unions in their jurisdiction
unions in their jurisdiction
unions in their jurisdiction
Source: 15 U.S.C. §6805. 15 U.S.C. §6805.
Note: The depository agencies include the Office of the Comptrol er of the Currency, the Federal Deposit The depository agencies include the Office of the Comptrol er of the Currency, the Federal Deposit
Insurance Corporation, the Federal Reserve, and the National Credit Union Administration. Insurance Corporation, the Federal Reserve, and the National Credit Union Administration.
Depository Institution Supervision
Bank and credit union regulators have dedicated teams of examiners who conduct both routine Bank and credit union regulators have dedicated teams of examiners who conduct both routine
and special examinations of depository institutions to ensure that they are operating in a safe and and special examinations of depository institutions to ensure that they are operating in a safe and
sound manner, complying with relevant laws, and maintaining adequate information technology sound manner, complying with relevant laws, and maintaining adequate information technology
systems. Each of the regulators inform the financial institutions under their jurisdiction about systems. Each of the regulators inform the financial institutions under their jurisdiction about
their supervisory expectations. In addition, while the regulatory framework for banks and credit their supervisory expectations. In addition, while the regulatory framework for banks and credit
25 Federal Reserve, FDIC, NCUA, OCC, and the CFPB, along with representatives from state supervising organizations, comprise FFIEC.
Congressional Research Service
7
link to page 11 Banking, Data Privacy, and Cybersecurity Regulation
unions is complex and fragmented among several agencies, the examination procedures among unions is complex and fragmented among several agencies, the examination procedures among
these agencies are largely coordinated through the FFIEC. these agencies are largely coordinated through the FFIEC.
The depository regulators each approach cybersecurity examinations and supervision in different
The depository regulators each approach cybersecurity examinations and supervision in different
wayway
s. Table 5 illustrates the general approaches and resources that each agency has established illustrates the general approaches and resources that each agency has established
23 Federal Reserve, FDIC, NCUA, OCC, and the CFPB, along with representatives from state supervising organizations, comprise FFIEC.
Congressional Research Service
7
Banking, Data Privacy, and Cybersecurity Regulation
with respect to cybersecurity and information security. While each agency has developed its own with respect to cybersecurity and information security. While each agency has developed its own
approaches, tools, and resources, each agency relies on the FFIEC resources as well. The basic approaches, tools, and resources, each agency relies on the FFIEC resources as well. The basic
approaches include providing guidance to industry on how certain activities will be treated, policy approaches include providing guidance to industry on how certain activities will be treated, policy
manuals and handbooks that lay out the guidelines for examinations, and technical assistance. manuals and handbooks that lay out the guidelines for examinations, and technical assistance.
Table 5. Depository Supervision Toolkit for Cybersecurity
Agency
Supervisory Approaches & Resources
FFIEC Resources for Examinations
NCUA
NCUA
Automated Cybersecurity Evaluation Toolbox
Automated Cybersecurity Evaluation Toolbox
Examinations (NCUA Examinations Guidebook Examinations (NCUA Examinations Guidebook
and FFIEC Handbook) and FFIEC Handbook)
National Supervision Policy ManualGuidance National Supervision Policy ManualGuidance
Letters to Credit Unions Letters to Credit Unions
Risk Alerts Risk Alerts
FDIC
FDIC
Examinations for IT (IT Risk Management
Examinations for IT (IT Risk Management
Program and FFIEC Handbook) Program and FFIEC Handbook)
Technical Assistance Video Series Technical Assistance Video Series
IT Examination Handbook
IT Examination Handbook
Supervisory Insights Journal
Supervisory Insights Journal
Cybersecurity Assessment Tool
Cybersecurity Assessment Tool
Cyber Challenge for Community Banks
Cyber Challenge for Community Banks
IT and Related Guidance
IT and Related Guidance
Guidance (FDIC Financial Institution Letters)
Guidance (FDIC Financial Institution Letters)
OCC
OCC
Examinations for IT (FFIEC Handbook and
Examinations for IT (FFIEC Handbook and
Comptrol er’s Handbook for Bank Supervision) Comptrol er’s Handbook for Bank Supervision)
Guidance (OCC Bul etins) Guidance (OCC Bul etins)
Federal Reserve
Federal Reserve
Examinations for IT (Commercial Bank
Examinations for IT (Commercial Bank
Examination Manual and FFIEC Handbook) Examination Manual and FFIEC Handbook)
Policy Letters (Supervision and Regulation Policy Letters (Supervision and Regulation
Letters) Letters)
Source: CRS analysis of each agency’s cybersecurity, IT, and examination websites. CRS analysis of each agency’s cybersecurity, IT, and examination websites.
Notes: Intended for il ustrative purposes only; not intended to capture all measures taken by an agency. Intended for il ustrative purposes only; not intended to capture all measures taken by an agency.
Regulatory resources for information on these supervisory programs can be found at Regulatory resources for information on these supervisory programs can be found at
https://ithandbook.ffiec.gov/it-booklets.aspx; https://www.fdic.gov/resources/bankers/information-technology/; https://ithandbook.ffiec.gov/it-booklets.aspx; https://www.fdic.gov/resources/bankers/information-technology/;
and https://ncua.gov/regulation-supervision/regulatory-compliance-resources/cybersecurity-resources/ncuas-and https://ncua.gov/regulation-supervision/regulatory-compliance-resources/cybersecurity-resources/ncuas-
information-security-examination-and-cybersecurity-assessment. information-security-examination-and-cybersecurity-assessment.
Third-Party Service Providers
As banks facilitate more transactions through digital channels, financial institutions are As banks facilitate more transactions through digital channels, financial institutions are
increasingly relying on third-party vendors, specifically technology service providers (TSPs), to increasingly relying on third-party vendors, specifically technology service providers (TSPs), to
provide software and technical support. In light of this development, regulators are scrutinizing provide software and technical support. In light of this development, regulators are scrutinizing
how banks manage their how banks manage their
operational risks..
2624 Rising operational risks—particularly cyber risks Rising operational risks—particularly cyber risks
(e.g., data breaches, insufficient customer data backups, and operating system hijackings)—have (e.g., data breaches, insufficient customer data backups, and operating system hijackings)—have
compelled regulators to scrutinize banks’ security programs. Regulators require an institution that compelled regulators to scrutinize banks’ security programs. Regulators require an institution that
uses a TSP to ensure that the TSP performs in a safe and sound manner, and activities performed uses a TSP to ensure that the TSP performs in a safe and sound manner, and activities performed
26 See Basel Committee on Banking Supervision, Principles for the Sound Management of Operational Risk, June 2011, at https://www.bis.org/publ/bcbs195.pdf.
Congressional Research Service
8
Banking, Data Privacy, and Cybersecurity Regulation
by a TSP for a bank must meet the same regulatory requirements as if they were performed by the by a TSP for a bank must meet the same regulatory requirements as if they were performed by the
bank itself. bank itself.
The BSCA gives regulators a broad set of authorities to supervise TSPs that have contractual
The BSCA gives regulators a broad set of authorities to supervise TSPs that have contractual
relationships with banks. The BSCA directs the regulators to treat all activities performed by relationships with banks. The BSCA directs the regulators to treat all activities performed by
contract as if they were performed by the bank and grants them the authority to examine and contract as if they were performed by the bank and grants them the authority to examine and
24 See Basel Committee on Banking Supervision, Principles for the Sound Management of Operational Risk, June 2011, at https://www.bis.org/publ/bcbs195.pdf.
Congressional Research Service
8
Banking, Data Privacy, and Cybersecurity Regulation
regulate third-party vendors that provide services to banks, including check and deposit sorting regulate third-party vendors that provide services to banks, including check and deposit sorting
and posting, statement preparation, notices, bookkeeping, and accounting. and posting, statement preparation, notices, bookkeeping, and accounting.
The banking regulators issued interagency guidelines in 2001 regarding information security
The banking regulators issued interagency guidelines in 2001 regarding information security
programs. The guidance requires banks to provide continuous oversight of third-party vendors programs. The guidance requires banks to provide continuous oversight of third-party vendors
such as TSPs. The regulators periodically update guidance and have since released additional such as TSPs. The regulators periodically update guidance and have since released additional
guidance pertaining to third-party vendors.guidance pertaining to third-party vendors.
2725 For example, the Federal Reserve, FDIC, and OCC For example, the Federal Reserve, FDIC, and OCC
have each issued guidance addressing third-party relationships and appropriate risk management have each issued guidance addressing third-party relationships and appropriate risk management
practices in 2008 and 2013, respectively.practices in 2008 and 2013, respectively.
2826 In July 2021, the FDIC, Federal Reserve, and OCC In July 2021, the FDIC, Federal Reserve, and OCC
issued joint proposed guidance on third-party relationships.issued joint proposed guidance on third-party relationships.
2927 The proposed guidance assists The proposed guidance assists
banking organizations in managing third-party relationships. Further, in August 2021, the OCC banking organizations in managing third-party relationships. Further, in August 2021, the OCC
issued guidance on financial technology third-party relationships.issued guidance on financial technology third-party relationships.
3028
Policy Issues for Congress
Oversight of financial services and bank cybersecurity reflects a complex and sometimes Oversight of financial services and bank cybersecurity reflects a complex and sometimes
overlapping array of state and federal laws, regulators, regulations, and guidance—many of overlapping array of state and federal laws, regulators, regulations, and guidance—many of
which predate the emergence of cybersecurity risk. Whether this framework provides adequate which predate the emergence of cybersecurity risk. Whether this framework provides adequate
protection against cyberattacks without imposing undue cost burdens on banks is an open protection against cyberattacks without imposing undue cost burdens on banks is an open
question. Successful hacks of banks and other financial institutions, in which large amounts of question. Successful hacks of banks and other financial institutions, in which large amounts of
personal information were stolen or compromised, highlight arguments about the importance of personal information were stolen or compromised, highlight arguments about the importance of
ensuring bank cybersecurity. ensuring bank cybersecurity.
That several regulators implement, supervise, and enforce federal provisions has also raised
That several regulators implement, supervise, and enforce federal provisions has also raised
questions over the patchwork nature of regulatory standards for consumer privacy and security. questions over the patchwork nature of regulatory standards for consumer privacy and security.
With so many agencies involved with the cybersecurity of financial institutions, With so many agencies involved with the cybersecurity of financial institutions,
GAO has raisedthe Government Accountability Office (GAO) has raised concerns over interagency cooperation and tracking the success of agency efforts.29 Some argue that a unified and modernized legislative framework could improve this patchwork approach.
As Congress continues to explore this issue, a few policy considerations, detailed below, may be informative.
2725 For example, see the following releases: NCUA, For example, see the following releases: NCUA,
Evaluating Third Party Relationships, Letter No.: 07-CU-13, , Letter No.: 07-CU-13,
December 2007; FDIC, December 2007; FDIC,
Guidance for Managing Third-Party Risk, FIL-44-2008, June 6, 2008; FFIEC, “Financial , FIL-44-2008, June 6, 2008; FFIEC, “Financial
Regulators Release Guidance for the Supervision of Technology Service Providers,” press release, October 31, 2012, at Regulators Release Guidance for the Supervision of Technology Service Providers,” press release, October 31, 2012, at
https://www.ffiec.gov/press/pr103112.htm; FDIC, https://www.ffiec.gov/press/pr103112.htm; FDIC,
Technology Outsourcing: Informational Tools for Community
Bankers, FIL-13-2014, April 7, 2014; FDIC Office of Inspector General, , FIL-13-2014, April 7, 2014; FDIC Office of Inspector General,
Technology Service Provider Contracts with
FDIC-Supervised Institutions, Office of Audits and Evaluations, Report No. EVAL-17-004, February 2017; and NCUA , Office of Audits and Evaluations, Report No. EVAL-17-004, February 2017; and NCUA
Office of Inspector General, Office of Inspector General,
Audit of the NCUA Information Technology Examination Program’s Oversight of Credit
Union Cybersecurity Programs, Report No OIG-17-08, September 28, 2017. , Report No OIG-17-08, September 28, 2017.
2826 For example, see FDIC, “Guidance for Managing Third-Party Risk,” June 6, 2008, at For example, see FDIC, “Guidance for Managing Third-Party Risk,” June 6, 2008, at
https://www.fdic.gov/news/financial-institution-letters/2008/fil08044.html; Federal Reserve, “Guidance on Managing https://www.fdic.gov/news/financial-institution-letters/2008/fil08044.html; Federal Reserve, “Guidance on Managing
Outsourcing Risk,” December 5, 2013 (revised February 26, 2021), at Outsourcing Risk,” December 5, 2013 (revised February 26, 2021), at
https://www.federalreserve.gov/supervisionreg/srletters/sr1319.htm; and OCC, “Third-Party Relationships: Risk https://www.federalreserve.gov/supervisionreg/srletters/sr1319.htm; and OCC, “Third-Party Relationships: Risk
Management Guidance,” October 30, 2013, at https://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-Management Guidance,” October 30, 2013, at https://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-
29.html. 29.html.
2927 Federal Reserve, FDIC, and OCC, “Proposed Interagency Guidance on Third-Party Relationships: Risk Federal Reserve, FDIC, and OCC, “Proposed Interagency Guidance on Third-Party Relationships: Risk
Management,” July 13, 2021, at https://www.fdic.gov/news/financial-institution-letters/2021/fil21050.html. Management,” July 13, 2021, at https://www.fdic.gov/news/financial-institution-letters/2021/fil21050.html.
3028 OCC, “OCC Bulletin 2021-40,” August 27, 2021, at https://www.occ.gov/news-issuances/bulletins/2021/bulletin- OCC, “OCC Bulletin 2021-40,” August 27, 2021, at https://www.occ.gov/news-issuances/bulletins/2021/bulletin-
2021-40.html. 2021-40.html.
Congressional Research Service
9
Banking, Data Privacy, and Cybersecurity Regulation
concerns over interagency cooperation and tracking the success of agency efforts.31 Some argue that a unified and modernized legislative framework could improve this patchwork approach.
As Congress continues to explore this issue, a few policy considerations, detailed below, may be informative.29 U.S. Government Accountability Office, Critical Infrastructure Protection: Treasury Needs to Improve Tracking of Financial Sector Cybersecurity Risk Mitigation Efforts, GAO-20-631, September 17, 2020, https://www.gao.gov/products/gao-20-631.
Congressional Research Service
9
Banking, Data Privacy, and Cybersecurity Regulation
Data Privacy
GLBA’s financial data privacy provisions covers only nonpublic personal information held by GLBA’s financial data privacy provisions covers only nonpublic personal information held by
financial institutions significantlyfinancial institutions significantly
engaged in financial activities. However, as the industry’s data engaged in financial activities. However, as the industry’s data
use has grown, some have debated whether the law covers all sensitive individual financial use has grown, some have debated whether the law covers all sensitive individual financial
information. For example, data brokers can compile public and private data from different information. For example, data brokers can compile public and private data from different
sources, many of which may not be subject to GLBA’s provisions; combining these data might sources, many of which may not be subject to GLBA’s provisions; combining these data might
reveal financially sensitive information about a consumer. Further, consumers have a limited reveal financially sensitive information about a consumer. Further, consumers have a limited
ability to know, control, or correct financial data, which can make it difficult to obtain redress for ability to know, control, or correct financial data, which can make it difficult to obtain redress for
violations such as data breaches. violations such as data breaches.
Technology Service Providers
Regulation aimed at banks’ relationships with third-party vendors such as TSPs has benefits in Regulation aimed at banks’ relationships with third-party vendors such as TSPs has benefits in
mitigating operational risks but also imposes costs on banks. Some banks, particularly community mitigating operational risks but also imposes costs on banks. Some banks, particularly community
banks and small credit unions, may find it difficult to comply with regulatory standards banks and small credit unions, may find it difficult to comply with regulatory standards
applicable to their relationship with third-party vendors. For example, certain institutions may be applicable to their relationship with third-party vendors. For example, certain institutions may be
unable to conduct appropriate due diligence when selecting TSPs or to structure contracts that unable to conduct appropriate due diligence when selecting TSPs or to structure contracts that
adequately protect against potential TSPs-related risks. Some banks may also lack the resources adequately protect against potential TSPs-related risks. Some banks may also lack the resources
to monitor whether the TSPs are adhering to GLBA and other regulatory or contract to monitor whether the TSPs are adhering to GLBA and other regulatory or contract
requirements. Regulatory compliance costs are sometimes cited as a factor in banking industry requirements. Regulatory compliance costs are sometimes cited as a factor in banking industry
consolidation, because compliance costs may be subject to economies of scale that incentivize consolidation, because compliance costs may be subject to economies of scale that incentivize
small banks to merge with larger ones or other small banks to combine their resources to meet small banks to merge with larger ones or other small banks to combine their resources to meet
their compliance obligations.their compliance obligations.
3230
Cloud Computing
Financial institutions may outsource the management of different controls over information assets
Financial institutions may outsource the management of different controls over information assets
and operations to cloud service providers (CSPs).and operations to cloud service providers (CSPs).
3331 Banks pay CSPs to use their computing Banks pay CSPs to use their computing
resources (e.g., servers and mainframes), rather than purchasing and maintaining their own. This resources (e.g., servers and mainframes), rather than purchasing and maintaining their own. This
relationship is referred to as a shared responsibility model, in which banks and CSPs are relationship is referred to as a shared responsibility model, in which banks and CSPs are
responsible for discrete tasks of a shared work stream. Failure to implement an effective risk responsible for discrete tasks of a shared work stream. Failure to implement an effective risk
management process could put sensitive information at risk. management process could put sensitive information at risk.
The BSCA gives bank regulators supervisory authority over service providers.
The BSCA gives bank regulators supervisory authority over service providers.
3432 Exercising this Exercising this
authority over CSPs, however, may raise challenges. Despite the integration of cloud services by authority over CSPs, however, may raise challenges. Despite the integration of cloud services by
31 U.S. Government Accountability Office, Critical Infrastructure Protection: Treasury Needs to Improve Tracking of
Financial Sector Cybersecurity Risk Mitigation Efforts, GAO-20-631, September 17, 2020, https://www.gao.gov/products/gao-20-631.
32the banking industry, different expectations from bank regulators and the cloud service industry,—such as what to expect during bank-like examinations—may persist.
Large, systemically important banks are reportedly moving significant portions of their operations onto cloud services, which could exacerbate the effects of a disruption at a CSP.33 The cloud market is concentrated in three major CSPs—Amazon Web Services, Microsoft Azure, and
30 For more information on banking industry consolidation, see CRS In Focus IF11956, For more information on banking industry consolidation, see CRS In Focus IF11956,
Bank Mergers and
Acquisitions, by Marc Labonte and Andrew P. Scott. , by Marc Labonte and Andrew P. Scott.
3331 For more on bank use of cloud technology, see CRS In Focus IF11985, For more on bank use of cloud technology, see CRS In Focus IF11985,
Bank Use of Cloud Technology, by Paul , by Paul
Tierno. Tierno.
3432 12 U.S.C. §1867(c). 12 U.S.C. §1867(c).
33 Ibid.
Congressional Research Service
Congressional Research Service
10
10
Banking, Data Privacy, and Cybersecurity Regulation
the banking industry, different expectations from bank regulators and the cloud service industry, —such as what to expect during bank-like examinations—may persist.
Large, systemically important banks are reportedly moving significant portions of their operations onto cloud services, which could exacerbate the effects of a disruption at a CSP.35 The cloud market is concentrated in three major CSPs—Amazon Web Services, Microsoft Azure, and Google Cloud—that collectively account for between 60%36 and 70%37Google Cloud—that collectively account for between 60%34 and 70%35 of market share and of market share and
perhaps more among banks. In its 2022 annual report, FSOC identified “the financial sector’s perhaps more among banks. In its 2022 annual report, FSOC identified “the financial sector’s
concentrated dependency on a limited number of service providers, such as cloud service concentrated dependency on a limited number of service providers, such as cloud service
providers, for critical information technology services as a potential risk to financial stability.”providers, for critical information technology services as a potential risk to financial stability.”
3836 Traditional bank risks such as market and liquidity risks—not normally cloud computing Traditional bank risks such as market and liquidity risks—not normally cloud computing
concerns—can arise if the banks’ abilities to transact are impeded by cloud-related disruptions. concerns—can arise if the banks’ abilities to transact are impeded by cloud-related disruptions.
Banking regulators are concerned with risks to financial stability, so policymakers may choose to Banking regulators are concerned with risks to financial stability, so policymakers may choose to
consider whether their authorities to regulate CSPs are appropriately calibrated. consider whether their authorities to regulate CSPs are appropriately calibrated.
Considering this close relationship, the scope of bank supervision may expand to CSPs. This may
Considering this close relationship, the scope of bank supervision may expand to CSPs. This may
lead to technical resource mismatches, and regulators, like banks,lead to technical resource mismatches, and regulators, like banks,
3937 may find themselves with a may find themselves with a
shortage of cloud skills necessary to examine CSPs. CSPs may also not be familiar with or shortage of cloud skills necessary to examine CSPs. CSPs may also not be familiar with or
amenable to audits or bank-like examinations.amenable to audits or bank-like examinations.
4038 The Federal Reserve Bank of Richmond The Federal Reserve Bank of Richmond
performed a formal exam of Amazon Web Services in April 2019, which reportedly exposed this performed a formal exam of Amazon Web Services in April 2019, which reportedly exposed this
culture clash.culture clash.
4139 Close integration between banks and CSPs may accelerate regulators’ call for Close integration between banks and CSPs may accelerate regulators’ call for
regular examination of CSPs to monitor aspects of their relationships with banks, including regular examination of CSPs to monitor aspects of their relationships with banks, including
security and financial system stability risks.security and financial system stability risks.
Obstacles to data portability, such as proprietary technology and restrictive vendor contracts, may
Obstacles to data portability, such as proprietary technology and restrictive vendor contracts, may
make switching CSPs difficult. Therefore, banks may adopt multi-cloud strategies—contracts make switching CSPs difficult. Therefore, banks may adopt multi-cloud strategies—contracts
with multiple CSPs—to avoid lock-in risk.with multiple CSPs—to avoid lock-in risk.
4240 In addition to increasing costs, this introduces In addition to increasing costs, this introduces
potentially two or more providers in the form of CSPs, and banks must manage these potentially two or more providers in the form of CSPs, and banks must manage these
relationships effectively to ensure cybersecurity. relationships effectively to ensure cybersecurity.
35 Ibid. 36
Author Information
Andrew P. Scott
Paul Tierno
Analyst in Financial Economics
Analyst in Financial Economics
34 Felix Richter, “Amazon Leads $150-Billion Cloud Market,” Felix Richter, “Amazon Leads $150-Billion Cloud Market,”
Statista, July 5, 2021, at , July 5, 2021, at
https://www.statista.com/chart/18819/worldwide-market-share-of-leading-cloud-infrastructure-service-providers/. https://www.statista.com/chart/18819/worldwide-market-share-of-leading-cloud-infrastructure-service-providers/.
3735 Gartner, “Gartner Says Worldwide IaaS Public Cloud Services Market Grew 40.7% in 2020,” press release, June 28, Gartner, “Gartner Says Worldwide IaaS Public Cloud Services Market Grew 40.7% in 2020,” press release, June 28,
2021, at https://www.gartner.com/en/newsroom/press-releases/2021-06-28-gartner-says-worldwide-iaas-public-cloud-2021, at https://www.gartner.com/en/newsroom/press-releases/2021-06-28-gartner-says-worldwide-iaas-public-cloud-
services-market-grew-40-7-percent-in-2020. services-market-grew-40-7-percent-in-2020.
3836 FSOC, FSOC,
2022 Annual Report, December 16, 2022, p. 70, at , December 16, 2022, p. 70, at
https://home.treasury.gov/system/files/261/FSOC2022AnnualReport.pdf. https://home.treasury.gov/system/files/261/FSOC2022AnnualReport.pdf.
3937 Abbott, Michael, “Challenges and Opportunities in Banks’ Cloud Migration,” Accenture, January 27, 2021, at Abbott, Michael, “Challenges and Opportunities in Banks’ Cloud Migration,” Accenture, January 27, 2021, at
https://bankingblog.accenture.com/challenges-opportunities-banks-cloud-migration. https://bankingblog.accenture.com/challenges-opportunities-banks-cloud-migration.
4038 Penny Crossman, “Timely Reminder About Who Bears Responsibility For Cloud Security,” Penny Crossman, “Timely Reminder About Who Bears Responsibility For Cloud Security,”
American Banker, May , May
4, 2020, at https://www.americanbanker.com/news/timely-reminder-about-who-bears-responsibility-for-cloud-security. 4, 2020, at https://www.americanbanker.com/news/timely-reminder-about-who-bears-responsibility-for-cloud-security.
4139 Liz Hoffman, Dana Mattioli, and Ryan Tracy, “Fed Examined Amazon’s Cloud in New Scrutiny for Tech,” Liz Hoffman, Dana Mattioli, and Ryan Tracy, “Fed Examined Amazon’s Cloud in New Scrutiny for Tech,”
The Wall
Street Journal, August 1, 2019, at https://www.wsj.com/articles/fed-examined-amazons-cloud-in-new-scrutiny-for-, August 1, 2019, at https://www.wsj.com/articles/fed-examined-amazons-cloud-in-new-scrutiny-for-
tech-11564693812. tech-11564693812.
4240 Matthew Leybold, Hrishi Hrishikesh, and Benjamin Rehberg, “Financial Institutions Need to Pursue Their Own Path Matthew Leybold, Hrishi Hrishikesh, and Benjamin Rehberg, “Financial Institutions Need to Pursue Their Own Path
to the Cloud,” BCG, May 5, 2021, at https://www.bcg.com/publications/2021/strategies-for-financial-institutions-to the Cloud,” BCG, May 5, 2021, at https://www.bcg.com/publications/2021/strategies-for-financial-institutions-
transitioning-to-the-cloud. transitioning-to-the-cloud.
Congressional Research Service
Congressional Research Service
11
11
Banking, Data Privacy, and Cybersecurity Regulation
Author Information
Andrew P. Scott
Paul Tierno
Analyst in Financial Economics
Analyst in Financial Economics
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan
shared staff to congressional committees and Members of Congress. It operates solely at the behest of and shared staff to congressional committees and Members of Congress. It operates solely at the behest of and
under the direction of Congress. Information in a CRS Report should not be relied upon for purposes other under the direction of Congress. Information in a CRS Report should not be relied upon for purposes other
than public understanding of information that has been provided by CRS to Members of Congress in than public understanding of information that has been provided by CRS to Members of Congress in
connection with CRS’s institutional role. CRS Reports, as a work of the United States Government, are not connection with CRS’s institutional role. CRS Reports, as a work of the United States Government, are not
subject to copyright protection in the United States. Any CRS Report may be reproduced and distributed in subject to copyright protection in the United States. Any CRS Report may be reproduced and distributed in
its entirety without permission from CRS. However, as a CRS Report may include copyrighted images or its entirety without permission from CRS. However, as a CRS Report may include copyrighted images or
material from a third party, you may need to obtain the permission of the copyright holder if you wish to material from a third party, you may need to obtain the permission of the copyright holder if you wish to
copy or otherwise use copyrighted material. copy or otherwise use copyrighted material.
Congressional Research Service
Congressional Research Service
R47434
R47434
· VERSION 1 · NEW3 · UPDATED
12
12