Congress Proposes First Major GLBA Update in 25 Years: Mortgage Industry, Take Note
On April 22, two House committees made a coordinated move to reshape U.S. data privacy law. The House Energy & Commerce Committee introduced the SECURE Data Act, a comprehensive federal consumer privacy framework designed to replace the existing state-by-state patchwork. Simultaneously, the House Financial Services Committee introduced the GUARD Financial Data Act, which would modernize Title V of the Gramm-Leach-Bliley Act (GLBA)—the federal law that has governed financial institution data privacy since 1999.
The bills are designed as companion legislation, dividing the regulatory universe cleanly: the SECURE Data Act covers non-financial firms, while the GUARD Act covers GLBA-regulated financial institutions. For mortgage companies, GUARD is the bill to watch.
What the GUARD Act Means for the Mortgage Industry
GLBA's privacy framework is over 25 years old, and GUARD reflects a meaningful modernization. The bill introduces new obligations that go beyond what current GLBA requires. Mortgage companies should pay close attention to the following:
Data Minimization. GUARD requires financial institutions to limit collection and disclosure of nonpublic personal information (NPI) to what is adequate, relevant, and reasonably necessary for each disclosed purpose. Financial institutions that have treated data minimization as a best practice will now face a statutory mandate.
New Consumer Rights. Current and former customers gain expanded rights. Current customers can request access to their NPI and a list of third parties to whom it has been disclosed. Former customers—think paid-off borrowers—gain a new right to request deletion of their data, subject to legal retention requirements. Mortgage servicers, who often hold borrower data for years after loan payoff, will need to stand up entirely new processes to handle these requests.
Opt-In for Sensitive Data. Financial institutions must now obtain affirmative consumer consent before collecting or disclosing sensitive NPI, which is defined to include health information, biometric data, precise geolocation data, and certain demographic information. The existing opt-out framework is not enough for these categories.
Limits on Data Aggregators. Before using a consumer's login credentials to access their financial account, financial data aggregators and third parties must provide specific disclosures and give consumers an opportunity to opt out. This provision directly affects fintech integrations increasingly common in mortgage origination.
Enhanced Privacy Notices. Notices to consumers must now include information on AI use in data processing, data retention practices, and whether NPI is shared with China, Iran, North Korea, or Russia.
National Preemption: A Potential Compliance Win
GUARD would preempt state consumer data privacy and security laws as applied to GLBA-covered financial institutions and their NPI. For mortgage companies operating in multiple states—already navigating CCPA, various state privacy laws, and a growing number of state-specific requirements—a single federal standard could meaningfully reduce compliance overhead.
The Road Ahead
Neither bill is law yet, and the road through Congress is never short. But when two powerful committees move together on legislation of this scope, it is worth paying attention. Mortgage companies should use this window to assess how their current data practices stack up against what GUARD would require, particularly around data minimization, former customer deletion rights, and sensitive data consent. Companies that get ahead of this will be better positioned whether GUARD passes as introduced, passes in amended form, or shapes future regulatory guidance.
Keep an Eye Out for Updates
We will be closely monitoring both bills and providing updates as they advance. Questions about how this legislation could affect your business? Contact troy@garrishorn.com.