Jeff Jinnett: IT Approaches to State Law Preemption Under the Proposed Consumer Financial Protection Agency

On June 17, 2009, the U.S. Department of the Treasury issued a white paper entitled “Financial Regulatory Reform – A New Foundation: Rebuilding Financial Supervision and Regulation”(1).  This document sets forth the vision of the Obama administration for a new federal regulatory regime for the U.S. financial services industry. One proposed change is to create a new Consumer Financial Protection Agency (CFPA) with broad jurisdiction to protect consumers of financial products and services such as credit, savings and payment products (including mortgages).  On June 30, 2009, the Treasury Department submitted a bill to the U.S. Congress to create the CFPA, substantially as proposed in the “New Foundation” white paper(2).  Notable is that the CFPA’s rules would serve as a “floor” and not as a ceiling(3). Each of the states would have the ability to adopt and enforce stricter laws for institutions of all types, regardless of charter. 

In light of the broad mandate of the proposed CFPA, if the CFPA is created by the U.S. Congress, financial institutions will need to develop an approach that permits them to quickly identify (a) which CFPA rules govern their activities, and (b) which state rules are either (i) preempted by the CFPA rules, or (ii) not preempted because they provide greater consumer protection than the CFPA rules.  Fortunately, there are precedents to guide companies in navigating this minefield. For example, under Section 1178 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the requirements of HIPAA supersede any contrary provision of state law, with three exceptions, one of which is where the state privacy law is deemed “more stringent” than HIPAA in protecting “individually identifiable health information”(4).  HIPAA therefore adopts a “floor” preemption approach similar to the “floor” approach adopted in the CFPA bill. In order to identify those state privacy laws that were “more stringent” than HIPAA (and the HIPAA Privacy Rule(5) adopted by the U.S. Department of Health & Human Services pursuant to HIPAA), some organizations conducted reviews of the various state medical privacy laws and published the results in chart form(6). As an example of using technology to streamline legal reviews, the BlueCross BlueShield Association retained a law firm to develop a database of the state laws not preempted for ease of use(7).  It is possible that a similar database of state laws not preempted by CFPA rules might prove similarly useful.

Although the HIPAA preemption databases generally were simple query databases, it might be advisable for a CFPA preemption database to be semi-automated in order to permit users to quickly query the database and apply the result to transactions that need to be completed in real-time.  Semi-automated compliance rules engines and databases are often difficult and daunting to develop,  but have been successfully utilized in certain areas.  Compliance rules engines have been fairly successful in the area of tax calculations (e.g., in the calculation of sales taxes using automated systems as part of the multi-state Streamlined Sales Tax Project)(8).  Other successful efforts to utilize technology to semi-automate compliance and legal processes include the projects currently being undertaken by the Stanford University Center for Computers and Law (CodeX)(9).  It remains to be seen how financial institutions will seek to adapt to new CFPA rules and whether they (a) will follow the example of the healthcare industry by developing regulatory databases in simple query format or (b) develop more sophisticated, semi-automated compliance databases comparable to what has been developed as part of the Streamlined Sales Tax Project and by the Stanford Center for Computers and Law. 

  1. See
  2. See
  3. See, e.g., Section 5136C(c)(2) of the CFPA Bill and page 14 of the “New Foundation” white paper. 
  4. See, generally, WEDI/SNIP Security and Privacy Workgroup, “Preemption White Paper”, located at
  5. See
  6. See, e.g.,
  7. See, e.g.,
  8. See
  9. See



JeffJeff Jinnett is Governance, Risk Management & Compliance Industry Market Development Manager, US Financial Services Group., for the Microsoft Corporation. Mr. Jinnett is a former partner of the international law firm of LeBoeuf, Lamb, Greene & MacRae, LLP (now Dewey & LeBoeuf) and has experience in advising Fortune 500 companies in the financial services industry on the use of technology to support corporate governance, risk management and compliance programs. Mr. Jinnett has testified as an expert before committees of the US Senate on issues relating to the intersection of law and technology. He is a member of ARMA (a records and information management professional association) and the Society of Corporate Compliance & Ethics (SSCE).