Photo of Kim Phan

Kim Phan

Subscribe to Kim Phan's Posts

Kim is a partner in the firm’s Privacy + Cyber Practice Group, where she is a privacy and data security attorney, who also assists companies with data breach prevention and response, including establishing effective security programs prior to a data breach and the assessment of breach response obligations following a breach.

Follow:Read more about Kim PhanKim's Linkedin Profile

A new discussion draft from Representative Bill Huizenga (R-MI) would significantly update Title V of the Gramm‑Leach‑Bliley Act (GLBA) to reflect how financial data is collected, shared, and monetized in today’s market. Released in connection with the March 17, 2026 House Financial Services Committee (Committee) hearing, “Updating America’s Financial Privacy Framework for the 21st Century,” the draft purports to give consumers greater control over their financial data, impose new limits on financial institutions and data aggregators, and create a more uniform national privacy regime for consumer financial information.

In this episode of FCRA Focus, host Kim Phan is joined by Michael Yaghi, partner in Troutman Pepper Locke’s Regulatory Investigations, Strategy + Enforcement practice group, to unpack the California Department of Financial Protection and Innovation’s (DFPI) latest effort to require registration for the credit reporting industry. They discuss DFPI’s second request for comment, how it fits into California’s broader push to regulate nonbank financial services, and which entities may be swept in beyond the “big three” consumer reporting agencies — such as furnishers, data brokers, specialty credit reporting agencies, resellers, and fintechs. Kim and Michael also explore how narrowly (or broadly) the rules might be drawn, potential overlap and tension with existing FCRA requirements, what registration and reporting could mean in practice for covered entities, and what companies should be doing now as the February 26 comment deadline approaches.

In this special joint episode of The Consumer Finance Podcast and Payments Pros, Taylor Gess and Kim Phan discuss key privacy and data security risks in point-of-sale finance. They dive into regulators’ growing view that every player in the payments chain shares responsibility for protecting data, highlighting best practices for vendor management, PCI DSS oversight, and incident response planning. The episode also touches on the shifting patchwork of state privacy and breach notification laws, GLBA exemptions, and the risks of data monetization, including when packaging and selling transaction data can trigger Fair Credit Reporting Act obligations.

In 2025, the U.S. digital asset landscape evolved more dramatically than in any year since the industry’s inception. A pro‑innovation White House, an active Congress, and key regulators — including the U.S. Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), the Office of the Comptroller of the Currency (OCC), the Department of

On January 12, the California Department of Financial Protection and Innovation (DFPI) issued a second invitation for comments on potential regulations under the California Consumer Financial Protection Law (CCFPL) that would require registration and reporting by firms engaged in consumer reporting and related data activities. Comments are due by February 26.

On December 22, the National Credit Union Administration (NCUA) updated its Artificial Intelligence (AI) resource page to consolidate key technical and policy references for federally insured credit unions. The page sits within NCUA’s broader cybersecurity and financial technology resources and is explicitly framed as support for evaluating and performing due diligence on third‑party AI vendors. It links AI oversight back to existing NCUA guidance on third‑party relationships, including 07‑CU‑13 (Evaluating Third Party Relationships) and 01‑CU‑20 (Due Diligence Over Third Party Service Providers).

In this episode of The Consumer Finance Podcast, Chris Willis is joined by Ted Augustinos and Kim Phan to introduce The Money Matrix, an upcoming webinar series helping financial institutions navigate privacy, data security, and AI in today’s complex digital landscape. The teaser highlights strategies to secure financial data, overcome barriers to adopting AI, and stay ahead of regulatory trends. Each session offers practical guidance to help teams like Neo, Trinity, and Morpheus remain innovative, compliant, and trusted. The series explores how financial institutions can balance innovation with data privacy while leveraging AI responsibly.

On December 11, the White House issued an Executive Order (EO) titled Ensuring a National Policy Framework for Artificial Intelligence (AI). The EO states a federal policy to sustain and enhance U.S. AI leadership through a minimally burdensome national policy framework and to limit conflicting state requirements. It directs rapid actions by multiple federal entities to evaluate, challenge, or preempt state AI laws viewed as inconsistent with that policy and to use federal funding and standard-setting to influence state approaches.

In two recent litigation status reports, the Consumer Financial Protection Bureau (CFPB or Bureau) indicated that it is working to issue interim final rules for both Section 1071 and Section 1033 in light of an opinion from the U.S. Department of Justice’s Office of Legal Counsel (OLC) concluding that the Bureau cannot lawfully draw funds from the Federal Reserve Board at this time. Specifically, as discussed here, the OLC concluded that the Federal Reserve System presently has no “combined earnings” from which the CFPB may lawfully draw funds under the Dodd‑Frank Act, and the CFPB has publicly stated it anticipates having sufficient funds to continue normal operations through at least December 31, 2025.

On this episode of FCRA Focus, Kim Phan is joined by Rachel Kelley and Alisha Sears from the Mortgage Bankers Association to discuss the Homebuyers Privacy Protection Act, which amends the Fair Credit Reporting Act to address residential mortgage trigger leads with the goal of curbing abusive calls while preserving meaningful competition. This law now requires both a firm offer of credit and documented consumer authorization, with limited exceptions for current originators, servicers, and depository institutions/credit unions holding an account. They discuss how the law places the primary obligations on consumer reporting agencies, what lenders should expect around consent certifications, the Government Accountability Office study on trigger-leads, and the upcoming effective date.