Introduction
Consumers’ personal data is used by companies to sell their products and services, but when this data is personal or private, discretion and safety are essential. In some of the US states, there are personal data regulations that keep an eye on companies processing and using consumers’ data. A good example of this is the California Consumer Privacy Act(CCPA). A relatively new law, CCPA came into effect on June 28, 2018, as part of the California Civil Code. It has been praised as a step in the right direction for data regulations by industry pundits, as it solidly defines how data can be protected and how its misuse will result in dire consequences.
But one of the questions that returned to the spotlight after it’s introduction was, ‘Why isn’t there a federal body like this to regulate data privacy all over the country?’ This is where the US can benefit from a step for Unified Data Protection, a central regulation from the Federal Government that oversees and regulates all handling of consumer data. It will give control to the consumers over their personal data while unifying data privacy laws for all states in the US and simplify regulations for international companies. A Unified Data Protection Regulation will have provisions to process US consumer’s data regardless of the location of the company.
Such a body will force the companies to disclose how the data is processed making the purpose, tenure, and sharing of data transparent to the consumer. The Government will impose heavy fines on companies that violate the regulations making the consent of the consumer irrevocably mandatory. This article focuses on how such a unified regulation would impact the different levels of banking and the types of banks in the US.
What Is The Current System Of Banking In The US And How Does It Handle Data Privacy?
Unlike most countries, banking in the US is regulated at state and federal levels, and depending on the class of the bank it is subject to state or federal regulations. The central banking system which regulates all other banks is called the Federal Reserve and was established in 1913.
Duties of the Federal Reserve include:
- Conduct the national monetary policy
- Regulate and supervise banking institutions
- Sustain the stability of the financial system
- Financial services to the U.S. government, depository institutions, and foreign official institutions.
Banks in the US are regulated by the Federal Reserve and overseen by the Federal Deposit Insurance Corporation(FDIC) and the Office of the Comptroller of the Currency(OCC). The banks are classified into:
National Banks
It includes all federally chartered banks and has permission to operate in any part of the country. It is not subject to state laws barring a few exceptions. Even though these banks fall under federal jurisdiction, they must comply with state regulations too, if there are any making it a burden for them.
Depending on the type of charter and structural organization, a bank may be subject to many federal and state regulations and is specifically supervised by the OCC. It is important to note that not all national banks possess nationwide operations as some of them have operations in only one city, county, or state. A common misconception is that the Federal Reserve is a national bank, but this is untrue as it is a system of institutions chartered by Congress for financial oversight.
Banks from other countries that have established a presence in the US are called International Banks. Even though they fall under the category of National Banks, It is noteworthy to consider them as a third category for easier understanding. Some of them have exceptions with the national status and a few of them already follow protocols from other countries’ financial regulatory bodies. Many of these banks are European and already follow GDPR regulations even in the US. Sometimes these are not direct implementations.
State banks
State banks are state-chartered and are permitted to operate within the state where they are chartered. They can acquire customers from other states, but they can not open branches in other states unless they acquire the respective state’s charter or a national charter from the federal government. It is also mandatory for them not to have “National” or “Federal” in their names and nomenclature.
Is Data Privacy Safe in This System of Banking?
Information security and banking privacy in the US is not protected through a singular law rendering the regulation of privacy sector-based. Thus regulations are different in different states and all states do not possess sufficient research data or machinery for good regulation. This leads to risk and data breaches.
Gramm-Leach-Bliley Act (GLB) regulates the collection, disclosure, and use of personal /non-public information by banks. Federal Trade Commission (FTC) with guidelines from GLB act as the primary protector of banking privacy. It fines violators of state and federal banking privacy laws and these violations are treated as civil offenses in contradiction to other countries where they are usually considered criminal offenses. Nonetheless, there are too many discrepancies and contradictions in these laws that create loopholes and increase risk.
Cyber attacks cost an average of $18.3 million annually per company in 2019 making the total cost $164.6 million. This was through more than 1,473 cyberattacks over the year. The risk is clear from this data and a change for the better is inevitable.
How Has Unified Data Protection Been Implemented In Other Regions?
The most relevant implementation of Unified Data Protection regulation is in the European Union which is the General Data Protection Regulation(GDPR). It sets the guidelines for the collation and processing of personal data, exclusive for consumers from the EU. GDPR instructs companies to give proper data disclosures to their consumers while not compromising any privacy and protection they are entitled to. For example, timely notification of any personal data breach to the consumer is mandatory while making sure this information can not be misused by any third parties.
GDPR succeeded the first Unified Data Protection initiative in Europe, Data Protection Directive 95/46/EC which was created on 24 October 1995. Major banks in the EU encouraged it because it brought more security and credibility for the financial sector. But with advancing technology it became outdated by the late 2000s forcing the EU to consider a new unified data protection framework for 4 years before sanctioning it on 14 April 2016. GDPR came into complete effect on 25 May 2018.
Even though GDPR is for consumers and companies in Europe it affects international entities too. Any company which uses the personal data of a consumer from the EU must follow the regulations which strictly include overseas companies. A bank from the US will have to reframe their process to comply with the regulation. This is important because international US banks already have to comply with data protection regulations rendering them more preferable for consumers.
Notable privileges prescribed for consumers:
Right to Access
Consumers have the right to access their personal data and information. They should be aware of how this personal data is processed and who all will have access to it. Data must be treated as a resource that belongs to its respective owner, the consumer.
Right to Erasure/Be Forgotten
Consumers or customers have the right to request the erasure of personal data. This can be on any one of a number of grounds prescribed. This has certain regulations provided by GDPR, but it still lets the option to be forgotten open to the customer.
Right to Object and Automated Decisions
This allows a consumer to object to processing personal information for non-service related reasons. This includes marketing or sales. Data controllers must allow a consumer the right to stop controllers from processing their data any time they prefer.
Notable guidelines to companies:
Data Controller and Processor
The processing of data has two entities involved- a data controller and a data processor. A data controller is an entity (person, organization, etc. that establishes the why and the how of processing data). A data processor is an entity that performs the data processing overseen by the controller.
Pseudonymization
Pseudonymisation is a needed process for stored data that transforms personal data. The resulting data is not attributed to a subject without the use of additional information. Examples include encryption, tokenization, etc. This renders the consumer data accessible while keeping it partially anonymous.
Notification
The data controller must notify the supervisory authority without delay, especially in cases of discrepancies and malpractices. In Normal functioning, there is an exception if the breach is unlikely to compromise the rights and freedoms of the consumers.
Data Protection Officer
The companies must appoint a data protection officer to oversee the processes.
Penalties to Companies
Penalties will be charged from companies for not sticking to the regulations. a fine up to €10 million or 2% of the annual turnover of the company is issued This may go as high as the authority deems necessary under a set guideline.
How Will Unified Data Protection Affect The Us Banking Sector?
The US is a considerable volatile environment for financial data privacy. 71% of all data breaches in the country are financially motivated which means that almost every 3 in 4 data breaches in the US is in the financial sector. The FBI reported that the amount lost to financial scammers is nearly $1 billion per year and the primary reason for this is the easy access scammers have to private data. Banks do not commercialize and misuse personal data like IT giants, but they do overuse it at times. There have been instances where financial institutions sold consumer data to third parties. Such practices need to be stopped, or at the least regulated.
In 2018 more than 67% of financial institutions reported increased cyber attacks. It was also noted that these cyber attacks are 300 times more likely to hit the banking sector than others. 65% of the top-ranked 100 banks failed web security testing in 2017. This was reported by Carbon Black; Markets Insider, Independent, and IBS Intelligence.
A Unified Data Protection Regulation will bring more clarity to the industry and other regulatory bodies will get defined guidelines and protocols. Banks will have a better understanding of consumer databases while maintaining privacy. Overall, the Unified Data Protection Regulation will have a major impact on the financial sector. Let’s look at how it will affect the three different tiers of the 5,177 banks and savings institutions in the country.
How Will It Affect State Chartered Banks?
Relatively, state banks will have to adapt more to the new mechanics. This is especially for banks in states with undefined regulations as they will need additional machinery and manpower. They will also have to dive deeper into automation banking and advanced technology, prima facie making this seem cumbersome. But in the long run, this will help the bank dwell in an advancing industry, and more importantly, this will give the consumer immeasurable authority over her personal data. That is the primary objective of Unified Data Protection.
The overall functioning level of state banks will upgrade with an exceptional increase in the standard of services. This includes more user-friendly online services, on-time notifications, and reduced delays.
Study shows 5,400 banks in the U.S. compete to sustain customer satisfaction. They need to attract new deposits. Local banks must exhibit their advantages in the fields of accessibility, customer service, and financial advice. To an extent, this would level the playing field.
How Will It Affect Federally Chartered Banks (National Banks)?
The capital to be spent on implementation for NationalBanks will be high but in the long term, it will help them establish an international standard in banking. It would make it easier for them to attain international bank status and branching out to Europe will be much easier as they will not have too many regulatory novelties from GDPR.
The biggest relief for National Banks is that they do not have to satisfy multiple regulatory bodies. JPMorgan Chase had reported the extra work going into adjusting data privacy regulation depending on each state. This is reduced with the introduction of a federal system.
How Will It Affect International Banks?
Most International Banks operating in the USA have a considerable presence in Europe and many of them are already following GDPR protocols. A similar system in the US would benefit them. As they have the most number of customers they will contribute the most to changing the financial landscape. International data breaches are most likely to occur and data protection at this level will reduce that risk. Even more dangerous aspects like money laundering and terrorist funding can be limited with such steps.
Banks will be aware of consumer information and will process it with better care as they are not allowed to provide data to third parties. This will give privacy to the consumer while maintaining a keen eye for malpractices. This is essential as the international economy is a sandbox for financial scams and regulations will reduce this.
Banks like HSBC and Deutsche Bank will have a more even battleground while competing with other National banks as they are already under the scrutiny of other international bodies of regulation. With a unified regulatory body, all banks will have to stick to the same rules and compete on the same track. This will benefit the consumer with better options and opportunities.
What Are The Boons And Banes That Follow?
Significant advantages of Unified Data Privacy include:
- Improved Cybersecurity- It will directly impact data privacy and security improvements encourage banks to develop better security measures reducing risk.
- Standardization of Data Protection– Its compliance will be assessed by state wise agencies cementing the credibility of each bank as they must stick to the same rule book.
- Sustainable Reputation- The banks will have a better reputation as a single breach can bring down a financial Goliath. Regulations will render safety not just for the customer, but for the bank too.
- Enhanced Trust- It will encourage consumers to genuinely share their data with the bank. They are aware of how safe their data will be handled giving them a sense of satisfaction to be in control.
- Loyal Customers- The trust built fuels the customers’ loyalty making them prefer the services of the banks that provide the best service. Sustained credibility enhances loyalty.
Significant concerns may include:
- Non-Compliance Penalties- Severe penalties are imposed on non-compliant participants because, without strong consequences, compliance will not be effective. Sometimes the magnitude of fines would be overwhelming but this is an avoidable responsibility for the banks. A good example of this is the fines imposed by GDPR for non-compliance. Google was imposed a fine of €50 million for breach of GDPR protocols by the French regulator CNIl.
- The Cost of Compliance- The capital and machinery required for implementation will be considerable for banks. Especially for small banks. Though long term benefits outweigh this, it is still a concern.
- Overregulation- If not properly implemented, it will backfire. Overregulation will add more complications to the banking process as too many formalities will tire the consumer and the bank. A delay in time could also occur due to the extra steps added for regulation. All of this is avoided with apt regulatory sanctions. Nonetheless, it is difficult to define them.
Conclusion
There is no doubt in saying that data has become a resource and companies are selling their customer’s data for profit. In such times it is necessary to keep personal data secure. In this perspective, the banking sector to data is what the judiciary is to governance- something that can never be tainted or compromised.
Banks contain a plethora of sensitive information and strict regulation on this is inevitable and precedent. As we are moving towards a global economy, it is only sensible to unify scattered sectors. The innovators in the financial sector should always keep in mind that all the short term discomforts will breed greater benefits for the industry and consumers.
Unified Data Protection regulations will enhance the safety of the consumers’ data. It will build the trust people are losing in companies and their handling of personal data. But furthermore, the significant aspect is that Unified Data Protection is merely the embracing of the coming. We are accelerating our advancements to the future where there is no doubt it holds multitudes of data resources. We are simply trying to protect that future with such strides.
About Signzy
Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.
Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.
Visit www.signzy.com for more information about us.
You can reach out to our team at reachout@signzy.com
Written By:
Signzy
Written by an insightful Signzian intent on learning and sharing knowledge.