Over the last few decades – and driven by the digital transformation – compliance has become a core part of the financial services sector. But, today, security, compliance, and legal teams aren’t just ensuring that regulatory obligations are met because they’re legally compelled to. Compliance plays an important role in protecting firms’ reputations.
The problem is, compliance is broad and multi-faceted. There are many ways in which a firm can fall out of compliance, especially in sensitive industries such as finance. Why? Because one of the leading causes of non-compliance is data loss and, according to one report, 62% of breached data came from financial services in 2019.
The regulatory framework
When it comes to privacy and data security, the financial services sector operates in a strict regulatory environment, especially when compared to other sectors. In major markets like the United States, the European Union, and the United Kingdom, financial services compliance is governed by intricate regulatory frameworks.
That’s why we’ve put this article together. We’ve compiled a list of the three compliance standards most relevant to those working in financial services and have outlined the key requirements of each, as well as exactly what organizations are affected.
Gramm-Leach-Bliley Act (GLBA)
The US arguably has the most complex regulatory regime for financial products and services. Why? There’s a long list of reasons, including national politics and the country’s federalist nature. But, the federal GLBA is the “big one” that covers all “financial institutions,” a broad definition that includes any business that is “significantly engaged in providing financial products or services,” such as:
- Banks and related services;
- Investment firms;
- Non-bank lenders (e.g. interest-free finance, payday loans);
- Mortgage brokers; and
- Real estate appraisers.
What are the main compliance obligations under the GLBA?
The primary compliance obligation for firms under the GLBA is the requirement to develop a written security program that outlines how they safeguard consumer information. It is a fairly flexible obligation that requires firms to:
- Designate an employee to manage the program;
- Identify risks in operational areas and assess relevant security safeguards; and
- Adjust the program as risk factors develop.
Although the GLBA is flexible, financial services firms are expected to implement basic protections against cybersecurity risks. These include encrypting customer information and implementing solutions that prevent inbound and outbound threats. Find out why protecting data on email is especially important.
What are the penalties for non-compliance?
GLBA violations can attract hefty penalties, including fines of up to $100,000 per violation and prison time of up to five years.
Financial Services and Markets Act 2000 (FSMA)
In the UK, the primary piece of legislation that governs the regulated financial services market is the Financial Services and Markets Act 2000. This piece of legislation also establishes regulatory bodies like the Financial Conduct Authority (FCA), which is responsible for the regulation of conduct in wholesale financial markets.
The FCA’s objectives include:
- Ensuring market confidence and financial stability;
- Promoting public awareness;
- Protecting consumers (e.g. from instances of data loss); and
- Reducing financial crime.
Prior to the FSMA, compliance was viewed as a low priority within firms. The FSMA was introduced to act as a full, accurate, and accessible document that outlines the roles and responsibilities of the financial services and market industries.
Who does the FSMA apply to?
- Any authorized firm conducting regulated financial activities such as deposit taking, insurance-related activities, financing activities, and consumer credit activities.
What requirements exist concerning compliance under the FSMA?
- Regulated firms must have systems in place to ensure they are compliant with applicable laws. Like many other compliance standards, though, the Act does not specify which systems. But, if we’re talking specifically about firms’ obligation to prevent data loss, DLP solutions are a good place to start. We have plenty of DLP resources, including an overview of what data loss prevention is, how it works, and an overview of current DLP solutions.
- Controls, systems, and compliance programs can vary depending on the size of the firm and its regulated activities.
- There are several ways that compliance best practice can be conveyed to firms, including through thematic reviews by the FCA.
General Data Protection Regulation (GDPR)
If you hadn’t heard of the other two compliance standards on this list, you’ve almost certainly heard of this one. At the time of the GDPR’s introduction in 2018, it was the largest change to data protection legislation in almost 20 years and it’s where financial services firms around the world can find some of the most thorough guidance on their compliance obligations.
It gives regulators the power to impose hefty fines on organizations that are not compliant, and it has shaken up many industries where wide-scale privacy changes are required to achieve compliance. Read more about the biggest fines issued so far in 2020 on our blog.
What is the GDPR for?
The GDPR was established amid growing concerns around the safety of personal data and the need to protect it from hackers, insider threats, and unethical use. It effectively puts individuals back in control of their data, giving them the power to control how businesses use it. You must be able to move or dispose of this data if requested.
Still scratching your head? We’ve answered 13 FAQs about GDPR.
How does the GDPR impact the financial services industry?
The GDPR impacts the sector in a few distinct ways.
You must have client consent
The GDPR says that you must explicitly gain consent to gather personal data and say why you are collecting it. You must also gain additional consent if you wish to share this information. Personal information refers to anything that could be used to identify an individual, such as:
- Email addresses
- Social media profiles
- IP addresses
You have end-to-end accountability for data
IT systems are at the core of any financial firm and constantly have data passing through them.
The GDPR requires firms to understand all the data flows across their organization and reduce exposure to external vendors and parties. Firms must also ensure vigilance when sharing data, particularly across borders. In layman’s terms: the GDPR holds businesses accountable for safeguarding customer data. Organizations are obligated to take steps to ensure data isn’t disclosed, either intentionally or accidentally, where there isn’t a legitimate reason.
Did you know that misdirected emails are the number one data loss incident reported to the Information Commissioner’s Office (ICO)? Learn more about the consequences of “fat fingering” an email here.
Your clients have a right to erasure
GDPR gives your clients the right to ask for their data to be removed without the need for any outside authorization. Financial institutions can keep some data to ensure compliance with other regulations (for example, information relevant to credit records) but in all other circumstances, data must be destroyed when requested.
You are bound by strict protocols in the event of a loss
Before GDPR, firms could adopt their own protocols in the event of a data breach. Now, GDPR compels firms to report any data breach, no matter how big or small, to the relevant regulatory or supervisory authority, such as the ICO, within 72 hours.
The notification must contain:
- Relevant details regarding the nature of the breach;
- The approximate number of people impacted; and
- Contact details of the firm’s Data Protection Officer (DPO).
Impacted clients must also be notified of the breach, the potential outcome, and any remediation “without undue delay”. That’s one reason why a data breach can negatively impact reputation and customer trust. But, those aren’t the only consequences.
What are the penalties for non-compliance?
Penalties for non-compliance are very harsh and can be as severe as a fine of 4% of annual global turnover or €20 million—whichever is higher. And they’re being handed out more often now too, with over 36 fines issued in March 2020 alone. That’s a new record.
That means ensuring compliance is essential.
Tessian helps financial services firms stay compliant
Financial services firms are under increased pressure to monitor and control their data and restrict the movement of it to prevent both accidental and deliberate loss.
Of all the places where data can be lost, email represents one of the most common. In fact, 90% of data breaches begin with email. Why? Because it’s a threat vector for both inbound and outbound threats like phishing, data exfiltration, and misdirected emails.
Tessian prevents all these threats by using machine learning to monitor email behavior and apply human-like understanding to it. Across three solutions, Tessian analyzes email data to understand and interpret communications and steps in when it detects that something’s “off”: for example, when an employee sends company data to a personal email account, or when someone receives an email from a suspicious domain that could be a phish. Best of all, Tessian works quietly in the background and doesn’t disrupt workflow, and its helpful, in-the-moment warnings reinforce training and remind employees of existing policies. That means it’s good for everyone.
Learn more about how Tessian has been used by financial institutions such as Evercore, Man Group, and Premier Asset Management to proactively protect customer data and achieve full compliance. You can read more customer stories here.