One of the main concerns for fintechs is that they may be victims of data breaches, putting their businesses and customers at serious personal and financial risk. Another possibility is that they will be used as tools in the perpetration of criminal activities such as money laundering and terrorist financing.
For these reasons, financial institutions should aim to comply with relevant regulations and authorities. The focus should not only be on global data protection best practices but also on international anti-money laundering (AML) regulations. Both of these need a deep understanding of the rules that apply, as well as, in some cases, active cooperation between fintechs and other regulatory bodies.
Even though regulations vary from country to country and region to region, financial institutions shouldn't just focus on the laws in their own area. There are international standards that not only give credibility to the institutions that need it but also make it easy to do business and handle money across borders.
Why does data privacy matter?
Since there is a heavy dependence on the Internet and online business, privacy has become a necessity. Countries have put in place laws that limit how organizations can collect, use, and store the personal information of people. The way privacy laws are created and enacted is impacted by the fact that the internet and everything associated with it are, by their very nature, limitless. There are laws that have some features of international privacy law, such as the fact that they may apply outside of their country of origin. However, there is no international privacy law that applies everywhere.
What international data privacy laws exist?
On a global scale, there is no legal authority dealing with individual privacy. Instead, there are territorial privacy regulations that apply only to specific countries or regions. These laws set out the conditions under which organizations may lawfully collect, use, and store the personal information of legal persons.
Some of the most well-known data privacy laws are the Personal Information Protection and Electronic Documents Act of Canada (PIPEDA), the EU General Data Protection Regulation (GDPR), the EU ePrivacy Directive, the California Consumer Privacy Act (CCPA), and the California Online Privacy Protection Act (CalOPPA).
As a general rule, these laws only apply in the places where they were established. Some data privacy laws, however, contain provisions that extend their reach beyond the country's borders ("extraterritoriality"). The GDPR is one example: a data controller or processor does not have to be established in the EU for it to apply, since even an organization based outside the EU must follow the GDPR if it offers goods or services to people in the EU or monitors their online behavior.
Compliance with international privacy laws
As mentioned above, there is no single legal instrument applicable internationally. However, a business operating on a global scale may well be subject to more than one data privacy law. For example, an e-commerce store based in Canada that sells goods or services to people in the EU and Brazil must comply with the GDPR and LGPD because of the extraterritorial provisions in these laws. Because the company is based in Canada, it will also be subject to PIPEDA. Furthermore, if the same e-commerce company provides services to California residents and, for example, handles the personal data of more than 50,000 California residents, it must consider CCPA compliance.
As the preceding example shows, organizations conducting business globally will almost certainly be required to comply with the privacy regulations applicable in each of the areas where they do business.
Who enforces global data privacy laws?
There is no single authority that enforces privacy laws worldwide. Instead, the authority tasked with enforcing a given data privacy law in a given territory is the main enforcing authority for that law. This means that a supervisory authority in a particular territory can only enforce the privacy law applicable in that territory, subject to certain exceptions such as the extraterritorial application of data privacy laws.
The supervisory authority enforcing data privacy law in a particular jurisdiction has tools such as carrying out inspections, requiring organizations to demonstrate their compliance with a particular privacy law, and imposing fines and other penalties.
Mutual cooperation between supervisory authorities in different countries may be possible in order to improve the protection of individual privacy. This kind of cooperation would allow privacy violations that take place across borders to be brought to justice (e.g., where the data subject is in one country and the organization holding their data, which is breached as a result of poor security measures, is in another country).
What is GDPR?
The General Data Protection Regulation (GDPR) is an EU-wide data privacy law that intends to strengthen individuals' fundamental rights to personal information and privacy in the digital age.
Even though the GDPR is an EU regulation in effect in Europe, it has far-reaching effects. Its scope extends outside the EU, and businesses providing goods or services to EU nationals, or monitoring their online behavior, must comply with it regardless of location.
GDPR gives data subjects a number of rights, such as the right to access data, the right to erasure (also called the "right to be forgotten"), the right to data rectification, the right not to be subject to automated decision-making, and so on. These rights provide data subjects with more control over their personal data and how organizations utilize it.
GDPR imposes severe fines for noncompliance. The regulation specifies a two-tiered penalty scheme: for less serious infractions, the administrative fine is up to 2% of worldwide annual revenue or 10 million euros, whichever is greater, and for more serious violations, the administrative fine is up to 4% of worldwide annual revenue or 20 million euros, whichever is greater.
What is CCPA?
The California Consumer Privacy Act (CCPA) is a state-wide legislative act in the United States that governs how businesses all over the world are permitted to handle the personal information of California citizens.
Unlike GDPR, the CCPA applies exclusively to for-profit organizations. A company that does business in California and gathers personal information from at least one California citizen falls under the CCPA if it meets at least one of the following conditions:
The business (i) makes more than $25 million in gross sales every year, (ii) handles personal information about at least 50,000 Californians, households, or devices every year, or (iii) makes more than half of its annual sales from selling personal information.
What is PCI DSS?
Payment Card Industry Data Security Standard (PCI DSS) compliance is focused on the ability of your business to handle secure credit card transactions. This set of security rules was put in place in 2004 to prevent credit card fraud and data theft as much as possible.
Financial institutions must put in place a number of best practices, such as data encryption, firewalls, and strong anti-virus protection, in order to be PCI DSS compliant. Being PCI-compliant shows customers that a business is safe to trust with sensitive data and personal financial information.
If a business doesn't follow the rules, it could lose the ability to accept credit card payments on its sites. Investing in PCI DSS compliance is highly recommended.
What is SOC 2?
System and Organization Controls 2 (SOC 2) compliance is part of the American Institute of CPAs' Service Organization Control reporting platform. Its intent is to ensure the safety and privacy of customers' data. To that end, it lays out five trust service principles: security, availability, processing integrity, confidentiality, and privacy of customer data.
SOC 2 is not a prescriptive list of controls, tools, or processes. Instead, it lists the criteria that must be met to keep information security strong. This lets each company choose the practices and processes that work best for their own goals and operations.
SOC 2 applies to any technology service provider or SaaS company that handles or stores customer data. Third-party vendors, other partners, or support organizations that these companies work with should also be SOC 2-compliant to make sure that their data systems and safety measures are always reliable.
What is SOX?
The Sarbanes-Oxley Act of 2002 (SOX) was passed by the United States Congress to protect the public from fraudulent or erroneous practices by corporations or other business entities.
The goal of the law was to make financial reporting clear and formalize internal control systems. It added and changed requirements for all U.S. public company boards, management, and public accounting firms. In addition, penalties for fraudulent activity are much more severe.
Meeting SOX compliance requirements is not only a legal obligation but also good business practice.
All organizations should behave ethically and limit access to financial data. SOX compliance also has the added benefit of helping organizations keep sensitive data safe from insider threats, cyberattacks, and security breaches.
The data security framework of SOX compliance can be summarized by four primary pillars:
- Ensure financial data security
- Prevent malicious tampering of financial data
- Track data breach attempts and remediation efforts
- Keep event logs readily available for auditors
In conclusion
Knowing the relevant laws is not enough. Financial institutions must also make sure that their systems are always updated to reflect any changes to the rules.
Even though the goal is to make systems airtight, attackers and others looking to take advantage of any holes in those systems are constantly trying to break into financial institutions. Therefore, every fintech and startup must develop a strong incident response plan so that, in the case of a lapse or breach, it is well prepared to respond adequately.
This is why at Flagright, we always invest in our security infrastructure and periodically review our measures in order to ensure compliance with international data protection and AML regulations. Flagright is SOC 2, GDPR, and CCPA compliant. This is to ensure that your data is always safe with us.
Contact us to schedule a free demo here.