Country Overview
Although the United States has faced the COVID-19 pandemic, economic uncertainty, political upheaval and social unrest during 2020-2021, the country remains a global leader in financial stability and digital transformation. The American economy contracted by 3.5% in 2020, its worst performance since World War II,1 but a spectacular recovery has experts predicting the strongest economic growth since 1984, or even 1951.2 The economy is forecasted to expand in 2021 and 2022 by 6.7% and 3.7%,3 respectively, due in part to a swift vaccination rollout, USD $2.8 trillion in stimulus money, surging demand and a growing jobs market.
Meanwhile, the COVID-19 pandemic has accelerated digitalization in the US, including the adoption of artificial intelligence solutions4 and digital banking.5 The digitalization of business operations has driven a rise in productivity,6 and President Joe Biden’s proposed American Jobs Plan includes a USD$65 billion budget toward revitalizing digital infrastructure over the next eight years.7 Although the US has progress to make in bridging the digital divide and strengthening digital skills, it still ranked #2 on the 2020 Digital Evolution Scorecard, developed by Tufts University’s Fletcher School and Mastercard.
Digitalization has not come without hurdles, however. High-profile cyberattacks like the 2016 election hacking, December 2020 SolarWinds cybersecurity attack and May 2021 Colonial Pipeline ransomware attack have increasingly targeted American government agencies and businesses and exposed vulnerabilities in national cyber resilience. Despite this worrisome landscape, the US remains strong overall, and the Biden administration is spearheading multiple efforts to further bolster cybersecurity.
Alongside cybersecurity, the United States’ 2021 digital agenda seeks to heighten digital inclusion, invigorate the digital economy and counter the rising influence of China. Key federal legislative initiatives address digital identity, data privacy and the regulation of virtual currencies. The Federal Reserve is planning to release a report in September 2021 addressing the opportunities and risks in digital payments, including cryptoassets, stablecoins and a possible central bank digital currency (CBDC).8 Although the Federal Reserve has been clear that it has no immediate plans to issue a CBDC, Federal Reserve Chair Jerome Powell noted in July 2021 that a CBDC could help to undermine the popularity of privately-issued digital currencies like cryptocurrencies and stablecoins.9
State legislatures have similarly been eager to address data protection, as well as enable the digitalization of services like notarization. Colorado and Virginia have joined California in enacting comprehensive data privacy laws, and Massachusetts, New York, North Carolina and Pennsylvania have active bills.10
Financial Regulatory Authorities
The Federal Reserve System is the central banking system in the US.
The Consumer Financial Protection Bureau (CFPB) is an agency of the United States government responsible for consumer protection in the financial sector. Regarding rulemaking and legislation, the CFPB “implements and enforces federal consumer financial laws to ensure that all consumers have access to markets for consumer financial products and services that are fair, transparent, and competitive.”
The Federal Deposit Insurance Corporation (FDIC) “insures deposits; examines and supervises financial institutions for safety, soundness, and consumer protection; makes large and complex financial institutions resolvable; and manages receiverships.”
The Federal Trade Commission (FTC) protects consumers and businesses by preventing anticompetitive, deceptive, and unfair business practices. The FTC enforces laws and provides advocacy and education.
The Financial Crimes Enforcement Network (FinCEN) is a bureau of the US Department of the Treasury. Its mission is to “safeguard the financial system from illicit use, combat money laundering and its related crimes including terrorism, and promote national security through the strategic use of financial authorities and the collection, analysis, and dissemination of financial intelligence.”
The Financial Industry Regulatory Authority (FINRA) is a government-authorized, not-for-profit organization that acts as a self-regulatory organization overseeing US broker-dealers.
The National Credit Union Administration (NCUA) is an independent organization that issues charters and serves as regulator for all federal credit unions. In addition, it insures deposits at federally insured credit unions.
The Office of the Comptroller of the Currency (OCC) is an independent branch of the US Department of the Treasury. The OCC issues charters and serves as regulator for all national banks and federal savings associations. In addition, it supervises federal branches and agencies of foreign banks.
The Securities and Exchange Commission (SEC) is an independent federal agency that seeks to prevent market manipulation.
Policy, Laws and Regulations
36-Hour Rule for Reporting Computer Security Incidents, November 2021
In November 2021, the Federal Reserve Board, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) published a final rule requiring “banking organizations” under their respective jurisdiction to notify their primary federal regulator within 36 hours in the event of certain types of computer-security incidents. The Rule separately requires “bank service providers” to “notify banking organization customers as soon as possible in the event of any incident that has or is reasonably likely to materially affect those customers for four or more hours”. Bank service providers include any bank service company or other person that provides services subject to the Bank Service Company Act. The regulation takes effect April 1, 2022, while banking organizations and their bank service providers must be in compliance by May 1, 2022.
Federal Trade Commission’s Update to Safeguards Rule, October 2021
In October 2021, the Federal Trade Commission published an update to the "Safeguards Rule" under the Gramm-Leach-Bliley Act. It outlines how non-bank financial institutions under FTC jurisdiction should protect customers’ financial information. Banks, bank holding companies, and their subsidiaries are subject to separate guidance and standards issued by the federal banking regulators, including the OCC, the Fed, and the FDIC. The update applies to institutions "engaging in financial activities," including auto-dealers, real estate appraisers, tax preparers, investment advisors, and colleges and universities participating in federal financial aid programs. In addition to those subject to the existing rule, the amended Safeguards Rule may apply to internet service providers, the gig economy, and online marketplaces.
The updated rule now requires multi-factor authentication (MFA) whenever any individual -- employee, customer, or otherwise -- accesses an information system. The FTC has imposed significant penalties for non-compliance with fines of $43,792 per violation, per day.
This revised rule took effect January 10, 2022. However, key provisions, including the MFA requirement, will be effective and enforced beginning December 9, 2022.
RFI on Public and Private Sector Uses of Biometric Technologies, 08 October 2021
The Office of Science and Technology Policy (OSTP) issued a Request for Information (RFI) on Public and Private Sector Uses of Biometric Technologies. According to the notice, “The purpose of this RFI is to understand the extent and variety of biometric technologies in past, current, or planned use; the domains in which these technologies are being used; the entities making use of them; current principles, practices, or policies governing their use; and the stakeholders that are, or may be, impacted by their use or regulation.”11 The comment period will end 15 January 2022.
Authentication and Access to Financial Institution Services and Systems, 11 August 2021
The Federal Financial Institutions Examination Council (FFIEC) issued its guidance on Authentication and Access to Financial Institution Services and Systems, which details authentication and access risk management principles and practices for digital banking services and information systems. The guidance addresses the following principles and practices:
- "Conducting a risk assessment for access and authentication to digital banking and information systems
- Identifying all users and customers for which authentication and access controls are needed, and identifying those users and customers who may warrant enhanced authentication controls, such as MFA
- Periodically evaluating the effectiveness of user and customer authentication controls
- Implementing layered security to protect against unauthorized access
- Monitoring, logging, and reporting of activities to identify and track unauthorized access
- Identifying risks from, and implementing mitigating controls for, email systems, Internet access, customer call centers, and internal IT help desks
- Identifying risks from, and implementing mitigating controls for, a customer-permissioned entity’s access to a financial institution’s information systems
- Maintaining awareness and education programs on authentication risks for users and customers
- Verifying the identity of users and customers"12
Fraud Types and Authentication for Remote Payment Use Cases, 03 August 2021
The Federal Reserve issued Brief #2: Fraud Types and Authentication for Remote Payment Use Cases as part of its Fraud Landscape Series. The brief outlines various fraud types, including new account fraud (NAF), NAF based on stolen legitimate identities, NAF based on synthetic identity fraud (SID) and account takeover (ATO). ATO is an increasingly prevalent type of fraud in online payments. According to the brief, “ATO fraud attempts to steal from consumers and e-commerce merchants grew 282% between Q2 2019 to Q2 2020.”13 Fraudsters employ numerous tactics to enable fraud during remote authentication, including data breaches, phishing, malware, Man-in-the-Middle (MitM) and Man-in-the-Browser (MitB) attacks, and SIM swap attacks. To prevent fraud, authentication methods can be conducted at numerous points in the authentication and verification process. The brief then overviews vulnerabilities and fraud prevention methods pertaining to new account opening and onboarding, person-to-person (P2P) payment authentication for enrollment and transaction, enrollment in contactless mobile and digital wallets, enrollment in payment service provider (PSP) or proprietary merchant wallet and transaction authentication across remote wallets.
National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, 28 July 2021
President Joe Biden issued the “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems,” which outlines the newly-established Industrial Control Systems Cybersecurity Initiative. The Initiative is a voluntary collaboration between the federal government and the critical infrastructure community aimed at “encouraging and facilitating deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities for cybersecurity in essential control system and operational technology networks. The goal of the Initiative is to greatly expand deployment of these technologies across priority critical infrastructure.” Although the initiative is voluntary, the Biden administration could seek to make compliance mandatory by entreating Congress to incorporate the standards into federal law.
Social Security Administration’s Electronic Consent Based Social Security Number Verification (eCBSV) Service, 19 July 2021
The Social Security Administration (SSA) began its Expanded Rollout of the electronic Consent Based Social Security Number Verification (eCBSV) Service after the Clearance Package was approved by the Office of Management and Budget on 24 June 2021. The eCBSV service enables permitted entities to verify whether an individual’s name, birth date and Social Security Number match Social Security records. The service yields a “yes” or “no” match verification. Financial institutions can utilize the eCBSV service during account opening to prevent synthetic identity fraud.
The SSA’s eCBSV service was born out of 2019’s Economic Growth, Regulatory Relief, and Consumer Protection Act, specifically Section 215, with the purpose of reducing the prevalence of synthetic identity fraud. eCBSV is a valuable service and has benefitted several U.S. banks under the initial pilot, but under the law, it is limited to the financial services industry.
The reality is that identity fraud, and specifically synthetic identity fraud, is not limited to financial services, and other regulated industries, including healthcare and telecommunications, could benefit from eCBSV. Further expansion would require an act of Congress and would benefit all Americans and the economy.
See below for the Federal Reserve’s definition of synthetic identity fraud.
First National Anti-Money Laundering Priorities, 30 June 2021
The Financial Crimes Enforcement Network (FinCEN) issued the first Anti-Money Laundering and Countering the Financing of Terrorism National Priorities per a requirement under the Anti-Money Laundering Act of 2020 (AMLA). The priorities—developed in consultation with federal and state banking regulators, law enforcement and national security agencies, the Department of Treasury and the Attorney General—include:
- Corruption
- Cybercrime, including relevant cybersecurity and virtual currency considerations
- Foreign and domestic terrorist financing
- Fraud
- Transnational criminal organization activity
- Drug trafficking organization activity
- Human trafficking and human smuggling
- Proliferation financing
Regarding cybercrime, FinCEN notes that, “Treasury is particularly concerned about cyber-enabled financial crime, ransomware attacks, and the misuse of virtual assets that exploits and undermines their innovative potential, including through laundering of illicit proceeds.” The internet is also increasingly facilitating fraud like romance scams and identity theft. FinCEN will update the priorities every four years to take into account the evolving threat landscape, and the agency will issue regulations detailing how financial institutions should integrate the priorities into their AML programs. Per AMLA, the regulations must be promulgated by 27 December 2021.
Second Circuit Court Ruling on Fintech Charters, 03 June 2021
The Second Circuit Court overturned a 2019 decision to rule that the Office of the Comptroller of the Currency (OCC) could grant special purpose, federal bank charters—“fintech charters”—to non-depository institutions. This will allow for a streamlined and standardized approach to the licensing and regulation of fintech companies across the US. Fintech companies offering certain financial services and products were previously required to obtain a license from each state in which they conducted business.14
Executive Order on Improving the Nation’s Cybersecurity, 12 May 2021
President Joe Biden’s Executive Order on Improving the Nation’s Cybersecurity calls for the implementation of several strategies toward bolstering national cybersecurity in the wake of the Colonial Pipeline ransomware attack. The federal government shall partner with the private sector, remove barriers to sharing threat information, modernize its cybersecurity framework, enhance software supply chain security, establish a cyber safety review board, standardize its incident response processes, improve detection of vulnerabilities and incidents on its networks, improve its investigation and remediation capabilities and adopt National Security Systems requirements. Each goal is underpinned by target actions, often to be completed on a rigorous timeline. President Biden states, “It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.” The US ranked #1 on the 2020 Global Cybersecurity Index, developed by the United Nations’ International Telecommunication Union.
Financial Industry Regulatory Authority on Protections from Account Takeover Attempts, 12 May 2021
The Financial Industry Regulatory Authority (FINRA) issued Regulatory Notice 21-18 on practices firms use to protect customers from online account takeover (ATO) attempts. FINRA notes that the prevalence and sophistication of ATOs have risen. The guidance was developed in roundtable discussions with representatives from twenty firms. Practices include:
- Verifying customers’ identities when they establish online accounts
- Authenticating customers’ identities during login attempts
- Multifactor authentication
- Adaptive authentication
- Supplemental authentication factors such as SMS text message codes, third-party authenticator apps and biometrics
- Back-end monitoring and controls
- Procedures for potential or reported customer ATOs
- Automated threat detection
- Restoring customer account access
- Investor education
Federal Reserve Board’s Proposed Guidelines for Evaluating Account and Services Requests, 05 May 2021
The Federal Reserve Board’s Proposed Guidelines for Evaluating Account and Services Requests are intended for use by Federal Reserve Banks “in evaluating requests for master accounts and/or access to Federal Reserve Bank financial services (accounts and services).” Technological change has driven a shifting payments landscape and the advent of new financial products and services, and banks are increasingly receiving “requests for access to accounts and services from novel institutions” such as fintech companies. The Federal Reserve Board thus seeks to promote a transparent and standardized response to the requests, outlined in the proposed guidelines. The five guidelines are founded on risk management and mitigation. In evaluating requests, banks must ensure that:
- Institutions are eligible to “maintain an account at a Federal Reserve Bank (Reserve Bank) and receive Federal Reserve services”
- The provision of an account and services will not pose undue risks related to operations, credit, settlement and cybersecurity
- The provision of an account and services will not pose undue risks related to operations, credit, liquidity and cybersecurity to the overall payment system
- The provision of an account and services will not pose undue risk to the stability of the financial system
- The provision of an account and services will not pose “undue risk to the overall economy by facilitating activities such as money laundering, terrorism financing, fraud, cybercrimes, or other illicit activity”
The Board called for public feedback on its proposed guidelines.
Synthetic Identity Fraud Definition, 06 April 2021
The Federal Reserve announced that an industry-recommended definition of synthetic identity fraud had been developed by a focus group of twelve fraud experts. “Synthetic identity fraud (SIF) is the use of a combination of personally identifiable information (PII) to fabricate a person or entity in order to commit a dishonest act for personal or financial gain.” Primary elements of PII include name, date of birth and Social Security number, as well as other government-issued identifiers, and secondary elements of PII include address, phone number, email address and digital footprint. Synthetic identities can be used for credit repairs, fraud for living, payment default schemes and other illegal activities.
FinCEN Regulatory Process for Beneficial Ownership Reporting Requirement, 01 April 2021
FinCEN issued an Advance Notice of Public Rulemaking (ANPRM) inviting public feedback on procedures and standards pertaining to a requirement that reporting companies submit information on their beneficial owners, per the implementation of the Corporate Transparency Act (CTA). Reporting companies must submit to FinCEN information on each identified beneficial owner and applicant, including:
- “(i) Full legal name;
- (ii) date of birth;
- (iii) current residential or business street address; and
- (iv) a unique identifying number from an acceptable identification document or the individual's FinCEN identifier.”
Per the CTA, FinCEN must keep the reported information in a secure, non-public database for five years upon termination of the reporting company, and the unauthorized disclosure of the information is prohibited. FinCEN must also provide a “FinCEN identifier” to entities or individuals who have submitted their beneficial ownership information, upon request. According to the notice, “A FinCEN identifier is to be a unique identifier for each individual or entity that may be used for subsequent reporting to FinCEN in lieu of providing certain other information.”
Request for Information on Artificial Intelligence, 31 March 2021
The Board of Governors of the Federal Reserve System, Bureau of Consumer Financial Protection, Federal Deposit Insurance Corporation, National Credit Union Administration and Office of the Comptroller of the Currency issued a request for information (RFI) on financial institutions’ use of artificial intelligence, including machine learning. The RFI seeks “to understand respondents’ views on the use of AI by financial institutions in their provision of services to customers and for other business or operational purposes; appropriate governance, risk management, and controls over AI; and any challenges in developing, adopting, and managing AI.” The deadline for comments was 01 July 2021.
American regulators have demonstrated increasing interest in the adoption of AI, alongside the mitigation of its risks. On 19 March 2021, the National Security Commission on Artificial Intelligence published a Final Report outlining a strategy to “win the broader technology competition” in the “AI era.” On 19 April 2021, the Federal Trade Commission (FTC) published a blog on “Aiming for truth, fairness, and equity in your company’s use of AI,” which delivers guidance on avoiding negative outcomes like racial bias.
The financial services industry continues to utilize Artificial Intelligence to improve customer experience and reduce costs. The expanded use of AI and documented bias in algorithms have made AI a high priority for U.S. financial regulators and policymakers. The regulators’ RFI was one of many initiatives this year.
In April, the FTC published a blog post, “Aiming for truth, fairness, and equity in your company’s use of AI”. The regulator warns developers and users of AI that exaggerating or misleading consumers will put companies in the crosshairs of the FTC, citing potential enforcement action under the FTC Act, the Fair Credit Reporting Act, and the Equal Credit Opportunity Act.
Bias in artificial intelligence systems and machine learning and the algorithms these systems employ can negatively affect, or harm, people’s lives. In the delivery of financial services in particular, AI- or ML-caused harms include allocation and quality of service harms. Allocation harms consist of offering or withholding opportunities, resources, or information from certain sub-populations – for example differing loan approval rates for males vs. females. Quality-of-service harms occur when a system’s accuracy or performance differs for certain sub-populations – for example, facial recognition/comparison systems with higher error rates for Black women.
At the same time, applying AI/ML to financial services use cases can also mitigate inequities, advance inclusion, improve the user experience, and protect people against fraud. For example, ID verification technology powered by AI/ML can extend financial service offerings to subpopulations whose credit scores might disqualify them via traditional means. In addition, applying machine-learning to session-monitoring and fraud analysis for digital financial services helps reduce unnecessary authentication friction during to improve user experiences and more accurately detects and interdicts fraud.
In June, NIST released Draft Special Publication 1270, “A Proposal for Identifying and Managing Bias in Artificial Intelligence”. The report “proposes a strategy for managing AI bias, and describes types of bias that may be found in AI technologies and systems. The proposal is intended as a step towards consensus standards and a risk-based framework for trustworthy and responsible AI”.
In July, NIST published a Request for Information (RFI) to solicit input as it drafts an Artificial Intelligence Risk Management Framework, a “guidance document for voluntary use intended to help technology developers, users and evaluators improve the trustworthiness of AI systems.”
2022 is certain to be a very interesting year as it pertains to the regulatory environment for AI and we will be closely tracking activities in Washington, DC.
Office of the Comptroller of the Currency Approves Banks’ Use of Blockchain and Stablecoins in Payments, 04 January 2021
The Office of the Comptroller of the Currency (OCC) issued an interpretive letter approving banks’ use of independent node verification networks (INVN) and stablecoins in payment activities. The letter notes that, “Industry participants recognize that using stablecoins to facilitate payments may combine the efficiency and speed of digital currencies with the stability of existing currencies…stablecoins can provide a means of transmitting value denominated in an existing currency using INVN technology. Stablecoins thus provide a means by which participants in the payment system may avail themselves of the potential advantages associated with INVNs. Billions of dollars’ worth of stablecoin trade globally, and demand for stablecoin continues to grow. INVNs and related stablecoins represent new technological means of carrying out bank-permissible payment activities. We therefore conclude that a bank may validate, store, and record payments transactions by serving as a node on an INVN. Likewise, a bank may use INVNs and related stablecoins to carry out other permissible payment activities. A bank must conduct these activities consistent with applicable law and safe and sound banking practices.”
FinCEN’s Proposed Rule on Virtual Currency and Digital Asset Transactions, 18 December 2020
FinCEN issued a notice of proposed rulemaking to solicit public feedback on “Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets.” The proposed rule seeks to address anti-money laundering regulatory gaps, and would “require banks and money service businesses (‘MSBs’) to submit reports, keep records, and verify the identity of customers in relation to transactions involving convertible virtual currency (‘CVC’) or digital assets with legal tender status (‘legal tender digital assets’ or ‘LTDA’) held in unhosted wallets…or held in wallets hosted in a jurisdiction identified by FinCEN.” An unhosted wallet is one that is controlled by an individual in lieu of an intermediary. Banks and MSBs must file a report with FinCEN in the case of a transaction exceeding USD$10,000 (or a series of transactions amounting to the same within a 24-hour period), and banks and MSBs must maintain records in the case of a transaction exceeding USD $3,000.
On 06 July 2021, FinCEN appointed its first-ever Chief Digital Currency Advisor, Michele Korver.
Legislation
Sanction and Stop Ransomware Act of 2021, 05 August 2021
Introduced by Senators Dianne Feinstein (D-CA) and Marco Rubio (R-FL), the Sanction and Stop Ransomware Act of 2021 aims to strengthen national cybersecurity through the development of mandatory cybersecurity standards, the regulation of cryptocurrency exchanges, sanctions and reporting requirements. If passed, the Act would require the Department of Homeland Security (DHS) Secretary—in consultation with the Director of the Cybersecurity and Infrastructure Security Agency (CISA)—to issue mandatory cybersecurity standards, applicable to critical infrastructure entities. Within 180 days, the Secretary of Treasury shall issue regulations for cryptocurrency exchanges “in order to reduce anonymity of accounts and users suspected of ransomware activity and make records available to the US government in connection with ransomware incidents.”15 Ransomware threats to critical infrastructure would be classified as a national intelligence priority, and states found to have provided support to ransomware demand schemes would be classified as a “state sponsor of ransomware.” Such states would face sanctions and penalties, to be issued by the President. Lastly, the Act directs CISA to establish a ransomware operation reporting system within 180 days.
SAFE DATA Act, 28 July 2021
Introduced by Senators Roger Wicker (R-MI) and Marsha Blackburn (R-TN), the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act aims to give Americans more control over their data and bolster businesses’ transparency and accountability. Consumers would be granted the rights to access, correct, delete and port their data. Businesses would have to obtain consent for the processing or transferring of sensitive data, and would be limited in undertaking secondary uses of data without consent. Businesses would also have to “disclose a privacy policy to consumers detailing their data collection, processing, and transfer activities, and notify consumers of any material changes to those activities;”16 conduct privacy impact assessments; and secure data through the maintenance of internal controls and reporting structures. The Federal Trade Commission (FTC) would be required to maintain a data broker registry and share information with the relevant agency “if it obtains information that a business has processed or transferred consumer data in a way that violates Federal anti-discrimination laws.”17 The FTC would also be authorized “to develop new rules to expand categories of sensitive data”18 and its authority in overseeing data use practices of nonprofits and common carriers would be expanded.
Digital Asset Market Structure and Investor Protection Act, 28 July 2021
Introduced by Representative Don Beyer (D-VA), the Digital Asset Market Structure and Investor Protection Act seeks to “protect consumers and promote innovation by incorporating digital assets into existing financial regulatory structures.” The bill would:
- Establish statutory definitions for digital assets and digital asset securities
- Grant the Federal Reserve the authority to issue a CBDC
- Include digital assets and digital asset securities under the statutory definition of “monetary instruments”
- Direct regulators to issue consumer advisories to ensure that consumers are aware their digital assets and digital asset securities are not “insured or protected in the same way as bank deposits or securities”
- “Require digital asset transactions that are not recorded on the publicly distributed ledger to be reported to a registered Digital Asset Trade Repository within 24 hours to minimize the potential for fraud and promote transparency”
Cyber Incident Notification Act, 21 July 2021
The bipartisan Cyber Incident Notification Act—introduced by Senators Susan Collins (R-ME), Marco Rubio (R-FL) and Mark Warner (D-VA)—would require federal government agencies, federal contractors and critical infrastructure operators to report “cybersecurity intrusions” and “potential cybersecurity intrusions” to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within twenty-four hours of discovery. A cybersecurity intrusion is defined as an incident that involves or is assessed to involve a nation-state, an advanced persistent threat actor or a transnational organized crime group, as well as one that may result in “demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of people in the United States; is or is likely to be of significant national consequence; or is identified by covered entities but affects, or has the potential to affect, agency systems.” Reports must include a description of the incident; a description of tactics employed by the actor in conducting the attack; vulnerabilities leveraged; information that could help in identifying the cyber actor; and contact information of the reporting entity.
Improving Digital Identity Act of 2021, 30 June 2021
Representatives Bill Foster (D-IL), John Katko (R-NY), Jim Langevin (D-RI) and Barry Loudermilk (R-GA) reintroduced the Improving Digital Identity Act of 2021, which seeks to establish a government framework for a nationwide digital identity. The bill notes the rise of identity theft and identity fraud in the US, which is in part facilitated by the lack of an affordable and reliable identity verification method for online activities. If enacted into law, the bill would establish an Improving Digital Identity Task Force under the Executive Office of the President. The task force would be charged with creating a “governmentwide effort to develop secure methods for Federal, State and local agencies to validate identity attributes to protect the privacy and security of individuals and support reliable, interoperable digital identity verification in the public and private sectors.” Toward this end, the task force would evaluate restrictions in an agency’s ability to verify identity information; evaluate necessary regulatory changes in relation to such restrictions; recommend a standards-based architecture allowing for agencies to provide digital identity verification services; identify funding and additional resources required by agencies in the provision of digital identity verification; and evaluate potential risks associated with criminal exploitation of digital identity verification. Additionally, the Director of the National Institute of Standards and Technology (NIST) would be tasked with developing a digital identity standards framework, and the Secretary of Homeland Security would award grants to states to upgrade systems providing identity credentials.
In a 27 May speech, Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger briefly addressed security in devising digital identity standards, saying, “…are there commercial ways for digital identity so that we can ensure both devices and people have [security,] particularly when they want to have authenticated identity online.”
The inadequacy of our infrastructure remains a major challenge in financial services: FinCEN last year reported banks are losing more than $1 billion each month due to identity-related cybercrime. Meanwhile, millions of Americans cannot get a bank account because they don't have the functional identity documents needed to prove who they are. Amidst all of this, identity theft losses soared by 42% last year.
On the cybersecurity front, it remains an anomaly when a major incident occurs and identity does not provide the attack vector. The SolarWinds attack several months ago was just the latest example of this, with Russian attackers targeting the administrative layer of identity and access management systems to do devastating damage. As a leader at the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security stated back in March, "Identity is everything now".
Data Protection Act of 2021, 17 June 2021
Senator Kirsten Gillibrand (D-NY) reintroduced the Data Protection Act of 2021, which would establish a federal Data Protection Agency (DPA). The DPA would establish and enforce data protection rules, ensure “fair competition within the digital marketplace”, advise Congress on the privacy and technology landscapes, coordinate with federal and state regulators in supporting a consistent regulatory approach to privacy issues and ensure that “high-risk data privacy practices” do not discriminate against a protected class. The bill has a heavy focus on justice and would establish an Office of Civil Rights as part of the DPA. Senator Gillibrand has been particularly adamant in bolstering privacy protections against big tech companies, and the bill allows for the DPA to review company mergers that involve the transfer of data of 50,000 or more individuals.
The reintroduction of the Data Protection Act of 2021 follows the 29 April 2021 reintroduction of the Consumer Data Privacy and Security Act by Senator Jerry Moran (R-KS). The Act would strengthen consumer data protections and impose new requirements on entities that handle consumer data. Entities handling consumer data would be required to develop and implement security programs safeguarding personal data, consumer consent would be required for the collection of data and consumers would have the rights to access, correct and erase their personal data.
Securing and Enabling Commerce Using Remote and Electronic Notarization Act, 13 May 2021
The bipartisan Securing and Enabling Commerce Using Remote and Electronic (SECURE) Notarization Act, reintroduced by Senator Kevin Cramer (R-ND), would authorize all notaries in the US to perform remote online notarizations (RONs) through the use of audio-visual communication and recording. The bill outlines definitions, requirements and standards for conducting RONs, such as the retention of the audio-visual recording of the performance of a RON for a period of at least five years, or ten in some cases. The notary must utilize at least two types of processes or services “through which a third party provides a means to verify the identity of the remotely located individual through a review of public or private data sources”, and the electronic signature must be affixed to the electronic record in such a way that tampering is “evident.” Notaries may perform notarizations that affect interstate commerce. Due to business operations shifting online as a result of the COVID-19 pandemic, states have increasingly passed laws enabling RONs, both temporarily and permanently.
Token Taxonomy Act of 2021, 08 May 2021
Representative Warren Davidson (R-OH) introduced the Token Taxonomy Act, which aims to “exclude digital tokens from the definition of a security” in an effort to strengthen regulatory clarity. Cryptoassets would need to meet several requirements to qualify as a digital token, which is defined per the Act as a “digital unit (A) that is created (i) in response to the verification or collection of proposed transactions; (ii) pursuant to rules for the digital unit’s creation and supply that cannot be altered by any single person or persons under common control; or (iii) as an initial allocation of digital units that will otherwise be created in accordance with clause (i) or (ii).” The digital unit must also have a transaction history recorded in a distributed digital ledger or digital data structure, the consensus of which cannot be modified or tampered with by a single person or group; it must be transferable without the means of an intermediary; and it cannot be a “representation of a financial interest in a company or partnership.” The bill also introduces small taxation adjustments, including the creation of a tax exemption for the exchange of a virtual currency into another; “a de minimus exemption from taxation for gains realized from the sale or exchange of virtual currency for other than cash;” and an adjustment to the “taxation of virtual currencies held in individual retirement accounts.”
Eliminate Barriers to Innovation Act of 2021, 20 April 2021
The House of Representatives passed the Eliminate Barriers to Innovation Act of 2021, first introduced by Representative Patrick T. McHenry (R-NC) on 08 March 2021. The Act would establish a digital assets working group between the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) in an effort to create an integrated approach to the regulation of digital assets. The working group would be composed of employees from both agencies as well as at least one representative from six categories, including:
- "Financial technology companies providing digital assets
- Financial firms under the jurisdiction of the SEC or CFTC
- Institutions or organizations engaged in academic research or advocacy on digital assets
- Small businesses engaged in financial technology
- Investor protection organizations
- Institutions and organizations that support investment in historically-underserved businesses"
Within a year of its establishment, the working group would have to supply a report addressing the legal and regulatory frameworks pertaining to digital assets, with an analysis of how a lack in clarity has affected primary and secondary markets in digital assets, how the frameworks affect US competitiveness and how developments in other countries related to digital assets affect US competitiveness. The report must then deliver recommendations on the creation, maintenance and improvement of primary and secondary markets in digital assets with regard to strengthening fairness, transparency and integrity; standards on cybersecurity, custody and private key management; best practices on reducing fraud and market manipulation; and best practices on bolstering investor protections and assisting in AML/CFT compliance measures. The bill will now pass to the Senate.
Bank Service Company Examination Coordination Act, 26 March 2021
Introduced by Representative Roger Williams (R-TX), the Act was referred to the Committee on Financial Services and the Committee on the Budget. The Act seeks to amend the Bank Service Company Act and would enable the coordination of state and federal banking agencies—with particular regard to information sharing—in overseeing and regulating activities of third-party service providers, referred to as bank service companies. Enhanced cooperation would help to more efficiently detect vulnerabilities in the financial system and promote a more consistent approach to oversight and regulation.
Stablecoin Tethering and Bank Licensing Enforcement Act, 02 December 2020
The Stablecoin Tethering and Bank Licensing Enforcement (STABLE) Act, introduced by Representative Rashida Tlaib (D-MI), seeks to protect consumers against financial threats related to cryptocurrency. The Act would require stablecoin issuers to notify and acquire a written approval from the Federal Reserve, Federal Deposit Insurance Corporation and the relevant state or federal banking agency. These agencies would be required to conduct an ongoing risk analysis with regard to monetary policy. Stablecoin issuers would have to ensure that they could “immediately redeem all outstanding stablecoins at their nominal redemption value, upon demand, in United States dollars.”
Although the bill was introduced shortly before the close of the previous congressional session, it is expected to be reintroduced in 2021.19
Notable State Laws and Bills
Remote Online Notarization (RON), December 22, 2021
39 states have passed RON legislation, with New York’s governor being the latest to sign legislation into law enacting permanent RON measures on December 22, 2021. New York’s law takes effect June 20, 2022.
New York joins Alaska, Arizona, Arkansas, Colorado, Florida, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maryland, Michigan, Minnesota, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin and Wyoming.
States began to adopt RON measures as the COVID-19 pandemic led to social distancing rules and forced businesses to shift their operations online. Each state’s measures include the same basic elements, including the use of audio-visual communication methods, recording of the audio-visual communication and authentication by the notary of the signatory.20
The following states enacted RON measures in 2021:
On 22 July 2021, New Jersey Governor Phil Murphy signed A 4250, which adopts RON effective 21 October 2021.
On 23 June 2021, Maine enacted HP 1033, which temporarily extends an executive order enabling RONs until 01 January 2023. HP 1033 also tasks the Secretary of State with conducting a study on RONs, developing recommendations on permanent RON measures and submitting a report to the state legislature by 01 February 2022.
On 15 June 2021, Oregon Governor Kate Brown signed SB 765, which makes temporary RON measures permanent. The law went into immediate effect.
On 29 April 2021, Arkansas Governor Asa Hutchinson signed SB 340 (Act 1047) into law. The law went into immediate effect, retroactive to 30 March 2020.
On 21 April 2021, Kansas Governor Laura Kelly signed SB 106 into law. The law will go into effect 01 January 2022.
On 05 April 2021, New Mexico Governor Lujan Grisham signed SB 12 into law. The law will go into effect 01 January 2022.
On 30 March 2021, West Virginia Governor Jim Justice signed SB 469 into law. The law went into effect 17 June 2021.
On 26 February 2021, Wyoming Governor Mark Gordon signed SF 0029 into law. The law went into effect 01 July 2021.
On 23 January 2021, Illinois Governor J.B. Pritzker signed SB 2664 into law. The law will go into effect 01 January 2022.
Source: As of 24 August 2021. Mortgage Bankers Association.
Please visit the Mortgage Bankers Association’s remote online notarization (RON) resource page (www.mba.org/RON) for the most current legislative tracking map and other information on the status of RON legislation in the states.
State Insurance Cybersecurity Laws
In October 2017, the National Association of Insurance Commissioners (NAIC) adopted the NAIC Insurance Data Security Model Law. According to the NAIC, the Model Law “seeks to establish data security standards for regulators and insurers to mitigate the potential damage of a data breach. The law applies to insurers, insurance agents and other entities licensed by the state department of insurance.”
Moreover, the U.S. Treasury Department has advised states to adopt the Model Law within the next 5 years or the department will ask Congress to preempt the states. While each state can modify the Model Law to accommodate its unique requirements, key components of the Model Law include requiring insurance licensees to implement a written information security program and for insurance licensees to consider whether certain safeguards are appropriate, including access controls such as multi-factor authentication, penetration testing, encryption, audit trails and other security methods.
At the time of this writing, 18 states have adopted the NAIC Model Law: Alabama, Connecticut, Delaware, Hawaii, Indiana, Iowa, Louisiana, Maine, Michigan, Minnesota, Mississippi, New Hampshire, North Dakota, Ohio, South Carolina, Tennessee, Wisconsin and Virginia.
Laws passed in 2021 include:
- The Wisconsin Insurance Cybersecurity Law, signed by Governor Tony Evers on 16 July 2021. It will go into effect 01 November 2022.
- Hawaii’s Insurance Data Security Law, signed by Governor David Ige on 28 June 2021. It went into effect 01 July 2021. Licensees must be in compliance with the majority of information security program requirements by 01 July 2022, and be in compliance with third-party service provider oversight requirements by 01 July 2023.21
- Minnesota’s commerce and energy omnibus bill, signed by Governor Tim Walz on 26 June 2021, includes provisions based on the NAIC Model Law. It went into effect 01 August 2021. Licensees must be in compliance with the majority of information security program requirements by 01 August 2022, and be in compliance with third-party service provider oversight requirements by 01 August 2023.22
- The Tennessee Insurance Data Security Law, signed by Governor Bill Lee on 06 May 2021. It went into effect 01 July 2021.
- The Iowa Insurance Data Security Act, signed by Governor Kim Reynolds on 30 April 2021. It will go into effect 01 January 2022.
- The North Dakota Insurance Data Security Act, signed by Governor Doug Burgum on 24 March 2021. It will go into effect 01 August 2022. The requirement to report and document cybersecurity incidents and responses will go into effect 01 August 2023.
- The Maine Insurance Data Security Act, signed by Governor Janet Mills on 17 March 2021. It will go into effect 01 January 2022. Requirements on the use of third-party service providers will go into effect 01 January 2023.
Biometric Privacy in New York City Administrative Code, 09 July 2021
Although New York’s Biometric Privacy Act was not passed, New York City incorporated rules on biometric identity identification into the New York City Administrative Code. Per the code, “Any commercial establishment that collects, retains, converts, stores or shares biometric identifier information of customers must disclose such collection, retention, conversion, storage or sharing, as applicable, by placing a clear and conspicuous sign near all of the commercial establishment’s customer entrances notifying customers in plain, simple language, in a form and manner prescribed by the commissioner of consumer and worker protection by rule, that customers’ biometric identifier information is being collected, retained, converted, stored or shared, as applicable.” The code deems it illegal to profit from the transaction of biometric identifier information. In the case that a person faces a violation of the rules, they may send written notice to the establishment, which will have thirty days to remedy the violation and provide an “express written statement” to the aggrieved person. If the establishment continues to violate the rules, the aggrieved person may initiate an action against the establishment. The new rules went into effect 09 July 2021.
NYDFS Ransomware Guidance, 30 June 2021
In light of the increasing prevalence of ransomware attacks, the New York State Department of Financial Services (NYDFS) issued a Ransomware Guidance to New York State regulated entities. Regulated entities should institute email filtering and anti-phishing training, a “documented program to identify, assess, track, and remediate vulnerabilities on all enterprise assets within their infrastructure,” multi-factor authentication (MFA) and a method to monitor systems for intruders. Regulated entities should also disable RDP access, ensure that strong passwords are used and develop an incident response plan. In the case that a ransomware attack is successful, regulated entities must report it to the NYDFS within 72 hours.
Colorado Privacy Act, 07 June 2021
The Colorado Privacy Act (CPA), signed into law by Governor Jared Polis, makes Colorado the third state to enact a comprehensive privacy regime, after California and Virginia. Once in effect, Colorado residents will be granted greater control over their personal data, including the rights to access, correct and delete personal data, as well as the right to opt out of the processing of personal data in the cases of targeted advertising, sale of personal data and profiling. The law will go into effect 01 July 2023.
Virginia’s Consumer Data Protection Act was signed into law 02 March 2021. The law will apply to all entities that conduct business in the state and either control or process the personal data of at least 100,000 people, or garner over 50% of gross revenue from the sale of personal data while controlling or processing the personal data of at least 25,000 people. Consumers will be granted the rights to access, correct, delete and obtain a copy of their personal data. The law will go into effect 01 January 2023.
The California Privacy Rights Act of 2020 (CPRA), passed 03 November 2020 by a majority of California voters in the general election, echoes the EU’s General Data Protection Regulation (GDPR) and significantly expands consumer rights. Consumers will have the rights to correct inaccurate personal data, opt out of the sale and sharing of personal data and request limits on the use and disclosure of sensitive personal information (SPI). The newly made SPI category includes such data as genetic data, biometric information, social security, financial information, race, ethnicity, religion, personal communications and more.23 The law also creates a new enforcement agency. The California Privacy Protection Agency (CPPA) will be tasked with rule-making and guidance, with a budget of USD$10 million. On 19 March 2021, California announced the appointment of five board members to the CPPA. The law will go into effect 01 January 2023.
Meanwhile, legislatures in Massachusetts, New York, North Carolina, Ohio and Pennsylvania are contemplating their own privacy frameworks. The Ohio Personal Privacy Act (OPPA), introduced 13 July 2021, would grant consumers the rights to access, delete, obtain a copy and opt out of the sale of their personal data. The Act would apply to businesses that generate at least USD$25 million in gross annual revenue in Ohio; control or process the personal data of at least 100,000 Ohio consumers; and that control or process the personal data of at least 25,000 Ohio consumers while garnering at least 50% of its gross annual revenue from the sale of personal data.24
The New York Privacy Act (NYPA), reintroduced by Senator Kevin Thomas on 13 May 2021, would strengthen consumer protections and impose requirements on certain data controllers. Obliged entities would include legal persons that conduct business in New York or sell services and products marketed towards New York residents, and meet one of a number of criteria. The criteria include entities that generate an annual gross revenue of USD$25 million or greater; control or process the personal data of 100,000 or more New York residents; control or process the personal data of 500,000 or more individuals in the US, of whom at least 10,000 are New York residents; and garner over half of gross revenue from the sale of personal data, while controlling and processing the personal data of at least 25,000 New York residents. Consumers would be granted the rights to be given notice of how their personal data is processed; to give or not give consent to the processing of their personal data; and to delete, correct and access their personal data. Data controllers would have to provide a notice to consumers detailing how their personal data is to be processed, utilizing language at or below an 8th-grade reading level.
On 07 April 2021, Pennsylvania’s Consumer Data Privacy Act (CDPA) was introduced in the State House of Representatives. The Act would grant consumers the rights to access and delete their personal information; know whether their personal data is being collected, sold or disclosed; and decline or opt out of the sale of their personal information. Data collectors would be required to disclose information to the consumer regarding the category of personal data collected, the purpose of collection or sale and categories of third parties with which the data is shared.
On 06 April 2021, the Consumer Privacy Act of North Carolina (CPA) was introduced in the State Senate. The CPA would grant consumers the rights to access, correct and delete their personal data, as well as confirm whether it is being processed and opt out of the processing of personal data for the purposes of targeted advertising, sales and profiling. Data controllers would be required to comply with consumer requests in the exercise of their rights, disclose to the consumer the purpose of personal data collection, issue a privacy notice to consumers regarding their rights and the purpose of the personal data processing, conduct an annual data protection assessment and collect only the personal data that is “adequate, relevant and reasonably necessary” for the prescribed purpose.25 Data controllers may not process sensitive personal data without consent. Data controllers who violate the CPA could face fines up to USD$5,000.
On 29 March 2021, the Massachusetts Information Privacy Act (MIPA) passed to the State Senate. MIPA would protect people from the unauthorized collection, use and sale of their personal data, especially biometric information; establish the Massachusetts Information Privacy Commission; protect employees from “unwarranted electronic monitoring” while working; and prohibit digital discrimination. The MIPA Fact Sheet states that the Act aims to “Blend the best approaches from other states and jurisdictions, including parts of similar laws passed in California, Illinois, and the European Union.”
Sixteen other states have introduced data protection legislation but have failed to pass it. On 19 July 2021, the Uniform Law Commission (ULC) issued the Uniform Personal Data Protection Act in an effort to standardize data protection legislation across the states.
Nebraska Financial Innovation Act, 25 May 2021
The Nebraska Financial Innovation Act, introduced 20 January 2021, was passed and signed into law. The law establishes a charter for companies holding cryptocurrencies and creates a new class of financial institution and bank, called a “digital asset depository institution.” Banks that already have a charter can offer cryptocurrency services. The law notes that institutions are expected to comply with national and state laws on know-your-customer (KYC), anti-money laundering and other requirements.
Oklahoma Electronic Title (e-Title) Law, 07 May 2021
Governor Kevin Stitt signed Senate Bill 998 into law, making Oklahoma the 25th state to enact legislation enabling the use of electronic titles and liens for vehicles.26 The law will go into effect 01 November 2021. The Oklahoma Tax Commission (OTC) has been tasked with developing a program for the electronic storage and filing of motor vehicle titles, as well as the electronic assignment and release of liens. The program will be operational by 01 July 2022.
On 16 March 2021, Michigan’s Electronic Lien and Title (ELT) program went into effect, “allowing for the electronic exchange of lien and title information with lienholders in lieu of a paper certificate of title.” In the case that a customer finances a vehicle with a participating financial institution, the title will be kept electronically. If the ownership of a vehicle changes, a paper title shall be required. On 12 May 2021, a bill was introduced to the New Jersey legislature that would allow for the electronic processing of salvage titles.
Washington Uniform Electronic Wills Act, 26 April 2021
On 17 July 2019, the US passed the national Electronic Wills Act, which enables the electronic execution of wills. Washington’s Uniform Electronic Wills Act was signed into law 26 April 2021, making Washington the fourth state to have transposed the Act onto state law. North Dakota’s Uniform Electronic Wills Act was signed into law 09 March 2021 by Governor Doug Burgum, the Colorado Uniform Electronic Wills Act was signed into law 21 January 2021 by Governor Jared Polis and Utah’s Uniform Electronic Wills Act became law 31 August 2021. Virginia’s Uniform Electronic Wills Act, introduced 07 January 2021, passed the State House of Representatives and was referred to the State Senate in early February 2021. The spate of laws comes amidst the COVID-19 pandemic, which made the in-person signing and witnessing of wills difficult due to social distancing restrictions.
Arizona Recognizes Mexico’s Consular Registration Card as Valid ID, 05 March 2021
Governor Doug Ducey signed Senate Bill 1420, which recognizes Mexican consular registration cards as a valid form of ID in Arizona. The law notes that Arizona shall accept IDs issued by foreign governments that have employed biometric identity verification techniques, including fingerprints and retina scans. In his signing letter, Governor Ducey said, “This legislation will ensure that law enforcement is able to quickly and accurately identify more of the individuals with whom they interact. This is critical to ensure safety for both law enforcement and the public… This bill does not authorize any new rights or responsibilities for non-citizens. It simply recognizes that governments in Arizona will accept cards issued by countries who use strict biometric identity verification techniques as lawful identification.”
References:
1. Rushe, Dominic. “US economy shrank by 3.5% in 2020, the worst year since second world war.” The Guardian, 28 January 2021. https://www.theguardian.com/business/2021/jan/28/us-economy-shrank-2020-worst-year-since-second-world-war
2. Crutsinger, Martin. “US economy grows 6.4% in Q1, and it’s likely just the start.” AP News, 24 June 2021. https://apnews.com/article/consumer-spending-gross-domestic-product-economy-business-ea9f24b146848b0821b549abb6cf78c8
3. Bovino, Beth Ann and Satyam Panday. “Economic Outlook U.S. Q3 2021: Sun, Sun, Sun, Here It Comes.” S&P Global Ratings, 24 June 2021. https://www.spglobal.com/ratings/en/research/articles/210624-economic-outlook-u-s-q3-2021-sun-sun-sun-here-it-comes-12014595
4. Popkin, Helen et al. “Covid-19 Devastated Some Industries But Accelerated AI Use By Companies Across The Country.” Forbes, 26 April 2021. https://www.forbes.com/sites/alanohnsman/2021/04/26/ai-50-americas-most-promising-artificial-intelligence-companies/?sh=3188ff5177cf
5. “Coronavirus Accelerates US Bank Digital Banking, Branch Optimization.” Fitch Ratings, 31 March 2021. https://www.fitchratings.com/research/banks/coronavirus-accelerates-us-bank-digital-banking-branch-optimization-31-03-2021
6. “U.S. output surging amid pandemic due to digitization – Goldman.” Reuters, 13 July 2021. https://www.reuters.com/world/us/us-output-surging-amid-pandemic-due-digitization-goldman-2021-07-13/
7. Chakravorti, Bhaskar. “How to Close the Digital Divide in the U.S.” Harvard Business Review, 20 July 2021. https://hbr.org/2021/07/how-to-close-the-digital-divide-in-the-u-s
8. Tellez, Anthony. “Fed Chairman Suggests That Bitcoin Could Become Obsolete If U.S. Digital Currency Existed.” Forbes, 14 July 2021. https://www.forbes.com/sites/anthonytellez/2021/07/14/fed-chairman-suggests-that-stablecoins-and-cryptocurrencies-could-become-obsolete-if-us-digital-currency-existed/?sh=3c2e3b52357a
9. Marte, Jonnelle. “Powell says a Fed digital currency could undercut need for cryptocurrencies.” Reuters, 14 July 2021. https://www.reuters.com/business/feds-powell-says-stablecoins-need-appropriate-regulatory-framework-2021-07-14/
10. Rippy, Sarah. “US State Privacy Legislation Tracker.” The International Association of Privacy Professionals, 08 July 2021. https://iapp.org/resources/article/us-state-privacy-legislation-tracker/
11. “Notice of Request for Information (RFI) on Public and Private Sector Uses of Biometric Technologies.” The Daily Journal of the United States Government, 08 October 2021. https://www.federalregister.gov/documents/2021/10/08/2021-21975/notice-of-request-for-information-rfi-on-public-and-private-sector-uses-of-biometric-technologies
12. “Authentication and Access to Financial Institution Services and Systems.” Federal Financial Institutions Examination Council, 11 August 2021. https://www.ffiec.gov/press/PDF/Authentication-and-Access-to-Financial-Institution-Services-and-Systems.pdf
13. “Brief #2: Fraud Types and Authentication for Remote Payment Use.” The Federal Reserve, 03 August 2021. https://fedpaymentsimprovement.org/wp-content/uploads/brief-2-fraud-types-and-authentication-for-remote-payment-use-cases.pdf
14. Aschettino, Stephen A. “2nd Circuit Clears the Way for OCC's ‘FinTech Charter.’” Lexology, 04 June 2021. https://www.lexology.com/library/detail.aspx?g=0deecf73-5209-42e0-a69a-4441113b63c3
15. “Rubio-Feinstein Sanction and Stop Ransomware Act of 2021.” rubio.senate.gov, 05 August 2021. https://www.rubio.senate.gov/public/_cache/files/671937f9-f463-45ef-8995-44bfb08c5c6b/A4CE60BFC099E755B82927640E0B6308.sanction-and-stop-ransomware-act-section-by-section-final-8.5.21-.pdf
16. “Wicker, Blackburn Introduce Federal Data Privacy Legislation.” U.S. Senate Committee on Commerce, Science & Transportation, 28 July 2021. https://www.commerce.senate.gov/2021/7/wicker-blackburn-introduce-federal-data-privacy-legislation
17. “Wicker, Blackburn Introduce Federal Data Privacy Legislation.” U.S. Senate Committee on Commerce, Science & Transportation, 28 July 2021. https://www.commerce.senate.gov/2021/7/wicker-blackburn-introduce-federal-data-privacy-legislation
18. “Wicker, Blackburn Introduce Federal Data Privacy Legislation.” U.S. Senate Committee on Commerce, Science & Transportation, 28 July 2021. https://www.commerce.senate.gov/2021/7/wicker-blackburn-introduce-federal-data-privacy-legislation
19. De, Nikhilesh. “US Lawmakers Introduce Bill That Would Require Stablecoin Issuers to Obtain Bank Charters.” Coindesk, 02 December 2020. https://www.coindesk.com/us-lawmakers-introduce-bill-that-would-require-stablecoin-issuers-to-obtain-bank-charters
20. Tank, Margo H. K. “[UPDATED] Coronavirus: Federal and state governments work quickly to enable remote online notarization to meet global crisis.” DLA Piper, 15 August 2021. https://www.dlapiper.com/en/us/insights/publications/2020/03/coronavirus-federal-and-state-governments-work-quickly-to-enable-remote-online-notarization/
21. “Hawaii and Minnesota Enact Insurance Data Security Laws.” Thomson Reuters Practical Law, 01 July 2021. https://content.next.westlaw.com/
22. “Hawaii and Minnesota Enact Insurance Data Security Laws.” Thomson Reuters Practical Law, 01 July 2021. https://content.next.westlaw.com/
23. “California Consumer Privacy Act 2.0 – What You Need to Know.” JD Supra, 27 November 2020. https://www.jdsupra.com/legalnews/california-consumer-privacy-act-2-0-93257/
24. “BREAKING: Ohio’s Legislature Considering Passing the Ohio Personal Privacy Act with Support of Governor DeWine and Lt. Governor Husted.” The National Law Review, 14 July 2021. https://www.natlawreview.com/article/breaking-ohio-s-legislature-considering-passing-ohio-personal-privacy-act-support
25. “North Carolina Proposes Expansive Consumer Privacy Protections.” JD Supra, 21 April 2021. https://www.jdsupra.com/legalnews/north-carolina-proposes-expansive-7005596/
26. Seals, Mike. “New Law enables Electronic Titles, saving time and money.” Ponca City Now, 11 May 2021. https://www.poncacitynow.com/new-law-enables-electronic-titles-saving-time-and-money/
*DISCLAIMER: This information is OneSpan's interpretation of the compliance requirements as of the date of publication. Please note that not all interpretations or requirements of the applicable laws are well-settled and their application is fact- and context-specific. The information contained in this document should not be relied upon as legal advice or to determine how the law applies to your business or organization. We encourage you to seek guidance from your legal counsel with regard to law applying specifically to your business or organization and how to ensure compliance. This information is provided “as-is” and may be updated or changed without notice. OneSpan does not accept liability for the contents of these materials.
Last updated: November 2021