Letter calls for DFPI to adhere to existing federal laws and regulations to avoid unnecessary operational burdens

Washington, D.C. (March 2, 2026) – The American Fintech Council (AFC), the largest industry association representing both responsible fintech companies and innovative banks, submitted a comment letter to the California Department of Financial Protection and Innovation (DFPI) in response to its Second Invitation for Comments regarding potential rulemaking under the California Consumer Financial Protection Law related to the registration and reporting of certain covered persons operating in California’s consumer financial services and data ecosystem. In its letter, AFC provides recommendations for a risk-based, proportionate regulatory framework that strengthens consumer protection and market integrity without imposing compliance burdens on already regulated entities.

“California has an opportunity to strengthen transparency and accountability without layering duplicative requirements on responsible providers already subject to comprehensive federal oversight,” said Phil Goldfeder, CEO of the American Fintech Council. “A balanced, risk-based approach will ensure regulators can focus on real gaps in the marketplace while preserving responsible innovation and consumer access to financial services.”

AFC urges the DFPI to expressly exempt entities and data subject to the Gramm-Leach-Bliley Act (GLBA) from any new registration or reporting requirements adopted under this rulemaking, as these institutions are already subject to robust federal privacy, safeguarding, and supervisory requirements. Imposing additional state-level registration or reporting obligations on GLBA-covered entities would risk regulatory overlap and unnecessary compliance burdens, while diverting supervisory attention from areas where genuine oversight gaps may exist.

For entities not subject to the Gramm-Leach-Bliley Act (GLBA), AFC urges the Department to ensure that any reporting framework is narrowly tailored, risk-based, and proportionate to the size, market footprint, and operational realities of the reporting entity. The letter cautions against overly prescriptive or highly granular mandates that require new data collection or system redesign. AFC instead recommends aligning reporting obligations with information maintained in the ordinary course of business, supported by clear definitions, reasonable implementation timelines, and a principles-based approach that preserves competition, innovation, and consumer access.

“As the DFPI considers next steps, it is essential that the final framework reflect both the complexity of the modern data ecosystem and the practical realities facing regulated entities,” said Ian P. Moloney, Chief Policy Officer at the American Fintech Council. “By clearly defining the scope of covered activities and calibrating requirements to actual risk, the DFPI can obtain meaningful supervisory information without imposing unnecessary operational burdens.”

A standards-based organization, the American Fintech Council (AFC) is the largest and most diverse trade association representing financial technology (fintech) companies and innovative banks. On behalf of over 150 member companies and partners, AFC promotes a transparent, inclusive, and customer-centric financial system by supporting responsible innovation in financial services and encouraging sound public policy. AFC members foster competition in consumer finance and pioneer products to better serve underserved consumer segments and geographies.

‍