Guidelines for Use, Access, and Responsible Disclosure of Financial Data Act
H.R. 8398 · 119th Congress

Introduced in the House by Rep. Bill Huizenga (R-MI-4)
Version: Introduced in House · Apr 21, 2026

(a) Short title

This Act may be cited as the “Guidelines for Use, Access, and Responsible Disclosure of Financial Data Act” or the “GUARD Financial Data Act”.

(b) Table of contents

The table of contents for this Act is as follows:

Section 101. Subtitle and section heading alterations

The Gramm-Leach-Bliley Act is amended—

(1) in title V (15 U.S.C. 6801 et seq.)—

(A) in subtitle A, in the heading of the subtitle, by striking “Disclosure” and inserting “Treatment”; and

(B) in section 502, by striking “DISCLOSURES OF” and inserting “NONPUBLIC”; and

(2) in the table of contents for such Act—

(A) in the item relating to subtitle A of title V, by striking “Disclosure” and inserting “Treatment”; and

(B) in the item relating to section 502, by striking “disclosures of” and inserting “nonpublic”.

(a) In general

Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802) is amended—

(1) in subsection (e), by striking “Subsections (a) and (b)” and inserting “Subsections (a), (b), and (f)”;

(2) in subsection (e), by inserting “collection or” before “disclosure”; and

(3) by adding at the end the following:

(1) In general

A financial institution shall limit the collection or disclosure of nonpublic personal information to what is adequate, relevant, and reasonably necessary in relation to each purpose for which the nonpublic personal information is collected or disclosed, and if such collection or disclosure is not otherwise prohibited by this subtitle or the amendments made by this subtitle.

(2) Rule of construction

Nothing in paragraph (1) shall be construed to prevent a financial institution from disclosing nonpublic personal information—

(A) to a nonaffiliated third party pursuant to subsection (b)(2);

(B) to a nonaffiliated third party as required by section 1033 of the Consumer Financial Protection Act of 2010 (12 U.S.C. 5533);

(C) to comply with a request from a consumer reporting agency (as defined in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f))) to the extent the consumer reporting agency is engaged in activities subject to the Fair Credit Reporting Act;

(D) to an agency with regulatory jurisdiction over the financial institution;

(E) to a self-regulatory organization of which the financial institution is a member;

(F) as otherwise permitted or required by this subtitle; or

(G) as otherwise required by law.

(b) Effective date

This section shall take effect 2 years after the date of enactment of this Act.

Section 103. Continuing consumer opt out right

Section 502(b)(1) of the Gramm-Leach-Bliley Act (15 U.S.C. 6802(b)(1)) is amended—

(1) in subparagraph (B), by inserting after “initially disclosed” the following: “and with that opportunity exercisable by the consumer at any time thereafter”; and

(2) in subparagraph (C), by inserting before the period at the end the following: “before the time that such information is initially disclosed and with that explanation accessible to the consumer at any time thereafter”.

(a) In general

Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802), as amended by section 102(3), is further amended by adding at the end the following:

(1) Notice and opt out

A financial data aggregator or nonaffiliated third party may not use the access credentials of a consumer to access an electronic form of the consumer’s account at, or otherwise obtain an electronic form of nonpublic personal information of the consumer from, a financial institution unless—

(A) before the time that such access credentials are initially collected, the financial data aggregator or nonaffiliated third party provides a clear and conspicuous disclosure to such consumer that includes—

(i) how the financial data aggregator or nonaffiliated third party will use such access credentials;

(ii) whether the financial data aggregator or nonaffiliated third party will disclose such access credentials to a third party not affiliated with the financial data aggregator or nonaffiliated third party; and

(iii) a notification of—

(I) the risks to privacy and security of nonpublic personal information associated with use of access credentials to obtain nonpublic personal information held by a financial institution; and

(II) the practices of the financial data aggregator or nonaffiliated third party to ensure the privacy and security of nonpublic personal information obtained using access credentials; and

(B) the consumer is given the opportunity to direct that such access credentials not be used to access the consumer’s account at, or otherwise obtain nonpublic personal information of the consumer from, the financial institution.

(2) Treatment of access credential-based request

A financial institution may not deny a disclosure request from a financial data aggregator or a nonaffiliated third party using the access credentials of a consumer if the consumer—

(A) has received the disclosure described in paragraph (1)(A); and

(B) has been given the opportunity to direct that such access credentials not be used, as described in paragraph (1)(B).

(3) Rule of construction

Notwithstanding paragraphs (1) and (2), when complying with this subsection, a financial institution, financial data aggregator, or nonaffiliated third party shall comply with any requirements of section 1033 of the Consumer Financial Protection Act of 2010 (12 U.S.C. 5533) with respect to the use of the access credentials of a consumer to access an electronic form of the consumer’s account at, or otherwise obtain an electronic form of nonpublic personal information of the consumer from, a financial institution.

(b) Effective date

This section shall take effect 1 year after the date of enactment of this Act.

(a) In general

Section 503(c) of the Gramm-Leach-Bliley Act (15 U.S.C. 6803(c)) is amended—

(1) in paragraph (3), by striking “and” at the end;

(2) by redesignating paragraph (4) as paragraph (11); and

(3) by inserting after paragraph (3) the following:

(4) the categories of purposes for which the financial institution—

(A) collects nonpublic personal information; and

(B) discloses nonpublic personal information to a nonaffiliated third party;

(5) the categories of practices of the financial institution with respect to the financial institution’s retention of nonpublic personal information;

(6) the categories of practices of the financial institution with respect to the financial institution’s use of artificial intelligence in the collection, processing, and utilization of nonpublic personal information;

(7) whether any nonpublic personal information of the consumer is processed in, retained in, or disclosed to a covered nation;

(8) an explanation of how a consumer can exercise the option pursuant to section 502(b) to direct that nonpublic personal information not be disclosed to a nonaffiliated third party before the time that such information is initially disclosed and at any time thereafter;

(9) an explanation of how a customer can exercise the option to request a copy of the disclosure required by subsection (a) pursuant to subsection (g);

(10) an explanation of how a customer or former customer can exercise the option to request disclosure of nonpublic personal information and how a former customer can exercise the option to request deletion of nonpublic personal information pursuant to section 503A; and

(1) In general

The agencies referred to in section 504(a)(1) of the Gramm-Leach-Bliley Act (15 U.S.C. 6804(a)(1)) shall, in consultation with the Federal functional regulators, jointly develop updates to the model form mandated by section 503(e) of such Act.

(2) Safe harbor

During the 2-year period beginning on the date the agencies finalize updates to the model form under paragraph (1), a financial institution shall be deemed to be compliant with section 502(a) of the Gramm-Leach-Bliley Act (15 U.S.C. 6802(a)) if the disclosures of the financial institution under section 503 of such Act comply with the model form issued pursuant to section 503(e) in effect on the date of enactment of this Act.

Section 106. Customer access to privacy and disclosure policies

Section 503 of the Gramm-Leach-Bliley Act (15 U.S.C. 6803) is amended by inserting at the end the following:

(g) Customer access to privacy and disclosure policies

A financial institution shall, upon a customer request, provide such customer with a copy of the disclosure required by subsection (a) in writing or in electronic form or other form permitted by the regulations prescribed under section 504.

(a) In general

Title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) is amended by inserting after section 503 the following:

(1) In general

Upon a request from a customer or former customer of a financial institution, such financial institution shall disclose to the customer or former customer—

(A) pursuant to the requirements of section 1033 of the Consumer Financial Protection Act of 2010 (12 U.S.C. 5533), any nonpublic personal information of the customer or former customer in the control or possession of the financial institution; and

(B) a list of the categories of affiliates and nonaffiliated third parties to whom the financial institution has disclosed nonpublic personal information of the customer or former customer (other than disclosures of nonpublic personal information made to an affiliate or a nonaffiliated third party pursuant to an exception under section 502(e)).

(2) Exception

Paragraph (1) shall not apply to the extent that disclosure of nonpublic personal information to a customer or former customer is prohibited under other provisions of law.

(1) In general

Upon a request from a former customer, a financial institution shall delete any nonpublic personal information of the former customer held by the financial institution.

(2) Former customer deletion request exceptions

Paragraph (1) shall not require deletion of nonpublic personal information of a former customer by a financial institution where—

(A) the nonpublic personal information is required to be retained for a continuing purpose pursuant to an exception described under section 502(e);

(B) the holder of the nonpublic personal information is a consumer reporting agency, as defined in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)), and the nonpublic personal information is held solely to the extent that it is used in activities subject to the Fair Credit Reporting Act;

(C) the nonpublic personal information is required to be retained to respond to a dispute under the Fair Credit Reporting Act; or

(D) the nonpublic personal information is required to be retained as otherwise required by law.

(A) In general

A financial institution shall establish and implement procedures to verify the identity of a former customer submitting a request under paragraph (1) before deleting nonpublic personal information that is the subject of such request.

(B) Requirements

The procedures established by a financial institution pursuant to subparagraph (A) shall be designed to—

(i) confirm that the individual making the request is the former customer to whom the nonpublic personal information relates;

(ii) protect against unauthorized deletion of nonpublic personal information resulting from fraudulent requests; and

(iii) protect against deletion of nonpublic personal information resulting from requests made by a former customer in error.

(C) Exception

A financial institution shall not be required to grant a request under paragraph (1) if the financial institution cannot confirm that the identity of the individual making such request is the same as the former customer to whom the nonpublic personal information relates.

(A) In general

A financial institution shall respond to a former customer submitting a request under paragraph (1) without undue delay, but in all cases within 45 days of receiving such request.

(B) Extension

A financial institution may extend the response period in subparagraph (A) once for an additional 45 days when necessary, taking into account the complexity and number of requests by the former customer, but must inform the former customer of such extension and the reason for such extension within the initial 45 day response period under subparagraph (A).

(A) Initial requests

A former customer may submit 2 requests per year free of charge to a financial institution under paragraph (1).

(B) Subsequent requests

For any request of a former customer under paragraph (1) subsequent to the requests described in subparagraph (A), a financial institution may—

(i) charge the former customer a fee, if the financial institution has notified the former customer of such fee and the former customer has consented to such fee; or

(ii) decline to act on such request, if the former customer does not consent to the fee described under clause (i).

(6) Appeal

Subject to the exceptions in paragraph (2), a financial institution receiving a request under paragraph (1) shall—

(A) establish a process for a former customer to appeal a determination by a financial institution to deny a request under paragraph (1);

(B) make such appeal process under subparagraph (A) clearly and conspicuously disclosed to the former customer in the response required under paragraph (4) if the request under paragraph (1) is to be denied by the financial institution;

(C) respond to such an appeal request by the former customer—

(i) not later than 60 days after the date on which such appeal request is received; and

(ii) by informing the former customer in writing or in electronic form or other form permitted by the regulations prescribed under section 504 of any action taken in response to the appeal, including an explanation of the reason for each action taken; and

(D) if such an appeal is denied, provide the former customer with an online mechanism, if available, or other method through which the former customer may contact the appropriate enforcement agency or authority as described in section 505 to submit a complaint.

(b) Effective date

This section shall take effect 2 years after the date of enactment of this Act.

(c) Clerical amendment

The table of contents in section 1(b) of the Gramm-Leach-Bliley Act is amended by inserting after the item relating to section 503 the following:

(a) In general

Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802), as amended by sections 102(3) and 104, is further amended by adding at the end the following:

(1) In general

Notwithstanding subsection (b)(1), a financial institution may not collect sensitive nonpublic personal information or disclose sensitive nonpublic personal information to a nonaffiliated third party unless—

(A) such financial institution clearly and conspicuously discloses to the consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 504, that such information may be collected or that such information may be disclosed to such third party;

(B) such financial institution obtains the consent of the consumer to collect such information or to disclose such information to such third party before the time that such information is initially collected or disclosed; and

(C) the consumer is given an explanation of how the consumer can revoke that consent pursuant to paragraph (2).

(3) Rule of construction

Paragraph (1) shall not be construed to prevent a financial institution from disclosing sensitive nonpublic personal information—

(A) pursuant to section 502(e)(3)(A);

(B) pursuant to section 502(e)(3)(B);

(C) pursuant to section 502(e)(5); or

(D) pursuant to section 502(e)(8).

(b) Effective date

This section shall take effect 1 year after the date of enactment of this Act.

Section 201. Regulatory consideration for small financial institutions

Section 504 of the Gramm-Leach-Bliley Act (15 U.S.C. 6804) is amended by adding at the end the following:

(1) In general

Each of the agencies authorized under subsection (a)(1) to prescribe regulations shall take into account the effects of the regulations on financial institutions with $15,000,000,000 or less in assets, including the resource, technical, and personnel limitations of such financial institutions to comply with the regulations and the regulatory compliance costs relative to the size, complexity, financial activities, revenues, and noncompliance costs of such financial institutions.

(2) Threshold adjustment

By April 1, 2031, and the 1st day of each subsequent 5-year period, the agencies authorized under subsection (a)(1) to prescribe regulations shall increase the threshold described in paragraph (1) by the ratio, if greater than 1, of the annual value of current-dollar United States gross domestic product, published by the Department of Commerce, for the calendar year preceding the year in which the adjustment is calculated under this section, to the published annual value of such index for the calendar year preceding April 1, 2026.

Section 301. Relation to State laws

Section 507 of the Gramm-Leach-Bliley Act (15 U.S.C. 6807) is amended to read as follows:

(a) In general

This subtitle and the amendments made by this subtitle shall supersede and preempt the application of any State statute, regulation, order, interpretation, or other law that establishes consumer data privacy or security requirements to nonpublic personal information subject to this subtitle. This subtitle and the amendments made by this subtitle shall supersede and preempt the application of any State statute, regulation, order, interpretation, or other law that establishes consumer data privacy or security requirements to a financial institution subject to this subtitle.

(b) Regulation and enforcement by State insurance authorities

Subsection (a) shall not be construed to alter, affect, or otherwise limit the authority of a State insurance authority to enforce this subtitle pursuant to section 505 or to adopt regulations to carry out this subtitle pursuant to section 504 in a manner consistent and comparable with, and not more restrictive than, the regulations prescribed by the Federal agencies authorized to prescribe regulations under section 504 as required by section 504(a)(2).

Section 401. Additions to definitions

Section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809) is amended—

(1) in paragraph (3)(A), by inserting before the period at the end the following: “or a financial data aggregator”;

(2) by amending paragraph (4)(A) to read as follows:

(A) The term “nonpublic personal information” means—

(i) personally identifiable financial information—

(I) provided by a consumer to a financial institution;

(II) resulting from any transaction with the consumer or any service performed for the consumer; or

(III) otherwise obtained by the financial institution;

(ii) access credentials; and

(iii) when used by a financial institution while engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k))—

(I) biometric data; and

(II) precise geolocation data.

(3) in paragraph (11), by striking “Customer” and inserting “Time of establishing a customer”; and

(4) by adding at the end the following:

(12) Access credentials

The term access credentials means personally identifiable nonfinancial information that a consumer uses to access an account of such consumer at a financial institution, including a username, password, personal identification number, access code, answer to a security question, or a substantially similar item of personally identifiable nonfinancial information.

(13) Artificial intelligence

The term artificial intelligence has the meaning given such term in section 5002 of the National Artificial Intelligence Initiative Act of 2020 (15 U.S.C. 9401).

(14) Biometric data

The term “biometric data”—

(A) means personally identifiable nonfinancial information of a consumer generated by automatic measurements of biological characteristics, including a fingerprint, voiceprint, eye retinas, eye irises, or other unique biological patterns or characteristics that are used to identify a specific consumer; and

(B) does not include a physical or digital photograph, a video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under the Health Insurance Portability and Accountability Act or the amendments made by that Act.

(16) Covered nation

The term covered nation has the meaning given such term in section 4872(f) of title 10, United States Code.

(17) Customer

The term customer means a consumer who has a customer relationship with a financial institution.

(18) Customer relationship

The term customer relationship means a continuing relationship between a consumer and a financial institution under which the financial institution provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.

(19) Financial data aggregator

The term “financial data aggregator”—

(A) means any person that operates a commercial enterprise for the primary business purpose of accessing, aggregating, collecting, processing, selling, or otherwise disclosing nonpublic personal information; and

(B) does not include—

(i) a person that receives, processes, or discloses nonpublic personal information solely to the extent that it performs services for or functions on behalf of a financial institution pursuant to section 502(b)(2) or pursuant to an exception described under section 502(e);

(ii) a consumer reporting agency, as defined in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)), solely to the extent that it engages in activities subject to the Fair Credit Reporting Act;

(iii) an attorney, accountant, investment adviser, or other person acting in a fiduciary or representative capacity on behalf of a consumer pursuant to section 502(e)(3)(E);

(iv) a person—

(I) to the extent that such person is not a financial institution; and

(II) that operates a commercial enterprise that receives, processes, or discloses nonpublic personal information for the purpose of making or receiving payments associated with a sale, purchase, or exchange of goods or services; or

(v) a self-regulatory organization that receives or processes nonpublic personal information disclosed to it by its members, or that discloses nonpublic personal information to an agency.

(20) Former customer

The term former customer means a consumer who has previously had a customer relationship with a financial institution and that is no longer a customer of the financial institution because that customer relationship has terminated.

(21) Precise geolocation data

The term “precise geolocation data”—

(A) means personally identifiable nonfinancial information of a consumer generated by technological means, including global positioning systems, telemetry, telematics, and level, latitude, and longitude coordinates, or other means, that directly identifies the specific location of a consumer with precision and accuracy within a radius of 1,750 feet; and

(B) does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.

(22) Self-regulatory organization

The term “self-regulatory organization”—

(A) has the meaning given that term in section 3(a) of the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)); and

(B) means—

(i) a contract market, derivatives transaction execution facility, registered futures association, or other self-regulatory organization registered with the Commodity Futures Trading Commission; and

(ii) any other self-regulatory organization registered with an agency authorized under section 504(a)(1) to prescribe regulations or with a Federal functional regulator, as determined by such agency or such Federal functional regulator.

(23) Sensitive nonpublic personal information

The term sensitive nonpublic personal information means, when used by a financial institution while engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k))—

(A) personally identifiable nonfinancial information of a consumer that discloses the consumer’s racial or ethnic origin, religious belief, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;

(B) genetic or biometric data of a consumer that is disclosed for the purpose of uniquely identifying a specific consumer; and

(C) precise geolocation data.

(24) State

The term State means each State of the United States, the District of Columbia, each commonwealth, territory, or possession of the United States, and each federally recognized Indian Tribe.