The following article, authored by Michael Magrath, Director, Global Regulations & Standards at OneSpan, first appeared on Corporate Compliance Insights on August 28, 2018.
There is a lot happening in regards to regulation for financial institutions (FIs) around the globe. In many countries, there is a drive for further regulation; meanwhile in the U.S., we are seeing bank regulation reform and deregulation, as evidenced by the repeal of the Dodd-Frank Act.
Below, we’ve compiled the top regulations, laws, and standards that impact financial institutions this year:
In May 2018, President Trump signed into law the Economic Growth, Regulatory Relief, and Consumer Protection Act, commonly known as the Dodd-Frank Repeal. While this law removes many of the regulations imposed on banks in the wake of the Great Recession, it also bears particular relevance to mobile banking and e-signatures.
The new law includes a provision called the MOBILE Act (Making Online Banking Initiation Legal and Easy). This provision makes it easier for banks to onboard new customers remotely without the need for the customer to travel to a branch to complete the process. Banks can now create an entirely digital customer onboarding process by verifying a scan or digital copy of a new customer’s government-issued identification, such as a driver’s license. While some states already allowed banks to accept a scanned driver’s license as proof of identity, the Dodd-Frank repeal makes it legal at a national level. From there, the customer can complete the necessary forms and enter data online or via mobile, and even sign documents using an electronic signature to finalize the process.
In addition, e-signatures can also play a role in verifying key customer information. When a prospective client tries to open a new account, the client must provide their name, date of birth, and Social Security Number. The back office verifies this information with the Social Security Administration (SSA) through a program called the Consent Based Social Security Number Verification (CBSV). Before the Dodd-Frank repeal, neither banks nor customers were able to submit an e-signature to initiate this process. They would be forced to download, print, and sign a hard copy of the form; scan and upload the form to their computer; and finally email the form to a third-party provider or upload it to a third-party portal. The Dodd-Frank Repeal directs the CBSV Service to accept electronic signatures for this process. This process is extremely important for preventing identity and fraud attempts, and now with the Dodd-Frank Repeal, it will also provide convenience for the consumer and efficiency for the bank.
PSD2: Payment Services Directive 2
Banks and Third-Party Providers (TPP) have to comply with the Payment Services Directive 2 (PSD2) requirements on Strong Customer Authentication by September 14, 2019. Now that the final PSD2 Regulatory Technical Standards (RTS) has been published, financial institutions are actively preparing and implementing their PSD2 compliance strategy. In doing so, FIs should be aware of these PSD2 criteria:
- Strong Customer Authentication: Authentication must be based on two or more factors, including passwords or PIN, tokens or mobile devices, or biometrics.
- Transaction Risk Analysis: PSD2 mandates the use of transaction risk analysis to deter fraudulent payments.
- Dynamic Linking: For payment transactions, the authentication code must be dynamically linked to both the amount and payee.
- Mobile App Security: Payment service providers must adopt security measures to mitigate the risk resulting from compromised mobile devices. PSD2 also mandates the use of dedicated mobile app cloning counter-measures in applications, also known as replication protection.
GDPR: General Data Protection Regulation
On May 25, 2018, the GDPR became the main legal framework for data protection in the EU. The objective of the GDPR is to give control over personal data to EU citizens and residents. No matter where they are based, companies that handle data belonging to EU citizens must comply with the GDPR or face severe financial penalties.
To comply, the European Union Agency for Network and Information Security (ENISA) recommends implementing two-factor authentication, as well as mobile application security, to protect access to systems that process personal data.
In addition, for the GDPR consent requirement, e-signature technology is an appropriate means to comply. Electronic signature technology can be used to capture consent from customers. It can also be used to sign contracts between data controllers and data processors.
NYDFS: New York State Department of Financial Services
The NYDFS regulates approximately 1,500 banks and financial institutions. Many international institutions with operations in New York fall under the DFS regulation. The DFS published its Cybersecurity Requirements for Financial Services Companies, which includes 22 provisions requiring financial services organizations to better protect data. Through a risk assessment, financial institutions must implement effective controls to prevent unauthorized access to information systems or non-public information. These controls may include multi-factor authentication, biometric authentication, or risk-based authentication.
PCI DSS 3.2: Payment Card Industry Data Security Standard
PCI DSS 3.2 is an information security standard for organizations that handle branded credit cards from the major card brands that was put in place to address security threats to customer payment information. All entities involved in payment card processing are regulated by the PCI DSS, including acquirers, issuers, merchants, processors, and service providers. It also applies to all other entities that store, process, or transmit cardholder data.
Requirement 8.3, which became mandatory on February 1, 2018, requires organizations to incorporate multi-factor authentication for all non-console access to the cardholder data environment, as well as remote network access originating from outside the entity’s network.
Global Trends and Highlights
This article has focused mainly on North America and Europe, but we are also seeing PSD2-inspired Open Banking initiatives pop up in the U.S. and Canada. The influence of the legislation is quite clear, but it also speaks to a growing trend globally. Countries such as Australia, Hong Kong, Singapore, and Japan have all moved towards an Open Banking policy.
Beyond this trend, there are a number of legislative and regulatory highlights to mention in other areas of the globe.
Recent Latin American Regulation:
- Brazil: The House of Representatives Bill of Law No. 53/2018 was passed by the Senate in July 2018. The law regulates the processing of personal data in both the public and private sector.
- Chile: Chile passed significant amendments to Law No. 19,628 on the Protection of Private Life. The amendment was passed in August and regulates the protection and processing of personal data. Furthermore, the law creates a new agency responsible for data protection.
- Bermuda: The country passed an ICO Bill and Digital Asset Business Act as part of their strategy to attract cryptocurrency and blockchain companies. This law revises the Banks and Deposits Companies Act 1999 with provisions more agreeable to the growing tech industries. It also classifies these companies under a new category called Restricted Banks.
Recent Asia Pacific Regulation:
- Australia: Australia will be implementing a phased rollout of the Open Banking regime beginning July 1, 2019. Australia’s four major banks (with non-major banks to follow) must give consumers access to, and control over, their banking data. This includes data related to mortgages, credit and debit cards, deposits, personal loans, and more.
- Singapore: The Monetary Authority of Singapore (MAS) has directed all financial institutions to tighten their customer verification processes. Effective immediately, additional information beyond name, NRIC number, address, gender, race, and date of birth must be used for customer verification before undertaking transactions with the customer. This extra information could include a one-time password, PIN, biometrics, last transaction date, or other authentication information.
- Malaysia: As part of an Anti-Money Laundering and Counter Financing of Terrorism initiative, reporting institutions are now required to perform ongoing due diligence on their business relationships with their customers.
Legal Regulations and Opportunity
We’re in a period of flux in the regulatory stance of countries around the world. Whether heading towards greater restrictions or deregulation, change is coming in one form or another. For that reason, it is imperative to stay abreast of the current regulatory changes, as well as new proposals being discussed in the jurisdictions in which you operate. They may have a crucial impact on your digital transformation initiatives.
Learn more about security solutions and compliance by visiting our page outlining the compliance challenge.