California’s pioneering Consumer Protection and Privacy Act (CCPA), the first comprehensive consumer privacy law passed in the United States, went into force on January 1, 2020 but some of the law’s implications are already emerging.
Similar to the General Data Protection Regulation (GDPR), it has granted consumers the right to know more about how an organisation conducts its privacy practices as well as the right to view, delete and own identifiable information, preventing the company from selling personal data.
Financial insitutions are not exempt from the law. As regulators are focusing on standardisation, banks should assess their data processes and review privacy practices to account for their interaction with regulations like GDPR and CCPA, in addition to the Federal Deposit Insurance Corporation’s Final Rule FDIC 370 and Capture Consent.
Michael Yatsko, senior director of compliance at DocuSign, spoke to Finextra about their recent report ‘4 Regulatory Changes Impacting Data, Identity and the Digital Trail’ and the significance of data and identity in the digital trail of entire transaction journeys.
Privacy vs. identity
Yatsko highlights that “from a regulatory standpoint, there are two overarching factors that will impact data. One is privacy, and privacy regulations are becoming more and more disparate across the globe.
“GDPR is the most well-known of the bunch and it focuses on the data lifecycle and what happens to the data itself. Argentina, South Korea and many other countries have enacted new privacy regulations as well, so while GDPR is the most well-known, it’s not the first, nor is it going to be the last.”
The second factor that impacts data is identity and as Yatsko explains, “identity is playing a larger role in these types of transactions.” He adds that many US regulations refer to a specific technical standard by the National Institute of Standards and Technology called Special Publication 863.
Yatsko says that this standard is “the benchmark on identity proofing for the US government” and it has recently been updated to separate and implement identity proofing from authentication.
“Where they used to combine identity and authentication, they’ve now broken that apart into two separate categories and that has a trickle-down effect on financial institutions that have been relying on that standard.”
The authentication factor
Financial institutions that have been supporting businesses need to understand where data is being collected from the individuals themselves, how that data is protected and who that data is shared with.
“Being able to know where the data is, how to protect it and where it is going outside of the organisation itself is a critical piece to all of this as well. From an identity standpoint, the FIs that are supporting businesses need to provide strong identity proofing of the individuals, either through remote sessions or in person sessions.
“This is known as non-repudiation: knowing that the person is who they say that they are. Identification is a one-time event, but authentication needs to happen at each transaction.
“You only approve a person once, just like you do with your passport, but each time that you go through customs, you have to show that passport as your credential. That’s what authentication is and that’s what individuals need to do when they’re processing data,” Yatsko explains.
Solving the issue of determining what data is missing from disparate systems, Yatsko says that the ‘Recordkeeping for Timely Deposit Insurance Determination,’ otherwise known as FDIC 370, which facilitates payment of insured deposits when a large depository institution fails, or when the value of the bank’s assets falls to below the market value of the bank’s liabilities to depositors, has helped standardise recordkeeping.
“FDIC 370 establishes exactly what the requirements are. If I still need to understand all disparate information systems, I can perform a gap analysis to identity discrepancies against those requirements.”
He goes on to say how if FIs cannot meet the requirements outlined by FDIC 370 or do not communicate well with each other, the process will need to be modernised. This will be explored further in an upcoming article.