
Corporate Compliance Insights for the Financial Services Industry in 2020


By Michael Magrath, Director, Global Standards & Regulations at OneSpan 

How Will Regulatory Changes Affect Business in the New Year?

Regulations are always changing and adapting to their market landscape, especially in the financial services industry.

Last year saw the first repercussions for breaching the European Union’s General Data Privacy Regulation (GDPR), as well as the introduction of the second Payment Services Directive (PSD2) and Open Banking.

These new regulations, combined with rapid technological advances and the constant pressure to fight fraud without compromising customer experience, mean financial institutions have their work cut out. They must keep pace with these demands while compliance officers continue to ask, “what’s next?”

With that in mind, here are some corporate compliance predictions for the financial services industry in 2020:

The California Consumer Privacy Act will trigger a federal consumer privacy policy and data protection law in the U.S.


The CCPA has been the catalyst for numerous other data privacy and security laws at a state level, such as the Consumer Online Privacy Rights Act which was introduced into Congress in November 2019.

In 2020 we’re likely to see other states follow California and pass their own consumer privacy policy and data protection laws. Several states have introduced consumer privacy legislation, including New York, Washington, and New Hampshire, to name a few. For example, Washington State re-introduced its Washington Privacy Act earlier this year, which, if signed into law, would go into effect July 31, 2021.

As written, the New York Privacy Bill (Senate Bill S5642) would “require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared; creates a special account to fund a new office of privacy and data protection.”  The CCPA limits its reach to companies doing business in California or applies to businesses that have gross annual revenues of at least $25 million or handle the personal information of 50,000 or more consumers. The New York Privacy Bill would apply to all companies operating in New York State, regardless of size.

One of the provisions contained in the bill is the “private right of action”. This provision grants individual consumers the right to sue companies over violations of the proposed law. The state’s Attorney General Office could also bring litigation under the law. Opponents of the bill raise real-world concerns that the private right of action could lead to frivolous lawsuits that could bankrupt many small businesses.

Washington State introduced the Washington Privacy Act in 2019.  Although the GDPR-like bill died during the 2019 legislative calendar, it was re-introduced in January 2020.

New Hampshire’s bill, “relative to the collection of personal information by businesses” (HB 1680) is closely aligned with the CCPA and if passed would take effect January 1, 2021, with enforcement beginning as early as July 1, 2021.

However, 50 separate consumer privacy laws will create compliance chaos for organisations of all sizes, so there needs to be a comprehensive consumer privacy and data protection law at the federal level in the U.S. to address compliance issues. This legislation should also incorporate minimum security requirements for organisations to deploy to protect consumer data.

While it would be surprising if the Consumer Online Privacy Rights Act becomes federal law in 2020, this year will see U.S. lawmakers finally make progress in creating federal legislation protecting data privacy and security for consumers.

The Consumer Online Privacy Rights Act (COPRA) was introduced in the Senate in December 2019. Like GDPR and the California Consumer Privacy Act (CCPA), COPRA would require companies to furnish individuals, upon request, with the data that has been stored about them. People would also have the opportunity to correct inaccuracies in the data or, in many cases, delete it upon request. In addition, COPRA classifies biometrics, including facial recognition data, and geolocation data as sensitive information.

In November 2019, the Online Privacy Act of 2019 was introduced in the U.S. House of Representatives. The bill resembles the Senate bill and adds the creation of the U.S. Digital Privacy Agency (DPA) – an independent federal agency that would enforce privacy protections and investigate abuses. The bill also includes penalties and enforcement details; if enacted, it would empower state attorneys general to enforce violations and would permit private class action lawsuits against organizations.

Australian Data Privacy Regulations

The Consumer Data Right (CDR) was planned in late 2017 with a goal to provide Australians with greater access to and control over their own data. By controlling their data, individuals could decide to share it with any organization they wish. This applies to consumers as well as businesses.

The initial beneficiaries of the CDR are banking customers, as the CDR has served as the foundation for open banking in Australia. The CDR will initially apply to Australia’s “Big 4” banks (ANZ, Commonwealth Bank, NAB and Westpac), and in the first phase the banks are mandated to share “product reference data” with “accredited data recipients”. The data shared would include fees, charges, interest rates, and credit card and mortgage product eligibility criteria. The Big 4 complied well ahead of schedule during the summer of 2019. The following phase would include the sharing of transactional data for debit and credits, savings and checking accounts, and the last phase would encompass mortgages and personal loans.

The deadline has been pushed out due to security concerns. Australia’s policymakers and regulators are well aware that security is of the utmost importance. Yet it is odd that open banking does not include the Strong Customer Authentication requirements that Europe has mandated for PSD2. It’s imperative to use strong customer authentication, regardless of whether that includes biometrics like facial recognition, behavioural biometrics or fingerprints, one-time passwords generated securely through a mobile app or hardware device, or security keys based on public key cryptography such as those certified by the FIDO Alliance.

The regulatory landscape is constantly evolving, especially in highly regulated industries such as the financial services industry. It’s likely that legislation at the federal level won’t be implemented this coming year, but we will see legislation introduced at a state level that will drive federal laws on consumer data privacy.

What we will see are financial institutions working to improve data security and privacy by adopting better tools for authentication, identity verification and risk analysis that will ultimately help prevent data breaches and fraud.
