House committee examines updating US financial privacy rules for the digital age

    The House Financial Services Committee held a hearing on March 17 focused on whether the existing US financial privacy framework is equipped to handle the realities of how people manage money in 2026. The core problem lawmakers kept returning to is straightforward: the primary federal law governing financial data privacy, the Gramm-Leach-Bliley Act, was signed in 1999. The financial products it was designed to regulate bore little resemblance to AI-powered budgeting apps, buy-now-pay-later platforms, and real-time payment networks that now handle trillions of dollars in transactions annually.

    What the Gramm-Leach-Bliley Act actually covers and where it falls short

    The Gramm-Leach-Bliley Act, commonly called GLBA, requires financial institutions to explain their data-sharing practices to customers and to safeguard sensitive financial information. It applies to banks, securities firms, and insurance companies. The problem is that many of the companies now handling consumer financial data in the US are not chartered banks or registered securities firms. They are technology companies operating under state money transmitter licenses, payment processors categorized as merchants, and data aggregators that collect financial information from multiple account sources with consumer consent.

    When a consumer links a bank account to an app like Mint, Chime, or a newer AI-powered financial management tool, the data flow moves through multiple intermediaries, some of whom are subject to GLBA and some of whom are not. The Consumer Financial Protection Bureau's Section 1033 rulemaking, finalized in 2024, attempted to address open banking data rights, but the House hearing focused on whether GLBA itself needs a statutory update rather than relying on regulatory guidance to fill structural gaps.

    House Financial Services Committee held a March 17 hearing on updating the US financial privacy framework

    AI tools in finance raised specific concerns from both parties

    Several committee members pressed witnesses on AI-powered financial tools specifically. These include products that analyze spending patterns, predict creditworthiness, optimize investment allocations, or flag fraud in real time. The underlying concern is not that these tools exist but that they require access to granular personal financial data that, once shared with a model or a third-party service provider, travels through infrastructure with no clear federal privacy floor.

    Representative French Hill of Arkansas, who chairs the committee, asked witnesses directly whether current law gives consumers meaningful control over how AI systems use their financial data once they grant initial access. The answer from multiple witnesses was effectively no. The CFPB's Section 1033 rule establishes data portability rights and some access limitations, but it does not set explicit rules for how inferred data, the profiles AI systems build from transaction histories, can be stored, sold, or used for purposes beyond the original consent.

    What financial industry groups testified

    The American Bankers Association and the Financial Technology Association both sent representatives to testify. Their positions were not identical. The ABA pushed for a single federal privacy standard that would preempt the growing patchwork of state-level financial privacy laws, particularly California's Consumer Privacy Act and its financial data provisions. The FTA, which represents fintech companies, supported stronger data portability rights but cautioned against rules that would entrench large incumbent banks by making data-sharing compliance too expensive for smaller players.

    Consumer advocacy groups, including the National Consumer Law Center, argued for opt-in consent requirements rather than the current opt-out model under GLBA. Under current law, financial institutions can share data with affiliated companies and certain third parties unless a consumer actively opts out, and opt-out mechanisms are often buried in annual privacy notices that most people do not read. The NCLC's testimony cited a 2023 Pew Research study finding that 79 percent of Americans are concerned about how companies use their financial data but fewer than 30 percent have ever attempted to exercise an opt-out right.

    Whether legislation will actually move through Congress

    Financial privacy legislation has a poor track record in Congress. The last significant attempt at a comprehensive federal consumer data privacy bill, the American Data Privacy and Protection Act, passed the House Energy and Commerce Committee in 2022 with bipartisan support but never received a floor vote. Financial data was partially carved out of that bill because GLBA already covers it, which means any update to financial privacy specifically requires a separate legislative vehicle.

    The House Financial Services Committee is expected to release a discussion draft of a financial privacy modernization bill in the second quarter of 2026. Whether that draft advances to a markup, and whether it can pass a full House floor vote given competing legislative priorities including the Iran war debate and budget reconciliation, remains an open question. The Senate Banking Committee has not yet announced a companion hearing.

    Frequently Asked Questions

    Q: What is the Gramm-Leach-Bliley Act and why does it need updating?

    The Gramm-Leach-Bliley Act, passed in 1999, requires financial institutions to disclose and safeguard consumer financial data. It was written before AI-powered finance apps, open banking platforms, and real-time payment networks existed, leaving large categories of modern financial data activity outside its scope.

    Q: Does the CFPB's Section 1033 rule already fix the gaps in financial data privacy?

    The CFPB's Section 1033 rule, finalized in 2024, establishes consumer data portability rights in open banking but does not set explicit rules for how AI-generated financial profiles, built from transaction data, can be stored or sold. Lawmakers at the March 17 hearing focused on whether GLBA itself needs a statutory update that regulatory guidance cannot substitute for.

    Q: What is the difference between opt-in and opt-out consent in financial privacy?

    Under current GLBA rules, financial institutions use an opt-out model, meaning they can share data unless a consumer actively objects. Opt-in consent would require consumers to affirmatively agree before their data is shared. Consumer advocates at the hearing argued for opt-in as the default standard.

    Q: Why do banks and fintech companies disagree on financial privacy legislation?

    The American Bankers Association supports a single federal privacy standard that would preempt state laws, which would benefit large institutions with national compliance infrastructure. Fintech companies worry that overly strict or expensive compliance requirements would disadvantage smaller players and reduce competition.

    Q: When could new financial privacy legislation actually pass Congress?

    The House Financial Services Committee is expected to release a discussion draft in the second quarter of 2026. Past attempts at comprehensive data privacy legislation, including the 2022 American Data Privacy and Protection Act, cleared committee but never reached a floor vote, suggesting a similar timeline risk for any new financial privacy bill.