Top banking regulations & security compliance requirements 2024

OneSpan Team

From adversarial AI to quantum computing, the pace of tech development continues to raise new cybersecurity risks and threats. At the same time, banks, insurance companies, federal government agencies, and businesses in all sectors are advancing their digitization efforts and expanding digital transformation into new areas like notarization.

Greater digitization brings greater efficiencies and customer opportunities – as long as security is woven in end-to-end. Policymakers and regulators are doing their part to emphasize how critical cybersecurity is, so much so that we expect cybersecurity to drive a significant amount of regulatory activity for the foreseeable future.

To keep you informed on the latest regulatory changes affecting authentication, digital identity, and digital agreements, we've compiled an update on key regulations, policies, and laws that will impact financial institutions, the banking industry, insurance companies, and others in 2024.

Authentication and cybersecurity

EUROPEAN UNION

For years, the European Union (EU) has demonstrated regulatory leadership with regard to enhancing cybersecurity in its governments and businesses. As of publication of this blog, the three most newsworthy updates are:

  • The Digital Operational Resilience Act (DORA), which explicitly addresses cybersecurity concerns in the financial services sector. This regulation aims to increase the digital operational resilience of the financial industry. It defines rules on information and communication technology (ICT) risk management, incident management and reporting, operational resilience testing, and the management of ICT third-party risks. It applies directly in all EU member states without the need for transposition into domestic legislation.

    DORA requires financial institutions and their tech providers to authenticate employees with strong authentication by 17 January 2025. The legislation’s strong authentication requirements are crucial to fortify cybersecurity in the financial sector. By embracing multi-factor authentication and phishing-resistant methods, financial organizations can enhance their resilience against cyber threats and achieve compliance.

  • NIS2, the Second Network and Information Security Directive, is legislation adopted by the European Union to strengthen cybersecurity in critical sectors. It expands the scope of the original directive, NIS1, to cover industries such as banking, energy, transportation, chemicals, and digital infrastructure providers.

    NIS2 focuses on management liability, supply chain security, cybersecurity controls, and incident reporting. Enterprises must enhance cybersecurity governance, define security responsibilities, and audit their supply chains. Non-compliance can result in penalties of up to 10 million euros. NIS2 also considers multi-factor authentication as a key security control for in-scope entities.

  • PSD3, or the proposed Payment Services Directive 3, is the anticipated update to the existing PSD2 regulation that seeks to further strengthen authentication and payment security. While PSD2 successfully curbed account takeover fraud through strong customer authentication, new threats like authorized push payment (APP) fraud have surfaced. PSD3 requires financial institutions to adopt security controls to counter APP fraud, such as Confirmation of Payee and transaction monitoring. In addition, PSD3 pays a lot of attention to the usability aspects of strong customer authentication, requiring financial institutions to provide authentication mechanisms that all of their customers can use. “Mobile-only” approaches to authentication, in particular, are not allowed under PSD3.

The legislative process is ongoing and payment service providers should prepare for PSD3 by assessing proposed regulatory requirements and developing a strategic plan.

AUSTRALIA

The Australian Signals Directorate (ASD) has developed the Essential Eight, a recommended strategy to enhance cybersecurity resilience. These measures, established by the Australian Cyber Security Centre (ACSC), aim to mitigate cyberattacks by implementing practical controls.

The ASD updated the Essential Eight Maturity Model in 2023, focusing on multi-factor authentication. Changes include standardizing authentication factors, enforcing MFA for web portals storing sensitive data (e.g., customer data), adopting phishing-resistant MFA, and requiring workstation authentication with phishing-resistant methods. These updates emphasize the importance of strong authentication and highlight its role in strengthening cybersecurity against various threats.

UNITED STATES

In October 2021, the Federal Trade Commission published an update to the "Safeguards Rule" under the Gramm-Leach-Bliley Act. It outlines how non-bank financial institutions under FTC jurisdiction should protect customers' financial information. The updated rule now requires multi-factor authentication whenever any individual — employee, customer, or otherwise — accesses an information system.  

Institutions that engage in financial system activities, such as auto dealers, real estate appraisers, tax preparers, investment advisors, and colleges and universities participating in federal financial aid programs, are subject to the regulations.

Another update is from the Federal Financial Institutions Examination Council (FFIEC). The FFIEC made significant updates in 2019 to its Authentication and Access to Financial Institutions Services and Systems Guidance. The revised guidance highlights the necessity of implementing enhanced authentication controls, such as multi-factor authentication, for specific users and customers.

The FFIEC also focuses on identity verification, a critical component of Know Your Customer (KYC) regulations. The FFIEC stresses that "reliable verification methods generally do not depend solely on knowledge-based questions to verify identity." We recommend digital identity verification methods like ID document verification and facial comparison.

Digital identity

DENMARK

MitID, Denmark's advanced digital identity system, has officially replaced NemID, offering enhanced flexibility and security features. Designed as a comprehensive app for authenticating logins and payments, MitID aims to streamline digital interactions for users across Denmark.

Following extensive testing to ensure robust security and user-friendly functionality, MitID's deployment included a six-month transition phase, culminating in NemID's discontinuation. The rollout, finalized in November 2023, achieved widespread adoption, with 98% of Danish citizens over 15 switching to MitID. This transition marks a significant milestone in Denmark's digital infrastructure, promoting a more secure online banking sector.

CANADA

The Pan-Canadian Trust Framework (PCTF) and the Voilà Verified Trustmark Program, orchestrated by the Digital Identity and Authentication Council of Canada (DIACC), represent critical steps towards a unified and secure digital identity ecosystem in Canada. The PCTF, which has evolved since 2022, aims to verify the trustworthiness of digital services, emphasizing user-centric design, privacy, and security across both public and private sectors.

The introduction of the Voilà Verified Trustmark Program is a significant advancement, offering certification to organizations that comply with the PCTF's standards, thereby promoting a secure, reliable, and efficient digital identity infrastructure. This program builds trust among users and fosters a robust digital economy by managing digital identities in a secure, user-friendly, and privacy-preserving manner.

EUROPEAN UNION

EU member states have to provide a digital identity wallet to any citizen who requests one. They will likely need to do so 24 months after the adoption of the eIDAS 2.0 Implementing Acts, which is expected to happen later in 2024. This wallet aims to simplify digital identification and transaction processes across the EU, allowing for seamless cross-border authentication and secure storage and exchange of personal data.

It's a significant step towards enhancing digital convenience and security, enabling EU citizens to access a wide range of services online and offline with complete control over their personal information. This initiative is part of a broader effort to harmonize digital identity verification across the EU, ensuring a unified digital market and equal rights for all citizens. Large-scale pilot projects and an online consultation platform are underway to refine and implement digital identity wallets effectively.

SWITZERLAND

Switzerland is gearing up for the 2026 launch of its E-ID, a government-managed digital identity system, following voters' rejection of a private-sector-led model. The Federal Council has adopted the E-ID Act, ensuring the digital ID will be state-run, prioritizing privacy and data protection with features like self-sovereign identity and decentralized data storage. Aimed at Swiss citizens and foreign residents, the E-ID will be free and voluntary, supporting online and offline identification needs.

UNITED STATES

The National Institute of Standards and Technology (NIST) has been updating its Digital Identity Guidelines, NIST SP 800-63-4. This revision addresses the changing digital landscape and enhances digital identity solutions' security, privacy, and usability. The guidelines cover various topics, including identity proofing, authentication, federation, and privacy considerations. The public comment period for the draft was closed on April 14, 2023. These guidelines will supersede the previous publication, SP 800-63-3.

Electronic signature, digital notarization, and electronic wills

Digital transformation is accelerating for documents and agreements requiring notarization – not only for financial transactions such as mortgages, but also in real estate, insurance, and all levels of government. Electronic and remote online notarization methods are gradually replacing traditional paper-based notarization, while electronic wills are also gaining traction across the US. This section explores these emerging trends from a regulatory standpoint across four key jurisdictions: the United States, Canada, the United Kingdom, and Ireland.

UNITED STATES

Two landmark eSignature laws, the ESIGN Act and Uniform Electronic Transactions Act (UETA), have facilitated digital transformation initiatives by US business and government organizations for more than 20 years.

They also underpin the modernization of notary practices and related guidelines across the different US states. Across all forms of electronic notarization, the digital transformation of the notarial process has resulted in higher efficiency, better accessibility, and cost savings for businesses and individuals.

In-person electronic notarization (IPEN)

For in-person electronic notarization (IPEN), the notary and signer still physically meet face-to-face. Instead of wet ink signatures and paper documents, the notary and signer use electronic signatures to sign and notarize an electronic document.

A conventional notarization method, used by most notaries, involves:

  • Meeting face-to-face with the signer
  • Notarizing the paper document with pen and paper
  • Applying a traditional notary seal

Approximately 48 states in the US, including the District of Columbia, permit IPEN. The IPEN option – meeting face-to-face while using electronic documents and signatures – is widely accepted and allowed under the Uniform Electronic Transactions Act (UETA).

Not all states, however, have explicitly enacted legislation to regulate electronic notarization. New York State still needs to adopt UETA. However, it has a similar NY Electronic Signature and Records Act (ESRA) that permits using electronic signatures and records for digital transactions.

This means that IPEN is legally allowed throughout the United States.

Remote online notarization (RON)

The COVID-19 pandemic triggered a significant shift in the way notary businesses function, and remote online notarization gained traction in various US states. For remote online notarization, the notary and signer meet via audio-video communication technology to perform the notarization. There is no need to meet in person. Electronic signatures and records enable remote notarization, eliminating the requirement for physical presence.

As of January 2024, approximately 42 states have passed laws for remote online notarization (RON), which are also in effect.

In 2023, after passing the much-awaited Bill SB 696, California joined the list of states that embraced remote online notarization. However, the implementation date for these statutes still needs to be determined. California is planning to allow out-of-state vendors starting in January 2025. However, California notaries may still have to wait six years to perform remote online notarization (RON), as the bill's implementation could be as far off as 2030. The explanation provided by California's Secretary of State is that the state is working on a big technology project first, which is necessary to make the new law work.

Additional noteworthy clarifications:

  • North Carolina and California have passed RON laws, but they are not yet in effect
  • North Carolina plans to finalize a rule for remote online notarization by July 2024
  • Georgia, Connecticut, South Dakota, Mississippi, Alabama, and South Carolina are among the states that do not have RON laws yet

Future of RON

The US House of Representatives passed a nationwide remote online notarization act known as the Securing and Enabling Commerce Using Remote Electronic Notarization (SECURE) Act, which would allow the use of RON in all 50 US states. HR 1059 passed the House in February 2023, but it still needs the Senate's approval and the President's signature to become law.

The House of Representatives recently passed the Securing and Enabling Commerce Using Remote Electronic Notarization (SECURE) Act 2022, a nationwide remote online notarization act that could revolutionize notarization processes. If passed by the Senate and signed by the President, this act would allow remote online notarization (RON) in all 50 states. If enacted, this federal law would streamline and standardize the notarization process across different states, requiring states to recognize out-of-state notarizations. This would facilitate fast and efficient remote online notary technology and allow the notary public to use RON with signers outside the US.

Overall, this is a promising advancement for remote online notarization, making it easier and more consistent for individuals and businesses to notarize documents regardless of location.

eWills

In 2019, the Uniform Law Commission unveiled the final draft of the Uniform Electronic Wills Act (UEWA). This act defines an "Electronic Will" as a will executed electronically in accordance with state laws.

The Uniform Electronic Wills Act (UEWA) would allow wills to be legally valid and accepted in all states. UEWA permits the execution of wills electronically and allows a probate court to give legal effect to electronic wills.

It also provides a provision allowing an electronic will to be "acknowledged by the testator before and in the physical [or electronic] presence of a notary public or other individual authorized by law to notarize records electronically."

As remote online notarization legislation gains traction, the acceptance of eWills is also on the rise. RON plays an essential role in creating end-to-end electronic wills as electronic notarization is an integral component in the electronic will process. It is unlikely for a state to allow eWills without also permitting remote online notarization.

Currently, 12 states, including Nevada, Indiana, Arizona, Florida, Utah, Colorado, Illinois, Maryland, North Dakota, Washington, Idaho, Minnesota, and Washington, DC, have passed legislation for eWills.

CANADA

Each province and territory in Canada regulates online notarization through their respective legislation. All provinces and territories have adopted the Uniform Law Conference of Canada's Online Notarization Model Act, which outlines the methods and guidance for remote electronic signature authentication and document certification.

Generally, this law requires that documents be signed electronically before a commissioner or other authorized individual. The commissioner or authorized individual also verifies the identity of all parties involved in the electronic transaction and remotely witnesses the signing ceremony using audio-visual technology such as video conferencing.

The exact rules governing Canadian notaries vary slightly between provinces and territories. For example:

  • In Ontario, the Notaries Act was amended in May 2020 under Bill 190, Response and Reform to Modernize Ontario Act. This amendment allows notaries to exercise their powers without being physically present, a process known as remote commissioning, using audio-visual technology.
  • In British Columbia, the Notaries Society set guidelines in August 2020 for remote notarization under temporary validity. Remote notarization is only valid for certain eligible documents, such as affidavits, statutory declarations, and land title documents. Since 2021, authorities have extended this temporary order multiple times.
  • Alberta has temporarily allowed remote notarization during the pandemic times. This process requires the commissioner and the deponent to have a paper copy of the affidavit, including all exhibits, while connected via video technology.
  • In Quebec, a temporary provision was made during the pandemic to allow for the remote signing of notarial acts using technology. In October 2023, Bill 34 was introduced, which became Law 23 once adopted. This law modernizes notarial practices and allows notarial deeds to be signed remotely under certain circumstances. Law 23 now formalizes this process permanently and defines rules for greater security for users. While the law favors in-person meetings between a notary and their client, remote signing remains possible in exceptional circumstances, provided all parties' rights and interests are respected.

eWills

British Columbia has become Canada's first province to pass legislation recognizing electronic wills. Since December 2021, electronic wills in BC have had the same legal standing as physical wills. The recent technological progress allows for electronic signing and storage of wills, a notable advancement. The other provinces should follow British Columbia's path in embracing electronic wills.

Ontario also made considerable progress in this area by passing Bill 245: Accelerating Access to Justice Act, 2021. On April 19, 2021, this bill received Royal Assent, thus permanently allowing remote execution and witnessing of wills. This bill also highlights situations where the remote execution of wills and power of attorney may not be appropriate. The professional must carefully consider such circumstances while conducting remote signing and witnessing of eWills.

In Saskatchewan, Bill No. 110, The Wills Amendment Act, 2022, was granted royal assent in May 2023. This new legislation permits the creation of wills in electronic format, signed with the testator's or will maker's electronic signature.

Quebec has also adapted by allowing "virtual presence" and remote execution in notarial wills. The province boasts a unique mandatory will registry exclusively for notarial wills, managed by the Chambre des notaires. During the pandemic, the Chambre des notaires temporarily allowed the digital executions of notarial wills.

In Alberta, the Wills and Succession Act does not address digital or electronic wills. The Alberta Law Reform Institute (ALRI) has recommended to the Alberta government that electronic wills be explicitly permitted in Alberta, as the benefits of doing so outweigh the drawbacks.

UNITED KINGDOM

In the UK, the electronic notarization process is much like notarization in other countries, where people can notarize documents remotely from anywhere in the world, eliminating the need to meet a notary in person. The notary public can verify the authenticity of the electronic transaction and documents during electronic notarization.

eIDAS regulates electronic notarization, making it legally binding and recognized across all EU member states. Unlike the US electronic signature regulations, eIDAS establishes three types of electronic signatures: simple, advanced, and qualified.

The Faculty Office of the Archbishop of Canterbury oversees the regulation of the notarial profession in the UK. They first issued “Guidance on remote notarization” in May 2020 and revised it in January 2023. These guidelines include the requirement for the physical presence of a notary for notarizing certain types of documents and the circumstances under which remote technology can be used for notarizing documents remotely. The qualified notary has electronically signed it using their signature.

Remote notarization excludes documents like wills, deeds, and affidavits, which require physical signature and notarization. It is important to consult with a notary public to determine whether your documents can be notarized remotely.

eWills

Currently, electronic wills are not recognized or valid in the UK. The UK faces challenges regarding electronic signatures in estate planning, particularly concerning wills. There are two main reasons for this:

  1. The current rules require the testator (the person who made the will) to sign it in the physical presence of a witness.
  2. The requirements vary between Scotland and England/Wales: In Scotland, the testator must sign every page of their will in the physical presence of a witness. In England and Wales, the signature must be witnessed by two people. While there have been discussions about adopting electronic signatures in Ireland, new legislation might be necessary to facilitate this.

Even with these legal restrictions, concerns have been raised about potential abuse with the adoption of electronic wills. These concerns, particularly those related to undue influence, need to be addressed before adopting any changes in the rules pertaining to electronic wills.

IRELAND

In Ireland, certain transactions require individuals to use a Qualified Electronic Signature (QES). An approved certification body must independently accredit these signatures. While QES is only mandatory for specific transactions, Ireland adheres to European Telecommunications Standards Institute (ETSI) standards for defining the technical requirements of a QES.

In accordance with the eIDAS Regulation, Ireland is obligated to maintain a publicly available list of supervisory bodies for qualified certificate providers, similar to other EU countries. Currently, only one certification service provider has notified the Minister for Communications, Energy, and Natural Resources that their qualified certificates, related to a timestamp service, meet the Electronic Commerce Act 2000 requirements.

Given the limitations, eSigning is not accepted for documents like wills and codicils. Therefore, electronic signatures are not widely used in Ireland for documents under seal or those requiring witnessing. In Ireland, the adoption of the eNotarial concept has enjoyed minimal application as of early 2024.

Regulatory compliance and opportunity

Regulatory changes present an opportunity to take bold steps forward with your organization’s digital transformation and cybersecurity initiatives.

We can help you achieve compliance through authentication, digital identity, and electronic signature technology. For best practices and expertise on how to concurrently improve the customer experience as you strengthen security and digitize, speak with a OneSpan expert.
