Prevention and risk mitigation are key components in every aspect of bank operations - the same holds true in the protection of customer data.

ICBA Policy Resolution

Data Security and Fraud


  • Any new Federal or state legislation, regulation, or guidance related to data or cybersecurity should be non-proscriptive and non-duplicative.
  • ICBA suggests that regulators broaden their supervision to include all companies that have access to consumer financial data.
  • Regulators should not mandate the use of any one framework, tool, or assessment, but rather support community banks’ ability to use the framework, tool or assessment that best suits their institution’s size, complexity, and risk tolerance.
  • ICBA supports bi-directional sharing of threat intelligence between the financial sector and the government.
  • ICBA supports stronger cybersecurity standards and practices for government.
  • ICBA supports financial sector initiatives such as .BANK and Sheltered Harbor.


To better address increasingly sophisticated threats, state and federal legislation, regulation, and guidance should enable community banks to implement risk-based security programs. Lawmakers and regulators should harmonize future legislation or regulatory action with existing regulatory requirements. Additionally, regulators should broaden their supervision to include all companies that have access to, use, or store consumer financial data. These companies should be subject to the standards outlined in the Gramm-Leach-Bliley Act (GLBA).

Community banks have various sizes, complexities, and risk tolerances. As such, regulators should allow community banks to choose the assessment tool that best fits their institution’s risk profile.

ICBA recognizes that the U.S. Government also has a responsibility to safeguard financial and personally identifiable information (PII) and to provide banks with visibility into the government’s business continuity, incident response, and other critical resiliency plans. Bi-directional threat information sharing initiatives, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), are critical to threat mitigation.

.BANK, Sheltered Harbor, and other financial sector efforts enhance protection for bank customer account data.

ICBA Policy Resolution



  • ICBA supports national cyber incident reporting standards.
  • ICBA supports national data breach legislation to fix the patchwork of state data breach laws.
  • ICBA supports third-party incident and breach notifications to banks.
  • ICBA supports assigning the cost of an incident or data breach to the party that incurs the breach.
  • ICBA supports U.S. Government reporting incidents to banks.


Safeguarding customer information is critical to maintaining the public’s trust in the banking system. Data breaches in the private and public sectors jeopardize consumer financial data and increase the chances of financial fraud of all types.

Community banks currently face a myriad of incident reporting laws at the state and federal level. The federal government should focus efforts on harmonizing incident reporting requirements to enable community banks to focus more on response and recovery, and less on compliance and paperwork.

Similarly, ICBA supports a federal data breach law that preempts the current patchwork of state laws. These laws create requirements that are overly, broad, conflict with one another, increase costs and foster confusion.

Following a breach in the private or public sectors, community banks must receive timely notification concerning the nature and scope of any breach that may have compromised customer data. The costs of data breaches should be borne by the party that incurs the breach.

Barring a shift in liability to the breached entity, community banks should have continued access to various cost-recovery options, including account recovery programs and litigation. Too often, the breached entity evades accountability while financial institutions are left to mitigate damages to their customers.

Lastly, the government, including regulatory agencies, continues to experience cyber incidents and data breaches resulting in the loss of consumer data. Governmental departments and agencies have a responsibility to report incidents, and liability for the breach of governmental systems should not be unfairly born by community banks.

ICBA Policy Resolution



  • ICBA supports privacy measures which hold all entities that handle personal information to the same standards that community banks and other financial institutions are held to through the Gramm-Leach-Bliley Act (GLBA) and other financial regulatory oversight.
  • ICBA supports a national privacy standard as opposed to a patchwork of state privacy acts and standards.
  • ICBA supports GLBA entity-level exemption from proposed state privacy laws.



By their very nature, community banks and other financial institutions must collect sensitive nonpublic personally identifiable information (PII) about customers to meet their needs for financial services, which includes an array of deposit and loan services.

This information is also used to prevent fraud, identity theft and comply with various regulatory requirements. Safeguarding customer information is central to financial institutions maintaining public trust and retaining customers.

Third Party and Non-Bank Privacy. Information that is gathered by entities outside of the financial services industry is not held to the same standards as it relates to safeguarding information. Once information is shared with permissioned third-parties, consumers may no longer have control of their personal and financial information.

The potential for abuse is real and can be extremely harmful to consumers. This leaves consumers vulnerable to entities that may mislead them about what they do with the information they collect. This places an extraordinary burden on consumers to be vigilant in their research and knowledge of firms to which they may provide their online account credentials.

For this reason, ICBA has profound concerns that non-bank entities which may be authorized by consumers to access their information and store their bank login credentials may not take the same care in protecting consumer privacy and data as community banks.

At a minimum, consumers must have the same GLBA-like privacy protections with permissioned third parties as they have with banks, including limitations on the use of consumer information and limitations on the disclosure of the consumer’s information to third parties.

Privacy Standards. Community banks are committed to complying with existing standards to protect customer privacy as outlined in the GLBA and the Safeguards Rule. However, many states are establishing privacy requirements to enhance consumer protection.

While ICBA fully supports privacy standards, particularly as it relates to protecting consumer financial information and PII, creating a patchwork of differing state privacy laws and requirements creates unnecessary costs and burdens for community banks and other small businesses.

It is important to maintain one standard as opposed to many complex and potentially competing state-level standards. 

GLBA Exemption. Community banks have protected consumer privacy for the last two decades under the Gramm-Leach-Bliley Act. ICBA supports the GLBA and the privacy standards and enforcement it requires.

Given the patchwork of state privacy laws currently in place and being signed into law, ICBA supports an entity-level exemption from proposed laws due to the strict privacy requirements in GLBA and stringent enforcement by federal regulators. Complying to both the GLBA and the various state laws which community banks may fall under, would be both unnecessarily burdensome and duplicative.

The GLBA requires financial institutions to provide protections for consumer’s data and prevents financial institutions from sharing consumers’ personal information under certain circumstances without offering consumers a reasonable opportunity to opt out of such sharing.

Further, the GLBA’s Safeguards Rule requires financial institutions to review their consumer data, identify security risks and develop a comprehensive security program to protect consumer data from unauthorized use and disclosure. Including such an exemption in state privacy laws will continue to protect consumers while avoiding any unnecessary barriers to community banks.

Staff Contacts: Steven Estep and Susan Sullivan.