Protecting customer data has become increasingly imperative for fintechs: digital broker-dealers, robo-advisors, online lenders, and providers of digital banking, payments, and finance tools. While the wide range of applicable regulations can make compliance challenging, you can simplify the task by reviewing our Data Protection Compliance Checklist. It can help you build data protection best practices that meet today’s requirements and also evolve over time as more and more countries and U.S. states pass privacy and disclosure legislation.
Privacy concerns and recent legislation are ushering in stricter customer data protection rules and customer disclosure requirements. Fintechs must maintain cybersecurity measures and protect client data, at the risk of steep penalties. A host of regulations are already affecting many firms – likely including yours.
Assuming your fintech interacts with the public, even if primarily only through a web interface or mobile app, you should start following the expansion of privacy rights. It’s not if but when.
Regional Fintech Data Protection Regulations are a Patchwork
Enhanced privacy laws have already been enacted in Europe and California, governing the collection of sensitive personal information and establishing notice requirements. We will look at these more closely below. Virginia is the most recent U.S. state to adopt privacy legislation, slated for enactment in 2023. A group of other states is also working intently on crafting consumer privacy legislation, including Florida, Minnesota, New York, Oklahoma, and Washington.
The legislative jumble is mind-boggling. There exists no global or U.S. standard…yet. In the U.S., an elaborate mishmash of laws operates at both state and federal levels, giving consumers a wide range of individual rights across the board. For example, consumers may be able to insist that firms rectify errors, make some deletions, or restrict marketing that uses their data.
Important laws for fintechs to comply with include:
- FTC. From the federal side, the Federal Trade Commission (FTC) can bring enforcement actions to protect consumers against deceptive practices, such as misleading marketing, and against companies’ failure to protect consumers’ information. The FTC has issued guidelines to address transparency, giving consumers access to what has been collected and educating them about privacy practices. The agency also limits data collection to appropriate purposes and requires you to dispose of that data once it has outlived those purposes.
- GLBA. Other federal laws deal with specific sectors like financial services. A key statute, the Gramm-Leach-Bliley Act (1999), applies across most areas of the financial services sector. It primarily requires you to secure private information and to notify customers if it is improperly disclosed.
- SEC. Investment-related fintechs should especially focus on investment regulations enforced by the Securities and Exchange Commission.
- Regulation S-P compels broker-dealers, investment companies, and investment advisers to put everything related to customer data in writing. They must document explicit instructions on safeguarding customer information and records, and they must notify customers about their data’s use and opt-out choices.
- Investment Company Act Rule 38a-1 and Investment Advisers Act Rule 206(4)-7 flesh out additional cybersecurity and data protection requirements.
- State laws also impose restrictions, obligations, and penalties. As of November 2020, 25 U.S. attorneys general are overseeing privacy laws. Every state now has breach notification rules covering that state’s residents. The most proactive states so far have been Massachusetts, New York, California, and Illinois.
How You are Required to Handle Customer Data Protection
You are sitting on a heap of personal customer data, as a part of your business. What should you do to avoid running afoul of the regulators? The answers depend on effectively including protection and privacy principles in your full compliance stack.
To start with, the FTC offers some overarching principles. You should:
- Maintain reasonable security measures
- Avoid violating the FTC’s consumer privacy framework when collecting, processing, or sharing information
- Steer clear of misleading advertising
For good measure, here are additional best practices:
In all cases, regulators expect you to demonstrate solid, good faith efforts.
Aligning Requirements to Compliance
For digital finance platforms, compliance starts from the ground up. Your infrastructure needs to follow robust business continuity and security best practices and to support the ability to detect threats and breaches. Bad actors get more sophisticated every day. Your technology must also be able to diagnose breaches that do occur, tracing them back to the specific means of the breach. Finally, you must be able to look back and audit in case you need to demonstrate that breaches did not occur.
Privacy requirements also emerge from the strategic decisions you make around whether to register as a regulated entity. As we discussed above, some requirements apply to any business. Others are unique to broker-dealers, money transmitters, or other providers of specific financial services.
Finally, you must also adopt a two-pronged approach designed to prevent data loss and protect against breaches. This approach includes documentation of policies and procedures, training of most if not all firm employees, and specific workflows, processes, and tasks conducted by compliance staff and overseen by a senior executive (i.e., a Chief Compliance Officer).
Breaches Have Consequences
There are extensive risks to neglecting customer data protection rules, with wide-reaching implications for your entire business. Your company’s reputation may pay a hefty price in bad publicity, damaging years of hard-earned customer trust. Remember that reputational damage often has a long tail, reaching far into the future. Transgressions could inflict damage on many fronts, including lost business, system downtime, and customer churn. Larger companies might even see a downdraft in their stock prices.
Examples of Data Breach Fines and Penalties
Regulatory fines and penalties can turn out to be draconian, too. If, for instance, violations are calculated on a per-incident basis, and if hundreds or thousands of customers are implicated or compromised, penalties can rapidly amount to millions of dollars.
For example, the California Consumer Privacy Act of 2018 (CCPA) imposes a penalty of $2,500 per unintentional and $7,500 per intentional violation. Now multiply those numbers by thousands or even hundreds of thousands of affected customers.
The concern is not just theoretical. Several examples highlight the consequences:
- L.A.-based digital banking and cash advance platform Dave suffered a breach in summer 2020, compromising 7.5 million records associated with 3 million email addresses. Although there has been no evidence of financial loss, personal customer details have been traded on the dark web. A class-action suit was quickly filed on behalf of users.
- Technology platform Plaid is facing several lawsuits over privacy violations involving misleading login screens and the ingestion of user data from other finance apps, affecting 200 million individual accounts.
- In 2017, Equifax exposed the personal information of 147 million people when attackers exploited an unpatched vulnerability. The breach received a firestorm of press and transformed the entire credit reporting industry, imposing costly requirements to provide free credit reports, free tools to freeze inquiries, and more. In January 2020, Equifax agreed to a $575 million settlement, and the matter still remains in the courts as the company and plaintiffs file appeals, suits, and countersuits.
Why Worry about Customer Data
New laws in both Europe and California are upending the practices companies have been comfortable with for decades. In Europe, the GDPR, and in California, the CCPA, are forcing a radical rethink of how personal information is collected, stored, and used.
Does it still matter if your fintech is neither based nor operating in those locations? The answer is a resounding yes. If you serve any clients who reside in Europe or California (and soon, Virginia), you must comply with their applicable regulations. In other words, if you have any online footprint, you should take care, because you are inevitably collecting and potentially sharing personally identifiable details.
There are some distinctions between these two regimes. Under the CCPA, users must expressly opt out of the sharing of their information; under the GDPR, users must opt in. The CCPA is generally less prescriptive and only applies to companies with gross annual revenues over $25 million when they are handling the personal information of over 50,000 people.
Wherever your firm is based, customer data protection has become an increasingly pressing concern. It is safer to stay compliant with the basic parameters of both of these regimes. InnReg can help. We work exclusively with fintechs. We have extensive experience with data privacy and cybersecurity. Whether or not you are a regulated entity, we can work with you to identify your current exposures, plan out ways to remediate them, and build a compliance program to help you mitigate your risks. We can then support or even fully outsource the necessary compliance tasks.
While data protection poses a complex challenge, our expertise in fintech regulation and compliance gives you solutions tailored to your situation. Do you have questions about applying our Data Protection Compliance Checklist to your unique needs? Feel free to reach out so we can further discuss your exposures and help you develop your plan of action.