Top 2020 Banking Regulations & Security Compliance Requirements
The rapid growth of technology and digitization in the financial industry is continuing to drive new regulations around the globe, and there is already a lot happening in 2020. A wave of data privacy regulations in North America seems likely after the California Consumer Privacy Act, but that is just one example. In every region, new regulations are going into effect.
Below, we’ve compiled the top regulations, laws, and standards that impact FIs this year:
Top Security Regulations for the Financial Industry
PSD2: Payment Services Directive 2
Although the open banking (access-to-account) requirements went into effect on 14 September 2019, in October 2019 the European Banking Authority (EBA) published a revised deadline for compliance with the Regulatory Technical Standards (RTS) on strong customer authentication (SCA) and common and secure communication under PSD2. The new deadline is 31 December 2020. While most national competent authorities have followed the EBA's lead, the UK's Financial Conduct Authority (FCA) will not enforce SCA until 14 March 2021. The Bank of France conformed to the EBA's 31 December deadline but added a 3-month grace period on a case-by-case basis.
PSD2 criteria include:
- Strong Customer Authentication: Authentication must be based on two or more independent factors drawn from knowledge (a password or PIN), possession (a hardware token or a registered mobile device), and inherence (a biometric). The factors must be independent, so that the compromise of one does not compromise the others.
- Transaction Risk Analysis: PSD2 mandates transaction risk analysis to detect and deter fraudulent payments; it is also the basis for the RTS exemption that lets low-risk transactions proceed without SCA.
- Dynamic Linking: For remote payment transactions, the authentication code must be dynamically linked to the specific payee and amount the payer agreed to. The payer must be shown that amount and payee when authenticating, and any change to either invalidates the code, so malware that alters the transaction after the payer approves it produces a code the bank will reject.
- Mobile App Security: Payment service providers must adopt security measures to mitigate the risk of a compromised mobile device (for example a rooted device or one carrying malware). PSD2 also mandates counter-measures against cloning of the authentication app onto another device, also known as replication protection, so that a copied app and its secrets cannot be used to generate valid codes.
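As an added illustration of the dynamic linking requirement (this is example code written for this article, not PSD2 reference code or any vendor's implementation), the snippet below binds an authentication code to the payee, amount, and a one-time server challenge with an HMAC. The device key, the `PaymentServer` class, the field encoding and the 8-digit truncation are all assumptions chosen for the example; a real deployment would derive the key at enrolment and protect it in the device's secure hardware. The point it demonstrates is that a code computed over what the payer saw fails verification if a man-in-the-browser changes the amount or payee on the way to the bank, and that a code cannot be replayed.

```python
import hashlib
import hmac
import secrets

# Added example (not PSD2 or vendor code). RTS Art. 5 requires that the
# authentication code be specific to the amount and payee the payer agreed to
# and that any change to either invalidates it. We achieve that by MACing an
# unambiguous encoding of the transaction fields plus a one-time challenge.


def canonical_message(payee: str, amount_cents: int, currency: str,
                      challenge: bytes) -> bytes:
    """Length-prefix each field so the concatenation is unambiguous
    (payee 'AB' + amount 1 must not encode like payee 'A' + amount 'B1')."""
    parts = [payee.encode("utf-8"), str(amount_cents).encode("ascii"),
             currency.encode("ascii"), challenge]
    out = b""
    for p in parts:
        out += len(p).to_bytes(2, "big") + p
    return out


def generate_auth_code(device_key: bytes, payee: str, amount_cents: int,
                       currency: str, challenge: bytes) -> str:
    """Code computed on the payer's device over the details the payer saw.
    Truncated to 8 decimal digits (HOTP-style dynamic truncation) so it can be
    displayed or typed; the full MAC never leaves the device."""
    msg = canonical_message(payee, amount_cents, currency, challenge)
    mac = hmac.new(device_key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % 10**8:08d}"


class PaymentServer:
    """Hypothetical bank side: issues a fresh challenge per transaction and
    verifies the code against the payee/amount it is actually about to execute."""

    def __init__(self, device_key: bytes):
        self._device_key = device_key          # shared with the enrolled device
        self._pending = {}                     # challenge -> (payee, amount, currency)

    def start_transaction(self, payee: str, amount_cents: int, currency: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending[challenge] = (payee, amount_cents, currency)
        return challenge

    def execute(self, challenge: bytes, code: str) -> bool:
        tx = self._pending.pop(challenge, None)  # single use: a replay finds nothing
        if tx is None:
            return False
        expected = generate_auth_code(self._device_key, *tx, challenge)
        return hmac.compare_digest(expected, code)  # constant-time comparison


def demo() -> dict:
    """Constructed scenario: honest payment, two tampered ones, and a replay."""
    key = secrets.token_bytes(32)              # provisioned at enrolment (constructed)
    server = PaymentServer(key)

    # 1. Payer approves 125.00 EUR to ACME; the device signs exactly that.
    ch = server.start_transaction("ACME Ltd", 12500, "EUR")
    code = generate_auth_code(key, "ACME Ltd", 12500, "EUR", ch)
    honest = server.execute(ch, code)

    # 2. Man-in-the-browser raises the amount on its way to the bank. The device
    #    still computes the code over the 125.00 EUR the payer saw, so the
    #    bank's verification over 9,125.00 EUR fails.
    ch2 = server.start_transaction("ACME Ltd", 912500, "EUR")
    code2 = generate_auth_code(key, "ACME Ltd", 12500, "EUR", ch2)
    tampered_amount = server.execute(ch2, code2)

    # 3. Same outcome when the payee is swapped for a mule account.
    ch3 = server.start_transaction("Mule Account", 12500, "EUR")
    code3 = generate_auth_code(key, "ACME Ltd", 12500, "EUR", ch3)
    tampered_payee = server.execute(ch3, code3)

    # 4. Replaying the honest code against its consumed challenge also fails.
    replay = server.execute(ch, code)

    return {"honest": honest, "tampered_amount": tampered_amount,
            "tampered_payee": tampered_payee, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

The length-prefixed encoding matters: a naive `payee + amount` concatenation lets an attacker shift characters between fields without changing the MAC input. The challenge gives the code freshness, and popping it on use means the same code cannot authorise a second transaction even if it is captured.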
Canada – FINTRAC’s updated Know Your Customer guidance permitting digital onboarding
Digital onboarding has rapidly gained adoption in countries around the world, including Hong Kong, Singapore, and the United States. Financial institutions and customers alike have embraced digital onboarding as it balances security with user convenience while complying with regulatory requirements.
Canada continues to advance digital identity with the ongoing development of the Pan-Canadian Trust Framework (PCTF) led by the Government of Canada and the Digital Identity and Authentication Council of Canada (DIACC).
On November 14, 2019, Canada's Financial Transactions and Reports Analysis Centre (FINTRAC) published updated guidance on Know Your Customer (KYC) requirements, titled "Methods to verify the identity of an individual and confirm the existence of a corporation or an entity other than a corporation".
FINTRAC accepts several technologies, including a live video interview and what is becoming the path of choice, where "an individual could be asked to take a 'selfie' photo using the camera on their mobile phone or electronic device, and an application would apply facial recognition technology to compare the features of that 'selfie' to the photo on the authentic government-issued photo identification document."
FINTRAC stresses that “it is not enough to just view a person and their government-issued photo identification document online through a video conference or any other type of virtual application”. The financial institution “must use a software or some type of technology that would be able to authenticate the government-issued photo identification document. FIs must also verify that the name and image match that of the individual on the authentic government-issued photo identification document.”
Canada – Amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA)
Published by FINTRAC in July 2019, the amendments directly affect cryptocurrency exchanges, which until now have fallen outside most of these regulations.
All cryptocurrency exchanges in Canada, beginning on June 1, 2020, must register with FINTRAC. Crypto exchanges will be classified as money service businesses (MSBs), which have traditionally provided foreign currency exchange and check cashing services along with money order sales.
Like financial institutions, crypto exchanges will be required to have a compliance officer, comply with Know Your Customer (KYC) policies, and report suspicious transactions to FINTRAC. Crypto exchanges will be able to leverage the digital onboarding provisions detailed above.
U.S. – Amendments to the Safeguards and Privacy Rules under the Gramm-Leach-Bliley Act
In 2020, the Federal Trade Commission is expected to announce changes to the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act, which requires financial institutions (FIs) to explain their information-sharing policies and practices to their customers and to safeguard sensitive data.
The revised regulations will likely incorporate feedback provided from the proposed changes the FTC announced in 2019.
Under the Safeguards Rule, U.S. banks and FIs must implement measures to keep customer information secure. What’s more, they must also take steps to ensure that their affiliates and service providers safeguard the customer information in their care as well. The Privacy Rule requires an FI to allow their customers to opt out of having their information shared with certain third parties after the customer has received an explanation of the organization’s information sharing practices. The proposal would require financial institutions to encrypt all customer data, to use multifactor authentication to access that data, and implement further access controls to prevent unauthorized users from accessing customer information.
These proposed changes are modeled after the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, which came into full effect in 2019. Not every financial institution in the U.S. is subject to the NYDFS regulation, so gaps remain in protecting customers' privacy and security. The FTC's Safeguards Rule, by contrast, applies nationwide to the financial institutions within the FTC's jurisdiction, so the proposed changes would close many of those gaps.
European Union – Anti-Money Laundering Directive 5 (AMLD5)
In July 2018, Directive (EU) 2018/843, the 5th version of the EU's Anti-Money Laundering Directive (AMLD5), entered into force, requiring EU member states to transpose it into national law by January 10, 2020.
Like previous versions, AMLD5 applies to financial institutions, including banks and money service businesses (MSBs). The significant change is that AMLD5 adds virtual currency exchange platforms (VCEPs) and custodian wallet providers (CWPs) as "obliged entities" subject to EU regulation.
VCEPs and CWPs, previously outside the directive's scope, must now follow the same rules as any other financial service organization, including mandatory identity checks on new customers.
As it relates to identity verification, AMLD5 recognizes digital identity technologies.
Recital 22 of the directive states: "Accurate identification and verification of data of natural and legal persons are essential for fighting money laundering or terrorist financing. The latest technical developments in the digitalization of transactions and payments enable a secure remote or electronic identification. Those means of identification…should be taken into account, in particular with regard to notified electronic identification schemes and ways of ensuring cross-border legal recognition, which offer high level secure tools and provide a benchmark against which the identification methods set up at national level may be checked. In addition, other secure remote or electronic identification processes, regulated, recognized, approved or accepted at national level by the national competent authority may be taken into account".
Failure to comply can lead to severe penalties, including fines of up to €5 million or 10% of annual turnover. Individual managers can be banned from running a regulated business, and the organization itself can be barred from trading because of compliance violations.
Data Privacy and Protection Regulations
Government bodies around the globe are considering new data privacy regulations. Many of these regulations are modeled after the EU’s GDPR and signify heightened awareness regarding data privacy and data protection issues.
California Consumer Privacy Act (CCPA)
CCPA introduces new privacy rights for consumers and will force companies that conduct business in California to make structural changes to their privacy programs. Modeled after the EU's General Data Protection Regulation (GDPR), the CCPA took effect on January 1, 2020, with enforcement beginning on July 1, 2020.
The CCPA applies to businesses defined as “a for-profit entity that collects ‘consumer’ (in this case California residents’) personal data and meets at least one of the following:
- The business annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households, or devices.
- The business has an annual gross revenue of over $25 million.
- The business derives 50% or more of its annual revenue from selling consumer personal information.”
A couple of the key provisions include a consumer’s right to access, delete, and port personal information. Under the law, consumers may request to access, delete or port the personal information they have provided to a company, up to two times in a 12-month period.
A consumer's digital interactions with a company generate a tremendous amount of personal data. This includes the usual information such as name, mailing address, phone number, email address, marital status, religion, and race, but it also includes digital information such as IP address, username, passwords, browsing data, shopping history, and authenticators. Authenticators in turn include biometrics such as facial recognition data, voice prints, and fingerprints.
To protect consumers’ privacy and security, the law requires companies establish processes to verify consumers’ identity and authorization.
Fines for violating the CCPA can be steep. Unintentional violations are subject to a maximum fine of $2,500 per violation, and intentional violations carry a maximum fine of $7,500 per violation. To a multi-billion-dollar corporation these amounts are a light slap on the wrist. Where the CCPA has teeth is in the consumer's right to sue. Under the CCPA, consumers can collect between $100 and $750 per consumer per incident, or their actual damages if those are greater, which in this era of large-scale breaches can be considerably more. This private right of action applies when a consumer's "non-encrypted or non-redacted personal information" is breached as a result of the business failing to implement reasonable security measures.
Brazil’s General Data Protection Law (LGPD)
In July 2019, the General Data Protection Law (Lei Geral de Proteção de Dados Pessoais) (Law No. 13,709/2018) ("LGPD") was signed and will take effect on August 15, 2020.
The LGPD is modeled after the EU’s GDPR and applies to any individual or legal entity (regardless of where they are located) that offers or supplies goods or services to Brazil, processes data in Brazil, or processes data collected in Brazil or belonging to Brazilian individuals.
The LGPD requires data controllers and data processors to adopt administrative, technical, and security measures aimed at protecting personal data from unauthorized access in addition to accidental or unlawful loss, destruction, alteration, and communication.
The National Data Protection Authority (Autoridade Nacional de Proteção de Dados) (ANPD) will oversee and enforce the data protection regulations. It is expected that the ANPD will publish minimum technical standards in 2020.
Although it remains to be seen what the minimum technical standards will include, the affected banks and other companies that currently protect customer data with static usernames and passwords should elevate their identity management and authentication technologies to include multi-factor authentication.
Thailand Personal Data Protection Act (PDPA)
In May 2019, the Personal Data Protection Act B.E. 2562 (2019) was published in Thailand's Royal Gazette. The law includes a 1-year grace period, with compliance required by May 27, 2020.
The PDPA includes a provision for the creation of the Personal Data Protection Committee (“PDPC”), tasked with enforcement and publishing guidance.
PDPA has been influenced by various concepts from GDPR, but it also draws upon concepts developed from the Thai perspective. Do not assume that compliance with GDPR will align with PDPA compliance. I recommend a thorough and careful review of the differences between these two legislations for all international banking organizations operating in both regions.
Like GDPR, consumer consent must be obtained in an easy-to understand and non-complex manner.
Companies will need to solidify their customer data management policies and practices, because the PDPA treats the collection, use, and disclosure of personal data as three separate activities, and companies need to obtain the customer's consent for each purpose.
The PDPA has extraterritorial applicability meaning data controllers and data processors both in and outside of Thailand could be subject, thereby affecting many global and regional banks and other financial institutions.
Like GDPR and other data protection laws, the PDPA includes stiff penalties for non-compliance: administrative fines of up to THB 5 million, criminal penalties of imprisonment for up to one year and/or fines of up to THB 1 million, and punitive damages of up to twice the actual damages. Furthermore, Thailand now allows data subjects to file class action lawsuits, which means civil damages under the PDPA can be multiplied. The company's directors may also be personally subject to penalties.
Financial Action Task Force (FATF) Guidance on Digital Identity
The FATF sets standards and "promotes effective implementation of legal, regulatory, and operational measures for combating money laundering, terrorist financing, and other related threats to the integrity of the international financial system". In March 2020, the Financial Action Task Force ("FATF") released its Guidance on Digital Identity. The Guidance seeks to help FIs, governments, and other organizations apply a risk-based approach when using digital identity systems for customer due diligence (CDD).
The FATF Guidance focuses on end-to-end digital ID systems which encompass the processes of identity proofing, enrollment, and authentication.
Potential benefits of digital identity systems defined in the guidance include:
- Improve customer identification and verification at onboarding
- Support ongoing scrutiny and due diligence of transactions throughout the business relationship
- Facilitate other customer due diligence (CDD) measures
- Aid transaction monitoring for the purposes of detecting and reporting suspicious transactions as well as general risk management and anti-fraud efforts.
With 37 member jurisdictions (countries) and 2 regional organizations (the Gulf Cooperation Council and the European Commission) behind it, we expect many of those jurisdictions to adopt the guidance into their respective regulations to combat fraud, identity theft, money laundering, and terrorist financing.
Bank Regulations and Opportunity
2020 marks a period of great regulatory change around the world. For that reason, it is imperative to stay abreast of the current regulatory changes, as well as new proposals being discussed in the jurisdictions in which you operate. They may have a crucial impact on your digital transformation initiatives.
Learn more about security solutions and regulatory compliance by visiting our page outlining the compliance challenge.