August 30, 2022
How Skyflow Helps Fintechs Comply with Financial Privacy Laws
If you’re a privacy professional, or you pay attention to the issue of data privacy, you know that the terrain is shifting rapidly. Companies that collect any kind of sensitive data are likely to be subject to several different data privacy laws. This is especially true of fintech companies who need solutions to ease their regulatory compliance burden. Skyflow’s Fintech Data Privacy Vault provides such solutions.
Anyone who is responsible for the privacy and security of customer financial data at a fintech company needs to implement extensive technical safeguards to stay in compliance with various laws and regulations: encryption, data governance, monitoring, logging, the list goes on. Your fintech company derives a lot of value from data that you collect from your users, so it’s critical to be proactive about continuously augmenting your incident response protocols and your data governance, audit, logging, and risk assessment capabilities.
Using Skyflow’s Fintech Data Privacy Vault can help you to get a handle on data governance while providing privacy and security that goes beyond current regulatory requirements – all while letting you use sensitive data to provide useful insights for your product, design, marketing, and sales efforts. In this post, we’ll look at the regulatory landscape that fintechs face in the US, and how Skyflow can help fintechs to be proactive about data privacy compliance.
Data privacy regulations in the US have evolved significantly in the years following the passage of the first US financial privacy law, the Gramm-Leach-Bliley Act (GLBA), in 1999. GLBA requires companies that offer financial products to follow an extensive set of data privacy and security rules. Recently, the Federal Trade Commission (FTC) strengthened a component of GLBA called the Safeguards Rule, as a part of a broader national shift towards strengthening privacy regulations.
This, along with the growing number of state privacy laws like the California Consumer Privacy Act (CCPA), means that both traditional banking institutions and fintech startups are facing an increasingly complex set of compliance requirements. Adding to this already significant list of changes, the Consumer Financial Protection Bureau (CFPB) is also taking a more active role in data privacy regulation to protect the financial interests of consumers. We’ll start by taking a closer look at the original US financial privacy law, GLBA.
GLBA was the first privacy law aimed at regulating financial institutions. It’s a federal law that requires financial companies to inform their customers of any data collection practices that include nonpublic personal information (NPI) and to grant customers the right to opt out of this collection.
GLBA defines NPI as personal information provided by a consumer “resulting from any transaction with the consumer or any service performed for the consumer”. GLBA offers a set of requirements, including risk assessment, monitoring, and building out a team or designating a person to manage your security and compliance programs. Failure to follow these guidelines can result in hefty fines levied by the FTC.
But while GLBA was a good first step, several states have been working to provide additional data privacy protections to their residents – most notably, California.
California’s CCPA and CPRA
CCPA, passed in California in 2018, has a complex relationship with GLBA. Although they ostensibly have the same goal, CCPA does not preempt GLBA. To minimize overlap, there’s a broad (but not total) exemption for financial institutions written into CCPA. The complexity lies in the fact that even with this exemption there are still data collection practices covered by CCPA that are not covered by GLBA. As a result, these practices are rarely exempt from CCPA oversight.
CCPA has a much broader definition of regulated information than GLBA (Personal Information, or PI, as defined here), and CCPA regulates the collection of this information. Regulation of PI goes well beyond data collected from people purchasing financial products, and includes things like email addresses collected for marketing, website behavior tracking, and any other data points that could theoretically be used to identify someone.
So, while GLBA provides the primary set of sensitive data rules for fintechs, CCPA adds another layer of requirements, as shown below:
However, these requirements have changed now that CCPA has been amended by passage of the the California Privacy Rights Act (CPRA). CPRA, an updated version of CCPA, is now being enforced. CPRA goes even further than CCPA in defining regulated information by carving out a newly and broadly-defined category of “sensitive personal information” (SPI). Anyone using SPI is only allowed to collect it if the user “opts in” to its collection, and it can only be used for specified business purposes.
Known as the “GDPR of California”, CPRA creates a new enforcement agency: the California Privacy Protection Agency (CPPA). CPPA will perform annual cybersecurity audits, review submitted risk assessments, and issue fines for noncompliance. But while California continues to evolve its approach to data privacy regulation, the regulatory landscape at the federal level is continuously evolving with the update of the FTC’s GLBA Safeguards Rule and the recent involvement of the Consumer Financial Protection Board (CFPB) in issues of data privacy.
Safeguards Rule Update and Other Developments
In 2021, the FTC updated the Safeguards Rule component of GLBA, making significant changes, including:
- Regulating “Finders”: Expanding the definition of “financial companies” to include “finders”, i.e. companies that match consumers with financial products, whether they themselves are involved in providing these products or not
- Strengthening Encryption Requirements: Requiring NPI to be encrypted at rest and in transit
- Requiring Annual Risk Assessments: Enforcing a program where an internal security assessor must provide an annual risk assessment report to the financial institution’s governing body
- Defining Exceptions for Smaller Businesses: Carving out an exception for businesses with fewer than 5,000 customers – which removes some, but not all, requirements of the Safeguards Rule for smaller businesses
In 2022 the FTC also announced that they will begin making additional rules around data privacy and security. And, the US Congress is considering passing a national data privacy law, the American Data Privacy and Protection Act (ADPPA). These updates serve as a reminder that data privacy regulations are still rapidly evolving, and are subject to further changes going forward.
Another Regulator: the CFPB
In addition to the FTC, the CFPB has also been paying close attention to how personal information is used and shared amongst companies since it was established in 2008. The mandate of the CFPB is to protect consumers from financial harm, so while data privacy isn’t their focus, they do have an interest in regulating how data is used by financial institutions.
The CFPB recently announced an inquiry into payment platforms, part of an effort by federal agencies to better understand any data privacy risks that might exist in current payment services. The inquiry, initiated in 2021, is aimed at large tech companies like Facebook and Amazon as well as large banks that might benefit from financial data collection.
Because so much of this technology has developed so quickly, the CFPB’s short term goals include assembling a team of technologists who can offer expert insight on modern data collection technologies. Although the short-term implications of this inquiry look limited, its existence is a strong indication that policymakers and oversight groups consider modern data collection to be a “wild west” that needs to be reined in.
Go Beyond the Legislation
These changes are aimed at pushing companies to spend time and resources thinking through their security practices, encouraging them to take a privacy-conscious approach to everything they do. But, when it comes to providing effective data privacy and security, you should consider compliance with these laws to be a necessary, but not sufficient, step toward ensuring data privacy for your customers.
By going beyond what these laws require, and instead focusing on delivering effective data privacy, you can proactively position your company as a data privacy leader – and avoid scrambling to comply with each requirement piecemeal.
I believe that there’s a big difference between these requirements and what most users would consider sufficient security for their most valuable personal data. This isn’t the fault of fintech companies — even the most successful company is going to have trouble finding the resources to build a robust monitoring system, performing a deep analysis of where the sensitive data that they collect is going, and fixing any issues they discover. Making this easy is where the data privacy vault comes in.
How Skyflow Fintech Data Privacy Vault Can Help
Skyflow Fintech Data Privacy Vault is an ideal tool to help you comply with the growing body of privacy legislation and assure your users that you’re taking all possible measures to protect the privacy and security of their sensitive data (NPI, PI, SPI, etc.). The vault can easily integrate with your existing systems, providing you with:
- Strong Encryption: Encrypting data at rest, in transit, and in memory (going beyond what’s required by the Safeguards Rule) to ensure that any and all sensitive data you use is secure at all times
- Sophisticated Governance: RBAC and ABAC access controls give your security team granular control over data flow and access, letting you grant each team just the minimum dataset they require to run core workflows and innovate without putting sensitive data at risk
- Monitoring and Logging: Real-time monitoring and audit logging lets you track where sensitive data is flowing and how it is used. This helps your security team to detect any accidental or malicious misuse of sensitive data early, and gives your security and privacy leaders an in-depth view of the state of data security at your company
Current privacy legislation for fintech companies is complex, and is likely to become even more complex in the future. Meeting the growing list of federal and state-level requirements will require you to take a proactive approach that centralizes and protects any sensitive data that you collect, store, or use for transactions or analytics.
Skyflow’s Fintech Data Privacy Vault is the ideal tool to help you go beyond meeting these requirements to keep sensitive user data truly private and secure. If you’d like to learn more, get in touch with us.
Note: This post discusses legal compliance, but it should not be construed as legal advice. Consult your own legal counsel before changing how you handle sensitive financial data.