House Committee Approves CFPB Guidance, Data Breach Legislation
“The rules of the road aren’t clear when they come from the bureau.”
The House Financial Services Committee on Thursday approved legislation that would require the CFPB to develop standards for agency guidance it issues.
“The rules of the road aren’t clear when they come from the bureau,” bill sponsor Rep. Sean Duffy (R-Wis.) said as the committee considered the bill.
The committee approved the legislation, H.R. 5534, on a 38-14 vote.
The committee also approved legislation that would establish a national data breach response standard for financial institutions.
The CFPB bill would prohibit the bureau from taking action against financial companies that are making a good-faith effort to follow its guidance and would require the agency to develop a matrix of the penalties it may impose.
Duffy said a companion bill is expected to be introduced in the Senate.
“You need a crystal ball on your desk or a team of attorneys” to stay in compliance with CFPB rules, Rep. Blaine Luetkemeyer (R-Mo.) said.
However, the committee’s ranking Democrat, Rep. Maxine Waters of California, accused the Trump Administration of attempting to dismantle the CFPB, adding that Congress needs to do everything it can to protect the bureau.
The legislation, she said, would “unduly hamstring the bureau’s ability to be nimble.”
Just this week, financial regulators, including the CFPB and NCUA, issued a statement specifying how they will issue guidance in the future.
Credit union officials have said they are troubled by the manner in which the CFPB issues guidance.
“Credit unions across the country continue to be frustrated with the sluggish issuance of guidance from the [agency], which has created uncertainty and ambiguity not only for credit unions, but all industry stakeholders,” CUNA President/CEO Jim Nussle wrote in a letter to the committee.
For instance, Nussle wrote, the agency was not clear in issuing guidance dealing with the recent Truth in Lending Act and Real Estate Settlement Procedures Act Integrated Disclosure (TRID) rules.
“These complex regulatory requirements spurred numerous questions from the industry with little guidance from the BCFP, creating massive confusion for the industry and consumer,” Nussle wrote.
The committee also voted, 32-20, to approve H.R. 6743, legislation that would establish a national standard governing how financial institutions must notify consumers when a data breach occurs.
The legislation also would preempt state laws governing data breaches.
Several groups representing financial institutions, including CUNA and NAFCU, this week wrote a letter supporting the legislation.
“Data security breaches continue to put millions of consumers at risk, and we share your views that protecting the sensitive personal and financial information of consumers is vitally important,” the groups said. “Stopping breaches is critical for consumers, and also important to our members who often have the closest relationships with those affected.”
The groups added, however, that they would have preferred that the legislation cover merchants, as well as financial institutions.
Bill sponsor Luetkemeyer said he, too, would have preferred legislation covering merchants, but added that passage of such a measure is “going to take more than the Financial Services Committee alone.”
For the past several years, the Republican leadership of the Financial Services Committee has pushed data security legislation that includes merchants.
However, the House Energy and Commerce Committee has opposed that approach.
The conflict between the two committees has stalled legislative efforts.
While CUNA and NAFCU said they supported the bill, NASCUS said it opposes the measure because it would preempt state law.
“NASCUS believes that where a state has an existing data security and breach notification apparatus in place that provides for more stringent protections, deference should be given to the state law,” NASCUS President/CEO Lucy Ito said in a letter to committee leaders.
Ito also criticized the legislation for not having addressed merchants.
“It should be noted that the vast majority of companies responsible for data breaches are not financial institutions and are not subjected to the same rigorous requirements as financial service providers,” she wrote.