As C-level executives strive to protect shareholder value and keep their companies’ names out of the daily headlines about cybersecurity breaches, one would presume that these organizations would comply with the security requirements embedded into regulations.
Surprisingly, that’s not always the case. Verizon’s recently released Payment Security Report found only one in five organizations in America was fully compliant with the fundamental security requirements of the Payment Card Industry Data Security Standard (PCI DSS). Even within the financial services industry, fewer than 40 percent of organizations examined in the report were in full compliance.
Why are these numbers so low? One explanation may have to do with the number of regulations with which organizations must comply. A 2018 World Finance article noted that there are 750 global regulatory bodies, each with their own set of rules.
So are institutions simply suffering from “compliance fatigue”?
Perhaps. In Europe, just when organizations thought they could catch their breath after the General Data Protection Regulation (GDPR) took effect, they had to quickly turn their attention to complying with the Strong Customer Authentication (SCA) requirements in the revised Payment Services Directive (PSD2).
GDPR catalyzed a major push globally to strengthen data privacy and security protections for consumers. In the U.S., the final phase of the New York State Department of Financial Services (DFS) Cybersecurity Regulation went into effect last March – it required banks, insurers and other financial services institutions and licensees to implement risk management programs for third-party providers. Beginning in February 2020, entities will have to certify their compliance.
While many regional and smaller banks avoided the DFS rules because they do not operate in New York, the Federal Trade Commission has proposed changes to the Gramm-Leach-Bliley Act that are modeled on New York’s regulations. If enacted, they will require all financial services organizations to encrypt all customer data, implement access controls to prevent unauthorized users from accessing customer information, and use multi-factor authentication to access customer data.
And it doesn’t end there. The California Consumer Privacy Act (CCPA) that took effect on January 1, 2020, has paved the way for Massachusetts, Hawaii, Washington and other states to each introduce their own data privacy and data protection legislation.
There is considerable cause for concern that the potential for 50 versions of the CCPA will create a compliance tsunami for banks and other affected organizations. As a result, Congress is under pressure to enact an overarching federal data protection law, and just prior to Thanksgiving, the Consumer Online Privacy Rights Act was introduced in the Senate.
Technology to the rescue?
The good news is that financial services organizations can harness new technologies to achieve full compliance with many aspects of the regulations mentioned above, while at the same time delivering an exceptional and secure digital journey for their customers.
The Financial Action Task Force has published a draft Guidance on Digital Identity, which will likely be referenced by almost every country looking to craft digital identity regulations for financial services. The FATF advises financial institutions to apply a risk-based approach to the use of digital identities for customer due diligence and provides details on how to use these systems for customer verification, onboarding and authentication for transactions.
Banks in several countries – including the U.S., U.K., France and Hong Kong – have embraced digital account opening processes that not only meet compliance but also provide fast and user-friendly approaches to digitally onboarding customers.
The process typically requires a valid photo ID to be digitally captured via the user’s mobile device camera which is then verified using document verification and facial recognition technology. The data captured from the individual can be matched against authoritative databases to provide an additional layer of assurance that the person is who they claim to be. Once verified, the account opening and onboarding process can continue via electronic signing of all required forms. E-signatures help banks maintain compliance by providing a visual audit trail.
User credentials are then created – these should not be reliant upon static passwords but instead leverage biometrics, such as fingerprints or facial recognition with liveness detection. They can even leverage the latest in intelligent adaptive authentication, which combines behavioral biometrics (the way a customer holds their mobile device, swipe patterns, finger pressure and more) with machine learning to continuously authenticate the user throughout their digital banking session.
Because these technologies are largely invisible to the user, they provide strong data security and authentication measures to help banks meet regulatory compliance, while providing a near-frictionless customer experience for most transactions.
To comply with the many data security and privacy protections around the globe, it is imperative that financial services organizations stay current on the latest regulatory changes and new proposals being discussed, as these will have a crucial impact on their digital transformation initiatives not only in 2020, but throughout the next decade.
We will all have to stay tuned to see what’s next on the regulatory front, but we should start implementing more advanced processes and technologies for data security, identity verification, user authentication and fraud detection now, to not only meet compliance but also better protect our customers.
Michael Magrath is director of global regulations and standards for OneSpan, a cybersecurity technology firm based in Chicago.
BAI gives financial services leaders confidence in managing compliance and a passion for professional development by providing powerful tools and subject matter expertise you can rely on. Learn more.