A proposed rulemaking by California's privacy agency is drawing criticism from the Bank Policy Institute (BPI), which argues that it imposes excessive requirements on banks' cybersecurity programs, automated decision-making tools, and risk management. In a comment letter submitted today, BPI expressed concerns that the proposal undermines established federal regulations.
"A patchwork approach to bank regulation is bad policy and contrary to law. Banks are already subject to stringent federal rules on their cybersecurity, AI tools, and risk management, and invest billions of dollars into protecting their customers’ data," said Greg Baer, BPI President and CEO. He added that the new rule "disregards the longstanding federal framework" which allows national banks to operate efficiently across the country.
The proposal reportedly extends beyond what California's legislature authorized for its privacy agency. It seeks to regulate banks' cybersecurity practices and use of AI technology in ways that could interfere with essential operations such as underwriting small business loans and fraud prevention.
California's privacy agency was granted authority only over activities not covered by the Gramm-Leach-Bliley Act (GLBA), which oversees banks' privacy practices under federal supervision. However, BPI warns that the rulemaking might encroach on areas already governed by GLBA.
Federal law prevents states from imposing regulations on national banks if those laws would significantly hinder their operations. This principle of national bank preemption ensures that banks can function effectively across state borders without facing a multitude of conflicting regulations.
The proposed rules would require banks to undergo specific risk assessments and cybersecurity audits as dictated by California's agency. BPI contends this would infringe upon powers reserved for federal regulators since California cannot directly inspect national banks in these areas.
National bank preemption has been a contentious issue recently as various states have enacted new banking laws. An example includes an Illinois interchange fee restriction that was recently halted for national banks.
To prevent regulatory duplication and conflicts with federal law, BPI advocates exempting federally overseen banks from California’s proposed rules.
The Bank Policy Institute represents universal banks, regional banks, and major foreign banks operating in the United States. The organization conducts research on regulatory topics and provides analysis on issues like cybersecurity and fraud within the financial services industry.
Tara Payne at Bank Policy Institute can be contacted via Tara.Payne@bpi.com for further information.