March 17, 2026
The Honorable French Hill
Chairman
Committee on Financial Services
United States House of Representatives
Washington, DC 20515
The Honorable Maxine Waters
Ranking Member
Committee on Financial Services
United States House of Representatives
Washington, DC 20515
Re: Letter of Support for a Bill to Make Improvements to Title V of the Gramm-Leach-Bliley Act, and for Other Purposes
Dear Chairman Hill and Ranking Member Waters:
On behalf of the American Fintech Council (AFC), I write to express our support for the discussion draft to make improvements to Title V of the Gramm-Leach-Bliley Act (GLBA), and for other purposes (the Bill). AFC appreciates the Committee on Financial Services’ (the Committee) continued work to modernize the federal framework governing consumer financial data privacy for the 21st century financial services industry in a manner that strengthens consumer protections while preserving innovation, competition, and access to financial services. The discussion draft reflects a serious effort to update GLBA for the modern financial ecosystem and to provide a more uniform national standard for the treatment of consumer financial data.
A standards-based organization, the American Fintech Council (AFC) is the largest and most diverse trade association representing financial technology (fintech) companies and innovative banks. On behalf of over 150 member companies and partners, AFC promotes a transparent, inclusive, and customer-centric financial system by supporting responsible innovation in financial services and encouraging sound public policy. AFC members foster competition in consumer finance and pioneer products to better serve underserved consumer segments and geographies.
As AFC wrote to the Committee in response to the Request for Feedback on Current Federal Consumer Financial Data Privacy Law and Potential Legislative Proposals in August of 2025, the GLBA has long served as the foundation for federal consumer financial data privacy, setting baseline protections for non-public personal information while allowing financial institutions to responsibly collect, share, and use data to provide essential services. GLBA’s framework has enabled innovation and competition by ensuring flexibility to deliver modern financial products and partnerships, particularly between fintech companies and banks, while also ensuring strong safeguards for consumers. However, data and its movement, both inside and outside of the financial services industry, have grown and developed significantly in the years since GLBA’s passage. This growth and development in the data ecosystem necessitates a more modern, harmonized approach for the data ecosystem.
AFC has consistently advocated for clear and consistent “rules of the road” for industry participants to use when developing innovative products and services or engaging in a responsible bank-fintech partnership as well as a unified approach to regulating the financial services industry. This approach ensures that consumers are not only protected, but also empowered with greater choice, lower costs, and more equitable access to financial services.
Central to this advocacy is the need to pursue a modern approach to data privacy that reflects the ways that the issue has changed since the passage of GLBA. Ultimately, a federal data privacy law should advance both consumer protection and economic opportunity, principles that are core to AFC’s mission. To that end, AFC believes that pursuing a robust modernization effort regarding federal data privacy provisions in Title V of GLBA would be instrumental in meeting these principles and would ensure that the U.S. data privacy framework effectively recognizes the needs of the 21st century data ecosystem. We believe the discussion draft released by the Committee advances these objectives in several important ways.
I. AFC Supports the Committee’s Efforts to Establish a Strong Federal Standard for Data Privacy
In AFC’s view, the treatment of consumer financial data is inherently national in character and therefore best addressed through uniform federal standards. Consumer financial data and the systems through which it is collected, shared, and safeguarded are not confined by state lines, and the information moves across geographies in real time. As a result, uniform federal standards are the most effective means of ensuring consistent consumer protections, operational clarity, and long-term regulatory certainty. Without federal action, the burden of conflicting rules will continue to grow, stifling innovation and ultimately undermining consumer trust. For several years, Congress has called for and, at times, considered a comprehensive federal data privacy bill. Further, since 2013, the U.S. Government Accountability Office has called on Congress to “consider strengthening the current consumer privacy framework to reflect the effects of changes in technology and the marketplace—particularly in relation to consumer data used for marketing purposes—while also ensuring that any limitations on data collection and sharing do not unduly inhibit the economic and other benefits to industry and consumers that data sharing can accord”.
In the absence of such federal leadership, however, an increasingly fragmented legal landscape has continued to develop. Currently, 20 states have passed data privacy laws, with some states pursuing a comprehensive framework, while others opted for a narrow framework. The varied nature of these state laws and their provisions has given rise to inconsistent state regulations that create significant challenges for responsible financial services companies seeking to comply with the myriad and nuanced requirements found within state laws. Extraterritorial jurisdiction within data privacy has also already started to occur in the absence of a comprehensive federal data privacy law. The European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have caused responsible companies both inside and outside of financial services to modify their data practices in an effort to comply with these laws. Thus, overreliance on these statutes in lieu of a comprehensive federal data privacy law may disadvantage responsible companies both inside and outside of the financial services industry and harm consumers.
This fragmentation is especially important in financial services, where GLBA has long provided the baseline federal framework and where responsible institutions rely on clear rules to serve consumers effectively. AFC members, including responsible fintech companies, utilize the existing GLBA exemptions to ensure they can collect and share data the same way traditional financial institutions do to deliver services. However, AFC and our member companies have also seen that the current “federal floor” approach has enabled a patchwork of regulatory requirements to arise across the states. These overlapping and sometimes contradictory requirements are ill-suited to the modern financial services ecosystem, leading many states to compete in adopting increasingly restrictive frameworks, often to the detriment of consumer access. These high burdens lead to increases in costs, preventing operational efficiencies from being developed. These issues underscore the need for a unified federal approach. Importantly, the preemptive federal standard found in the Committee’s discussion draft would do away with this tangled patchwork, reduce compliance costs, and allow institutions to operate efficiently while maintaining robust consumer protections.
More broadly, AFC believes that this modernization effort should be implemented in a manner that promotes a unified approach to the U.S. data privacy framework and responsible innovation. This is especially important on cross-sectoral issues, such as data privacy. Ensuring consumer data remains protected both within and outside of the financial services industry is also important because consumers do not necessarily distinguish their expectations for protection, use, and conveyance of data between types of data or which entity holds the data. AFC appreciates that the discussion draft recognizes characteristics of the modern financial data ecosystem and advances provisions that ensure a unified approach to consumer financial data privacy by updating GLBA for the modern financial services ecosystem by establishing a federal standard. Crucially, establishing the federal standard, as the Bill does, ends the fragmented data privacy landscape that has developed over the past decades. In turn, this strong federal policy effort ensures consistent protections for consumers while supporting responsible innovation and preserving the ability of banks and fintech companies to serve consumers effectively.
II. AFC Supports the Committee’s Efforts to Modernize GLBA Consumer Protections
AFC appreciates that the discussion draft modernizes Title V of GLBA by moving beyond a narrower disclosure-based framework and establishing clearer standards for the treatment of consumer financial data. In particular, the draft would add a data-minimization standard tied to legitimate business, legal, and regulatory purposes; provide consumers with a continuing right to opt out of certain disclosures; impose reasonable limits and disclosure requirements on the use of consumer access credentials; and require enhanced privacy notices addressing, among other things, data-use purposes, retention practices, use of artificial intelligence, and the means by which consumers may exercise their rights.
AFC further supports the discussion draft’s effort to provide consumers with greater transparency and control while preserving a workable framework for responsible financial institutions. The draft would require financial institutions, upon request, to provide customers with copies of their privacy disclosures, establish a process for current and former customers to request access to certain nonpublic personal information, permit former customers to request deletion of information subject to important legal and operational exceptions, and direct regulators to take into account the resource and compliance constraints facing financial institutions with $15 billion or less in assets. These reforms are important not only because they modernize GLBA’s substantive protections, but also because they underscore the need for a clear and durable federal framework for consumer financial data privacy.
* * *
AFC appreciates the Committee’s leadership in examining how GLBA can be modernized to provide consumers with meaningful protections and clearer information while supporting responsible innovation in financial services. We look forward to continuing to engage with the Committee as it considers this discussion draft and related efforts to strengthen the federal consumer financial data privacy framework in a manner befitting of the 21st century financial services ecosystem.
Sincerely,
Ian P. Moloney
Chief Policy Officer
American Fintech Council
CC:
The Honorable Andy Barr, Chairman, Subcommittee on Financial Institutions
The Honorable Barry Loudermilk, Vice Chairman, Subcommittee on Financial Institutions
The Honorable Bill Foster, Ranking Member, Subcommittee on Financial Institutions
[1] AFC’s membership spans technology platforms, non-bank lenders, banks, payments providers, loan servicers, credit bureaus, and personal financial management companies.
[2] U.S. Congress, House, Committee on Financial Services, Discussion Draft to make improvements to title V of the Gramm-Leach-Bliley Act, and for other purposes, 119th Cong., 2nd Sess., 2026, available at https://docs.house.gov/meetings/BA/BA00/20260317/119049/BILLS-119pih-makesimprovementstoTitleVoftheGLBAt.pdf.
[3] American Fintech Council, “Request for Feedback on Current Federal Consumer Financial Data Privacy Law and Potential Legislative Proposals” (Aug. 28, 2025), available at https://fintechcouncil.org/advocacy/federal-afc-letter-to-house-financial-services-committee-on-current-federal-consumer-financial-data-privacy-law-and-potential-legislative-proposals.
[4] Ibid.
[5] American Fintech Council, “Request for Feedback on “Make Community Banking Great Again” Principles and Slate of Bills” (Mar. 31, 2025), available at https://www.fintechcouncil.org/advocacy/federal-afc-letter-to-house-financial-services-committee-on-principles-to-make-community-banking-great-again.
[6] H.R.8152 - 117th Congress (2021-2022): American Data Privacy and Protection Act, H.R.8152, 117th Cong. (2022), available at https://www.congress.gov/bill/117th-congress/house-bill/8152; and H.R.8818 - 118th Congress (2023-2024): American Privacy Rights Act of 2024, H.R.8818, 118th Cong. (2024), available at https://www.congress.gov/bill/118th-congress/house-bill/8818/text.
[7] U.S. Government Accountability Office, Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace, GAO-13-663, (Sept. 25, 2013), available at https://www.gao.gov/products/gao-13-663.
[8] Bloomberg Law, Which States Have Consumer Data Privacy Laws? (April 7, 2025), available at https://pro.bloomberglaw.com/insights/privacy/state-privacy-legislation-tracker/#map-of-state-privacy-laws.
[9] Ibid. [August 2025 Letter]
About the American Fintech Council: The mission of the American Fintech Council is to promote an innovative, responsible, inclusive, customer-centric financial system. You can learn more at www.fintechcouncil.org.