Top Banking Regulations & Security Compliance Requirements 
In 2021, government policy makers and regulators were quite busy with a clear focus on improving cybersecurity, strengthening digital identities and online authentication, and protecting consumers as the migration to digital continues with payments and digital currencies.
Below, we’ve compiled some of the key global regulations, policies and laws that will impact financial institutions, fintech companies, payment systems, commercial banks, lenders, borrowers, asset management firms, and the banking industry at large.
For a comprehensive list, please access OneSpan’s Global Financial Regulations Report 2022, available online and for download.
Table of Contents:
- 2022 Regulatory Updates
- 2022 Predictions
UNITED STATES OF AMERICA
In November, the Federal Reserve Board, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) published a final rule requiring “banking organizations” to notify their primary federal regulator within 36 hours in the event of certain types of computer-security incidents. The Rule separately requires “bank service providers” to “notify banking organization customers as soon as possible in the event of any incident that has or is reasonably likely to materially affect those customers for four or more hours”. Bank service providers include any bank service company or other person that provides services subject to the Bank Service Company Act. The regulation takes effect April 1, 2022 while banking organizations and their bank service providers must be in compliance by May 1, 2022.
In August, the Federal Financial Institutions Examination Council (FFIEC) updated its Authentication and Access to Financial Institution Services and Systems Guidance for the first time in a decade. The Guidance encourages FIs to identify their users and customers who warrant authentication and access management controls in addition to users and customers who may warrant more enhanced authentication controls, like multi-factor authentication (MFA). The FFIEC also notes that single factor authentication, typically something one knows such as a username and static password, is not sufficient. It states:
“Attacks against systems and users protected with single-factor authentication often lead to unauthorized access resulting in data theft or destruction, adverse impacts from ransomware, customer account fraud, and identity theft. Accordingly, use of single-factor authentication as the only control mechanism has shown to be inadequate against these threats.”
The FFIEC also focuses on identity verification, which is a critical component of Know Your Customer (KYC) regulations. The FFIEC stresses that “reliable verification methods generally do not depend solely on knowledge-based questions to verify identity.” We agree and recommend digital identity verification methods such as ID document verification and facial comparison.
In October 2021, the Federal Trade Commission published an update to the "Safeguards Rule" under the Gramm-Leach-Bliley Act, which outlines how non-bank financial institutions under FTC jurisdiction should protect customers’ financial information. Banks, bank holding companies, and their subsidiaries are subject to separate guidance and standards issued by the federal banking regulators, including the OCC, the Fed, and the FDIC. The update applies to institutions "engaging in financial activities," including auto dealers, real estate appraisers, tax preparers, investment advisors, and colleges and universities participating in federal financial aid programs. In addition to those subject to the existing rule, the amended Safeguards Rule may apply to internet service providers, the gig economy, and online marketplaces.
The updated rule now requires multi-factor authentication (MFA) whenever any individual — employee, customer or otherwise — accesses an information system.
The FTC has imposed significant penalties for non-compliance with fines of $43,792 per violation, per day.
FINANCIAL ACTION TASK FORCE
The FATF released new guidance in October on virtual assets and virtual asset service providers (VASPs), superseding the guidance it previously issued in 2019. Its thirty-nine member jurisdictions must license or register providers and subject them to supervision or monitoring by financial regulators. The Guidance applies to stablecoins and clarifies that a range of entities involved in stablecoin arrangements could qualify as VASPs under the FATF Standards. In 2022, we expect many jurisdictions to revise their regulations to comply with the FATF.
In December 2021, the Estonian government approved draft legislation to strengthen regulations for VASPs in accordance with the FATF’s new guidance. As noted on the Minister of Finance’s website:
“It brings regulation of VASPs more in line with e-money institutions and payment service providers but does not directly affect customers or individuals who use private wallets from owning crypto. However, Estonian VASPs are not allowed to provide anonymous services and must identify their clients… Identifying information must be retained in a way that would enable it to be linked to the transaction, similarly to bank transfers.”
It is expected to be passed by Parliament and enacted during the first half of 2022.
The proposed Markets in Crypto-Assets Regulation (MiCA) aims to establish a comprehensive crypto-asset regulatory framework and enhance legal certainty and harmonization across the EU. Main priorities include transparency, consumer protection, prevention of market abuse, authorization, and supervision. Crypto-assets are classified into three categories: e-money tokens, asset-referenced tokens, and a third group covering all other types, such as utility tokens and algorithmic stablecoins. Issuers will be subject to regulatory requirements based on which crypto-assets are sold, with all issuers of e-money tokens and asset-referenced tokens obligated to be authorized and established within the EU. MiCA’s legislative process is expected to be completed in early 2022. Member states will likely be required to implement the new regulations in 2024.
In 2021, Japan’s Financial Services Agency (FSA) announced its intention to implement the Financial Action Task Force (FATF)’s “Travel Rule” according to its guidelines on virtual assets (VAs) and VASPs. The Travel Rule requires the exchange of identification data between senders (originators) and recipients (beneficiaries) of digital funds transfers. The rule therefore seeks to prevent money laundering and terrorist financing (ML/TF) by reducing anonymity in wire and crypto transactions.
The required information aligns closely with customer due diligence information standards and includes the originator’s name, address, birth date, birthplace, account number, and identity number. In addition, the beneficiary’s name and account or virtual wallet number are also included. The rule will go into effect in 2022.
In December 2021, the “Cryptoasset Marketing Framework” was introduced in Peru’s Congress.
This framework defines the requirements each VASP must follow to operate. The legislation includes the creation of a public registry for VASPs that Peruvians can access to determine if exchanges or platforms are registered.
It would also require VASPs to contractually inform users that Peru does not recognize cryptocurrencies as legal tender and that the supervision of these assets by the government constitutes no guarantee against the risks that operating with cryptocurrencies can bring to users. We expect this legislation to be enacted in 2022.
In late December, President Erdoğan confirmed the completion of a cryptocurrency law draft that will soon be shared with the Parliament for mainstream implementation in the country.
Turkey has been expediting regulations development for cryptocurrency after two cryptocurrency exchanges, Thodex and Vebitcoin, collapsed in April 2021, leaving Turkish cryptocurrency investors unable to access their accounts.
The law is expected to include the establishment of a central custodian bank to eliminate counterparty risk. We are expecting this legislation to swiftly pass through Parliament and be enacted in 2022.
Cryptocurrencies are clearly in the crosshairs of federal regulators. On November 23, 2021, the U.S. federal banking regulators issued a Joint Statement on Crypto-Asset Policy Sprint Initiative and Next Steps, an inter-agency project focused on regulated bank and bank holding company participation in crypto-asset-related businesses. Per the joint statement:
“Throughout 2022, the agencies plan to provide greater clarity on whether certain activities related to crypto-assets conducted by banking organizations are legally permissible, and expectations for safety and soundness, consumer protection, and compliance with existing laws and regulations related to:
- Crypto-asset safekeeping and traditional custody services.
- Ancillary custody services.
- Facilitation of customer purchases and sales of crypto-assets.
- Loans collateralized by crypto-assets.
- Issuance and distribution of stablecoins.
- Activities involving the holding of crypto-assets on balance sheet.
The agencies also will evaluate the application of bank capital and liquidity standards to cryptoassets for activities involving U.S. banking organizations and will continue to engage with the Basel Committee on Banking Supervision on its consultative process in this area.”
Separately, Michael Hsu, Acting Comptroller of the Currency, has called for regulation of crypto banking and has raised concerns that “synthetic banking providers (SBPs), those who operate out of the reach of bank regulators and free of bank rules” are very active in the cryptocurrency space; he has stressed the need for SBPs to be held to banking standards. Given this activity, we anticipate an advance notice of proposed rulemaking (ANPRM) for comprehensive cryptocurrency regulation to be released during the second half of 2022.
Central Bank Digital Currencies (CBDCs)
China’s digital yuan, “e-CNY”, is expected to launch during Q1 2022. Unlike some CBDCs in development that complement cash, e-CNY is designed to replace the cash and coins already in circulation. In early January, the central bank launched a pilot version of a wallet app for e-CNY on the app stores to expand usage in 10 areas within China.
In October 2021 the Central Bank of Nigeria (CBN) launched the “eNaira”—a central bank digital currency (CBDC). Nigeria could serve as a “launching pad” for CBDC within the African continent. At this time, Ghana, South Africa, and Tunisia are conducting CBDC pilots. Zimbabwe, Namibia, Madagascar, Rwanda, Mauritius, Morocco, and Kenya are in the research phase.
The launch of the e-krona pilot phase has been driven in part by Sweden’s declining cash use and the desire to safeguard against possible future disruptions to the monetary system. However, some Swedish bankers worry that a CBDC could threaten financial stability by spurring bank runs. The Riksbank is expected to reach a conclusion on the possible e-krona in November 2022.
As part of the European strategy for data, the European Commission published a far-reaching 108-page proposal regulating the use of AI, the Artificial Intelligence Act, with particular regard to “high risk” systems and contexts. The regulation would apply to all providers and users located within the EU, as well as extra-territorial providers whose services are utilized within the EU. The proposal must still advance through the EU legislative procedure. This likely won’t impact 2022, but it is worth paying close attention to since it is expected to be a vanguard in global AI regulations in much the same way the GDPR has been with regard to data protection.
The U.S. federal government, including financial regulators, was very focused on AI in 2021.
In March 2021, U.S. financial regulators issued a request for information (RFI) on financial institutions’ use of AI, including machine learning. The RFI sought:
“to understand respondents’ views on the use of AI by financial institutions in their provision of services to customers and for other business or operational purposes; appropriate governance, risk management, and controls over AI; and any challenges in developing, adopting, and managing AI.”
Also in March, the National Security Commission on Artificial Intelligence published a Final Report outlining a strategy to “win the broader technology competition” in the AI era.
Last April, the Federal Trade Commission (FTC) published a blog on “Aiming for truth, fairness, and equity in your company’s use of AI,” which delivers guidance on avoiding negative outcomes like racial bias.
In July, NIST published an RFI to solicit input as it drafts an Artificial Intelligence Risk Management Framework, a “guidance document for voluntary use intended to help technology developers, users, and evaluators improve the trustworthiness of AI systems.”
In October, the White House’s Office of Science and Technology Policy (OSTP) released an RFI focused on the use of biometric technologies for the purposes of identity verification, identification of individuals, and inference of attributes including individual mental and emotional states. Per the OSTP, the purpose of the RFI is:
“to understand the extent and variety of biometric technologies in past, current, or planned use; the domains in which these technologies are being used; the entities making use of them; current principles, practices, or policies governing their use; and the stakeholders that are, or may be, impacted by their use or regulation.”
Given the plethora of activity, we are anticipating regulatory activity as it pertains to AI in 2022.
MitID, Denmark’s long-awaited digital identity infrastructure, will replace NemID. MitID is to be more flexible and secure than its predecessor. As an app, MitID can be used for approving logins and payments. Once MitID has been sufficiently tested, it will launch across Denmark, with a six-month transition period until NemID is completely phased out. Due to delays, the solution will most likely be ready in summer 2022.
Canada’s much anticipated Pan-Canadian Trust Framework (PCTF), spearheaded by the Digital Identity and Authentication Council of Canada (DIACC), will launch its Voila Verified Trustmark program in 2022. Trustmarks will be issued to organizations that demonstrate compliance with PCTF components.
Although the E.U.’s much publicized digital wallet initiative is still a couple years away, 2022 will be focused on the identification of specific architectures, standards, and references, as well as guidelines and best practices. Towards the end of the year, the European Commission will publish a toolbox for use by member states and other parties.
In December 2021, the European Banking Authority released draft Guidelines on Remote Customer Onboarding for public comment. Several member states have already adopted remote onboarding utilizing biometric identity verification and document verification solutions. Not surprisingly, the member state regulators have taken different approaches, such as permitting selfie photos or prohibiting them in favor of video. It remains to be seen what the EBA’s final guidance will include. The comment period is open until March 10, 2022 with final guidance likely during the second half of 2022.
The Swiss government’s Federal Council announced plans to develop a publicly owned E-ID infrastructure to be built upon principles of self-sovereign identity (SSI). Although owned by the government, the private sector is expected to play an important role as identity providers, agents, relying parties, or identity wallet providers. Swiss e-ID legislation is expected to be introduced in 2022.
In early 2022, the National Institute of Standards and Technology is expected to release a draft of its revised Digital Identity Guidelines for public comment. This will be its first update since 2017. Although only U.S. federal government agencies and contractors are obliged to adhere to NIST’s guidance, numerous private and public sector organizations worldwide, including the financial sector, have historically embraced it. A major revision is not expected, but given the Biden Administration’s focus on countering phishing attacks with phishing-resistant authenticators, we are expecting a differentiation amongst authenticators categorized at Authenticator Assurance Level 2 (AAL2).
Amendments to the Enforcement Rules for the Act on the Protection of Personal Information (APPI) were published in 2021 and take effect April 1, 2022.
The amended APPI strengthens the rights of data subjects and imposes new requirements on entities that process personal data. It obliges entities to report data breaches to the Personal Information Protection Commission (PPC), expands the PPC’s powers, such that it can request reports or investigate offshore companies, increases penalties in the case of non-compliance, and introduces the concept of pseudonymization.
Pseudonymization is a data management procedure by which data subjects’ personally identifiable information is replaced with a pseudonym, thus protecting their rights and enabling processors to more readily use their information. The amended APPI also expands data subjects’ rights to deletion and cessation of the use of personal data, and allows data subjects to select the method of receiving their data (writing or email), per the right of access.
Like the EU’s General Data Protection Regulation (GDPR), the APPI has extraterritorial scope, applying to all entities that process personal data of Japanese citizens, regardless of the entities’ physical location. The amended APPI enables the PPC to request that foreign obliged entities report on their processing activities, and the PPC will be able to impose fines on them in the case of non-compliance.
Passed in 2020, the revised Swiss Data Protection Act (revDPA) implements many GDPR provisions while allowing for significant differences. The revised Act will enter into force in the second half of 2022.
Under the Act, companies will be obliged to immediately report serious data breaches to the Federal Data Protection and Information Commissioner (FDPIC); utilize data protection impact assessments in advance of potentially risky data processing; seek approval before using sub-processors; and issue a privacy notice each time data is collected. In contrast with the GDPR, controllers have the option—but not the obligation—to appoint a data protection officer. Should an intentional violation of the revDPA occur, individuals, rather than the company, could face criminal sanctions.
Due to the COVID-19 pandemic, the Thai Cabinet postponed the enforcement of the Personal Data Protection Act (PDPA) to June 1, 2022. The PDPA, which was published in May 2019, draws on the EU’s General Data Protection Regulation (GDPR) and outlines requirements for the processing of personal data and the responsibilities of data controllers and processors. The law has extraterritorial scope, so it applies to any entity that utilizes the personal data of a Thai citizen, even if the entity does not reside in Thailand. In the case of cross-border transfers of personal data, the recipient country must adhere to “adequate personal data protection standards.” The PDPA will also establish a national data protection agency to monitor compliance, called the Personal Data Protection Committee (PDPC).
Anti-Money Laundering and Counter-Terrorist Financing
Last spring, the European Banking Authority launched a public consultation on draft Regulatory Technical Standards (RTS) for the establishment of a central database on anti-money laundering and counter-terrorism financing. Following public comments, in December the EBA published a final report. The draft RTS lays out rules safeguarding the effectiveness and confidentiality of the database, which would help to coordinate and harmonize the EU approach to AML/CFT. This is especially important because EU AML directives are discretionary—allowing member states to transpose them into national law and implement them in different ways—which has not necessarily allowed for a pan-European approach. As cybercrime becomes more sophisticated and international amidst increasing digitalization, a central database will streamline AML/CFT measures across the EU. The RTS will further ensure that the database adheres to data protection laws.
The EBA will submit these draft RTS to the European Commission for approval. Once approved, the RTS will be directly applicable in all Member States. Depending on how fast this progresses, they could be approved by the Commission in 2022.
In December, the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) published a Notice of Proposed Rulemaking (NPRM) for Beneficial Ownership Information Reporting Requirements. The proposed regulations will implement Section 6403 of the Corporate Transparency Act, signed into law as part of the National Defense Authorization Act for fiscal year 2021. When finalized, it will require entities to submit beneficial ownership and company applicant information to FinCEN with the aim of helping to prevent and combat money laundering, terrorist financing, tax fraud, and other illicit activity. Per the announcement,
“The proposed regulations address: (1) Who must file; (2) when they must file; and (3) what information they must provide. Collecting this information and providing access to law enforcement, the intelligence community, and other key stakeholders will diminish the ability of malign actors to obfuscate their activities through the use of anonymous shell and front companies.”
The public comment period closes February 7, and we expect FinCEN to publish a Final Rule sometime in 2022.
Also in December, FinCEN published a request for information on the Modernization of the AML/CFT Regulatory Regime. FinCEN is interested in ways to modernize risk-based AML/CFT regulations and guidance issued pursuant to the Bank Secrecy Act (BSA). The formal review will also allow FinCEN to identify regulations and guidance that are outdated, redundant, or otherwise do not promote a risk-based AML/CFT compliance regime for financial institutions, or that do not conform with U.S. commitments to meet international AML/CFT standards. The public comment period ends February 14, 2022, and there could be a Notice of Proposed Rulemaking (NPRM) released in the latter part of 2022.
In January 2021, the central bank issued a circular outlining rules on ATM access through the use of fingerprint readers. Per the new rules, users shall access ATMs through “something you know”—a PIN or identity card (DNI)—alongside fingerprints. The rules will be implemented through a phased approach. By December 31, 2021, 35% of ATMs were required to include a biometric reader; that number increases to 60% by June 20, 2022, and by December 31, 2022, all ATMs will be required to include a biometric reader.
An October 2020 move by Prime Minister Suga will have banks and other financial institutions leverage electronic signature technology and digitize their forms by the end of 2022. Companies have traditionally filed paper documents with the Financial Services Agency, which has reduced efficiency and driven up costs.
UNITED ARAB EMIRATES
In September 2021, Federal Decree-Law No. 46/2021 on Electronic Transactions and Trust Services was enacted repealing the 15-year-old Federal Law No.1/2006 on E-commerce and Transactions. To support digital transformation efforts in the UAE, the new law encourages and facilitates all types of electronic transactions, while protecting the rights of customers who undertake electronic transactions.
According to the law, trust services include creating electronic signatures; issuing certificates of authentication for qualified electronic signatures; creating electronic stamps; issuing certificates of authentication for qualified electronic stamps; and issuing certificates of authentication for websites.
The new law took effect January 2, 2022. The law provides a one-year grace period for businesses to comply.
Remote Online Notarization (RON) continues to gain widespread adoption. To date 39 states have passed RON legislation with New York’s governor being the latest to sign legislation into law enacting permanent RON measures on December 22, 2021. New York’s law takes effect June 20, 2022.
New York joins Alaska, Arizona, Arkansas, Colorado, Florida, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maryland, Michigan, Minnesota, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Mexico, New Jersey, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin and Wyoming.
States began to adopt RON measures as the COVID-19 pandemic led to social distancing rules and forced businesses to shift their operations online. Each state’s measures include the same basic elements, including the use of audio-visual communication methods, recording of the audio-visual communication and authentication by the notary of the signatory.
The fourth and final phase of Brazil’s roll-out of open banking commenced in mid-December. This was significant because it marked the migration from open banking to open finance, with the addition of investment products, insurance, and foreign exchange among the information to be shared with trusted third-party APIs upon consumer consent. These complement the already included mortgages, checking and savings accounts, pensions, and credit cards.
A key component of the fourth phase is the requirement that APIs related to the financial products being shared undergo a certification process. This will assure compliance with the Central Bank’s technology requirements. The Phase 4 products are being brought in on the following schedule:
- March 4, 2022: insurance, open supplementary pension, and capitalization
- March 11, 2022: accreditation services in payment arrangements
- March 18, 2022: exchange operations
- March 25, 2022: term deposit accounts and other investment products
On May 31, 2022, the second stage of Phase 4 commences, and consumers will be able to provide consent to data sharing from that date. At that point, open finance will be visible to consumers, as it will be possible to consent to data sharing across the services that participant institutions have made available through the model. The open finance roll-out is expected to be complete by September 30, 2022.
In August 2021, the federal government’s advisory committee on open banking published a report. Per the report, the initial phase should launch by January 2023 with the government and industry collaborating on the roadmap. 2022 will be spent in preparation for the 2023 launch.
The legislature is working on draft legislation to develop an open banking model. The law is expected to be introduced during 2022. As a result, a definitive timeline is not available yet.
The Hong Kong Monetary Authority’s (HKMA) phased rollout of the Open API Framework for the banking sector involves 28 participating banks. The banks began Phases III and IV in late 2021 with an initial focus on deposit account information and online merchant payments.
Per the HKMA’s website, under Phase III, 25 banks plan to launch the API functions for retail customers by June 30, 2022. Twenty-three banks will launch the API functions for corporate and SME customers by June 30, 2022.
Under Phase IV, 27 of the 28 participating banks will launch an app-to-app payments capability by June 30, 2022. The remaining bank plans to roll out this same capability by September 30, 2022.
KINGDOM OF SAUDI ARABIA
The central bank issued its brief Open Banking Policy, which aims to promote competition, innovation, financial inclusion, and efficiency in the banking system. The central bank is currently assessing the potential impacts of open banking and how best to adopt it in the Kingdom. The launch of open banking will occur over three phases: design, implementation, and go-live.
According to the central bank’s policy document, “The implementation phase will cover the development of the defined frameworks, technology building blocks, and rollout activities including testing with financial market participants, and enhancement of customer awareness.” The central bank plans to go live in the first half of 2022.
In May 2021, the UK’s Financial Conduct Authority (FCA) issued a statement extending the deadline for the implementation of strong customer authentication (SCA) requirements in e-commerce transactions to March 14, 2022. The six-month extension aims to “ensure minimal disruption to merchants and consumers, and recognizes ongoing challenges facing the industry to be ready by the previous 14 September 2021 deadline.”
Thus far, open banking in the U.S. has been market driven, but that may soon be changing. In July 2021, President Biden issued an Executive Order, Promoting Competition in the American Economy, encompassing 72 initiatives by more than a dozen federal agencies to address the most pressing competition problems across the economy. One of the 72 tasks the Director of the Consumer Financial Protection Bureau should consider commencing or continuing is a rulemaking under section 1033 of the Dodd-Frank Act to facilitate the portability of consumer financial transaction data. This would enable consumers to more easily switch financial institutions and use new, innovative financial products. It could also serve as a catalyst for open banking in the U.S.
Predictions for 2022
In light of this large collection of regulatory changes, consider some of these bold predictions for this year:
- Expect the U.S. to issue an Advance Notice of Proposed Rulemaking for the Regulation of Crypto Banking.
- U.S. financial regulators, the Office of the Comptroller of the Currency (OCC), the Federal Reserve Board (FRB), the Federal Deposit Insurance Corporation (FDIC), and the Securities and Exchange Commission (SEC), will announce a Notice of Proposed Rulemaking for comprehensive regulations similar to the Federal Trade Commission’s revised Safeguards Rule.
- The U.S. Consumer Financial Protection Bureau will announce policies to drive open banking in the U.S.
- Central banks will also add strict security requirements, including multi-factor authentication leveraging face and fingerprint biometrics and mobile application shielding, for digital wallets storing and transacting with central bank digital currencies (CBDCs). Security is of utmost importance to central banks, and these requirements will become the norm as CBDCs are launched globally.
- France’s data privacy regulator, Commission nationale de l'informatique et des libertés (CNIL), will announce that passwords will no longer be permitted to gain access to sensitive personal data. Systems and databases accessed via single factor authentication (username and passwords) will no longer comply with GDPR.
Bank Regulations and Opportunity
2022 marks a period of great regulatory change around the world for community banks, national banks, bank holding companies, credit unions, and the financial system. For that reason, it is imperative to stay up to date on the current regulatory changes and banking laws, as well as new proposals being discussed in the jurisdictions in which you operate. They may have a crucial impact on your digital transformation initiatives.
Learn more about security solutions and regulatory compliance by visiting our page outlining the compliance challenge.