01/14/2025 | Press release | Distributed by Public on 01/15/2025 14:36
The Bank Policy Institute[1] appreciates the opportunity to submit comments to the California Privacy Protection Agency ("Agency") on its rulemaking on cybersecurity audits, risk assessments, and automated decisionmaking technology ("ADMT") under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA").[2]
BPI's members have invested significant time and resources into building data protection and information security systems and automated decisionmaking models that align with state and federal financial privacy, consumer protection, and other financial services laws and regulation. BPI members are committed to promoting robust privacy protections for California consumers. As described in greater detail below, banking organizations[3] are heavily regulated and subject to close supervision on cybersecurity, risk, and automated decisionmaking matters. Among other areas of extensive regulation and supervision, banking organizations are required to maintain robust internal security controls to protect their information systems, maintain effective risk assessment and model risk management processes, and comply with various transparency obligations with respect to automated tools.
The proposed rulemaking exceeds the limits of the Agency's authority, in part because the Agency has no authority under the CCPA framework to develop a cybersecurity control framework or to regulate certain processing activities covered by the proposed new rules. For example, to stay within its statutory authority, the Agency must focus its automated decisionmaking regulations on significant decisions concerning a consumer.
Most of the personal information processed by banking organizations is subject to the Gramm-Leach-Bliley Act ("GLBA") and therefore exempt, by statute, from the CCPA and its implementing regulations. However, the proposed regulations would impose obligations on all businesses, even banking organizations that process only limited information subject to the CCPA. In doing so, the proposed rules would impose backdoor requirements on data subject to GLBA via rules that can only be satisfied through enterprise-wide compliance processes and negatively affect critical bank operations and services that may involve processing various types of personal data, such as safe and sound underwriting for certain small businesses, fraud prevention, and information security activities.
As a result, all three sets of proposed rules would, as applied, interfere with banking activities performed by banking organizations and therefore would be subject to federal preemption. Moreover, elements of the proposed regulations would, if applied to banking organizations, interfere with the exclusive visitorial powers granted to federal regulators, irrespective of the application of the GLBA. California cannot directly audit these banking activities, and so it cannot indirectly achieve that result by having banks conduct a highly prescriptive audit on its behalf. These obligations would result in the Agency effectively inspecting and supervising banking activities, which is the exclusive purview of prudential regulators under long-established legal principles.
Even if not preempted, the application of new state regulations to banking organizations could undermine and conflict with existing legal regimes applicable to banking organizations. For example, the regulations introduce prescriptive cybersecurity audit requirements that seemingly require a single annual information security audit. This requirement is in tension with the more rigorous approach to cybersecurity audits of banking organizations, which often conduct detailed, area-specific audits and approach cybersecurity audits on a rolling basis rather than an annual basis. As another example, the draft automated decisionmaking regulations are in tension with how banking organizations manage their lending and credit risk management activities to facilitate and protect the U.S. banking system. If bad actors must be given information about or may opt out of the use of their data for training automated fraud detection, there is risk to the safety and soundness of the banking system, which could ultimately limit banking organizations' ability to extend certain small business loans and other financial products and services.
BPI urges the Agency to exempt from the three new proposed rules financial institutions that are subject to examination or supervision by a federal prudential regulator and their affiliates.[4] This exemption would avoid conflict with visitorial rights and preemption principles and sensibly avoid conflict with these organizations' already robust federal regulation and supervision. The Agency unquestionably has authority to create such an exemption; indeed, its rulemaking authority contemplates that its regulations should "further the purposes of" the CCPA, which include designing cyber audit and risk assessment protections for businesses whose processing of personal information presents significant risk to consumer privacy and security. It does not serve these purposes to impose the proposed requirements on banking organizations and their affiliates that are subject to prudential examination or supervision on these same issues and process limited personal information that is subject to the CCPA framework.
If the Agency does not include an exemption for banking organizations, it must make additional changes to avoid imposing requirements on banking organizations that would have unintended and detrimental effects on the banking system, including by implementing the specific recommendations described below. To echo Board member Alastair Mactaggart, the current regulations "undermine[] privacy" in favor of "overreach, [a] lack of privacy protection, and [a] high likelihood of legal challenges." The Agency must revise its regulations in order to avoid these consequences. In an appendix, we suggest in-line changes implementing the suggestions within this letter.
[1] The Bank Policy Institute is a nonpartisan public policy, research and advocacy group that represents universal banks, regional banks, and the major foreign banks doing business in the United States. BPI produces academic research and analysis on regulatory and monetary policy topics, analyzes and comments on proposed regulations, and represents the financial services industry with respect to cybersecurity, fraud, and other information security issues.
[2] Cal. Civ. Code § 1798.100 et seq.
[3] Throughout, BPI uses the term "banking organization" to refer to national and state banks and savings associations and their affiliates, as well as foreign banking organizations and their U.S. branches to the extent the California rules purport to apply to them.
[4] The Agency should keep in mind that affiliates of a bank in a banking holding company structure are subject to consolidated supervision by the Federal Reserve.