Financial Institutions and the Impact of New Privacy Regulations
January 29, 2020 | 10 minute read
There is no company today that has not given thought to the protection of its data and the privacy laws that are being initiated, passed, and enforced all over the globe. No matter your industry, some type of security, privacy, and data protection rules have touched your business.
The European Union passed the General Data Protection Regulation (GDPR) to provide data protection and privacy rights to EU citizens. The rules apply in the EU and the European Economic Area (EEA), and they also address the transfer of personally identifiable information (PII) outside of the EU.
Following that example, many other data privacy regulations have been passed. The California Consumer Privacy Act, or CCPA, has recently gone into effect. California is just the first of many states to enact such regulations; many more are about to follow suit. The rules of the CCPA apply not just to companies inside California but to any business, financial institution, or other for-profit enterprise that does business with California residents. The reach of many of these rules goes far beyond the borders implied by their initials.
So Many Abbreviations
It can be difficult to understand the privacy laws. There is no one regulation that fits every purpose. We have covered the GDPR and CCPA above, but there is also HIPAA, the Health Insurance Portability and Accountability Act. This is the one most people know from signing the permission forms at their doctor’s office. The US Department of Education has the Family Educational Rights and Privacy Act, or FERPA, which covers the privacy protection of students’ records and information. Countries all around the world and individual states are taking privacy seriously and passing their own legislation that protects their citizens, but the rules apply beyond their borders. Thailand, which has always valued the quiet privacy of its citizens, has passed its own regulation called the Personal Data Protection Act, or PDPA. So many abbreviations, but they have one thing in common: protect the personally identifiable information of citizens and consumers.
Preparing A Privacy Audit
If all the new abbreviations were not dizzying enough, learning to comply with all the new regulations can be. There can be severe penalties for not understanding how the law applies to your business, your customers, and the way you treat your data. Laws in other areas of the country or even the world can apply to you. Before stepping into hot water with the authorities, it would be wise to be proactive about privacy and initiate a privacy audit of your company’s data.
Sometimes the difference between confidentiality and privacy is not clear to the consumer or even the business owner. This is why it is good to have a privacy professional walk you through your audit and help you understand the type of data you have and how it is being used. For the purpose of your business audit, confidentiality concerns the sharing of information without consent: you must be able to protect your consumer, client, employee, or other personal data from exposure or from being shared without first getting express permission. Privacy means that you will honor freedom from intrusion on private matters; as a holder of someone’s personal data, you agree to protect it, and those who come into contact with it in the course of doing business with you also will not do anything negligent with it or share it.
The more one tries to put the word ‘privacy’ in a neat little box, the harder it is to contain. When defining your company’s privacy policies and creating your audit process, you can manage most of your privacy audit in a series of methodical steps:
- Subjective Context: Attempting to define privacy in a corporate environment can be challenging. If an employee uses the internet and the search data is saved and sold, is it confidential, private or company data?
- Risk Identification: Following your data, your tech department can help guide you through identifying all potential areas, devices, or systems which pose a privacy risk for company data.
- Risk Inspection: To assess and examine the risk to private data, work through the rules in clear steps and interpret the results:
  - Designate a Ranking: What is the risk? Assign a value or scale.
  - Review Executions: Check your if-then statements. With a value assigned, the policy has been implemented; recheck the results to see whether the risk has been lowered.
  - Evaluate Residual Risk: The risk to privacy can be valued and policies followed, and yet there may remain what is considered a residual risk of privacy violations.
This is where having a strong written company privacy policy comes in. It should have guidelines for each level of management to follow with any type of information, and detailed instructions on what to do when a data breach occurs and to whom to report it. Having senior staff and administration able to be proactive with a solid risk management strategy works well for everyone. Communication should be a top priority to maintain transparency. It will make it easier to learn from any mistakes made so that future data breaches may be avoided.
The administration should monitor the steps in the guidelines and go over them regularly with their employees. Having everyone on the same page and well trained in handling and protecting company data reduces the overall risk. Set up a yearly consultation with a privacy professional to review any legal changes and new rules, and conduct an internal audit. Regularly monitor and review the policy for any updates needed to keep the company current. Doing these things will help keep some of the risk down and make it easier to handle privacy policies from the boardroom, to employees, to the consumer.
Identity Authentication
Banks and financial institutions are required to follow existing fair banking regulations, consumer protection laws, and privacy laws. With new regulations in constant flux, there may be some uncertainty as to where to begin. While there are no current US regulations that require that banks follow open banking standards, many foreign countries are already doing so. The EU and UK have both initiated regulations that require banks to deploy application programming interfaces or APIs. APIs must be available to third-party developers. If banks in the US want to keep up with the worldwide banking trends, keeping up with regulations on a global scale is a necessity.
To ensure that banks follow privacy regulations, they will have to verify that any third-party application using their services provides the end user with appropriate disclosures. The disclosures would detail the company’s privacy policies and commitment to fair banking regulations. Data management systems will require comprehensive privacy audits. Beyond keeping records for current customers, banks have to keep records for millions of transactions entering and leaving their systems. For legal purposes, banks are also required to collect data to protect themselves, consumers, and national security from money laundering and exploitation. Attempting an open banking concept while maintaining privacy regulations and strict data security brings many challenges.
One way that banks meet this challenge is through identity authentication. While privacy laws often focus on what happens to the data, where it goes, and how long it is stored, identity is the second half of the equation. The National Institute of Standards and Technology has a specific standard that has become a US regulation, called Special Publication 863. This standard has recently been updated to separate the aspects of proving identity and authentication factors. Banks and financial institutions have consistently relied on this standard but now will have to address privacy concerns concurrently.
Due to the importance placed on banks and financial institutions, their data needs are straightforward. They need to know where the data is coming from, how to protect the data they have, and to whom they are giving the data; they need to know where it is going. This is where identity comes in. Banks require that businesses or individuals provide proof of identity, and often the types of proof considered acceptable are regulated. Identification happens once; authentication then happens at each transaction. It’s like proving who you are when setting up your account, then using account numbers, usernames, and passwords to authenticate that it is you accessing the account to make transactions. All bank records, though, have privacy implications.
Security and Surveillance Systems
There are internal data security and privacy issues concerning banking data. Security and surveillance systems also present a unique privacy concern. The systems help ensure customer and staff safety, but in the event that the information is requested, such as to demonstrate a fraudulent transaction or a robbery, the customer data that is unrelated to the event in question will need to be redacted. Protecting against the release of personally identifiable information (PII) of customers or private citizens is part of following the new privacy standards. While banks and financial institutions can release information under a court order for law enforcement or public safety, any other reason for the release of data will require redaction of footage.
What is Redaction?
Redaction is the process of censoring, removing, or obscuring data, video, or audio for security or liability reasons. Following existing data privacy or consumer privacy laws is one reason corporations use redaction systems to help protect their data. Banks and financial institutions have been in the business of protecting data, theirs included, for many years. In 1999, the Gramm-Leach-Bliley Act, or GLBA, was one of the first regulations on disclosing personal data. Newer privacy laws have expanded on this, and being able to harness, control, and secure data is an important part of the banking industry.
Releasing the data requires privacy protections for the consumer and the institution. Redaction systems can be applied to data before it is released, and a system that can handle multiple forms of information works well in banking environments. Calls are monitored and recorded for the safety of the consumer and the staff members, and that information is retained for a designated period of time. Any PII held within the audio of the call, such as account numbers, credit card numbers, or social security numbers, can be redacted from the audio. Security video can be redacted for faces, phones, monitors, and any other information that could be considered PII. Documents, or even databases from which data can be extracted, can also be redacted for information like account numbers or other important data. Banks can require a two-step identity-authentication process for the consumer to obtain the missing data.
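As an added illustration of document redaction of the kind described above (this is example code written for this article, not a vendor's product or the bank's own tooling), the Python below finds social security numbers, Luhn-valid payment card numbers, and labelled account numbers in a text record, masks them while keeping the last four digits, and returns a log entry for every span removed so each redaction can be accounted for. The patterns and the sample record are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed detection rules (assumptions for this example): SSN, payment card
# (13-19 digits, Luhn-checked) and an account number only when labelled as such.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    "account": re.compile(
        r"\b(?:acct|account)\s*(?:no\.?|number|#)?\s*:?\s*(\d{6,12})\b", re.I),
}

@dataclass
class Redaction:
    kind: str    # which rule fired
    start: int   # offsets into the original text, for the redaction log
    end: int
    last4: str   # kept so an authorised party can still match the record

def luhn_ok(number: str) -> bool:
    """Luhn check: filters out digit runs that are not real card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pii(text: str) -> list[Redaction]:
    found = []
    for kind, rx in PATTERNS.items():
        grp = 1 if rx.groups else 0        # account rule captures only the number
        for m in rx.finditer(text):
            value = m.group(grp)
            if kind == "card" and not luhn_ok(value):
                continue                   # e.g. a transaction reference: leave it readable
            found.append(Redaction(kind, m.start(grp), m.end(grp), value[-4:]))
    found.sort(key=lambda r: (r.start, -r.end))
    kept, cursor = [], 0
    for r in found:                        # drop spans overlapping an earlier redaction
        if r.start >= cursor:
            kept.append(r)
            cursor = r.end
    return kept

def redact(text: str) -> tuple[str, list[Redaction]]:
    """Return the redacted text plus one log entry per span removed."""
    log, out, pos = find_pii(text), [], 0
    for r in log:
        out.append(text[pos:r.start])
        out.append(f"[{r.kind.upper()} REDACTED ...{r.last4}]")
        pos = r.end
    out.append(text[pos:])
    return "".join(out), log

# Constructed sample record (not real customer data)
SAMPLE = ("Customer SSN 123-45-6789 opened Account No: 4417200011 and paid with "
          "card 4111 1111 1111 1111; transaction ref 1234 5678 9012 3456.")
```

The 16-digit transaction reference fails the Luhn check and is left readable, while the card number, SSN and labelled account number are masked and logged with their offsets.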
Full Protection
For banks and financial institutions to stay ahead of global banking trends, they will need full control of their data. Having an in-house redaction system that banking managers, security staff, and others as required can be fully trained on and work with interchangeably will allow the data to flow, meet deadlines, and not interrupt daily transactions.
Redaction policies can be put in place, and as data is collected and secured, redaction can be done by IT or another designated department. The penalties for failing to comply with the privacy laws are far too great to risk the trust of the community when it comes to banking or working in the financial industries. Consumers put their money with corporations and enterprises they have placed their trust in. At the same time, being able to meet court orders and requests such as Freedom of Information Act, or FOIA, requests, as well as other requirements for data, is essential.
Recently, a US court judge issued one of the first rulings regarding privacy law, foreign privacy laws, and banking institutions. The conclusion was that the burden of complying with the new foreign privacy laws would not give any significant relief from producing bank records. On the contrary, the judge ordered the records to be produced in an extremely short amount of time, with only the redactions permitted by foreign privacy laws allowed, and a log presented for each redaction.
Getting a step up on the competition in privacy, identity, authentication, and data security can make or break an institution. Today’s standards are just stepping stones to tomorrow’s tougher solutions. Getting staff trained and policies in place now, so that quality redaction systems can be used as data is collected and stored, will keep enterprises viable for years to come. Data makes or breaks a business, and redaction is part of the process that keeps that data secure.