As Congress considers updating financial privacy laws, including potential changes to the Gramm-Leach-Bliley Act (GLBA), the stakes couldn't be higher for millions of Americans applying for financial products every day. The challenge facing lawmakers is how to strengthen consumer privacy protections while preserving the tools financial institutions need to protect those same consumers from identity fraud.
At the heart of this challenge lies a fundamental principle: effective privacy protection requires effective fraud prevention. SentiLink has a strong perspective on this fundamental truth: You cannot truly protect consumers' personal information if you cannot protect them from having their identities stolen in the first place.
The critical role of fraud prevention in privacy protection
Every day, SentiLink helps protect over 3 million consumers applying for financial products and services, preventing approximately 60,000 cases of identity fraud daily. This isn't just about stopping criminals—it's about ensuring that legitimate consumers can access financial services quickly and safely while keeping their personal information secure.
The reality is that privacy and fraud prevention are not competing interests—they're complementary ones. When identity thieves successfully steal someone's personal information and use it to open fraudulent accounts, they don't just harm the victim financially. They compromise that person's entire data privacy ecosystem, potentially for years to come.
Why fraud prevention exemptions are essential
Current financial privacy frameworks, including GLBA, recognize this relationship through carefully crafted fraud prevention exemptions. These provisions allow financial institutions to share necessary information to prevent fraud without the typical notice and consent requirements that apply to other uses of personal data -- for example, the consent and permissible purpose requirements necessary to access a consumer's credit report.
These exemptions aren't loopholes—they're lifelines. Here's why:
Identity fraud operates across boundaries. When criminals target victims, they don't respect corporate privacy policies or state regulatory boundaries. Effective fraud prevention requires financial institutions and their service providers to share critical information quickly and comprehensively. From that viewpoint, a uniform and preemptive federal standard is a policy imperative.
Data use restrictions can backfire spectacularly. Consider a simple example: requiring consumer consent to collect IP addresses for fraud prevention. A legitimate consumer might readily agree, but a criminal attempting identity theft? They're unlikely to grant consent knowing that such data would help expose their illicit activities. The result is that financial institutions lose a powerful fraud detection signal precisely when they need it most.
Historical data is essential for accuracy. Many of the most sophisticated fraud detection models gain their precision by evaluating identities based on historical patterns. If privacy laws require deletion of data upon request or after periods of inactivity, criminals will exploit these requirements to erase the evidence trails that would expose their activities.
The need for national consistency
As financial services increasingly operate across state lines through digital platforms, patchwork state privacy regulations create dangerous gaps that criminals can exploit. More importantly, inconsistent state privacy laws can inadvertently undermine fraud prevention effectiveness.
When financial institutions must navigate dozens of different state requirements for data collection, retention, and sharing, the complexity can delay or prevent the rapid information sharing necessary to stop identity theft in real time.
A coherent federal approach that maintains robust exemptions for identity verification and fraud prevention activities and associated data would ensure that critical fraud prevention tools remain available nationwide, while still providing comprehensive privacy protections for consumers.
The real-world impact of getting this right
The consequences of inadvertently weakening fraud prevention capabilities in the name of privacy protection would be severe and ironic. Every successful case of identity fraud represents a massive privacy breach for the victim—one that could have lasting consequences far beyond the initial financial harm.
Consider what happens when an identity thief successfully opens a fraudulent account:
- The victim's credit report may be damaged.
- The victim may face years of disputes and remediation efforts.
- The victim's personal information may be further compromised as criminals use the fraudulent account to gather additional data.
- The victim may be denied legitimate financial services due to the fraudulent activity on their record.
- The victim may experience the deep personal sense of violation and intrusion that privacy laws have long sought to combat.
These privacy violations could all be prevented through effective identity verification and fraud prevention at the point of application.
The path forward
As policymakers work to strengthen financial privacy protections, they should remember that the most effective privacy protection often comes through preventing privacy violations before they occur. This means preserving and strengthening the tools that financial institutions use to verify identities and detect fraud.
The choice isn't between privacy and security—it's between effective consumer protection and ineffective consumer protection. Strong privacy laws that include robust fraud prevention exemptions can deliver both comprehensive data protection and effective identity theft prevention.
Financial institutions, fraud prevention service providers, and regulators all have important roles to play in this ecosystem. But they can only be effective if the legal framework permits them the tools they need to protect consumers from the criminals continually devise new strategies to steal and abuse personal information.
Read our recent submission to the House Financial Services Committee to learn more about SentiLink's views on federal privacy legislation.
