Global Regulatory Update: Transformative Trends Driving Digital Financial Services
The year 2020 will be forever remembered for the coronavirus pandemic that affected millions of lives around the globe. The global health crisis has strained healthcare systems and medical professionals globally and its impact on just about every industry has forced organizations to alter their operations.
The pandemic has also driven governments around the world to enact laws, policies and regulations that enable business to be conducted digitally and remotely. While the pandemic prioritized the move to digital services, the reality is the industry has been migrating to digital for some time. But the pandemic exposed shortcomings in security and technical infrastructure, particularly in jurisdictions and financial institutions (FIs) that have been lagging in their migration to digital.
The impact of COVID-19 on the digitization of financial services is one of the overarching themes of our inaugural OneSpan Global Financial Regulations Report. This new report is concentrated on regulatory developments and recently enacted laws that FIs must comply with to conduct business in the digital economy. It spans digital identity, fraud prevention, data protection, digital payments security, open banking, anti-money laundering (AML), electronic signatures, and remote online notarization.
Our goal here is to inform you of important regulatory changes impacting the financial services industry. Get the full update in our inaugural annual report or read on for the highlights.
Around the world, cybersecurity remains a top focus at a time when organized crime rings are looking to capitalize on the pandemic, the shift to remote work, and the general fear and economic uncertainty. We saw financial services regulation activity across all regions, among governments at all levels on the maturity scale. Some, such as in Bosnia and Herzegovina, took steps to establish a framework for responding to serious cybersecurity threats. But even among those with greater maturity in this area, cybersecurity risk management remains top of mind. At the fourth meeting of the Euro Cyber Resilience Board on 27 February 2020, for example, the ECB announced the launch of a new cybersecurity initiative to facilitate the sharing of cybersecurity threat information between government financial entities. The creation of the initiative will also increase cybersecurity threat awareness and help prevent cyberattacks.
Data Privacy and Data Protection
In 2020, data privacy and data protection surfaced as a top concern for financial regulators. Circling the globe from Nigeria to Singapore to the United States, there are more than 300 references to data privacy or data protection in our report. To cite just a few examples: Singapore issued a consultation to amend the 2012 Personal Data Protection Law; Japan’s National Diet passed an amendment to the Act on the Protection of Personal Information (APPI); and Brazil’s new data privacy law, the LGPD (Lei Geral de Proteção de Dados Pessoais) took effect September 16, 2020. That law is modelled after the European Union’s General Data Protection Regulation (GDPR).
African nations have also been heavily focused on data privacy and data protection. Nigeria published the Data Protection Regulation Implementation Framework in 2019 to help entities comply with the NDPR. Kenya passed the Data Protection Act in 2019, which regulates how and when personal data can be obtained, handled, and disposed of. In May, the Moroccan Data Protection Authority Deliberation took effect. And South Africa’s Protection of Personal Information Act will go into full effect in June 2021.
In the United States, the National Institute of Standards and Technology (NIST) published its privacy framework. At the same time, the much-heralded California Consumer Privacy Act (CCPA) took effect, impacting virtually every FI in the state. Just two months later, the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) took effect. It includes breach notification provisions, requires reasonable data security, establishes standards, and more. As recently as November 3, 2020, voters overwhelmingly approved the California Privacy Rights Act of 2020 (CPRA), which will replace the CCPA and introduces stronger privacy provisions.
Open banking in Australia is making slow but steady progress toward becoming a reality for consumers. In February, the Australian Competition and Consumer Commission (ACCC) published the final rules for competition and consumer data rights and the open banking initiative applicable to consumers seeking financial services. A phased roll-out of the rules under a national open banking initiative began with the Big Four banks on July 1.
In March, Mexico’s central bank published the first set of rules for open banking in accordance with its Fintech Law. The initial rules integrate credit bureaus and clearing houses into the open banking framework. Rules applying to banks and other FIs are expected in Q1 2021. Brazil will roll out open banking over four phases, beginning in November.
Open banking in the US has been on and off over the past two years. In October 2020, the CFPB issued an Advance Notice of Proposed Rulemaking on consumer-authorized access to financial data. This could be the catalyst for open banking.
To ease digital business in light of the coronavirus lockdowns and stay-at-home mandates, several governments further enabled the use of e-signatures. For example, this technology has already seen widespread adoption in financial services, insurance, government, and other sectors across Canada. One new development this year, however, was the use of e-signatures to sign wills. The passage of British Columbia’s Bill 21, amending the Wills, Estates and Succession Act, SBC 2009, c 13, made BC the first Canadian jurisdiction to formally recognize electronic wills signed with e-signature technology.
COVID-19 prompted a number of similar regulatory and legislative activities in Australia. Among them, the Australian government permitted corporate contracts to be executed using e-signatures. This ruling was extended through March 21, 2021. Australia also announced plans to amend The Corporations Act 2001 and other relevant legislation and regulations to allow for the use of e-signature when executing legal documents and to enable witnessing of official documents via videoconferencing or other secure means.
We saw measures encouraging the use of electronic and digital signatures in other areas of the world as well. For example, Kenya passed the Business Laws Amendment. This law introduced several significant changes to existing laws to improve the ease of doing business. The law highlights the use of e-signatures and advanced electronic signatures, which have been permitted for some time but with lackluster adoption. Similarly, amendments to South Korea’s Digital Signature Act became effective. Changes in the act remove certain requirements for certificates for digital signatures, to remove barriers to entry for consumers.
Digital Identity, e-KYC, and Remote Onboarding
Remote onboarding using digital identity verification as part of digital account opening was, without a doubt, one of the most visible impacts of the pandemic on the regulatory world this year. Remote onboarding and digital account opening had already been gaining traction in financial services over the past few years following legislation such as the MOBILE Act in the US, but 2020 marked a turning point.
One of the most significant publications of the year came from the global money laundering and terrorist financing watchdog, the Financial Action Task Force (FATF). In March 2020, the FATF published its Guidance on Digital Identity. Although the timing of its release coincided with the onset of the pandemic, in truth the FATF’s guidance was developed over a span of two years, driven by the rapid growth in digital payments and the need to know who is really transacting. Included in the guidance are details on the best way to apply customer due diligence to digital ID systems for remote identity verification during onboarding as well as authentication for financial transactions.
While our report contains many references to regulatory activity around digital identities, e-KYC, and remote onboarding, we’ve pulled just a few examples here to highlight the global nature of this trend. For example, in Asia Pacific, the Hong Kong Monetary Authority (HKMA) published a circular outlining remote onboarding for individual customers based on feedback from banks and fintech firms. The circular sets out regulatory expectations and best practices for remote onboarding. Also noteworthy, Hong Kong’s Insurance Authority extended temporary Phase 2 measures to “obviate the need to conduct face-to-face meetings in order to minimize the risk of infection” during the sale of insurance policies. The measures have been extended to December 31, 2020. And the Monetary Authority of Singapore (MAS) encouraged FIs to actively promote the use of [non-face-to-face] digital options and provide customers suitable guidance on how to use them, specifically for remote identity verification.
Similarly, as part of e-KYC and remote customer onboarding, the Reserve Bank of India approved remote video-based authentication through Aadhaar. The Video Customer Identification Process (V-CIP) is a video chat session option that lets the customer show identity documents that are checked against the issuing authority’s database. And following the FATF’s Digital Identity Guidance and an ensuing survey to regional stakeholders, in April the Arab Monetary Fund (AMF) issued new guidelines for Electronic Know Your Customer (e-KYC). This permits remote or non-face-to-face onboarding of new banking customers.
In July 2020, the European Commission released an impact assessment for public comment with plans to extend the regulation to the private sector and promote trusted identities for all Europeans. The impact assessment contains a roadmap with different options for the update. One option would introduce a European digital identity scheme for EU citizens to use for both public and private sector online services. In mid-September, the President of the European Commission proposed a new European e-identity during her State of the Union address. This will not happen overnight as member states will need to support the initiative and allocate funding and resources, but the European e-identity would affect all industries throughout the EU.
In the United Kingdom, the country’s Financial Conduct Authority issued guidance on digital identity verification permitting retail financial firms to accept scanned documentation and selfie match photos to verify identities. Over the summer, the UK government launched a document checking service pilot. Participating private sector firms can digitally check an individual’s passport data against the government database to verify their identity and help prevent crime. The pilot will run through July 31, 2021.
In the coming months and years, we will continue to see more changes. More data privacy and data protection laws will be enacted throughout the world and each will bring unique regulatory requirements for financial service providers, insurers, and other organizations. Additionally, we expect open banking will become the norm throughout the industrialized world, as will e-KYC and remote customer onboarding.
For further insights and updates, download our Global Financial Regulations Report. We welcome your feedback on how we can improve on this valuable resource.