How Regulatory Changes Will Affect Financial Services in 2020

Michael Magrath, February 11, 2020

What’s next for corporate compliance officers as they navigate balancing regulatory changes, technological advancement, digital fraud and higher customer experience expectations? OneSpan’s Michael Magrath shares his top corporate compliance predictions for the financial services industry in 2020.

The regulatory landscape is always changing. In perhaps no industry is that more evident than in financial services. Every new year brings a new set of regulations, challenges and changes.

In 2019 we saw the first examples of organizations receiving large fines for data privacy and security breaches under the European Union’s General Data Protection Regulation (GDPR). Last year also brought the concept of open banking to Europe, with the Payment Services Directive (PSD2) taking effect.

With these regulatory changes, coupled with the rapid pace of technological advancement happening in the industry, the growing challenge of fighting fraud in digital channels and ever-higher customer experience expectations, it becomes clear that financial institutions have their work cut out for them.

Organizations are continually being challenged with keeping up, and corporate compliance officers are left asking “What’s next?” With that in mind, I’d like to share three of my top corporate compliance predictions for the financial services industry in 2020:

1. The CCPA will spark a federal consumer privacy policy and data protection law in the U.S.

The CCPA took effect January 1 and has caught the attention of policymakers in the other 49 states and the U.S. Congress; as a result, it has been the catalyst for additional data privacy and security bills at the state level. For example, Washington State reintroduced its Washington Privacy Act on January 13. If signed into law, it would go into effect July 31, 2021. Additionally, New Hampshire and Illinois introduced their own consumer privacy bills in January. It’s only a matter of time before additional states follow in the footsteps of California and pass their own consumer privacy policy and data protection laws.

As one can imagine, however, if one-off, state-level bills continue to be introduced, having 50 state consumer privacy laws on the books will create a compliance nightmare for financial services organizations of all sizes. There needs to be a comprehensive consumer privacy and data protection law at the federal level in the U.S. to address the compliance issues. The legislation should also incorporate minimum security requirements for organizations to deploy to protect consumer data.

There have already been several data privacy-related bills introduced in Congress including the “Consumer Online Privacy Rights Act,” introduced in November 2019. It would be surprising if the Act becomes federal law in 2020, but it should generate some interesting debates, and lawmakers can expect pressure from the business community, especially after the CCPA’s enforcement begins in July.

2. Continued moves toward open banking in the U.S. will also spur new regulatory requirements for stronger security.

As it stands now, Open Banking is “on hold” in the U.S. due to an October 2019 federal court ruling in favor of the New York State Department of Financial Services (NYDFS) against the U.S. Office of the Comptroller of the Currency (OCC).

In 2018, the OCC announced that fintech providers could apply for special banking charters, which drew the ire of the banking industry, concerned about an unequal regulatory playing field. Under the proposed charter, licensed fintech providers would have been able to perform certain banking activities, such as issuing loans. However, the judge ruled that the OCC may not accept applications for its “fintech bank charter.”

Still, there is a strong push by interested parties in the U.S. to move toward open banking, much like we’ve seen in Europe.

On December 19, 2019, the OCC filed an appeal in the 2nd Circuit Court of Appeals. Should the OCC win its appeal, open banking may yet be realized in the U.S., and fintech companies will quickly move in to provide banking services, much to the dismay of traditional financial institutions. If that happens, the U.S. Department of the Treasury should follow the lead of the European Banking Authority to define regulatory technical standards and require strong customer authentication.

Security and trust are paramount for the financial system and a steadfast requirement for maintaining consumer confidence. In order to uphold that confidence, regulatory requirements will need to include multi-factor authentication, dynamic linking (which counters man-in-the-middle attacks by preventing alteration of a transaction after the payer has authenticated it) and transaction risk analysis.
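To make the dynamic-linking point concrete, here is an added example (not code from the original article or from OneSpan) showing how an authentication code bound to the amount and payee fails verification once either field is altered in transit. The device key, IBANs, nonce and 8-digit truncation are constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed example: a 32-byte secret provisioned to the payer's authenticator
# at enrolment and held by the bank. Real deployments derive this per device.
DEVICE_KEY = b"\x01" * 32


def canonical_transaction(amount_cents: int, currency: str, payee_iban: str, nonce: str) -> bytes:
    """Fixed field order and separator so bank and authenticator hash identical bytes."""
    return f"{amount_cents}|{currency}|{payee_iban}|{nonce}".encode("utf-8")


def generate_auth_code(key: bytes, amount_cents: int, currency: str, payee_iban: str, nonce: str) -> str:
    """Authentication code bound to the exact amount and payee the payer approved.

    Truncation to 8 decimal digits is a constructed choice for a user-typable code;
    standards such as OCRA (RFC 6287) define their own truncation rules.
    """
    msg = canonical_transaction(amount_cents, currency, payee_iban, nonce)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def verify_auth_code(key: bytes, amount_cents: int, currency: str, payee_iban: str, nonce: str, code: str) -> bool:
    """Bank-side check: recompute over the fields actually submitted, compare in constant time."""
    expected = generate_auth_code(key, amount_cents, currency, payee_iban, nonce)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Payer approves 125.00 EUR to a constructed sample IBAN; the payee is rewritten in transit."""
    nonce = secrets.token_hex(8)  # per-transaction challenge from the bank; blocks replay of an old code
    approved = dict(amount_cents=12500, currency="EUR", payee_iban="DE89370400440532013000")
    code = generate_auth_code(DEVICE_KEY, nonce=nonce, **approved)
    tampered = dict(approved, payee_iban="GB29NWBK60161331926819")  # constructed substitute account
    return {
        "honest": verify_auth_code(DEVICE_KEY, nonce=nonce, code=code, **approved),     # True
        "tampered": verify_auth_code(DEVICE_KEY, nonce=nonce, code=code, **tampered),  # False
    }


if __name__ == "__main__":
    print(demo())
```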

3. FTC changes will drive banks to adopt stronger identity verification, authentication and transaction risk analysis technologies.

In 2011, the Federal Trade Commission (FTC) began enforcing its Fair and Accurate Credit Transactions Act of 2003 (FACT Act) Red Flags Rule. The Red Flags Rule requires that financial institutions take appropriate measures to “detect, prevent and mitigate” signs of identity theft affecting their customers. This year, the FTC is expected to recommend potential changes; what those changes will be remains to be seen, but I predict that they will include requirements for strong identity verification, authentication and transaction risk analysis.

With so many large-scale breaches spanning multiple vertical markets, millions of consumers have been victimized in one or more of them, leaving their personally identifiable information (PII) exposed and for sale on the dark web. In February 2019, state attorneys general from 31 states signed a letter to the FTC noting that “with information gleaned from data breaches or publicly available on social media sites, identity thieves can be better than consumers at answering knowledge-based authentication questions, because they have the data in front of them, whereas consumers need to try to recollect events that happened years prior. Thus, even if a person can provide some authenticating information, identity thieves may not be sufficiently screened from opening or accessing an account.” The letter calls for financial institutions to adopt more modern forms of authentication, such as multi-factor authentication.

Separately, in March 2019, the FTC issued proposed changes to the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act that require financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. Under the Safeguards Rule, financial institutions (FIs) must have measures in place to keep customer information secure and take steps to ensure that their affiliates and service providers safeguard customer information in their care. The Privacy Rule requires an FI to inform customers about its information-sharing practices and allow customers to opt out of having their information shared with certain third parties.

The proposed changes to the Safeguards Rule and the Privacy Rule generally would require all financial institutions to encrypt all customer data, to implement access controls to prevent unauthorized users from accessing customer information and to use multi-factor authentication to access customer data. As the proposed rules are modelled after New York’s Department of Financial Services (NYDFS) Cybersecurity Regulations, however, the reality is that not every financial institution in the U.S. would be subject to the regulations. But every financial institution in the U.S. is governed by the FTC, meaning that the FTC’s proposed regulations and changes to the Identity Theft Red Flags Rule will eliminate, by my prediction, any and all gaps.

Additionally, the Financial Action Task Force is working to publish its Guidance on Digital Identity this year, which will further drive banks to adopt stronger identity verification and authentication. The guidance explains how digital identity systems can be used for customer due diligence (CDD), a key component of the anti-money laundering and counter-terrorist financing (AML/CFT) controls that nations around the world require. The guidance also covers electronic document verification, to ensure that an identity document is valid, and promotes the use of two-factor authentication.

2020: The Year of Change

The regulatory landscape is always evolving, particularly in heavily regulated industries like financial services. While federal legislation likely won’t be implemented this year, we will see more legislation at the state level, which will ultimately bring us closer to a federal consumer data privacy law.

Fortunately, the regulatory changes that I believe we’ll see happen in 2020 will benefit us all by encouraging financial institutions to strengthen data security and privacy and adopt stronger, more secure methods for identity verification, authentication and risk analysis. These changes will ultimately help protect consumers and the financial institutions themselves from unwanted fraud and data breaches.


This article was originally published on CorporateComplianceInsights.com on February 10, 2020.

Michael Magrath is responsible for aligning OneSpan’s solution roadmap with standards and regulatory requirements globally. He is Co-Chair of the FIDO Alliance’s Government Deployment Working Group and is on the Board of Directors of the Electronic Signature and Records Association (ESRA).