Digital Bank Success Strategies: Security & Compliance Across Borders

Michael Magrath, Global Director of Regulations & Standards at OneSpan, Discusses Compliance Considerations for Digital Banks

Ícone de vídeo

Welcome to our expert interview series about how digital banks can scale without sacrificing the customer experience. In this video interview with Michael Magrath, Global Director of Regulations & Standards at OneSpan, we talk about how digital banks can deal with compliance as they scale across borders.

Sarah: What regulations will affect banks as they scale across borders?

Michael Magrath: Globally, there are lots of regulations that banks have to adhere to, and each jurisdiction or country has their own unique requirements. The first thing digital banks have to do is they have to be licensed. Different countries have different licensing requirements. In Saudi Arabia, for example, a digital bank has to be headquartered in the Kingdom. Singapore is also in the process of granting digital banking licenses and are planning to grant five digital banking licenses over the summer of 2020. They have received 21 applications and have unique requirements, such as the requirement to have over a billion dollars in reserves within five years, with a commitment to expand throughout Asia.

Another regulatory trend that will affect digital banks as they look to expand are new data protection and privacy laws, which are occurring all around the world. The European General Data Protection Regulation (EU) 2016/679 (GDPR) started this trend. In the US, the California Consumer Privacy Act took effect in January 2020. Additional US states are also starting to roll out their own data privacy laws and have legislation introduced. We expect to see more data protection and privacy laws at the state level, which will cause more concern for digital banks because they have to be licensed and adhere to each state in the United States.

Additionally, there are also anti-money-laundering and counter-terrorist financing regulations, such as Know Your Customer regulations, that every bank has to adhere to - whether they're traditional banks or digital banks. The Financial Action Task Force, which is a global body made up of about 37 jurisdictions (the G20 plus several others), published digital identity draft guidance in late 2019. This is expected to come into full effect in 2020. The guidance lays out digital identity guidelines, authentication requirements, and other things that digital banks would have to adhere to.

So, as digital banks are looking to go across borders, there's a lot of regulations that they really have to consider and abide by.

Sarah: What are the unique challenges that digital banks face when they are trying to comply with these regulations?

Michael: One of the unique challenges digital banks face when trying to comply with these regulations is just the myriad of regulations themselves. I think a lot of banks rely on strong partners. A lot of the traditional banks, the ones that many people are familiar with around the world, have very large compliance departments where people are extremely focused on new regulations. Some of the smaller banks don't have as large compliance departments, and they rely on partners that are aware of the regulations, and have the technologies to help them comply with the unique regulations in those jurisdictions they want to do business with.

Sarah: How can digital banks meet these requirements while still scaling efficiently and quickly?

Michael: The answer to how digital banks can meet these requirements while still scaling quickly and efficiently, concerns having technology partners that can assist them. Digital banks may not have to worry about physical security like a traditional bank would - they may not have to worry about vaults and cameras in a building. However, IT security is of the utmost importance.

Digital banks need to secure the digital customer journey from customer onboarding to customer transactions. They need to remain compliant with the regulations to onboard new customers, as well as the authentication requirements unique to a jurisdiction.

Most jurisdictions are starting to lean heavily towards requiring some sort of multi-factor authentication. That could be anything from a traditional one-time password token to the latest in biometrics, behavioral biometrics, AI, and machine learning technologies. They also need to think about securing transactions themselves and about managing risk and identifying riskier transactions. Most of the digital banks use a mobile platform, so securing mobile transactions and the mobile app itself is of key importance. Malicious actors are attacking mobile transactions and mobile apps, and without strong security, as well as knowledge of the regulations, digital banks put themselves in jeopardy.

Sarah: What are the other risks involved if digital banks don't adhere to these regulations?

Michael: The consequences of non-compliance, first and foremost, would be fines. Regulators around the world have established very severe penalties for non-compliance. When GDPR went into effect there were some very large-scale, publicized fines for non-adherence or non-compliance. The 5th anti-money laundering Directive in Europe (Directive (EU) 2018/843), for example, which each member state had to have in their national legislation by January 2020, imposes some very severe fines, as well as potential prison time, for directors for non-adherence.

So, fines are the first and foremost risk. The other consequence is if they don't have proper security measures in place, people aren't going to want to do business with them. If a bank or another financial institution is hacked, customers may think twice before they use that bank. So, having appropriate security measures, combined with user convenience, is most critical for digital banks going forward.

Sarah: If you could give one piece of advice to digital banks about how they can scale across borders, remain compliant, and avoid the fines that you talked about, what would that be?

Michael: I think digital banks don't necessarily have to go at this by themselves. It's very complicated out there, so identifying and relying on strong partners - partners that know the industry, know the regulations and have the appropriate technologies to help - would go a long way.