Fraud Spurs Wave of New Financial Regulations – What Security Leaders Need to Know
As the COVID-19 pandemic first swept across the nation last spring and communities went into lockdown, businesses in all industries rushed to digitally transform themselves in order to continue serving their customers through digital channels and support remote workforces. Even heavily regulated industries – such as financial services – acted quickly. Banks rushed to adopt new technologies such as biometrics, digital identity verification, remote online notarization and more to modernize their processes and ensure that Americans could continue accessing their money during this critical time.
However, this rush to digitize processes and services exposed vulnerabilities in our financial system and its underlying technology infrastructure. Cybercriminals and fraudsters saw the trillions of dollars in economic stimulus, expanded unemployment benefits and pandemic relief funds being poured into the financial system as a boon. They swooped in to get their piece of the pie, and as a result fraud surged. Cyberattacks aimed at the financial sector increased 238% during the pandemic, account takeover fraud grew 72%, and banks reported a seven-fold increase in suspicious business loan activity. In September 2020, in a presentation at the Fed ID Forum, the U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) outlined how criminals exploit weaknesses in identity to commit more than $1 billion in cybercrimes each month. Numerous state governments were hit by massive fraudulent unemployment claims, to the tune of $36 billion in 2020, according to USA Today.
This surge in fraud rightfully drew scrutiny from legislators and federal regulators, who are pushing through a wave of new regulations aimed at better protecting consumer data online and enabling safer digital commerce. Security and IT professionals working in the financial sector, and even those in other sectors, should be aware of the upcoming regulations and policies that may go into effect this coming year. Here are some of the most significant regulations likely to impact your cybersecurity and IT strategies, and what you should do now to prepare.
Stringent Requirements for Digital Identity Verification
The widespread fraud that resulted from the early pandemic relief programs shone a spotlight on the fact that the U.S. lacks a federal framework for digital identities. A comprehensive, nationwide strategy for digital identities and how to verify them would help protect Americans from identity theft and online fraud. Instead, years of wide-scale data breaches have ensured that most Americans already have their personally identifiable information (PII) being sold or exchanged on the Dark Web. This means that the traditional method banks and other institutions have used to verify a person's identity when opening a new account, known as knowledge-based verification (KBV), is effectively useless: the "secret" answers it relies on are already in criminals' hands. Synthetic identity fraud, the practice of piecing together stolen PII such as a Social Security number with fictitious data to create a new identity, has become the fastest-growing type of financial crime in the U.S. The problem has never been more urgent than during the pandemic. As the federal government pumped money into the financial system, banks and state governments were forced to freeze accounts and access to funds for weeks as they struggled to verify consumer identities in digital channels and discern legitimate claims from fraudulent ones.
Going forward, financial institutions and government agencies alike will be expected to strengthen their digital identity verification processes through new technologies and techniques. Under the new Biden Administration, I expect we'll see the reincarnation of some Obama-era initiatives, beginning with a plan for improving digital identity verification. The Obama administration had worked to develop the National Strategy for Trusted Identities in Cyberspace (NSTIC), but it never gained the traction that was envisioned. Now, after the effects of the pandemic, we are witnessing much more bipartisan interest in this topic. Last year, Congress introduced the bipartisan Improving Digital Identity Act. Although the bill died at the end of the last congressional session, its co-sponsors, Rep. Bill Foster (D-IL) and Rep. John Katko (R-NY), announced earlier this month that it will be re-introduced in Q1 of this year. If passed into law, the bill would create a task force within the Executive Office of the President. The mission of this task force would be to create a unified strategy spanning the federal, state and local levels for secure and interoperable methods of digital identity verification that can be used by both the public and private sectors.
The bill draws on the Better Identity Coalition's 2018 report, Better Identity in America: A Blueprint for Policymakers, which among other things recommends that government agencies, state Departments of Motor Vehicles and the Social Security Administration (SSA) at the federal level, are best positioned to offer new identity services to consumers, because they are the authoritative issuers of the underlying identity records.
Some progress is already being made in this area. The SSA recently launched its electronic Consent Based Social Security Number Verification (eCBSV) service to help financial institutions reduce the risk of synthetic identity fraud during the new account opening process. With the applicant's written consent, eCBSV returns a yes/no indication of whether a submitted name, date of birth and SSN combination matches SSA records.
Security and IT professionals at financial institutions should begin strengthening their digital identity verification processes now. Start by integrating the eCBSV service into your new account application process, keeping in mind that a match only confirms that the name, date of birth and SSN combination exists in SSA records; it does not prove that the applicant is that person, so pair it with document, device and behavioral checks. Also refer to the most recent Guidance on Digital Identity released by the Financial Action Task Force (FATF), which details best practices banks should follow and describes how financial institutions can rely on third parties to meet identity verification requirements in digital channels.
New Protections for Biometric Identifiers
As cities went into lockdown and consumers stayed home, the popularity of mobile banking skyrocketed during the pandemic. To provide a more convenient mobile experience, many banks have started using biometrics such as fingerprint scans and facial recognition for user authentication when customers log into their mobile banking apps. The dramatically increased use of biometrics has drawn attention to the need for a national law that would govern how businesses collect, store and protect consumers’ biometric data.
Late last year, the U.S. Senate introduced several data privacy-related bills, including the National Biometric Information Privacy Act, which, if enacted, would create new obligations for businesses using consumers' biometric identifiers. Among other things, it would prohibit businesses from collecting biometric data such as faceprints, fingerprints, retina scans and voiceprints without first obtaining explicit consent. Businesses would also be required to safeguard biometric identifiers in the same way they protect other sensitive PII, such as Social Security numbers. It would also introduce monetary penalties for non-compliance.
Security teams working for any business that uses biometrics for user authentication should ensure they are following best practices for protecting and storing that data. Look to the frameworks being developed by the FIDO Alliance and the National Institute of Standards and Technology (NIST). In the FIDO model the biometric is matched on the user's device and only a cryptographic assertion reaches the server, so the institution never holds a central store of biometric templates at all; NIST SP 800-63B sets out requirements for using biometrics as an authentication factor. These could soon be adopted at the national level, so following their recommendations now will put you a step ahead when regulations are introduced. Also, watch for updated guidance on Internet Banking Authentication from the Federal Financial Institutions Examination Council (FFIEC), which is expected later this year and will likely include new guidance on biometric authentication.
Security professionals in the financial sector, especially, should plan to modernize their approach to multifactor authentication in order to combat the ongoing fraud surge. Real-time risk analytics, increasingly powered by artificial intelligence (AI) and machine learning, continuously score each login and transaction on signals such as device, location, velocity and transaction pattern, so that banks can identify fraud as it is occurring. The result is a multi-layered approach to multifactor authentication in which a low-risk login proceeds silently, an elevated score triggers an additional authentication step, and a very high score blocks the attempt outright.
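The following is an added example, not code from the original article or from OneSpan, showing what such a risk-based step-up policy looks like in practice. It scores each login or payment event against a simple behavioral profile (known devices, usual countries, recent history) and maps the score to ALLOW, STEP_UP or BLOCK. All signal weights, thresholds, field names and sample events are assumptions chosen for illustration; a production engine would learn them from data.

```python
"""Risk-based step-up authentication (added illustrative example).

Each login or payment event is scored against the user's behavioural
profile; the score selects ALLOW, STEP_UP (demand a second factor) or
BLOCK. Weights, thresholds and sample data are assumed values.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ALLOW, STEP_UP, BLOCK = "ALLOW", "STEP_UP", "BLOCK"
STEP_UP_THRESHOLD = 40   # assumed tuning values
BLOCK_THRESHOLD = 80


@dataclass
class Event:
    user: str
    ts: datetime
    device_id: str
    country: str
    amount: float = 0.0        # 0 for a plain login
    new_payee: bool = False    # payment to a payee never used before


@dataclass
class Profile:
    known_devices: set
    usual_countries: set
    history: list = field(default_factory=list)  # prior Events, oldest first


def score_event(ev: Event, p: Profile):
    """Return (score, reasons). Pure: it does not modify the profile."""
    score, reasons = 0, []
    if ev.device_id not in p.known_devices:
        score += 40; reasons.append("unknown device")
    if ev.country not in p.usual_countries:
        score += 20; reasons.append("unusual country")
    # Impossible travel: a different country within 2 hours of the last event.
    if p.history:
        last = p.history[-1]
        if last.country != ev.country and ev.ts - last.ts < timedelta(hours=2):
            score += 40; reasons.append("impossible travel")
    # Velocity: five or more attempts in the last 10 minutes.
    recent = [e for e in p.history if ev.ts - e.ts <= timedelta(minutes=10)]
    if len(recent) >= 5:
        score += 30; reasons.append("high velocity")
    # Transaction-level signals.
    if ev.new_payee:
        score += 15; reasons.append("new payee")
    if ev.amount >= 5000:
        score += 25; reasons.append("large amount")
    return score, reasons


def decide(score: int) -> str:
    """Map a risk score to an authentication decision."""
    if score >= BLOCK_THRESHOLD:
        return BLOCK
    if score >= STEP_UP_THRESHOLD:
        return STEP_UP
    return ALLOW


def evaluate(ev: Event, p: Profile):
    """Score and decide on one event, then record it in the profile so
    that later velocity and travel checks can see it."""
    score, reasons = score_event(ev, p)
    p.history.append(ev)
    return decide(score), score, reasons


def run_demo():
    """Three constructed events for one user; returns the decisions."""
    base = datetime(2021, 3, 1, 9, 0)
    p = Profile(known_devices={"dev-A"}, usual_countries={"US"})
    events = [
        # routine login from the usual phone
        Event("alice", base, "dev-A", "US"),
        # $6,000 payment to a never-seen payee five minutes later
        Event("alice", base + timedelta(minutes=5), "dev-A", "US", 6000.0, True),
        # new device, new country, 25 minutes after the previous US event
        Event("alice", base + timedelta(minutes=30), "dev-Z", "RO"),
    ]
    return [evaluate(e, p) for e in events]


if __name__ == "__main__":
    for decision, score, reasons in run_demo():
        print(f"{decision:8} score={score:3}  {', '.join(reasons) or 'no risk signals'}")
```

Running the demo yields ALLOW for the routine login, STEP_UP for the large payment to a new payee, and BLOCK for the login that combines an unknown device, an unusual country and impossible travel. The important design point is that the scoring function is pure and the decision thresholds are separate from the signals, so the weights can be replaced by a trained model without changing the enforcement path.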
A Federal Law for Consumer Data Protection
Much as the U.S. has lacked a nationwide framework for digital identities, we have also lacked any comprehensive federal law governing the protection of consumer data. Whereas the European Union adopted the General Data Protection Regulation (GDPR) in 2016 (in force since 2018), and several other countries around the world have enacted similar laws in recent years, the U.S. continues to rely on a patchwork of state laws and industry-specific standards. Inconsistent standards around consumer data privacy and protection lead to gaps and poor security practices that leave consumers vulnerable to data breaches and identity theft. This may finally change in 2021. Last year the U.S. Senate introduced several data privacy bills, including the Data Protection Act of 2020, which would establish a federal data protection agency and levy fines on businesses that do not adequately protect their customers' data. The bill languished under the previous administration, but I expect that we will see it, along with other privacy and data protection-related bills, revisited this year, packaged and passed.
Some security professionals may be working at organizations that already comply with the GDPR and/or the California Consumer Privacy Act (CCPA). If so, you will likely be well positioned for any new consumer privacy and data protection laws that may be coming, as they will likely be similarly structured. Those that do not currently need to comply with the GDPR or the CCPA should begin establishing the same processes and frameworks in their organizations: a data inventory, a lawful basis and retention period for each category of personal data, consumer access and deletion workflows, and a tested breach notification procedure. You can also look to the recent California Privacy Rights Act (CPRA) and New York's Stop Hacks and Improve Electronic Data Security (SHIELD) Act as examples of what to expect as you plan your data protection strategies.
These are just a few of the many new and updated regulations, standards and proposed pieces of legislation that will sweep over the financial services industry and other sectors. Rather than be caught off guard and left to play catch-up, security and IT professionals should begin planning now. Evaluate and implement new technologies that strengthen security around digital identities, consumer data, user authentication and fraud detection. Look to established best practices and frameworks as you develop new processes or digitize services for the first time. And finally, invest in employee training on data security, risk and compliance. Taking these steps now will not only put you a step ahead when it comes to compliance with the coming regulations, but will also help you better protect your organization, customers and sensitive information in this new digital economy.
This article, written by Michael Magrath, Director of Global Regulations and Standards at OneSpan, was first published in Security Magazine on March 30, 2021.