Banks want to share your secrets, but keep their own

Banks want immunity if they violate your privacy, but don’t want you to be able to read complaints about them.

When it comes to information sharing with the government, the position of America’s biggest banks seems to be, “Do as I say, not as I do.”

In the realm of cybersecurity, banking trade groups are busy lobbying for the right to share more customer data with the government, and ensure that data sharing is immunized from any legal ramifications emanating from that disclosure. But when confronted with the possibility of consumers handing their own information about their banks over to the government — well, Wall Street is crying foul.

Wall Street’s largest and most powerful trade groups — including the American Bankers Association, the Financial Services Roundtable and the Securities Industry and Financial Markets Association (Sifma) — have been actively lobbying on behalf of the Cybersecurity Information Sharing Act (CISA), a bill that raises substantial concerns about privacy. But even as they work to immunize themselves from privacy violations, they are simultaneously pretending to care about privacy when faced with the possibility of consumers’ complaints about them going public.

Banks want immunity when sharing your information with the government

CISA—the latest incarnation of a cybersecurity bill Congress has tried and failed to pass 4 times—would substantially widen the scope of when companies could share customer data with government surveillance entities. The way the bill’s advocates tell it, CISA is needed to help prevent cybersecurity threats. But CISA doesn’t just enable government agencies and companies to freely share information about potential hacks or security breaches, it also provides vast legal immunity to companies when they do so.

The immunity CISA grants is so broad that the Electronic Frontier Foundation likened it to “carte blanche immunity to violate long-standing computer crime and privacy law.”

Ostensibly, CISA is about sharing perceived cybersecurity threat information only. But advocates are concerned about CISA’s overreach, including the privacy violations it could permit. EFF has noted that the bill should “require deletion of all information not directly related to a threat,” but it doesn’t.

What’s even scarier about CISA is that it allows companies to launch counter-attacks if they perceive a “cybersecurity threat.” According to EFF, “cybersecurity threat” is defined so broadly, it “could be read by companies to permit attacks on machines that unwittingly contribute to network congestion.” Are you running a slow server? Sorry. CISA may give JPMorgan immunity to cyber-attack it.

So, where does the hypocrisy come in? Well, while the financial services industry argues for wide indemnification when sharing customer information with government surveillance entities like the Department of Homeland Security (DHS) and the National Security Agency (NSA), they’re simultaneously arguing against customers being able to crowd-source and voluntarily share information about their experiences with their banks.

Currently, the Consumer Financial Protection Bureau (CFPB) has a public consumer complaint database. When consumers file complaints against a financial institution through the CFPB’s website (or via phone or mail), the agency makes part of those complaints public: the product, the issue, the state, and the company the complaint is about.

A few rows from the Consumer Financial Protection Bureau’s (anonymized) consumer complaint database

But the most important information is currently missing: the actual story of what happened to the consumer. The CFPB calls this bit of information the “complaint narrative,” and they’ve proposed enhancing their complaint database by adding these anonymized stories. Such information can help other consumers make more informed choices about which financial institutions they’d like to do business with.

But the nation’s biggest financial institutions are trying to make sure that sort of transparency never happens.

Banks want to keep consumers’ horror stories secret

The CFPB asked for feedback on their proposal to make the customer narratives public back in July. Wells Fargo and the Financial Services Roundtable were among those who weighed in. Wells Fargo insisted in their comment letter to the CFPB that “well-established privacy rights” could be violated if the CFPB makes consumer complaints about banks public. And the Roundtable argued that the CFPB’s proposal amounted to posting “unverified” data to a “government website.”

Former Minnesota Governor Tim Pawlenty, who now runs the Financial Services Roundtable, has said that information sharing bills like CISA are “vital to ensure consumers’ assets are protected and financial institutions remain secure.” But in their letter to the CFPB about the complaint database, the Roundtable says they are “troubled by risks to the security of sensitive information collected by the Bureau,” even though this is data consumers proactively hand over to the CFPB. According to an email reviewed by The Hill, the Roundtable is so perturbed by the idea of the CFPB publicly sharing consumers’ complaints about their banks that they are even considering suing to stop it.

The latest version of CISA includes sharing information “in real-time” with the National Security Agency (NSA). So when the Roundtable insists that the CFPB sharing consumers’ horror stories with banks means “additional risks to consumer privacy,” it’s worth asking them why they remain so ferociously in favor of sharing real-time information with the NSA, an agency with a long record of privacy abuses. It seems the banks’ so-called concerns on privacy are nothing more than concern-trolling meant to keep their dirty laundry secret…even as they lobby for immunity, just in case they air yours.