businessman struggling under weight of PSD2 block

As 2018 draws to a close, we’re taking a look back at some of the most valuable insights our authors have shared.  In case you missed it, this is one of the articles our readers couldn’t get enough of this year.


The Developments Impacting Financial Institutions Now

It’s hard to wrap your head around all the myriad regulations for financial institutions, and these changes can directly impact an organization’s digital transformation initiatives. Many countries are calling for further regulation, while in the U.S. we’re seeing reform and deregulation, as evidenced by the repeal of the Dodd-Frank Act. Global regulation and standards expert Mike Magrath presents the top regulations, laws and standards you need to pay attention to.

There is a lot happening in regard to regulation for financial institutions (FIs) around the globe. In many countries, there is a drive for further regulation; meanwhile, in the U.S., we are seeing bank regulation reform and deregulation, as evidenced by the repeal of the Dodd-Frank Act. Below, we’ve compiled the top regulations, laws and standards impacting financial institutions this year:

Dodd-Frank Repeal

In May 2018, President Trump signed into law the Economic Growth, Regulatory Relief and Consumer Protection Act, commonly known as the Dodd-Frank repeal. While this law removes many of the regulations imposed on banks in the wake of the Great Recession, it also bears particular relevance to mobile banking and e-signatures.

The new law includes a provision called the MOBILE Act (Making Online Banking Initiation Legal and Easy). This provision makes it easier for banks to onboard new customers remotely without the need for the customer to travel to a branch to complete the process. Banks can now create an entirely digital onboarding process by verifying a scan or digital copy of a new customer’s government-issued identification, such as a driver’s license. While some states already allowed banks to accept a scanned driver’s license as proof of identity, the Dodd-Frank repeal makes it legal at a national level. From there, the customer can complete the necessary forms and enter data online or via mobile and even sign documents using an electronic signature to finalize the process.

In addition, e-signatures can also play a role in verifying key customer information. When a prospective client tries to open a new account, the client must provide his or her name, date of birth and Social Security number. The back office verifies this information with the Social Security Administration (SSA) through a program called the Consent-Based Social Security Number Verification (CBSV). Before the Dodd-Frank repeal, neither banks nor customers were able to submit an e-signature to initiate this process. They would be forced to download, print and sign a hard copy of the form; scan and upload the form to their computer; and finally email the form to a third-party provider or upload it to a third-party portal. The Dodd-Frank repeal directs the CBSV to accept electronic signatures for this process. This process is extremely important for preventing identity and fraud attempts, and now with the Dodd-Frank Repeal, it will also provide convenience for the consumer and efficiency for the bank.

PSD2: Payment Services Directive 2

Banks and third-party providers (TPP) have to comply with the Payment Services Directive 2 (PSD2) requirements on strong customer authentication by September 14, 2019. Following publication of the final PSD2 Regulatory Technical Standards (RTS), financial institutions are actively preparing and implementing their PSD2 compliance strategy. In doing so, FIs should be aware of these PSD2 criteria:

  1. Strong customer authentication: Authentication must be based on two or more factors, including passwords or PIN, tokens or mobile devices and biometrics.
  2. Transaction risk analysis: PSD2 mandates the use of transaction risk analysis to deter fraudulent payments.
  3. Dynamic linking: For payment transactions, the authentication code must be dynamically linked to both the amount and payee.
  4. Mobile app security: Payment service providers must adopt security measures to mitigate the risk resulting from compromised mobile devices. PSD2 also mandates the use of dedicated mobile app cloning countermeasures in applications, also known as replication protection.

GDPR: General Data Protection Regulation

On May 25, 2018, the GDPR became the main legal framework for data protection in the EU. The objective of the GDPR is to give control over personal data to EU citizens and residents. No matter where they are based, companies that handle data belonging to EU citizens must comply with the GDPR or face severe financial penalties.

To comply, the European Union Agency for Network and Information Security (ENISA) recommends implementing two-factor authentication, as well as mobile application security, to protect access to systems that process personal data.

In addition, for the GDPR consent requirement, e-signature technology is an appropriate means to comply. Electronic signature technology can be used to capture consent from customers. It can also be used to sign contracts between data controllers and data processors.

NYDFS: New York State Department of Financial Services

The NYDFS regulates approximately 1,500 banks and financial institutions. Many international institutions with operations in New York fall under the DFS regulation. The DFS published its Cybersecurity Requirements for Financial Services Companies, which includes 22 provisions requiring financial services organizations to better protect data. Through a risk assessment, financial institutions must implement effective controls to prevent unauthorized access to information systems or nonpublic information. These controls may include multifactor authentication, biometric authentication and risk-based authentication.

PCI DSS 3.2: Payment Card Industry Data Security Standard

PCI DSS 3.2 is an information security standard for organizations that handle branded credit cards from the major card brands. The standard was put in place to address security threats to customer payment information. All entities involved in payment card processing are regulated by the PCI DSS, including acquirers, issuers, merchants, processors and service providers. It also applies to all other entities that store, process or transmit cardholder data.

Requirement 8.3, which became mandatory on February 1, 2018, requires organizations to incorporate multifactor authentication for all nonconsole access to the cardholder data environment, as well as remote network access originating from outside the entity’s network.

Trends and Highlights Across the Rest of the World

In addition to the regulatory changes in Europe and North America, we are also seeing a growing trend toward open banking initiatives around the world. Countries such as Australia, Hong Kong, Singapore, and Japan have all moved to an open banking policy.

Beyond this trend, there are a number of legislative and regulatory highlights to mention in other areas of the globe.

Recent Latin American Regulations:

  • Brazil: The House of Representatives Bill of Law No. 53/2018 was passed by the Senate in July 2018. The law regulates the processing of personal data in both the public and private sector.
  • Chile: Chile passed significant amendments to Law No. 19,628 on the Protection of Private Life. The amendment was passed in August 2018 and regulates the protection and processing of personal data. Furthermore, the law creates a new agency responsible for data protection.
  • Bermuda: The country passed an ICO Bill and Digital Asset Business Act as part of their strategy to attract cryptocurrency and blockchain companies. This law revises the Banks and Deposits Companies Act 1999 with provisions more agreeable to tech industries. It also classifies these companies under a new category, called restricted banks.

Recent Asia-Pacific Regulations:

  • Australia: Australia will be implementing a phased rollout of the open banking regime beginning July 1, 2019. Australia’s four major banks (with nonmajor banks to follow) must give consumers access to, and control over, their banking data. This includes data related to mortgages, credit and debit cards, deposits, personal loans and more.
  • Singapore: The Monetary Authority of Singapore (MAS) has directed all financial institutions to tighten their customer verification processes. Effective immediately, additional information beyond name, NRIC number, address, gender, race and date of birth must be used for customer verification before undertaking transactions with the customer. This extra information could include a one-time password, PIN, biometrics, last transaction date and other authentication information.
  • Malaysia: As part of an anti-money laundering and counter-terrorist financing initiative, reporting institutions are now required to perform ongoing due diligence on their business relationships with their customers.

Legal Regulations and Opportunity

We’re in a period of flux in the regulatory stance of countries around the world. Whether heading toward greater restrictions or deregulation, change is coming in one form or another. For that reason, it is imperative to stay current on the latest regulatory changes as well as new proposals being discussed in the jurisdictions in which you operate. They may have a crucial impact on your digital transformation initiatives.

Michael Magrath

Mike Magrath is a member of the FIDO Alliance’s Privacy and Public Policy Working Group, the Biometrics Institute’s Privacy and Policy Expert Group and the Identity Ecosystem Steering Group’s (IDESG) Board of Directors. The IDESG is a voluntary, public-private partnership built around the National Strategy for Trusted Identities in Cyberspace (NSTIC) and is the only independent body dedicated to redefining how people and organizations identify themselves online, by fostering the creation of privacy-enhancing trusted digital identities. He also served as Chairman of the Health Information Management Systems Society (HIMSS) Identity Management Task Force in 2016 to 2017. The Task Force represented HIMSS’ membership with regard to national and industry initiatives on identity management, such as the NSTIC and the IDESG and other national policy and technical efforts.

Mike is currently Director, Global Regulations & Standards at  OneSpan. Prior to OneSpan, he served as Director for Identity Solutions for DrFirst, a leading U.S. health IT solution provider, and focused on streamlining and securing the identity management process for healthcare providers nationwide and increasing the adoption of electronically prescribing controlled substances (EPCS).  Mike previously lead Gemalto’s market and business development activities in the U.S. government and healthcare markets and was a contributing member of the Health Record Banking Alliance, WEDI, HIMSS, the Medical Identity Fraud Alliance and the Secure ID Coalition.

He served as Chairman of the Secure Technology Alliance’s (formerly the Smart Card Alliance) Health & Human Services Council from 2010-2014 where he led initiatives to stimulate the understanding, adoption, use and widespread application of smart card technology in healthcare. He served as an advisor to the American Medical Association supporting a Center for Disease Control grant to develop and test the viability of a “Health Security Card” to identify and expeditiously treat victims in the event of a disaster.

Mike holds a Bachelor’s Degree in Psychology from the University of Massachusetts at Amherst. He is married with three children and resides in Northern Virginia.

Related Post