Over the last few decades – and driven by the digital transformation – compliance has become a core part of the financial services sector. But, today, security, compliance, and legal teams aren’t just ensuring that regulatory obligations are met because they’re legally compelled to. Compliance plays an important role in protecting firms’ reputations.
The problem is that compliance is broad and multi-faceted. There are many ways in which a firm can fall out of compliance, especially in sensitive industries such as finance. Why? Because one of the leading causes of non-compliance is data loss, and, according to one report, 62% of breached data came from financial services in 2019.
When it comes to privacy and data security, the financial services sector has a strict regulatory environment, especially when compared to other sectors. In major markets like the United States, the European Union, and the United Kingdom, financial services compliance is governed by intricate regulatory frameworks.
That’s why we’ve put this article together. We’ve compiled a list of the three compliance standards most relevant to those working in financial services and have outlined the key requirements of each, as well as exactly what organizations are affected.
The US arguably has the most complex regulatory regime for financial products and services. Why? There’s a long list of reasons, including national politics and the country’s federalist nature. But the federal Gramm-Leach-Bliley Act (GLBA) is the “big one” that covers all “financial institutions,” a broad definition that includes any business that is “significantly engaged in providing financial products or services.”
The primary compliance obligation for firms under the GLBA is the requirement to develop a written security program that outlines how they safeguard consumer information. It is a fairly flexible obligation that requires firms to:
Although the GLBA is flexible, financial services firms are expected to implement basic protections against cybersecurity risks. These include encrypting customer information and implementing solutions that prevent inbound and outbound threats. Find out why protecting data on email is especially important.
GLBA violations can attract hefty penalties, including fines of up to $100,000 per violation and prison time of up to five years.
In the UK, the primary piece of legislation that governs the regulated financial services market is the Financial Services and Markets Act 2000 (FSMA). This piece of legislation also establishes regulatory bodies like the Financial Conduct Authority (FCA), which is responsible for the regulation of conduct in wholesale financial markets.
Prior to the FSMA, compliance was viewed as a low priority within firms. The FSMA was introduced to act as a full, accurate, and accessible document that outlines the roles and responsibilities of the financial services and market industries.
If you hadn’t heard of the other two compliance standards on this list, you’ve almost certainly heard of this one. At the time of the General Data Protection Regulation’s (GDPR) introduction in 2018, it was the largest change to data protection legislation in almost 20 years, and it’s where financial services firms around the world can find some of the most thorough guidance on their compliance obligations.
It gives regulators the power to impose hefty fines on organizations that are not compliant, and it has shaken up many industries where wide-scale privacy changes are required to achieve compliance. Read more about the biggest fines issued so far in 2020 on our blog.
The GDPR was established amid growing concerns around the safety of personal data and the need to protect it from hackers, insider threats, and unethical use. It effectively puts individuals back in control of their data, giving them the power to control how businesses use it. You must be able to move or dispose of this data if requested.
Still scratching your head? We’ve answered 13 FAQs about GDPR.
The GDPR impacts the sector in a few distinct ways.
You must have client consent
The GDPR says that you must explicitly gain consent to gather personal data and say why you are collecting it. You must also gain additional consent if you wish to share this information. Personal information refers to anything that could be used to identify an individual, such as:
You have end-to-end accountability for data
IT systems are at the core of any financial firm and constantly have data passing through them.
The GDPR requires firms to understand all the data flows across their organization and to reduce exposure to external vendors and parties. Firms must also remain vigilant when sharing data, particularly across borders. In layman’s terms: the GDPR holds businesses accountable for safeguarding customer data. Organizations are obligated to take steps to ensure data isn’t disclosed, either intentionally or accidentally, where there isn’t a legitimate reason.
Did you know that misdirected emails are the number one data loss incident reported to the Information Commissioner’s Office (ICO)? Learn more about the consequences of “fat fingering” an email here.
Your clients have a right to erasure
GDPR gives your clients the right to ask for their data to be removed without the need for any outside authorization. Financial institutions can keep some data to ensure compliance with other regulations (for example, information relevant to credit records) but in all other circumstances, data must be destroyed when requested.
You are bound by strict protocols in the event of a loss
Before the GDPR, firms could adopt their own protocols in the event of a data breach. Now, the GDPR compels firms to report any data breach, no matter how big or small, to the relevant regulatory or supervisory authority, such as the ICO, within 72 hours.
The notification must:
Impacted clients must also be notified of the breach, the potential outcome, and any remediation “without undue delay”. That’s one reason why a data breach can negatively impact reputation and customer trust. But those aren’t the only consequences.
Penalties for non-compliance are very harsh and can be as severe as a fine of 4% of annual global turnover or €20 million—whichever is higher. And they’re being handed out more often now too, with over 36 fines issued in March 2020 alone. That’s a new record.
That means ensuring compliance is essential.
Financial services firms are under increased pressure to monitor and control their data and restrict the movement of it to prevent both accidental and deliberate loss.
Of all the places where data can be lost, email represents one of the most common. In fact, 90% of data breaches begin with email. Why? Because it’s a threat vector for both inbound and outbound threats like phishing, data exfiltration, and misdirected emails.
Tessian prevents all of these threats by using machine learning to monitor email behavior and apply a human-like understanding of it. Across three solutions, Tessian analyzes email data to understand and interpret communications and steps in when it detects that something’s “off”: for example, if an employee sends company data to a personal email account, or if someone receives an email from a suspicious domain that could be a phish. Best of all, Tessian works quietly in the background and doesn’t disrupt workflow, while its helpful, in-the-moment warnings reinforce training and remind employees of existing policies. That means it’s good for everyone.
Learn more about how Tessian has been used by financial institutions such as Evercore, Man Group, and Premier Asset Management to proactively protect customer data and achieve full compliance. You can read more customer stories here.