Compliance

The NYDFS regulates approximately 1,500 banks and financial institutions. These include U.S. institutions as well as many international institutions with operations in New York. 

The Cybersecurity Requirements for Financial Services Companies consists of 22 provisions that  require financial services organizations to better protect data. Financial institutions must implement effective controls to prevent unauthorized access to information systems or non-public information through risk assessment, but the means by which they do so can include multi-factor authentication, biometric authentication, or risk-based authentication.

Learn more in this blog: NYDFS Cybersecurity Requirements for Financial Services Companies

The EU Payments Services Directive (PSD2) contains requirements related to Strong Customer Authentication (SCA). Financial institutions must comply with these requirements by September 2019. However, specific Payment Service Providers (PSPs) could qualify for an exceptional extension in the context of card payments for e-commerce according to a recent EBA Opinion.

These requirements include five criteria of compliance:

• Strong Authentication: Authentication must be based on two or more factors, including passwords or PIN, tokens or mobile devices, or biometrics.

• Transaction Risk Analysis: Mandates the use of transaction risk analysis to deter fraudulent payments. 

• Replication Protection: PSD2 mandates the use of dedicated mobile app cloning counter-measures in applications.

• Dynamic Linking: For payment transactions, the authentication code must be dynamically linked to both the amount and payee.

• Independent Elements: Payment service providers must adopt security measures to mitigate the risk resulting from compromised mobile devices.

The new EU Cybersecurity Certification Framework, originally proposed in 2017, was developed to improve the cyber security of online services and consumer devices, including IoT devices. Once formally approved by the European Parliament, it will be published in the EU Official Journal and officially enter into force immediately. For more information, read the official press release.

To improve resilience against cyber threats, the Saudi Arabian Monetary Authority (SAMA) introduced the SAMA Cyber Security Framework in May 2017. This follows a global trend where government and banking industry regulators around the world are introducing cybersecurity standards and guidance. 

The four key aspects of the framework include:

• Identity & access management
• Secure communication channel for online and mobile banking
• Mobile application shielding
• Fraud detection and prevention

Learn more in this blog: SAMA Cyber Security Framework Compliance 

On 15 March 2020, Turkey’s Banking Regulation and Supervision Agency published the Regulation on Information Systems of Banks and Electronic Banking Services. 
The regulation entered into force on 1 July 2020 and significantly impacts banks, auditing firms, technology firms offering outsourced services to banks, and companies offering open banking solutions.

The regulation addresses:

• Establishment and management of information systems of banks
• Information security of banks
• Electronic banking services

Learn the impact on SMS-OTP, 2FA, mobile application security, transaction security, and more: https://www.onespan.com/blog/financial-regulatory-landscape-in-turkey
 

The Monetary Authority of Singapore (MAS) has issued Technology Risk Management (TRM) Guidelines and Business Continuity Management (BCM) Guidelines.

The TRM Guidelines provide direction for software development security, cyber surveillance, adversarial attack simulation, and how to manage the cyber risks posed by the Internet of Things. The TRM also includes a section on the “Security of Online Financial Services”, which covers the following:

• Sec.14.1.7 “Rooted or jailbroken mobile devices should be blocked from accessing the FI’s mobile applications to perform financial transactions as such devices are more susceptible to malware and security vulnerabilities.”

• Sec. 14.2.1 “Multi-factor authentication should be deployed at login for online financial services to secure the customer authentication process.”

• Sec. 14.2.4  “FI may apply a risk-based approach and implement appropriate risk-based or adaptive authentication that presents customers with authentication options that commensurate with the risk level of the transaction and sensitivity of the information.” 

• Sec. 14.2.8 “Where soft token is used for customer authentication, appropriate measures, such as verifying the identity of the customer, detecting and blocking rooted or jailbroken devices, and performing device binding, should be implemented for the soft token provisioning process.”

• Sec. 14.3.1 “The FI should implement real-time fraud monitoring or surveillance systems to identify and block suspicious or fraudulent online transactions.”

Payment Card Industry Data Security Standard

PCI DSS 3.2 is an information security standard for organizations that handle branded credit cards from the major card brands. It was put in place to address security threats to customer payment information. All entities involved in payment card processing must comply with PCI DSS, including acquirers, issuers, merchants, processors, and service providers. It also applies to all other entities that store, process, or transmit cardholder data.

Requirement 8.3, which became mandatory in 2018, requires organizations to incorporate multi-factor authentication for all non-console access to the cardholder data environment, as well as remote network access originating from outside the entity’s network.

To adapt to the changing threat environment and stay ahead of cybercriminals, SWIFT (the Society for Worldwide Interbank Financial Telecommunication) introduced the SWIFT Security Controls Framework and Customer Security Programme (CSP). For more information on how SWIFT helps to ensure the security and integrity of the systems that connect to the SWIFT network, see this blog. 

In the US, federal and state law gives electronic signatures the same legal status as handwritten signatures. The Federal Electronic Signatures in Global and National Commerce Act (ESIGN) gives legal recognition for electronic signatures and records to satisfy the “in writing” legal requirements for transactions, including disclosures, and permit organizations to satisfy statutory record retention requirements solely through the use of electronic records. ESIGN requires a person’s consent to conduct business electronically.

At the state level, forty-seven states, the District of Columbia, Puerto Rico, and the Virgin Islands have adopted the Uniform Electronic Transactions Act (UETA). Additionally, the federal ESIGN law provides that electronic signatures are legally enforceable for intrastate commerce and within those states that have not adopted UETA.

On December 20, 2018, The 21st Century Integrated Digital Experience Act (21st Century IDEA) was signed into law. It creates minimum functionality and security standards for federal agencies in the US with the goal of improving digital interactions between citizens and government. For example, it requires agencies to offer digital versions of all paper-based services and to accept electronic signatures from citizens.

Learn more in this blog.
 

The US FINRA Rule 4512(a)(3) (Customer Account Information) previously required brokerage firms to obtain the “wet” signature of each named, natural person authorized to exercise discretion in an account before opening the account. On April 16, 2019, the U.S. Security Exchange Commission (SEC) passed a proposed change to Rule 4512(a)(3) providing members with the option of obtaining an electronic signature in place of a wet signature.

Learn more in this blog.

Numerous states in the US have passed or are considering legislation that would empower their state notaries to perform remote online notarizations. This includes:  

• Indiana SB 372 (signed into law 3/13/18; effective 7/1/19)
• Louisiana HCR 31 (introduced 4/6/18; passed House and Senate)
• Michigan H 5811 (signed into law 6/28/18; effective 3/30/19)
• Minnesota SF 893 (signed into law 5/20/18; effective 1/1/19)
• Nevada A. 413 (signed into law 6/9/17; effective 7/1/18)
• Ohio SB 263 (signed into law 12/18; effective 9/19/19)
• North Dakota HB 1110 (signed into law 3/11/19)
• South Dakota HB 1272 (signed into law 3/18/19)
• Tennessee SB 1758 (signed into law 5/15/18; effective 7/1/19)
• Texas HB 1217 (signed into law 6/1/17; effective 7/1/18)
• Kentucky  SB 114 (signed into law, 3/25/19; effective 1/1/20)

Similar to US UETA laws, Canadian provincial e-signature laws give electronic signatures the same legal status as handwritten signatures. 

Substantially uniform electronic commerce and electronic signature laws have been enacted across Canada. All the provinces and territories have stand-alone electronic commerce statutes of general application based on model laws promulgated by the U.N. and the Uniform Law  Conference of Canada (ULCC). 

For example, in Ontario the Electronic Commerce Act, 2000 (ECA) addresses the use of electronic documents in commercial transactions. In a report entitled Electronic Signatures in Canadian Law, leading Canadian business law firm Stikeman Elliott LLP states, “While there are some variations, the provincial e-commerce statutes generally stipulate that signatures, documents and originals are not invalid or unenforceable by reason only of being in electronic form.”

To learn more, read the Stikeman Elliott legal guide to electronic signatures. 

The 2014 Regulation on Electronic Identification and Trust Services for Electronic Transaction in the Internal Market (eIDAS) went into effect throughout the European Union on 1 July 2016, replacing Directive 1999/93/EC on electronic signatures. Unlike the Directive, the eIDAS regulation applies equally to each EU Member State. 

eIDAS facilitates cross-border recognition of e-signatures and e-identities. It also identifies three levels of e-signature: the Simple, Advanced, and Qualified E-Signature.

Learn about the legal enforceability of the three levels of e-signature in this white paper: eIDAS and E-Signature: a Legal Perspective, written by Lorna Brazell of Osborne Clarke LLP.

On June 26, 2020, Law No. 7247 was published in the Official Gazette. The law amends several existing laws affecting electronic agreements. The changes now authorize that financial services companies accept electronic signatures to open bank accounts, apply for loans and leasing, and credit cards.
 

Learn more details in this blog: https://www.onespan.com/blog/financial-regulatory-landscape-in-turkey
 

In Brazil, the use of electronic signatures falls into two categories:

• Technology-neutral: Brazilian law allows for an electronic signature in use cases where the type of signature is not specified by the law. In this approach, the electronic signature must ensure the integrity of the signed document and the authenticity of the authorship of the signature, but the law does not specify the technology. Freedom of form in the Brazilian law infers this technology-neutral approach.
• Technology-specific: Certain types of documents and signers require the use of a digital certificate issued to the signer by the ICP-Brasil infrastructure. This is a technology-specific system where the ICP-Brasil certificates provide a trusted third-party verification of the electronic signature. ICP-Brasil establishes the public key infrastructure for the country, which provides the necessary time-stamping and policies to create the equivalent of a Qualified Electronic Signature (QES). 

Learn more in this Portuguese white paper on Electronic Signatures and the Law in Brazil, written in collaboration with Opice Blum LLP. 

Law 527 of 1999 established electronic signatures as the equivalent of handwritten signatures. It gives e-signatures the same validity and legal effect as a handwritten signature, provided that the e-signature complies with the reliability requirements stated in Decree 2364 of 2012.

Learn more in this Spanish white paper on Electronic Signatures and the Law in Colombia, written in collaboration with Erick Rincon Cardenas, a partner at Rincon Cardenas & Moreno.

In 2000, the Congress of the Republic of Peru approved Law No. 27269 on Digital Signatures and Certificates, which reads as follows: “The purpose of this law is to regulate the use of e-signatures, granting them the same legal validity and effectiveness as handwritten signatures or similar which imply a declaration of will.”

Learn more in this Spanish white paper on Electronic Signatures and the Law in Peru, written in collaboration with Erick Rincon Cardenas, a partner at Rincon Cardenas & Moreno.

In 1999, the Australian Parliament passed the Electronic Transactions Act, which was amended in 2011. The Electronic Transactions Act gives electronic signatures the same legal status as handwritten signatures. 

According to the Australian government, “If a Commonwealth law requires you to give information in writing, provide a handwritten signature, produce a document in material form, or record or retain information, the Electronic Transactions Act means you can do these things electronically.” 

In effect since 2001, Japan’s Electronic Signatures and Certification Business Act recognizes the legal enforceability of two types of electronic signatures used worldwide: Advanced E-Signatures and Qualified E-Signatures.

Put in place in 1998, this law provides the legal foundation for electronic signatures and gives predictability and certainty to electronic contracts. According to the Government of Singapore, “In the electronic world, hand-written signatures can be replaced by digital signatures. Like written signatures, digital signatures may be used to establish the identity of a party or to make legal commitments. The Electronic Transactions Act provides for the recognition of digital signatures under Singapore law.”