Privacy Regulations and Data Rights for Financial Services
August 5, 2021
Financial services firms face a complex maze of privacy regulations that differ by state and country jurisdictions. Meanwhile, the rights to use customer data have evolved significantly.
During a panel discussion at the Expert-in-the-Loop (EITL) Forum on May 25–26, 2021, Compliance.ai CEO Kayvan Alikhani discussed the challenges of data rights and privacy with Michael Delune, general counsel at Manufacturers Bank, and Kelvin Dickenson, senior vice president of product, risk and compliance at SAI Global Risk. They also explored the challenges associated with managing the complexity of compliance.
Data Rights Have Become a Branch of Privacy
The explosion of smartphones, cloud computing, and social media over the last 20 years has pushed privacy considerations and data rights to the forefront. Governments struggle to balance the needs of businesses with consumers’ right to have both their privacy and their data protected. Technology companies have been calling on Congress to move toward a uniform federal privacy standard.
“Privacy laws have evolved not so much out of any coherent theory, but with the evolution of digital technologies,” said Delune. “The definition of privacy used to be limited to health and other personal information, but has expanded to everything from names and addresses to biometric information, preferences, and even inferential data.”
One of the biggest challenges that all institutions will face is establishing frameworks to manage their data protection environment.
“The data privacy law is evolving so dynamically that it’s important for companies to establish a base framework that allows them to adapt quickly to changes in the law,” said Delune. “Businesses should begin by inventorying their data and identifying what kind of data they have about whom. The framework goes hand in hand with managing risk and controls.”
The regulatory landscape will continue to shift toward laws like New York’s strict 23 NYCRR Part 500, which established cybersecurity requirements for financial services companies, according to Dickenson.
“Privacy rights follow the evolution of the data, and regulations just follow the evolution of the privacy rights,” he said. “Banks will need to be vigilant about watching this space, and technology can help.”
Ethical Frameworks for Privacy
Beyond legal privacy requirements, a financial institution’s ethical framework will affect how it handles privacy, the panelists agreed.
“It comes down to how a company views privacy requirements,” said Dickenson. “Do they feel an ethical obligation to their customers based on the fact that they’re realizing revenue by holding data they don’t own? Or do they feel like it’s another checkbox requirement?”
Alikhani pointed out that there’s a distinction between a culture of compliance, which involves doing the minimum necessary, and a culture of ethics.
“The cost of non-compliance is becoming much higher, which makes it easier to convince management that you need a culture of compliance,” he said. “But it will be a lot more challenging to convince them to adopt a culture of ethics. Very few companies have been able to succeed at making ethics a part of their brand. Patagonia is an exception.”
Companies can turn data privacy into an advantage, distinguishing themselves by showing that they value securing consumers’ personal data above and beyond what’s required by law.
Latest Developments in Federal Privacy Legislation
The panelists agreed that in the wake of several state legislatures enacting privacy laws over the last several months, the need for federal legislation has become much clearer.
“Many industries would like to be regulated at the federal level rather than having to develop compliance programs that meet 50 different state standards plus international standards,” said Delune.
One example of recent federal legislation is the bipartisan Social Media Privacy Protection and Consumer Rights Act of 2021 (S. 1667), reintroduced in May by Senator Amy Klobuchar (D-MN). Among the bill’s requirements is that platforms must write their terms of service in plain language and must notify users within 72 hours if there’s a data breach.
In addition, Section 4021 of the CARES Act, Credit Protections During COVID-19, temporarily amends the Fair Credit Reporting Act (FCRA) to protect consumers who ask for payment accommodations. This has implications for lenders, creditors, and others who furnish data to credit reporting agencies.
These regulations have given rise to several cautionary stories of litigation. In February 2021, TikTok agreed to pay $92 million as part of a class-action lawsuit alleging that the company broke one of the toughest laws in this area, Illinois’ Biometric Information Privacy Act (BIPA). The same month, a federal judge approved an even larger settlement—$650 million—in another class-action lawsuit against Facebook for violating the same law.
“These large settlements are part of another trend we’re seeing as privacy laws evolve,” said Delune. “Traditionally, a plaintiff had to assert quantifiable damages, which are very difficult to prove. Now judges are awarding a specific amount per claim. If you multiply that by the sheer volume of records involved in these kinds of breaches, the numbers are staggering.”
Adtech Regulations Evolving
Another area of privacy concern relates to advertising technology, or ad tech. Regulations are just beginning to address the ways ad tech can track user behavior online.
“By design, the industry players have no incentive to be upfront about their activities,” said Delune. “I suspect that the industry is rife with violations of data rights laws, but we’re seeing scrutiny increase.”
Companies tread a fine line between giving users the benefits that tracking technology offers and respecting their expectations of privacy.
“People want to be able to get their bank balance on their iPhone just by showing their face, but they don’t want their faces to determine what ads they’re served,” said Dickenson.
Financial services firms will be in a better position if they can disclose to consumers why they have data and how they’re protecting it.
“The trend seems to be to give consumers the power to control their data across platforms,” added Delune.
Advice for Financial Services Organizations
The compliance landscape is constantly changing, but panelists agreed that for financial services firms, investing in regulatory compliance on the front end, as a cost of doing business, is a much more prudent posture than rectifying compliance violations through fines, litigation, or expensive settlements.
“There are two areas organizations should be watching,” said Dickenson. “The first, from a compliance lens, is to watch Europe. Your data rights are a little bit like spring fashion: they start in Europe, but they always end up in the United States.
“The second is to follow evolving consumer sentiment, to go beyond compliance to feeling the pulse of the market and what consumers expect. Consumers will choose to do business with companies that respect data privacy. They’ll see those companies as trustworthy partners.”