BPI Comments on DOJ Proposal on the Handling of Bulk Sensitive Personal Data

Dear Deputy Chief Licata:

The Bank Policy Institute[1] and its technology division BITS[2] appreciate the opportunity to comment on the Department of Justice, National Security Division’s Advanced Notice of Proposed Rulemaking soliciting comments concerning the Provisions Regarding Access to Americans’ Bulk Sensitive Personal Data and Government-Related Data by Countries of Concern.[3] Soliciting industry feedback is an integral part of developing effective and enforceable regulations without unintended consequences to key aspects of the U.S. economy like the banking system.

BPI supports the national security objectives described in Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern,”[4] and additionally detailed in the ANPRM. BPI recognizes that the U.S. government has legitimate national security interests in protecting the bulk sensitive personal data of U.S. persons and believes that private industry has an important role to play in securing that data. As described in this comment letter, BPI believes that as it is currently written the ANPRM is “carefully calibrated” to enhance U.S. national security “while minimizing disruption to commercial activity.”[5]

Financial institutions are subject to a myriad of security, privacy, operational resilience, and third-party risk management requirements to mitigate risks related to the provision of financial services. These requirements extend to the personal data that may be collected, processed, and stored in connection with such activities. Considering the range of existing regulations in this area, BPI appreciates and strongly supports the ANPRM’s exemption related to data transactions that are ordinarily incident to and part of the provision of financial services, payment processing and regulatory compliance.[6] BPI also values the ANPRM’s guidance specifying that when a U.S. financial institution processes a payment of a covered person, underwrites a loan, or otherwise provides financing for a company that in turn pursues a covered data transaction, such activities of the U.S. financial institution would not be considered as “knowingly directing” a covered data transaction.[7] In response to the ANPRM’s request for feedback concerning bulk thresholds and data anonymization, BPI respectfully suggests that the bulk threshold for personal financial data and covered identifiers be set at 1,000,000 and that anonymized and de-identified sensitive personal data be treated differently under any rule proposal. Finally, BPI recommends that any “security requirements” set forth in a rule proposal consider accepted industry risk frameworks such as the Cyber Risk Institute Profile.[8]


[1] The Bank Policy Institute is a nonpartisan public policy, research and advocacy group that represents universal banks, regional banks, and the major foreign banks doing business in the United States. The Institute produces academic research and analysis on regulatory and monetary policy topics, analyzes and comments on proposed regulations, and represents the financial services industry with respect to cybersecurity, fraud, and other information security issues. Issues of focus include capital and liquidity regulation, anti-money-laundering, payment systems, consumer protection, bank powers, bank examination, and competition in the financial sector.

[2] BITS – Business, Innovation, Technology, and Security – is BPI’s technology policy division that provides an executive-level forum to discuss and promote current and emerging technology, foster innovation, reduce fraud, and improve cybersecurity and risk management practices for the nation’s financial sector.

[3] See DOJ, National Security Division; Provisions Regarding Access to Americans’ Bulk Sensitive Personal Data and Government-Related Data by Countries of Concern, 89 FR 15780 (Mar. 5, 2024).

[4] E.O. 14117, Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern, 89 FR 15421 (Feb. 28, 2024).

[5] 89 FR 15782.

[6] 89 FR 15794.

[7] 89 FR 15793.

[8] The Cyber Risk Institute Profile is based on the NIST Cybersecurity Framework and incorporates existing financial regulatory requirements and globally recognized standards. The Profile, CYBER RISK INST., https://cyberriskinstitute.org/the-profile/.