Top 2021 Banking and Security Regulations
In 2020, financial institutions found themselves forced to engage with their customers almost solely through digital channels, namely e-banking and financial mobile applications. The pandemic’s restrictions on movement and in-person meetings also meant that they had to onboard a significant cohort of older and less digitally aware clients.
This large rise in the use of mobile finance apps was noticed by two other parties: hackers and regulators. Hackers increased attacks intended to steal personal information or cardholder data, while regulators became increasingly concerned with financial data security compliance. The developers of financial services apps need to ensure data security compliance to operate in various markets, reassure their customers that they are handling their data with care, and importantly, reduce risk and exposure associated with regulatory censure.
The introduction of new compliance requirements, and the updating of existing ones, in 2021 represents a significant risk management concern for banking and fintech app publishers. Here are the major financial data security compliance regulations to be aware of in 2021.
Financial Transactions and Reports Analysis Centre of Canada (FINTRAC)
Canada’s anti-money laundering legislation will introduce significant changes in June 2021. The expanded ruleset will change how politically exposed persons are reported on, and will bring cryptocurrencies under the remit of reporting obligations.
One of the most significant of these changes is that foreign Money Services Businesses (MSBs), which had not previously been obligated to report under the FINTRAC legislation, will now have to do so. This will significantly increase reporting obligations and associated risks for foreign fintech firms operating in the Canadian market.
Payment Services Directive 2 (PSD2)
The latest tranche of regulatory requirements mandated by the European PSD2 came into force on December 31, 2020, though some countries will maintain a grace period through the end of Q1 2021. The PSD2 changes focus on fraud reduction through mandatory Strong Customer Authentication (SCA), as well as opening the door for greater innovation and customer engagement by laying down guidelines for so-called “super wallets.”
The SCA changes mean that customers of banking and financial digital services must authenticate with two independent factors to gain access. These are drawn from three categories: something they own (such as a phone), something they know (such as a password), or something they are (biometric information such as a fingerprint, iris, facial recognition, or palmprint).
For many app developers, the regulation of third-party apps that can access and aggregate bank accounts will signal a significant opportunity for competition and innovation in the banking services sector. With the PSD2’s framework, developers that meet financial data security compliance must be allowed access to their customers’ accounts, meaning product quality, rather than legacy account loyalty, should play a bigger role in consumer decisions.
California Consumer Privacy Act (CCPA)
The new changes introduced to the CCPA on January 1 will demand even stronger data compliance. They will also widen the net of companies the act applies to. The act’s core provisions already grant consumers the rights to access information held about them, demand its deletion, and opt out of future collection, though these previously applied only to “for-profit” businesses, such as those with revenues in excess of $25 million.
From the beginning of 2021, however, compliance obligations will also extend to any data affected by HIPAA, the Confidentiality of Medical Information Act, or the Federal Policy for the Protection of Human Subjects. For finance and mobile banking developers doing business in California, it’s another layer of financial data security compliance that they need to fulfill.
Gramm–Leach–Bliley Act (GLBA)
The Gramm–Leach–Bliley Act, also known as the Financial Services Modernization Act, directly affects financial institutions and how they share financial data, offer advice, and report incidents. The new year and the new Biden administration could see significant changes being made that would increase the financial data security compliance burden on applicable firms. These may include:
- Broadening the definition of security events to include any unauthorized access
- Expanding audit trail obligations
- Mandating real-time monitoring of digital financial services to improve fraud detection
- Time-limiting data retention
EU 5th and 6th Anti-Money Laundering Directives
The latest provisions of AMLD5, which focus on money laundering and what constitutes a crime within the European Union, came into force in January 2021. The directive expands the list of firms that will have to report ownership information and reinforces customer authentication standards. It will directly affect digital providers of financial services, such as cryptocurrency exchanges.
Although AMLD5 is relatively new, its next iteration, AMLD6, will start to be enforced in June 2021. The new directive will see an EU-wide harmonization of what constitutes an offense, including tax, environmental, and cybercrimes. It will be the first time that cybercrime will be directly addressed in this context and will increase the range of those who may be held criminally liable.
Monetary Authority of Singapore Technology Risk Management Guidelines
In response to what it described as a “clear indication” of increasing cyber threats, the Monetary Authority of Singapore (MAS) issued revised Technology Risk Management Guidelines in January this year.
Following a number of cyber attacks on critical supply chain elements and financial institutions (FIs) in 2020, the more robust policy guidelines require stronger oversight of third-party service providers, improved risk mitigation strategies, and effective penetration testing. They also require FIs to ensure that a “chief information officer and a chief information security officer, with the requisite experience and expertise, are appointed and accountable for managing technology and cyber risks”.
Payment Card Industry Data Security Standard (PCI DSS)
These various regulations and government efforts need to fit alongside industry gatekeepers such as the PCI and its PCI DSS standard, which govern whether payment processing is permitted at all. The existing CPoC (Contactless Payments on COTS) Standard was introduced in 2019 and set out security requirements for SoftPOS (software point-of-sale) solutions, allowing payments to be accepted on off-the-shelf mobile devices or tablets without adding specialized hardware. However, these transactions were limited because PIN entry on the mobile device was not permitted. As a result, they had hard monetary limits (for example, €50 in most EU countries).
PCI is expected to release a new CPoC standard that will allow PIN entry on a standard mobile device, greatly expanding the range of transactions that can be processed.
Financial data security compliance is critical for all fintech and mobile banking app developers for a number of reasons, including:
- Reducing costs of data breaches
- Avoiding regulatory fines
- Maintaining customer trust and loyalty
- Capacity to operate in multiple jurisdictions
Application protection is the key to ensuring developers and vendors maintain financial data security compliance wherever they are doing business. Apps must be shielded against the multitude of attack vectors that hackers can use to gain access. Common threats include:
- Reverse engineering
- Code tampering
- Man-in-the-middle attacks
- Running apps on rooted/jailbroken devices
- Side-channel attacks
- Stealing encryption keys
Encryption keys, for example, have become a favorite target of hackers frustrated by higher encryption standards. If they can steal the encryption key, then the strength of the encryption used to protect the data being stored or transmitted doesn’t matter. Outside of hardware modules, which are cumbersome to apply and not available on every device, only a technique such as white-box cryptography can keep encryption keys safe. In fact, the PCI CPoC Standard makes white-box cryptography compulsory when there is no guaranteed hardware protection of the keys.