Washington Eyes a National Framework for Financial Data Sharing
Financial data now circulates through banks, FinTech platforms and intermediaries in ways that stretch beyond the structure of existing privacy law, banking and FinTech executives said Tuesday (March 17), raising questions about who controls that data and which entities are accountable as it moves across digital financial services.
At a House Financial Services Committee hearing titled “Updating America’s Financial Privacy Framework for the 21st Century,” testimony focused on how transaction data, account information and credentials are accessed through application programming interfaces (APIs) and aggregators to support payments, lending and financial management tools.
How Data Moves Through the Financial System
Laura MacCleery, senior director for policy and advocacy at UnidosUS, described a system in which consumer data is routinely accessed through intermediaries rather than directly by financial institutions.
“When a consumer connects an app to a bank account, the app generally does not communicate with the bank directly,” she testified. “An aggregator reaches into the account, pulls transaction data and delivers it.” MacCleery added that earlier models relied on collecting login credentials, which allowed aggregators to access accounts in ways that limited transparency and control.
Steven Boms, executive director of the Financial Data and Technology Association, emphasized that these same data flows underpin widely used financial tools. Consumers rely on services such as real-time fraud notifications, while small businesses use platforms that extend credit based on “actual sales history and cash flow rather than relying solely on traditional credit scores.”
What Data Is at Issue
Witnesses described financial data as extending beyond basic account records.
Under the Gramm-Leach-Bliley Act (GLBA), institutions must protect nonpublic personal information, including transaction histories, balances and payment activity.
MacCleery testified that the data environment now includes additional elements such as “biometric, geolocation, and access credential definitions,” reflecting how digital platforms collect and use broader datasets.
Clara Kim, senior vice president, BSA/AML and sanctions, for the Bank Policy Institute, testified that banks collect and retain this data for specific purposes that are operational rather than optional, including efforts to “prevent fraud, money laundering, terrorist financing, and other illicit activity,” and to support underwriting and credit extension, including in underserved communities.
Banks, FinTechs and Uneven Oversight
A central issue at the hearing was whether all entities handling financial data operate under comparable rules.
MacCleery argued that they do not, stating that banks were subject to GLBA privacy requirements, federal supervisory examinations, security standards and state privacy laws, while “data aggregators were subject to essentially none of these at the federal level.”
Boms’ testimony contended that platforms and aggregators are already governed by GLBA and related rules, including requirements to maintain “robust, written information security programs,” encryption and breach response protocols.
Kim distinguished between legal coverage and supervision. Banks, she noted, operate under continuous examination and must manage third-party risk when sharing data, while other entities handling similar data are not subject to the same level of ongoing oversight.
Nathan Taylor, partner at Morrison Foerster, testified that GLBA applies broadly to entities engaged in financial activities, including those processing and transmitting financial data.
Consumer Control and the Limits of Consent
The hearing also examined how consumers authorize, and should authorize, access to their financial data.
Boms described a system where “consumers and small business owners should have full control over their financial data, including the right to share it with third parties free of charge … and the right to withdraw their consent.”
MacCleery questioned whether that control is effective in practice. “Under an opt-out, the default is that consumer data is shared unless the individual acts to stop it,” she said, noting that many consumers do not change default settings.
The Constraint: Why Financial Data Is Different
Taylor’s testimony framed the limits of applying broader privacy rights to financial data.
“It can be far harder to craft a workable and meaningful privacy right … with respect to, for example, a consumer’s 30-year mortgage,” he said.
Financial data is tied to ongoing obligations, including payments processing, loan servicing, fraud detection and regulatory compliance. Taylor noted that rights such as deletion or correction must be constrained to avoid disrupting these functions.
He supported targeted updates, including access rights and limited deletion rights for former customers, while maintaining exceptions for fraud prevention, legal requirements and operational needs.
Fees and Access to Data
The issue of whether banks may charge for access to consumer data surfaced in testimony tied to broader regulatory debates.
MacCleery referenced discussions about whether financial institutions could impose fees for data access as part of evolving rules.
Boms opposed such fees, stating that consumers should be able to share their data “free of charge” as part of maintaining control over their financial information.
Recommendations
Witnesses offered distinct recommendations, reflecting different views of how the system should be governed.
As Rep. Bryan Steil, R-Wis., stated, the financial services landscape is markedly different from what it was when GLBA was signed into law during the Clinton administration. Taylor indicated that the Act is sufficiently “technology neutral,” and added, in reference to the definitions of various providers, that aggregators, for example, are financial institutions and thus covered under GLBA.
Boms urged lawmakers to reinforce a consumer-permissioned framework that ensures individuals can access, share and revoke control over their data without barriers, including fees.
Taylor and Kim supported targeted updates to GLBA rather than a broad rewrite. Taylor recommended adding access rights and limited deletion rights with clear exceptions, while Kim emphasized maintaining a framework that supports fraud prevention, compliance and credit underwriting under consistent standards.
John Crenshaw, testifying for the U.S. Chamber of Commerce, argued for a national standard, stating that a framework should include “strong federal preemption to eliminate the growing patchwork of state privacy laws.”
MacCleery called for stronger statutory protections across all entities handling financial data, including clearer limits on data collection and use, improved consent standards and enforcement that does not rely solely on contractual arrangements.
During the back and forth with lawmakers, Rep. Frank Lucas, R-Okla., asked where “a national standard might be most helpful.” Crenshaw responded that “the bottom line is that what we need to see is one set of rules of the road nationwide,” as smaller institutions do not have the same resources as larger ones. Small businesses are especially vulnerable when devoting resources to compliance, particularly when facing the prospect of “conflicting regulations across the country.”
The post Washington Eyes a National Framework for Financial Data Sharing appeared first on PYMNTS.com.