Staying on top of banking regulatory compliance is more than a full-time job. The increased risk presented by cybercrime is one of many factors driving changes in financial services compliance and regulations. Meanwhile, attempts to mitigate COVID-19 fast-tracked the consumer and institutional move to online banking, a transition that potentially could expose vulnerabilities’ in financial service providers’ security measures. Blink, and you will miss a new banking regulation.
Consider these observations:
From banks limiting their branch access and hours, to the fear of coronavirus contaminating paper bills and coins, the Covid-19 pandemic has fast-tracked the changing relationship between consumers and their banks or credit unions. Trends that arose in 2020 are setting the stage for a digitally focused banking future that’s arriving somewhat earlier than imagined.
Cybersecurity remains a persistent challenge for the banking industry. Although much progress has been made, the threat volume, velocity, and variability continue to accelerate, as the attack surface expands through rapid digitization and externalization of digital infrastructure. And of course, the pandemic has tested the cyber resilience of banks, as the virtual/distributed work model became the norm. Insider risk is also increasing because of the psychological stress employees are likely to face as the pandemic continues.
— Deloitte, 2021 Banking and Capital Markets Outlook
Take a look at where the industry stands today, what new regulations are being established worldwide, what regulatory compliance for institutions will mean in the future and how Diligent can help your organization meet the new demands.
Financial Services Compliance and Regulations
United Kingdom: Post-Brexit Changes
With its formal departure from the European Union, the United Kingdom is no longer subject to the General Data Protection Regulation (GDPR). However, the provisions of the GDPR were folded into law with the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.
California Privacy Rights
The 2018 California Consumer Privacy Act (CCPA) has made many ripples beyond state boundaries, carrying implications for compliance-focused financial institutions nationally as well as globally. One of the most consumer-friendly policy changes of banking privacy regulations was the CCPA law at the beginning of 2020. Still, ongoing court decisions and an additional state act continue to reshape how the law impacts both consumers and banks.
The CCPA was just the beginning. California Proposition 24, passed by voters in November 2020 and enacted as the California Privacy Rights Act (CPRA), created a California Privacy Protection Agency and pivoted the regulations on financial institutions and other businesses. As a result, institutions serving California residents now must “reasonably” minimize data collection, limit data retention and protect data security. Institutions also must conduct privacy and risk-related assessments and audits and regularly submit them to regulators.
California’s laws are not only regulatory requirements for banks, but financial institutions are affected. Like the CCPA, the California Privacy Rights Act applies to companies that meet these requirements:
- Have a gross annual revenue of over $25 million;
- Buy, receive or sell the personal information of 50,000 or more California residents, households or devices; or
- Derive 50% or more of their annual revenue from selling California residents’ personal information.
In its analysis of the “good” and “bad” news of the original CCPA for affected businesses, the IAPP, a global information privacy nonprofit, identified these factors among others:
- The CPRA will limit businesses’ liability for violations of the law by “third-party” businesses.
- It will clarify the definition of “sale” and differentiate and exempt from the “Do Not Sell” right and the CCPA “selling” notice requirements, the “sharing” of personal information for cross-context behavioral advertising in some instances.
- It will exempt businesses from needing to provide access to “specific pieces of personal information” from data generated to help ensure security or integrity or as prescribed by regulation.
- From the “bad” side, companies subject to the CPRA must update their California geolocated privacy programs to include new data. For instance, a category of personal information that is “defined (somewhat differently than under the General Data Protection Regulation) as government identifiers, account and login information, precise geolocation data, racial or ethnic origin, religious or philosophical beliefs, union membership, contents of mail, email and text messages, genetic data and certain sexual orientation, health and biometric information.”
Court activity is further clarifying the laws’ scope in the practical world. For example, in early 2021, the US District Court for the Northern District of California found in Walmart’s favor in a suit alleging breach of the CCPA, specifically holding that data exposure due to breaches before the law went into effect could not be cited as a violation retroactively. (Walmart disputed the plaintiff’s allegation that its network had been breached.)
The CPRA will eventually take the place of the CCPA, with most of its provisions being adopted in 2023.
Virginia Consumer Data Protection Act
Look to the other US coastline for laws introducing new compliance for financial institutions. Virginia is the first to follow in the footsteps of California’s consumer privacy laws with the passage of the Consumer Data Protection Act in 2021. While the law, which goes into effect January 1, 2023, has similar elements to California’s with factors related to consumer data collection and retention, it has generally been viewed as more industry-friendly. Not based on an opt-out model, it requires consumers to bring lawsuits against companies for data violations. Unlike California, Virginia’s law will be enforced by the state attorney general, not a separate agency.
The bill applies to all those who conduct business in the state and either “control or process personal data of at least 100,000 consumers or derive over 50% of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.” However, financial institutions that comply with the Gramm-Leach-Bliley Act (GLBA) are exempt from the Virginia legislation, as are organizations that comply with the Health Information Portability and Accountability Act guidelines.
The moves of California, Virginia and others toward state-specific regulations are being seen as an increasing pressure point for the development of a federal act addressing consumer privacy issues. In a writeup of the Virginia law, the National Law Review concluded, “States across the country are contemplating ways to enhance their data privacy and security protections. Organizations, regardless of their location, should be assessing and reviewing their data collection activities, building robust data protection programs and investing in written information security programs.” In other words, the two US states’ actions are just the beginning of new regulations banks and other institutions will be facing.
United States: Gramm-Leach-Bliley Act Safeguards Rule
Another US-focused action imposing regulatory requirements for banks is the GLBA Safeguards Rule, which is seeing ongoing enforcement activity. The rule holds financial institutions responsible for taking steps to ensure their vendors and affiliates are securing customer information in their care. The focus on holding institutions responsible for vendor activities is similar to the revised Technology Risk Management Guidelines from Singapore.
The IAPP helped define the affected financial institutions as “companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance. The Federal Trade Commission (FTC) has authority to enforce the law with respect to ‘financial institutions’ that are not covered by the federal banking agencies, the Securities and Exchange Commission, the Commodity Futures Trading Commission and state insurance authorities. Among the institutions that fall under FTC jurisdiction for purposes of the GLB Act are non-bank mortgage lenders, loan brokers, some financial or investment advisers, tax preparers, providers of real estate settlement services and debt collectors. At the same time, the FTC’s regulation applies only to companies that are ‘significantly engaged’ in such financial activities.”
The FTC has announced settlements with various firms found to be meeting the standards of the rule. In one example, in late 2020, the FTC found against a mortgage data analytics company based in Texas for the actions of a vendor that provided text recognition scanning on mortgage documents and stored the information in a cloud environment without security factors such as encryption or password protection. The decision required the company to develop a data-security program, submit to biennial assessments and more.
White Paper: Reducing Risk in Financial Services
Australia: Cybersecurity Strategy 2020
In the summer of 2020, Prime Minister Scott Morrison illuminated the increased threat of malicious cyberattacks against Australia with his Statement On Malicious Cyber Activity Against Australian Networks. In it, he said, “This activity is targeting Australian organizations across a range of sectors, including all levels of government, industry, political organizations, education, health, essential service providers, and operators of other critical infrastructure. We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used. … Regrettably, this activity is not new—but the frequency has been increasing.”
It is against that backdrop that a revised Australian Cyber Security Strategy was released later in the year. An update to the 2016 strategy, the plan increased the funds dedicated to the effort from $260 million to $1.67 billion to “build new cybersecurity and law enforcement capabilities, protect the essential services upon which we all depend, assist businesses to protect themselves and raise the community’s understanding of how to be secure online.”
While much of the strategy focuses on protecting governmental and infrastructure targets from attack, it also commits funds to work with small and medium-sized businesses to increase their cyber resilience and secure IoT devices.
Saudi Arabia: National Data Management Office
As for financial services compliance and regulations in Saudi Arabia, it saw a flurry of data-protection activity in the latter part of the twenty-teens. The Saudi Data and Artificial Intelligence Authority were formed in 2019 as an umbrella for four entities: the National Information Center, the National Center for AI and the National Data Management Office (NDMO). Late the following year, the NDMO released Data Classification Interim Regulations followed by the Data Management and Personal Data Protection Standards. These new documents bring Saudi Arabia in line with the European Union’s GDPR.
The classification regulations identify data by category, public to top-secret, and appropriate measures to take to provide availability but also restrict as necessary. They “apply to all entities in the Kingdom that process personal data in whole or part, as well as all entities outside the Kingdom that process personal data related to individuals residing in the Kingdom using any means, including online personal data processing.”
European Union: Sixth Anti-Money Laundering Directive (AMLD 6)
The latter half of the 2010s saw a swath of European Union (EU) directives related to money laundering, intending to create uniformity across the region and with international entities. The need for banking cybersecurity standards is urgent. The UN Office on Drugs and Crime cites a figure that the estimated amount of money laundered globally in one year is 2%-5% of global gross domestic product or $800 billion to $2 trillion in current US dollars.
European Union member states were required to implement the sixth iteration of the Anti-Money Laundering Directive by early December 2020. In their paper “The Sixth EU Anti-Money Laundering Directive: What Will Change?,” authors Peter Burrell and Michael Thorne wrote, “It focuses on standardizing the approach of EU member states to the offence of money laundering, as well as expanding the scope for potential liability for money laundering and the range of sanctions that EU member states are required to impose under local law.”
Burrell and Thorne identified notable changes in AMLD 6, including:
- Identification of the types of criminal activity that “must give rise to potential money laundering offenses covering under national law.”
- EU member states must enforce “money laundering offences covering intentional conversion or transfer of property derived from criminal activity; concealment or disguise of the true nature of property derived from criminal activity; and acquisition or use of property derived from criminal activity.”
- EU member states must “penalize the above primary money laundering offences with maximum sentences of at least four years.”
Additionally, AMLD 6 further defines corporate liability for responsible positions.
United States: US Anti-Money Laundering Act and National Defense Authorization Act
The United States also took action in 2020 and 2021 to combat money laundering with two acts, the US Anti-Money Laundering Act (AMLA) and the National Defense Authorization Act. The AMLA encourages financial institutions to make advances in technological innovations in the fight against money laundering, while the NDAA both creates a statutory definition for whistleblowers and noticeably increases incentives.
A JD Supra piece, A “Clean” Start To 2021: Changes To Federal Anti-Money Laundering Laws, With Respect To the Whistleblower Provisions, stated, “…There is already concern that the new language would allow internal compliance officers or others in similar positions to serve as whistleblowers, thereby creating an apparent conflict of interest. (In essence, the same individuals tasked with protecting against the violation of anti-money laundering laws could be the same people who are incentivized to report such activity to the federal government and receive a significant financial windfall for doing so.)”
EU: Payment Services Directive 2
USD$4.4 trillion: “That staggering figure is the estimated value of all digital payments made worldwide in 2020. Some of the activity can be attributed to the increased use of contactless payments arising from the COVID-19 pandemic, but the trend has been steadily rising for years and shows no signs of slowing. By 2023, consumers are expected to drive the market to an astronomical USD$6.7 trillion, with more than 6.1 billion people transacting.” With these numbers, cited in a JD Supra piece, “Are Singapore Payment Services Providers Ready?,” it becomes easy to understand why electronic payments and financial services compliance regulations are a big focus as we continue into the 2020s.
After delays in implementation, including extended deadlines for compliance, the EU Payment Services Directive 2 (PSD 2) went into full effect in late 2020 after being initially passed in 2015. Another action directed at consumer data security, the PSD 2, built on the original directive, which established rules for payment services such as credit transfers, direct debits and card payments. It also included information requirements for payment services providers and rights and obligations linked to the use of payment services.
The PSD 2 built on the work of the first directive by incorporating payment services such as internet and mobile payments. Included in the PSD2 are rules around “strict security requirements for electronic payments and the protection of consumers’ financial data, guaranteeing safe authentication and reducing the risk of fraud; the transparency of conditions and information requirements for payment services and the rights and obligations of users and providers of payment services.”
In an analysis of the regulatory changes introduced by the PSD2, PWC said, “The new operations governed by PSD 2 can present an opportunity also for those service providers that are already operating under PSD and therefore have: i) a solid organizational and supervisory structure in line with the provisions currently in force; ii) a consolidated sales network and a broad portfolio of loyal customers; iii) a strong experience in dealing with regulatory authorities.”
Singapore: Payment Services Act and Technology Risk Management Guidelines
Like the EU’s Payment Services Directive, Singapore’s Payment Services Act (PSA), passed in 2019, introduces new financial regulations with a broader implication. The PSA addressed payment systems and service providers and aimed to keep up with significant changes in payment technology in the 21st century, including electronic payments and cryptocurrency dealing and exchange services while encouraging the use of modern payment methods.
The 2019 act empowered the Monetary Authority of Singapore (MAS) to regulate services to confront money-laundering and terrorism financing, loss of funds owed to consumers or merchants due to insolvency, fragmentation and limitations to interoperability and technology and cyber risks. Entities that provide payment services must receive one of three types of licenses from MAS to provide the service: a money‑changing license, a standard payment institution license or a major payment institution license.
The Payment Services Act was amended in late 2020 to include the international standards adopted by the Financial Action Task Force in June 2019. The changes in the amendment primarily affect virtual asset service providers and digital payment token service providers.
Singapore’s Technology Risk Management Guidelines are another set of financial services compliance and regulations whose somewhat rapid amendment reflects the need to respond nimbly to both advances in technology and the discoveries of gaps in new regulations. The amendments rolled out in early 2021 and were the result of a response to public feedback on the initial 2013 guidelines.
Significant changes include:
- The board of directors and senior management of an institution are responsible for appointing a chief information officer and chief information security officer with the requisite expertise to be accountable for managing technology and cyber risks. The leadership team also should include members with an understanding of technology and cyber risks. Last, the guidelines include a list of responsibilities the leadership team will have in technology risk management.
- Financial institutions should adopt standards on coding and application security testing to prevent the exploitation of vulnerabilities.
- Financial institutions are required to establish standards and procedures for evaluating vendors in the context of their software development, quality assurance and security practices.
In the Regulation Asia blog “Seven Takeaways from MAS’ Technology Risk Management Guidelines,” the authors wrote, “In preparation for compliance with the 2021 guidelines, (financial institutions) will now need to take steps to ensure that: the board and senior management are apprised of the expanded responsibilities that have been ascribed to them; there is an assessment procedure for potential tech vendors and API access; the monitoring, assessing, reporting of cyber threats are in line with the 2021 guidelines and that the relevant simulations and testing are adhered to routinely.”
Global: Payment Card Industry Data Security Standard
Version 4.0 of the Payment Card Industry Data Security Standard (PCI/DSS) is on the horizon and, according to the current timetable, will take effect in 2024 after an 18-month transition period. Last updated in 2013, the standard applies to any entity that accepts, stores or transmits customer card data, no matter the organization’s size or number of transactions.
The standard’s framework includes the following high-level categories:
- Build and maintain a secure network and systems.
- Protect cardholder data.
- Maintain a vulnerability management program.
- Implement strong access control measures.
- Regularly monitor and test networks.
- Maintain an information security policy.
The PCI/DSS also requires entities that use third-party processors to comply with its financial data security standards. Penalties for noncompliance include fines and fees as well as the suspension of the ability to accept card payments.
The PCI/DSS governing body, the PCI Standards Security Council, was formed in 2006 by American Express, Discover, JCB International, MasterCard and Visa Inc. The organization’s mission is to “enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders.”
What Are the Costs To Banks from Cyberattacks?
New Bank Regulations in 2021
A key area to watch in 2021 will be ongoing activities in individual states in the US toward data privacy. The IAPP is tracking privacy bills in state legislatures and found common provisions, including these related to business obligations that could translate into new bank regulations:
- A strict opt-in for the sale of personal information of a consumer less than a certain age: A restriction placed on a business to treat consumers under a certain age with an opt-in default for the sale of their personal information
- Notice/transparency requirement: An obligation placed on a business to provide notice to consumers about certain data practices, privacy operations, and/or privacy programs
- Data breach notification: An obligation placed on a business to notify consumers and/or enforcement authorities about a privacy or security breach
- Mandated risk assessment: An obligation placed on a business to conduct formal risk assessments of privacy and/or security projects or procedures
- A prohibition on discrimination against a consumer for exercising a right: A prohibition against a business treating a consumer who exercises a consumer right differently than a consumer who does not exercise a right.
- A purpose limitation: A GDPR–style restrictive structure that prohibits the collection of personal information except for a specific purpose.
- A processing limitation: A GDPR-style restrictive structure that prohibits the processing of personal information except for a specific purpose.
- Fiduciary duty: An obligation imposed on a business/controller to exercise the duties of care, loyalty and confidentiality (or similar) and act in the best interest of the consumer
Another focus of 2021 with banking compliance implications is a mandated shift from group to individual risk assessment outlined by the US Office of the Comptroller of the Currency (OCC). In a rule that takes effect April 1, 2021, the OCC codifies intentions outlined in Title III of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2021 to “to ensure fair access to banking services provided by large national banks, federal savings associations, and federal branches and agencies of foreign bank organizations.” The rule applies to the largest banks with more than $100 billion in assets that may exert significant pricing power or influence over sectors of the national economy.
Acting Comptroller of the Currency Brian P. Brooks stated, “As Comptrollers and staff in previous administrations have made clear in speeches, guidance and testimony, banks should not terminate services to entire categories of customers without conducting individual risk assessments. It is inconsistent with basic principles of prudent risk management to make decisions based solely on conclusory or categorical assertions of risk without actual analysis. ”
The changing climate that comes with a new White House administration promises further changes to laws and regulations in the United States, at least after COVID-19 recovery progresses. After all, predictions that state actions toward data privacy and security will prompt federal action are only getting more confident.
How To Keep Up-To-Date and Ensure Compliance With New Bank Regulations
The fractured activity related to financial services compliance and regulations makes developing and maintaining expertise all the more challenging, even for the most experienced compliance professional. Concerns about cybercrime, money laundering and consumer privacy have motivated both new and revised legislation and bank regulatory compliance actions across states, regions and the globe. In this global marketplace, compliance with one region’s or state’s laws is not enough.
To keep up with changes affecting financial institutions around the globe and develop a strategy that supports growth and security, leadership teams must have access to the most reliable, updated information that affects their organizations. Operational Governance by Diligent streamlines compliance and governance operations with built-in risk monitoring that anticipates regulatory issues that financial institutions may face. Diligent is available to assist financial institutions in realizing the potential of a pro-growth strategy while mitigating the complex and disparate risks that come from changing compliance and regulatory field.
Staying on top of changing banking regulatory requirements across the globe is more than a full-time job. With Operational Governance by Diligent, it is a job that no financial leader must take on alone.