AFC Response to DFPI Second Invitation on Proposed Rulemaking Under the California Consumer Financial Protection Law Regarding Registration and Reporting of Covered Persons

February 26, 2026

Commissioner KC Mohseni
California Department of Financial
Protection and Innovation
651 Bannon Street, Suite 300
Sacramento, California 95811

Re: Response to Second Invitation for Comments on Proposed Rulemaking Under the California Consumer Financial Protection Law Regarding Registration and Reporting of Covered Persons (PRO 07-24)

Dear Commissioner Mohseni,

On behalf of the American Fintech Council (AFC),  I appreciate the opportunity to submit this comment letter in response to the California Department of Financial Protection and Innovation’s (“DFPI” or “the Department”) Second Invitation for Comments regarding potential rulemaking under the California Consumer Financial Protection Law related to the registration and reporting of certain covered persons (Proposed Rulemaking).

AFC is a standards-based organization and the largest and most diverse trade association representing financial technology companies and innovative banks. On behalf of over 150 member companies and partners, AFC promotes a transparent, inclusive, and customer-centric financial system by supporting responsible innovation in financial services and encouraging sound public policy. AFC members foster competition in consumer finance and pioneer products and services that expand access, improve efficiency, and better serve underserved consumers and communities across the United States.

AFC and its members share the Department’s commitment to promoting consumer protection, market integrity, and responsible oversight within California’s financial services marketplace. The perspectives offered in this letter are intended to support the Department’s efforts to develop a regulatory framework that advances transparency and accountability while remaining appropriately risk-based, practicable, and aligned with existing federal and state regulatory structures.

As the Department considers whether and how to expand registration and reporting requirements to additional participants in the consumer data and information ecosystem, it is important that any resulting framework avoid duplicative or overlapping obligations, clearly define the scope of covered activities, and calibrate requirements to the nature, size, and risk profile of the entities involved. A balanced approach will help ensure that supervisory resources are directed toward areas of greatest consumer risk while preserving innovation, competition, and continued access to beneficial financial products and services.

I. AFC Supports Exempting Entities and Data Subject to the Gramm-Leach-Bliley Act to Avoid Duplicative Regulation, Preserve Regulatory Consistency, and Focus Supervisory Resources on True Market Gaps

Financial services companies who are currently subject to the comprehensive federal privacy, data security, and information governance requirements of the Gramm-Leach-Bliley Act (GLBA), as well as the data that falls under their purview, should be exempt from any additional registration or reporting requirements pursuant to this rulemaking. Such an exemption would promote regulatory efficiency, reduce duplicative compliance obligations, and allow supervisory resources to be directed toward areas where meaningful regulatory gaps may exist.

The GLBA establishes a robust and well-developed framework governing the collection, use, safeguarding, and sharing of consumer financial information by financial institutions and their service providers. Covered entities are subject to extensive requirements, including the Safeguards Rule, Privacy Rule, and ongoing federal and state supervisory oversight designed to ensure the confidentiality, integrity, and security of consumer data.  These obligations are further reinforced through examination authority exercised by federal banking agencies, the Consumer Financial Protection Bureau, and state regulators, depending on the institution’s charter and business model. As a result, GLBA-covered entities, and the data under their purview, already operate within multiple layers of federal and state supervision, and additional reporting requirements would provide marginal oversight benefit at the expense of augmented compliance burdens.

In addition to superfluous reporting requirements, there also exists the added risk of creating overlapping and potentially inconsistent regulatory requirements without any commensurate consumer protection benefit. Such a duplicative reporting regime may increase operational complexity, divert compliance resources away from substantive risk management, and may introduce uncertainty where reporting definitions or expectations differ from established federal standards. These outcomes would likely undermine regulatory clarity while providing limited incremental supervisory value.

An exemption for GLBA-covered entities would also align with the statutory principle reflected in the California Consumer Financial Protection Law that registration should not be required where a covered person is already licensed or registered by another agency for the same regulated activity.  Where entities are already subject to comprehensive federal privacy and data security oversight, additional state-level reporting requirements addressing substantially similar subject matter is simply unnecessary.

Consistent with this approach, a GLBA-based exemption for both entities and data covered under the statute would ensure that the Department’s regulatory framework is appropriately risk-based. The entities covered by GLBA operate within mature supervisory structures and established compliance programs, and they are routinely examined for adherence to data protection and information governance standards. By contrast, the areas of greatest potential supervisory value lie with entities operating outside of existing federal financial regulatory frameworks.

A risk-based framework that accounts for existing federal and state oversight, clearly defines the scope of covered activities, and calibrates requirements to the size and risk profile of affected entities will enable the Department to focus its supervisory resources where they are most effective. In light of the foregoing, AFC recommends that any final rule expressly exempt entities and data subject to GLBA from new registration and reporting requirements under this rulemaking.

II. AFC Supports Calibrating Reporting Requirements for Non-GLBA Entities to be Risk-Based, Proportionate, and Practicable to Promote Compliance and Preserve Market Participation

To the extent that the Department exerts jurisdictional purview over entities who are not subject to GLBA, the ensuing regulatory framework should be narrowly tailored, risk-based, and designed to avoid overly burdensome and impracticable requirements. Reporting obligations that are disproportionate to the risks presented may discourage market participation, increase costs for consumers, and divert resources away from substantive consumer protection efforts. Overly burdensome requirements may also reduce competition and innovation by discouraging responsible providers from entering or remaining in the market, ultimately limiting consumer access to beneficial financial products and services.

Such an occurrence may emerge from rulemaking that prescribes broad or highly granular reporting requirements, including for example, the creation of new data fields, extensive manual aggregation, or system redesign. The resulting costs may be especially acute where the requested information is not already collected in the ordinary course of business. Accordingly, to mitigate these risks, reporting requirements should be narrowly tailored to information that is demonstrably necessary to support defined supervisory objectives and that cannot be obtained through existing regulatory channels or targeted supervisory inquiries. In this effort, the Department should align any required reporting with data that entities already maintain in the ordinary course of business and with established industry standards wherever possible. The required reporting frequency and scope should be calibrated to the risk profile and operational realities of the activity, and requirements should be proportionate to the size, market footprint, and nature of the services provided by the reporting entity. In conjunction with these requirements, the Department should provide clear definitions, reasonable implementation timelines, and opportunities for phased compliance to allow responsible providers to develop sustainable systems and controls without disrupting ongoing consumer services.

Furthermore, given the continuously developing data ecosystem, pursuing an overly prescriptive regulatory reporting framework could stymie innovation—ultimately harming both industry progress and consumer benefit. Therefore, A reporting framework should be principles-based and avoid an overly prescriptive set of reporting requirements. Pursuing a principles-based reporting framework would enable the Department to obtain meaningful supervisory information while preserving competition, innovation, and consumer access. Aligning any new obligations with information maintained in the ordinary course of business, supported by clear standards and reasonable implementation timelines, will promote compliance while preserving innovation and competition. Grounded in principles of proportionality, regulatory consistency, and operational feasibility, such an approach will strengthen consumer protection and oversight without creating unintended barriers for responsible providers or limiting access to beneficial financial products and services. By ensuring that requirements are proportionate and practicable, the Department can strengthen oversight without creating barriers that would drive responsible providers from the market or reduce the availability of consumer financial services.

* * *

AFC appreciates the Department’s thoughtful and transparent approach to engaging stakeholders as it evaluates whether additional registration and reporting requirements are warranted under the California Consumer Financial Protection Law. As expressed in this letter, any expansion of the existing framework should be carefully tailored to advance supervisory objectives while avoiding duplicative oversight, unnecessary operational burden, or regulatory uncertainty that could undermine responsible market participation.

AFC welcomes continued engagement with the California Department of Financial Protection and Innovation and stands ready to serve as a resource as the Department considers next steps in this important policy area.

Sincerely,

Ian P. Moloney
Chief Policy Officer
American Fintech Council

[1] American Fintech Council’s (AFC) membership spans banks, non-bank lenders, payments providers, EWA providers, loan servicers, credit bureaus, and personal financial management companies.
[2] Gramm–Leach–Bliley Act, 15 U.S.C. §§ 6801–6809; Standards for Safeguarding Customer Information, 16 C.F.R. pt. 314; Privacy of Consumer Financial Information (Regulation P), 12 C.F.R. pt. 1016.
[3] Cal. Fin. Code § 90009(a)(2)(B).

‍

‍