Top Banking Regulations & Security Compliance Requirements
In 2020, the coronavirus pandemic drove regulators and policymakers around the world to rapidly enact new or modify existing laws, policies, and regulations to enable commerce to continue securely amid social distancing measures. Although the pandemic greatly impacted the regulatory landscape and many of the new regulations for this year stem from that event, legislation unrelated to the pandemic was also enacted.
Below, we’ve compiled some of the key global regulations, laws, and standards that will impact FIs and the banking industry.
Table of Contents:
- 2021 Regulatory Updates
- 2020 Regulatory Updates
Top 2021 Security Regulations for the Financial Industry
In December 2019, Colombia's financial regulator, the Superintendencia Financiera de Colombia (SFC), issued a circular to strengthen the use of digital channels for the provision of financial services while promoting the adoption of technologies to better provide financial services to consumers. Those technologies include biometric authentication, blockchain, artificial intelligence, augmented reality, and more. The SFC provided an 18-month grace period for compliance, and financial institutions have until June 2021 to fully comply with the new security standards.
The SFC is mandating the use of strong authentication for remote, non-face-to-face transactions and payments.
Two or more authentication factors will be required when using one-time passcodes (OTP), biometrics, digital certificates, and EMV card payments.
FIs will need to apply strong authentication mechanisms based on a documented risk analysis of each customer, identifying those that may generate greater exposure to the risk of fraud or impersonation. The analysis must factor in account aspects such as the client's transactional profile, number of transactions, peso amount, type of product, channel, etc.
Additionally, strong authentication will be required when:
- Updating customer data used for the notification of monetary operations or the generation of email or cell phone alerts
- Making credit and debit transactions outside of Colombia
The circular also covers:
- The type of cloud services available, the type of information collected for processing, and the security controls for data protection in “virtualized environments” or cloud applications
- Data portability: standards for the exchange of information when carrying out monetary operations, such as electronic transactions
On February 18, the Reserve Bank of India (RBI) published a circular, Digital Payment Security Controls, requiring regulated entities (REs) to establish a governance structure for digital payment products and services while implementing minimum IT security standards. Regulated entities include depository institutions and other financial organizations:
- Scheduled commercial banks (excluding regional rural banks)
- Small finance banks
- Payments banks
- Credit card issuing non-bank financial companies (NBFCs)
It includes governance and management of security risks, security controls, authentication, fraud risk management, customer protection, internet banking, mobile payments application security controls, and card payments security standards and reconciliation.
A key section is the Authentication Framework. RBI notes that, “In view of the proliferation of cyber-attacks and their potential consequences, REs should implement, except where explicitly permitted / relaxed, multi-factor authentication (MFA) for payments through electronic modes and fund transfers, including cash withdrawals from ATMs / micro-ATMs / business correspondents, through digital payment applications. At least one of the authentication methodologies should be generally dynamic or non-replicable, e.g., use of one time password, mobile devices (device binding and SIM), biometric / PKI / hardware tokens, EMV chip card (for Card Present Transactions) with server-side verification could be termed either in dynamic or non-replicable methodologies.”
Depending on the risk profile and user behavior, REs may also deploy adaptive authentication after completing a risk assessment.
The security control requirements will go into force in August.
Peru’s financial regulator, the Superintendencia de Banca, Seguros y AFP (SBS Perú) published Resolución SBS Nº 504-2021 in February defining cybersecurity rules for the financial services sector.
FIs are required to implement a cybersecurity program, which includes procedures and operations. There is also a heavy focus on strengthening authentication across digital channels, including those that “involve payments or transfer of funds to third parties, registration of a trusted beneficiary, modifications to contracted savings / investment insurance products, the contracting of a product or service, modification of limits and condition.”
Similar to other jurisdictions, SBS is also tasking FIs with shoring up the security practices of third-party providers. The provisions will enter into force on July 1, 2021, except for the authentication requirements, which have a deadline of July 1, 2022. Companies must present an adaptation plan within 60 calendar days of April 19, 2021.
On January 12, 2021, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) published a Notice of Proposed Rulemaking. The notice is titled Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers.
The rule proposed in the notice stipulates that banks must notify the OCC as soon as possible and no later than 36 hours after the bank believes in good faith that a cyber “notification incident” has occurred.
Banks may notify the OCC in any form, either written or oral, including through technological means, to a designated point of contact at the OCC.
The proposal would also require a bank service provider to notify at least two individuals at each affected bank after the provider experiences a computer-security incident that it believes, in good faith, could disrupt, degrade, or impair services for four or more hours. This rule is still subject to the Bank Service Company Act.
At the time of this writing, the proposed rule is open for public comments. The deadline for comments is April 12, 2021.
Anti-Money Laundering and Counter-Terrorism Financing Regulations
With Bitcoin’s value having passed the US$60,000 threshold globally, regulators have been tightening the crypto asset landscape. At its February 2021 plenary meeting, the Financial Action Task Force (FATF) announced that it will release an update to the FATF guidance for virtual assets and virtual asset service providers (VASPs) for public consultation.
The FATF defines a VASP as a business that conducts one or more of the following actions on behalf of its clients:
- exchange between virtual assets and fiat currencies;
- exchange between one or more forms of virtual assets;
- transfer of virtual assets;
- safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and
- participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.
Examples of VASPs include cryptocurrency exchanges, wallet custodians, hedge funds, and applicable ATM operators.
FATF published its initial guidance in 2019, which recommended that VASPs implement the same anti-money laundering and counterterrorism financing (AML / CTF) requirements as traditional financial institutions: they are to be regulated, licensed, and registered, and subject to effective systems for monitoring and supervision.
According to the FATF, it will “publish the public consultation draft in March. The FATF expects to approve the guidance in June 2021, and the feedback from the consultation will inform the final approved guidance. Included in the draft will be how to apply FATF’s guidance to stablecoins, addressing risks of peer-to-peer transactions, and the implementation of data sharing requirements, known as the ‘Travel Rule’.”
Following the release of the final guidance, expect several global regulators to revise their regulations to conform to the FATF by the end of 2021.
European Union’s Sixth Anti-Money Laundering Directive (6AMLD)
The sixth directive and its predecessors are intended to combat money laundering and terrorist financing while creating a regulatory environment across the EU.
The European Parliament issued 6AMLD in October 2018 with a deadline of December 3, 2020 for EU member states to transpose the directive into national law. Member states must implement the new regulations by June 3, 2021.
The 6AMLD includes numerous provisions, such as developing a harmonized definition of 22 money laundering offenses to be used throughout the bloc. It also expands criminal liability beyond the individuals who commit crimes to those who attempt and incite money laundering and/or aid and abet money laundering. It also expands criminal liability to “legal persons” which includes not only individuals, but also partnerships and corporations.
Although punishments are still viewed as far too light, the 6AMLD extends the maximum from one year to four years of imprisonment.
In Russia, a law on “digital financial assets” was signed into law on July 30, 2020 and took effect January 1, 2021. It introduces a legal definition for digital currencies, which covers cryptocurrencies, and sets out procedures for issuing, circulating, and recording their transfers. These changes to digital assets follow amendments to the law “on the national payment system.” Russians must now provide identification or simplified identification, which includes a person’s full name, to deposit funds with an electronic money operator, and can only do so using a bank account.
The US National Defense Authorization Act (NDAA) for Fiscal Year 2021 was enacted on January 1, 2021. Although the NDAA’s primary purpose is to authorize a pay increase for service members and provide funding to the military infrastructure, tucked into the legislation is the Anti-Money Laundering Act of 2020 and the Corporate Transparency Act (CTA). These two regulations impose sweeping changes to federal anti-money laundering (AML) laws.
The CTA is intended to combat the use of shell companies established for illegal activities, often including money laundering, tax avoidance, or tax evasion, while providing anonymity to the true owners.
US-based FIs are required to collect beneficial owner information from legal entities, typically business customers. The law adds new beneficial ownership reporting requirements for FIs on a wide range of business entity classes, such as corporations and limited liability companies (LLCs). A beneficial owner is defined as an individual who owns or controls 25% or more of an entity or exercises substantial control over an entity. Substantial control is expected to be defined in the forthcoming regulations.
The law also adds new enforcement tools and resources, and requires FinCEN to publish regulations on beneficial ownership disclosures within one year of its enactment.
FinCEN is also tasked to create a non-public registry designed to track the beneficial owners of reporting companies. The registry may be shared with law enforcement and FIs conducting due diligence under certain circumstances.
Countries are modernizing their instant payment systems. In Brazil, PIX was launched in October 2020, and the US is scheduled to launch its FedNow Service in 2023.
In its 2019 annual report published May 28, 2020, the Bank of Canada announced plans to replace its two instant payment systems, the Large Value Transfer System (LVTS) and the Automated Clearing and Settlement System (ACSS). The LVTS will be replaced in the second quarter of 2021 by a new high-value payment system called Lynx, and a new instant payments system will be launched in 2022 called Real-Time Rail (RTR).
Payments Canada, the instant payments operator for Canada, detailed plans for all three systems in its Corporate Plan for 2020-2024. The ACSS will be replaced by a new instant payment infrastructure for retail payments between individuals and businesses, but system planning and design will not begin until sometime this year.
The strong customer authentication (SCA) requirements in the second Payment Services Directive (PSD2), originally slated to take effect in September 2019, were granted an extension by the Financial Conduct Authority (FCA) to allow additional time for merchants to prepare. The FCA will begin to enforce SCA on September 14, 2021.
Electronic Signature Regulations
In May 2020, the Australian government permitted the use of electronic documents and e-signatures to execute corporate contracts. This ruling has since been extended through March 21, 2021. In addition, Australia announced plans to amend The Corporations Act 2001 as well as other related legislation and regulations to expand acceptable uses of e-signatures. The amendments would allow for the use of electronic signature when executing legal documents and enable witnessing of official documents via videoconferencing or other secure technological means.
A benefit to all industries and not limited to financial services, in December 2020, the US Securities and Exchange Commission (SEC) amended Regulation S-T and the Electronic Data Gathering, Analysis, and Retrieval system (EDGAR) Filer Manual. The amendment permits electronic signatures to be used for filings on EDGAR that must be signed and has also made related revisions to various rules and forms under the Securities Act of 1933, the Securities Exchange Act of 1934, and the Investment Company Act of 1940.
Before the change, Title 17, section 232.302(b) (Rule 302(b)) required that each signatory to an electronic filing manually sign a signature page or other document before or at the time of the electronic filing to authenticate, acknowledge, or otherwise adopt the signature that appears in typed form within the electronic filing.
According to the change, the signing process must incorporate a security procedure that requires the authentication of a signatory's individual identity through a physical, logical, or digital credential, and the signing process must reasonably provide for the non-repudiation of the electronic signature.
Visit OneSpan’s eSignature Legality Guide for detailed overviews of laws, regulations and noted exceptions for several countries.
Data Privacy and Data Protection Regulations
Draft legislation called the Digital Charter Implementation Act (Bill C-11) was introduced in 2020. The bill is designed to modernize Canada’s data privacy laws. The comprehensive bill includes two parts:
- Part 1 amends the Personal Information Protection and Electronic Documents Act (PIPEDA) and will rename it the Consumer Privacy Protection Act.
- Part 2 establishes a specialized privacy and data protection tribunal through the Personal Information and Data Protection Tribunal Act. The tribunal would hear recommendations and appeals from decisions of the Privacy Commissioner of Canada.
Although the government tabled the bill on November 17, 2020, this legislation is well worth watching. If passed, the likelihood of any of the provisions taking effect in 2021 is minimal; however, all organizations in Canada should begin to prepare to comply.
In New Zealand, amendments to the Privacy Act 1993 were passed in June 2020 and took effect on December 1, 2020. Unlike other jurisdictions that are modeling their laws after the EU’s General Data Protection Regulation (GDPR), the new law is lightweight by comparison. The amended law applies to all companies that do business in New Zealand, no matter where they are based.
The law includes new breach notification requirements, cross-border data requirements, and fines. It also expands the regulatory and enforcement powers of the Privacy Office.
Breaches subject to notification are those that present a likely risk of harm, such as the release of sensitive personal information. The law also affects cross-border data transfers: unless an individual has authorized disclosure outside of New Zealand, the company will need to ensure that the person’s information will be protected before transferring it offshore.
In November 2020, Singapore’s Parliament passed amendments to the Personal Data Protection Act (PDPA), which began to take effect in phases beginning February 1, 2021. The amendments enhance consumer protection and strengthen the accountability of organizations.
Key changes include:
- New mandatory data breach notification
- Penalties for new offenses should personal data be mishandled
- Increased financial penalty cap for breaches
- Additional rules on telemarketing and spam control
Amendments that took effect February 1, 2021 include:
- Mandatory breach notification – for breaches that could cause significant harm or affect 500 or more people
- Unsolicited messages and spamming – this applies to phone calls, texts, and instant messaging
- Third-party providers contracted by public sector agencies – they are no longer excluded from enforcement should personal data be mishandled during its collection, use, or disclosure
- New rules – for data use and innovation
- Accountability – organizations are accountable for personal data in their possession or under their control
Amendments to take effect in future phases include data portability and increased financial penalties, which are currently capped at S$1 million (approximately US$742,500). For organizations with annual revenues in Singapore of more than S$10 million, the new maximum financial penalty will be 10% of annual revenues or S$1 million, whichever is higher. For organizations with annual revenues of less than S$10 million, the new maximum financial penalty will be S$1 million.
The Protection of Personal Information Act 2013 (POPIA) took effect in July 2020 with the South African Reserve Bank (SARB) having encouraged FIs to proactively comply with the POPIA regulations. SARB will begin full enforcement of Sections 110 and 114(4) on June 30, 2021. These sections deal with the amendment of laws and the transfer of functions from the South African Human Rights Commission to the Information Regulator regarding the Promotion of Access to Information Act (PAIA).
Modeled after the European Union’s General Data Protection Regulation (GDPR), California has two laws, the California Consumer Privacy Act (CCPA) and its replacement, the California Privacy Rights Act (CPRA), which will go into effect on January 1, 2023 with full enforcement beginning on July 1, 2023.
The CPRA becomes enforceable on Jan. 1, 2023. However, it includes a 12-month lookback for access requests. This means that a company should spend 2021 defining and implementing retention protocols to meet the CPRA’s access request provisions by Jan. 1, 2022.
Virginia became the second state to pass comprehensive data protection legislation by enacting the Consumer Data Protection Act (CDPA) on March 2, 2021. The CDPA will take effect on January 1, 2023. The CDPA will establish a legal framework for collecting, controlling, and processing personal data. The good news for FIs is that those subject to compliance with the Gramm-Leach-Bliley Act (GLBA) are exempt.
The Australian Competition and Consumer Commission (ACCC) began a phased rollout of the rules under a national Open Banking initiative in 2020.
The rules officially went into force on August 5, 2020, and the data standards under the law went into force in November 2020. All banks in the country have until July 2021 to comply with the mandatory consumer data-sharing obligations under the new rules.
In May 2020, the Central Bank of Brazil (BCB) published regulations for Open Banking in the country by allowing sharing of personal data between financial institutions and by integrating existing financial institutions’ API systems. Brazil is in the process of rolling out Open Banking over four phases to enable access across channels, products, and services.
- November 2020: enable access channels, products, and services
- May 2021: customer data-sharing
- August 2021: payment transaction initiation sharing
- October 2021: sharing of all other services and information
- The Advisory Committee on Open Banking, assembled by the Minister of Finance in 2018, was tasked with delivering a report “assessing the potential merits of Open Banking for Canada, with the highest regard for consumer privacy, security and financial stability.”
- One outcome of the January 2020 report was the coining of the name “consumer-directed finance” (CDF) in place of Open Banking. Canada launched the second phase of its consumer-directed finance consultation last year with a focus on data security. The Advisory Committee kicked off Phase 2 by holding a series of virtual stakeholder meetings last fall. Phase 2 is focused on how Canadian financial regulators and FIs can enhance data protection and mitigate privacy risks. It is unlikely that CDF will launch in 2021, but FIs are closely watching this space.
In March 2020, Mexico’s central bank published the first set of rules for Open Banking in accordance with its Fintech Law. The initial rules integrate credit bureaus and clearing houses into the Open Banking framework. In June 2020, the central bank published rules on open data APIs and during the first quarter of 2021 secondary regulations on transactional data are expected.
In February, the Central Bank of Nigeria released the Regulatory Framework for Open Banking. The Framework applies to banking and other related services. Those services include:
- Payments and remittance services
- Collection and disbursement services
- Personal finance advisory and management
- Credit ratings/scoring
- Leasing/hire purchase
The US Consumer Financial Protection Bureau plans to issue an advance notice of proposed rulemaking (ANPR) later in 2021 regarding consumer-authorized access to financial records. This rulemaking is expected to impact both traditional financial service firms and FinTechs, and it follows the concept of Open Banking. The ANPR will seek a range of information, including the scope of data that could potentially be subject to protected access. In addition, it could cover other terms of access, such as security, privacy, effective consumer control over access and accessed data, and accountability for data errors and unauthorized access.
Top 2020 Security Regulations for the Financial Industry
PSD2: Payment Services Directive 2
Although the open banking requirements went into effect on 14 September 2019, in October 2019 the European Banking Authority (EBA) published a revised deadline for compliance with the Regulatory Technical Standards (RTS) on strong customer authentication (SCA) and secure communication under PSD2. The new deadline is 31 December 2020. While most competent authorities have followed the lead of the EBA, the UK’s Financial Conduct Authority (FCA) will not enforce SCA until 14 March 2021. The Bank of France conformed to the EBA’s 31 December deadline, but it added a 3-month grace period on a case-by-case basis.
PSD2 criteria include:
- Strong Customer Authentication: Authentication must be based on two or more factors, including passwords or PIN, tokens or mobile devices, or biometrics.
- Transaction Risk Analysis: PSD2 mandates the use of transaction risk analysis to deter fraudulent payments.
- Dynamic Linking: The authentication code must be dynamically linked to both the payee and amount in payment transactions.
- Mobile App Security: Payment service providers must adopt security measures to mitigate the risk resulting from compromised mobile devices. PSD2 also mandates the use of dedicated mobile app cloning counter-measures in applications, also known as replication protection.
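The dynamic linking requirement above is easier to reason about in code. The following is an added illustration, not code from the original page or from any PSD2 implementation: an authentication code is computed with HMAC-SHA256 over the payee, the amount and a single-use challenge, so any change to payee or amount after the user approved the transaction invalidates the code. The key, the `PaymentOrder` fields, the HOTP-style truncation and the sample payee identifier are all assumptions made for the example.

```python
"""PSD2-style dynamic linking: an authentication code bound to payee and amount.

Added illustration only. Assumes a secret key shared between the user's
authenticator (e.g. a provisioned mobile app) and the bank's back end.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class PaymentOrder:
    payee: str          # beneficiary account identifier (constructed value below)
    amount_cents: int   # amount in minor units, avoiding float rounding issues
    currency: str
    challenge: str      # single-use value issued by the bank for this transaction


def canonical(order: PaymentOrder) -> bytes:
    """Unambiguous byte encoding of the transaction details.

    Each field is length-prefixed so that moving characters between fields
    (e.g. payee "12"/amount "345" vs payee "123"/amount "45") never yields
    the same bytes, and therefore never the same code.
    """
    fields = (order.payee, str(order.amount_cents), order.currency, order.challenge)
    return b"".join(len(f).to_bytes(2, "big") + f.encode("utf-8") for f in fields)


def authentication_code(key: bytes, order: PaymentOrder, digits: int = 8) -> str:
    """Compute the authentication code that is dynamically linked to the order.

    HMAC-SHA256 over the canonical order is truncated the way RFC 4226 HOTP
    truncates, so the result is short enough for a user to read off an
    authenticator that shows the payee and amount next to the code.
    """
    mac = hmac.new(key, canonical(order), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class DynamicLinkVerifier:
    """Bank-side verification.

    The presented code must match the exact payee and amount that will be
    executed, and each challenge may be consumed once, which stops a valid
    code from being replayed for a second payment.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._used_challenges = set()

    def verify(self, order: PaymentOrder, presented_code: str) -> bool:
        if order.challenge in self._used_challenges:
            return False                      # replay of an already-used challenge
        expected = authentication_code(self._key, order)
        ok = hmac.compare_digest(expected, presented_code)  # constant-time compare
        if ok:
            self._used_challenges.add(order.challenge)
        return ok


def demo() -> dict:
    """Constructed scenario showing what the dynamic link does and does not accept."""
    key = b"constructed-demo-secret-do-not-use"          # constructed sample key
    approved = PaymentOrder("DE00TEST0000000001", 12_345, "EUR", "challenge-0001")
    code = authentication_code(key, approved)             # what the user's device shows

    verifier = DynamicLinkVerifier(key)
    results = {
        # Same code presented for an order whose amount was altered after approval
        "altered_amount": verifier.verify(
            PaymentOrder(approved.payee, 999_999, "EUR", approved.challenge), code),
        # Same code presented for an order whose payee was altered after approval
        "altered_payee": verifier.verify(
            PaymentOrder("DE00TEST0000000002", approved.amount_cents, "EUR",
                         approved.challenge), code),
        # The order the user actually approved
        "genuine": verifier.verify(approved, code),
    }
    # A second submission of the genuine order reuses the challenge and must fail
    results["replay"] = verifier.verify(approved, code)
    results["code_length"] = len(code)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```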
Canada – FINTRAC’s updated Know Your Customer guidance permitting digital onboarding
Digital onboarding has rapidly gained adoption in countries around the world, including Hong Kong, Singapore, and the United States. Financial institutions and customers alike have embraced digital onboarding as it balances security with user convenience while complying with regulatory requirements.
Canada continues to advance digital identity with the ongoing development of the Pan-Canadian Trust Framework (PCTF) led by the Government of Canada and the Digital Identity and Authentication Council of Canada (DIACC).
On November 14, 2019 Canada’s Financial Transactions and Reports Analysis Centre (FINTRAC) published an update to guidance on Know Your Customer (KYC) requirements, titled "Methods to verify the identity of an individual and confirm the existence of a corporation or an entity other than a corporation".
FINTRAC supports different technologies, including a live video interview and, what is becoming the path of choice, a selfie-based check where “an individual could be asked to take a ‘selfie’ photo using the camera on their mobile phone or electronic device, and an application would apply facial recognition technology to compare the features of that ‘selfie’ to the photo on the authentic government-issued photo identification document.”
FINTRAC stresses that “it is not enough to just view a person and their government-issued photo identification document online through a video conference or any other type of virtual application”. The financial institution “must use a software or some type of technology that would be able to authenticate the government-issued photo identification document. FIs must also verify that the name and image match that of the individual on the authentic government-issued photo identification document.”
Canada – Amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA)
Published by FINTRAC in July 2019, the amendments directly affect cryptocurrency exchanges, which had previously fallen outside of many regulations.
All cryptocurrency exchanges in Canada, beginning on June 1, 2020, must register with FINTRAC. Crypto exchanges will be classified as money service businesses (MSBs), which have traditionally provided foreign currency exchange and check cashing services along with money order sales.
Like financial institutions, crypto exchanges will be required to have a compliance officer, comply with Know Your Customer (KYC) policies, and report suspicious transactions to FINTRAC. Crypto exchanges will be able to leverage the digital onboarding provisions detailed above.
U.S. – Amendments to the Safeguards and Privacy Rules under the Gramm-Leach-Bliley Act
In 2020, the Federal Trade Commission is expected to announce changes to the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act, which requires financial institutions (FIs) to explain to their customers the organization’s information-sharing policies and practices and to safeguard sensitive data.
The revised regulations will likely incorporate feedback provided from the proposed changes the FTC announced in 2019.
Under the Safeguards Rule, U.S. banks and FIs must implement measures to keep customer information secure. What’s more, they must also take steps to ensure that their affiliates and service providers safeguard the customer information in their care as well. The Privacy Rule requires an FI to allow their customers to opt out of having their information shared with certain third parties after the customer has received an explanation of the organization’s information sharing practices. The proposal would require financial institutions to encrypt all customer data, to use multifactor authentication to access that data, and implement further access controls to prevent unauthorized users from accessing customer information.
These proposed changes are modeled after New York’s Department of Financial Services Cybersecurity Regulations, which went into full effect in 2019. The reality is that not every financial institution in the U.S. is subject to the NYDFS’s regulations, so gaps remain in protecting customers’ privacy and security. However, every financial institution in the U.S. is governed by the FTC, meaning the FTC’s proposed regulations would close those gaps.
European Union – Anti-Money Laundering Directive 5 (AMLD5)
In July 2018, EU directive 2018/843, the fifth version of the EU’s Anti-Money Laundering Directive (AMLD5), entered into force, requiring EU member states to transpose AMLD5 into national law by January 10, 2020.
Like previous versions, AMLD5 applies to financial institutions, including banks and money service businesses (MSBs), with the significant change being that AMLD5 treats virtual currency exchange platforms (VCEPs) and custodian wallet providers (CWPs) as “obliged entities” subject to EU regulations.
VCEPs and CWPs previously unregulated by the directive must now follow the same rules as any other financial service organization, which includes mandatory identity checks on new customers.
As it relates to identity verification, AMLD5 recognizes digital identity technologies.
Item 22 of the directive includes: “Accurate identification and verification of data of natural and legal persons are essential for fighting money laundering or terrorist financing. The latest technical developments in the digitalization of transactions and payments enable a secure remote or electronic identification. Those means of identification…should be taken into account, in particular with regard to notified electronic identification schemes and ways of ensuring cross-border legal recognition, which offer high level secure tools and provide a benchmark against which the identification methods set up at national level may be checked. In addition, other secure remote or electronic identification processes, regulated, recognized, approved or accepted at national level by the national competent authority may be taken into account”.
Failure to comply can lead to severe penalties including fines of up to €5 million or 10% of annual turnover. For management, individuals could be banned from running a regulated business and the organization could be prevented from trading due to compliance violations.
Data Privacy and Protection Regulations
Government bodies around the globe are considering new data privacy regulations. Many of these regulations are modeled after the EU’s GDPR and signify heightened awareness regarding data privacy and data protection issues.
United States – California Consumer Privacy Act (CCPA)
CCPA introduces new privacy rights for consumers and will force companies that conduct business in California to implement structural changes to their privacy programs. Modeled after the EU’s General Data Protection Regulation (GDPR), the CCPA took effect on January 1, 2020, with enforcement beginning on July 1, 2020.
The CCPA applies to businesses defined as “a for-profit entity that collects ‘consumer’ (in this case California residents’) personal data and meets at least one of the following:
- The business annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households, or devices.
- The business has an annual gross revenue of over $25 million.
- The business derives 50% or more of its annual revenue from selling consumer personal information.”
A couple of the key provisions include a consumer’s right to access, delete, and port personal information. Under the law, consumers may request to access, delete or port the personal information they have provided to a company, up to two times in a 12-month period.
When one thinks about their digital interactions with a company, there is a tremendous amount of personal data involved. This includes the usual information such as name, mailing address, phone, email address, marital status, religion, and race, but it also includes digital information like IP address, username, passwords, browsing data, shopping history, and authenticators. The list of authenticators further includes biometrics such as facial recognition data, voice prints, and fingerprints.
To protect consumers’ privacy and security, the law requires companies establish processes to verify consumers’ identity and authorization.
Fines for violating the CCPA can be steep. Unintentional violations are subject to a maximum fine of $2,500, while intentional violations carry a maximum fine of $7,500. To a multi-billion-dollar corporation, these amounts are a light slap on the wrist. Where the CCPA has teeth is in the right of consumers to bring lawsuits. Under the CCPA, consumers can collect between $100 and $750 for each event. In this era of large-scale breaches, if the damages are greater than $750, then the consumer may receive even more. Situations like these may arise from instances where a customer’s “non-encrypted or non-redacted personal information” is breached.
Brazil – General Data Protection Law (LGPD)
In July 2019, the General Data Protection Law (Lei Geral de Proteção de Dados Pessoais) (Law No. 13,709/2018) ("LGPD") was signed and will take effect on August 15, 2020.
The LGPD is modeled after the EU’s GDPR and applies to any individual or legal entity (regardless of where they are located) that offers or supplies goods or services to Brazil, processes data in Brazil, or processes data collected in Brazil or belonging to Brazilian individuals.
The LGPD requires data controllers and data processors to adopt administrative, technical, and security measures aimed at protecting personal data from unauthorized access in addition to accidental or unlawful loss, destruction, alteration, and communication.
The National Data Protection Authority (Autoridade Nacional de Proteção de Dados) (ANPD) will oversee and enforce the data protection regulations. It is expected that the ANPD will publish minimum technical standards in 2020.
Although it remains to be seen what the minimum technical standards will include, the affected banks and other companies that currently protect customer data with static usernames and passwords should elevate their identity management and authentication technologies to include multi-factor authentication.
Thailand – Personal Data Protection Act (PDPA)
In May 2019, the Personal Data Protection Act B.E. 2562 (2019) was published in the Thailand official gazette. The law includes a 1-year grace period with compliance beginning by May 27, 2020.
The PDPA includes a provision for the creation of the Personal Data Protection Committee (“PDPC”), tasked with enforcement and publishing guidance.
PDPA has been influenced by various concepts from GDPR, but it also draws upon concepts developed from the Thai perspective. Do not assume that compliance with GDPR will align with PDPA compliance. I recommend a thorough and careful review of the differences between these two legislations for all international banking organizations operating in both regions.
As under GDPR, consumer consent must be obtained in an easy-to-understand and non-complex manner.
Companies will need to solidify their customer data management policies and practices, as the PDPA distinguishes three categories: personal data collection, data usage, and data disclosure. Companies need to obtain customer consent for each purpose.
The PDPA has extraterritorial applicability meaning data controllers and data processors both in and outside of Thailand could be subject, thereby affecting many global and regional banks and other financial institutions.
Like GDPR and other data protection laws, the PDPA includes stiff penalties for non-compliance. These include fines of up to THB 5 million for administrative non-compliance, imprisonment of up to one year and/or fines of up to THB 1 million, and punitive damages of up to twice the amount of the actual damages. Furthermore, Thailand now allows data subjects to file class action lawsuits, which means civil damages under the PDPA can be multiplied. The company’s director may also be subject to penalties.
Bank Regulations and Opportunity
2021 marks a period of great regulatory change around the world for community banks, national banks, bank holding companies, credit unions, and the financial system. For that reason, it is imperative to stay up to date on the current regulatory changes and banking laws, as well as new proposals being discussed in the jurisdictions in which you operate. They may have a crucial impact on your digital transformation initiatives.
Learn more about security solutions and regulatory compliance by visiting our page outlining the compliance challenge.