5 Areas Where Regulations Are Transforming North American Financial Institutions
In the face of a global pandemic, financial institutions have had to rethink the way they do business with consumers. From finding new ways to onboard customers remotely to enhancing customer due diligence through new digital identity standards, 2020 brought changes for financial institutions seeking to achieve regulatory compliance while addressing customer needs. These regulatory changes will continue to impact business decisions in 2021 and beyond.
In the United States and Canada, the regulatory environment was impacted by the COVID-19 pandemic as federal and state policymakers and regulators were forced to make changes to accommodate social distancing. While it was an unprecedented year on this front, five key areas of interest stand out for North America: data privacy and protection, open banking, digital identity, e-signature, and remote online notarization.
In this blog, we pull the highlights from our inaugural OneSpan Global Financial Regulations Report to provide a summary of how these themes are driving transformation for North American financial institutions and the financial services industry.
Data Privacy and Data Protection
Data privacy and data protection remain top concerns for federal and state regulators alike. Much of this has been driven by consumer demand and analyst findings that inadequate data privacy and protection safeguards are extremely costly to financial institutions.
At the moment, the U.S. does not have a dedicated national data protection authority. However, the Federal Trade Commission (FTC) has authority over most national data protection issues. It is possible the U.S. will have a federal data protection authority under a recently proposed bill called the Data Protection Act of 2020, but Congress hasn’t voted on it yet.
At the state level, two of the most noteworthy developments in 2020 are the much-heralded California Consumer Privacy Act (CCPA) and New York’s SHIELD Act. The CCPA took effect in January, impacting virtually every financial institution in the state. Just two months later, the New York Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) took effect. It includes breach notification provisions, requires reasonable data security, establishes standards, and provides protections from liability for certain entities.
The insurance industry has also seen regulatory updates specifically to protect against cyber threats. Modeled after the New York Department of Financial Services’ (NYDFS) Cybersecurity Regulation, the National Association of Insurance Commissioners published the Insurance Data Security Model Law in 2017 designed to strengthen cybersecurity for insurance companies. Included in the model law is the requirement to “utilize effective controls, including multi-factor authentication [MFA] procedures for any individual accessing non-public information.” Several states have enacted laws, and more states have bills before legislative committees for review.
Open banking in the U.S. has been on and off over the past two years. In October of this year, the Consumer Financial Protection Board (CFPB) issued an Advanced Notice of Proposed Rulemaking on consumer authorized access to financial data. This could be the catalyst for open banking.
On the payments front, the Federal Reserve published specifications for its Fed Now service, a new federal instant payment service expected to launch in the 2023-2024 timeframe. The Fed has also been conducting research into the development of a U.S. central bank digital currency (CBDC). No timeframe has been announced as to whether the Fed will move forward with a CBDC.
Canada, meanwhile, is seeing similar trends in digital transformation. The country is making rapid progress in its adoption of digital identity, open banking, and instant payments. Canada took further steps toward open banking in January 2020, when the Advisory Committee on Open Banking published a report entitled, Consumer-directed Finance: The Future of Financial Service. The committee recommends that the government move forward with Consumer-Directed Finance (CDF) with a targeted launch in the 2021-2022 timeframe. We anticipate the launch of CDF, if approved by the government, to coincide with the forthcoming launch of the Pan-Canadian Trust Framework spearheaded by the Digital Identification and Authentication Council of Canada (DIACC).
Although not included in this blog, on November 17, 2020, the Digital Charter Implementation Act 2020 (DCIA) was introduced in the Canadian Parliament. If enacted, The DCIA would repeal aspects of the current Personal Information Protection and Electronic Documents Act (PIPEDA). A key provision of DCIA pertains to data transfer enabling Canadians to instruct their banks to share their personal information with another financial institution. This will open Consumer Directed Finance, commonly referred to as open banking in Canada.
Digital identity is another key focus area that will impact the financial industry’s business decisions in 2021. One of the most significant publications of the year came from the international global money laundering and terrorist financing watchdog, the Financial Action Task Force (FATF). In March 2020, the FATF published its Guidance on Digital Identity. Although the timing of its release coincided with the onset of the pandemic, in truth the FATF’s guidance was developed over a span of two years. Included in the guidance are details on the best way to apply customer due diligence to digital ID systems for remote identity verification during onboarding as well as authentication for financial transactions. It also includes a description of how third-party reliance between regulated entities can be used by financial institutions to meet the requirements. With the onset of the pandemic, the FATF’s guidance is proving instrumental to regulators in North America and around the globe, as they seek secure, consumer-friendly solutions that enable financial institutions to continue operations, maintain financial stability, and adhere;[p76 to social distancing.
It’s also worth noting that in 2019, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) revised its guidance entitled, Methods to verify the identity of an individual and confirm the existence of a corporation or an entity other than a corporation. The changes permitted remote or non-face-to-face onboarding of new customers. Since that time and due to the pandemic, financial institutions ranging from large banks and credit unions to community banks have realized this is the preferred method for customers to open new accounts in a safe and secure way.
Canada’s federal and provincial governments, especially Quebec and Ontario, have been quick to adopt sweeping legislative reforms and new laws to facilitate greater financial inclusion for their citizens and promote financial innovation. Laws such as Personal Information Protection and Electronic Documents Act (PIPEDA) and the provincial Uniform Electronic Commerce Act, for example, further define terms related to e-signature and establish electronic signature legality under certain circumstances.
In Canada, one new development that had not been permitted until 2020 was the use of e-signatures to sign wills. Likely a pandemic-inspired measure, the passage of British Columbia’s Bill 21, amending the Wills, Estates and Succession Act, SBC 2009, c 13 (“WESA”) made British Columbia the first Canadian jurisdiction to formally recognize electronic wills signed with e-signature technology.
In the United States, the Consumer Financial Protection Bureau (CFPB), which was created following the 2008 financial crisis to promote transparency for consumer financial products, is considering amending Regulation Z. The amendment would include applying the Electronic Signatures in Global and National Commerce Act (ESIGN Act) to consumer financial services regulations, specifically the credit card provisions in Regulation Z. As of the publication of this report, the CFPB has not announced rulemaking or provided a timeline for rule development. This is a long-term initiative, and it is unclear how the E-SIGN Act will be applied to the existing legislature.
Remote Online Notarization (RON)
In the U.S., more than 30 states have enacted Remote Online Notarization (RON) laws. Though RON legislation and enactment was well under way before the pandemic, financial institutions are seeing increased pressure from consumers to provide electronic services, in particular for real estate transactions. Regulatory authorities have responded in kind, and more states have bills on the books.
In addition, on March 23, 2020, the SECURE Notarization Act of 2020 was referred to the House Committee on Energy and Commerce and the Committee on the Judiciary for review of certain provisions. The act establishes standards for remote electronic notarization conducted as part of interstate commerce, including recognition of these notarizations state-to-state. As of the publication of our report, the Committees have not finished their review, and a date for finalization of the bill has not been announced.
Across North America, financial regulators continue to develop regulations, legislation and policies that facilitate digital transformation at financial institutions while protecting consumer interests. Consumers continue to demand privacy safeguards as well as convenient but secure digital services. In response to this and the pandemic, financial services organizations are innovating, accelerating digitization, and prioritizing cybersecurity.
For further insights and updates, download our Global Financial Regulations Report. We welcome your feedback on how we can improve on this resource. Reach us at [email protected] with your comments on this report.
This blog is the first of a regional series covering financial regulations in North America, Asia-Pacific, the Middle East, Europe, Africa and Latin America. Subscribe to our blog for alerts as new blogs are published.
This article is for informational purposes only and does not constitute legal advice. It is recommended that independent professional advice is sought from your side. OneSpan does not accept liability for the contents of these materials.