The leading knowledge platform for the financial technology industry

A-Team Insight Blogs

US Banks Unprepared for California Consumer Privacy Act – What Can They Do?

By Edel Brophy, Global Regulatory Manager, Fenergo.

Keeping up with compliance regulations across multiple jurisdictions is tricky for financial institutions, and the hugely ambitious California Consumer Privacy Act (CCPA), a state law, is one of the toughest challenges they have faced. With just one month to go before the January 1 deadline, it is concerning that one third (33%) of US banks admit they are still unprepared. More than four in ten (41%) say they have no knowledge, or only partial knowledge, of the law.

The Growing Data Privacy Challenge and Impact on Financial Institutions

With the emergence of the CCPA, data privacy is set to become a much more pressing regulatory issue for financial institutions. Since the introduction of the European General Data Protection Regulation (GDPR), financial institutions have been walking a regulatory tightrope in client lifecycle management, trying to strike the right balance between complying with Anti-Money Laundering (AML) and Know Your Customer (KYC) rules, a multitude of other regulations (e.g. OTC reform, tax and investor protection) and new data privacy rules. Larger financial institutions with a presence in Europe already have good privacy foundations. US financial institutions that have not had to comply with the GDPR, however, face requirements under the CCPA that they have not come up against before.

When a financial institution onboards a new customer, that customer must undergo AML, KYC and other regulatory compliance checks. These involve collecting a vast array of data and documents to validate that the person or entity is who they say they are and poses no significant risk to the institution.

However, it is this very collection and processing of customer data and documents that conflicts with the need to comply with data protection rules. Financial institutions implementing data privacy rules will need to ensure that their onboarding processes satisfy both AML/KYC regulations and data privacy rules. By taking a synergistic approach to regulatory and data protection compliance through automation, the same processes can be re-used for other requirements. The biggest operational hurdle is expected to be client consent and outreach.

GDPR vs. CCPA

The CCPA differs from the GDPR in some significant ways, particularly in its scope of application, the nature and extent of its collection limitations, and its rules on accountability. For example, the GDPR imposes obligations to appoint Data Protection Officers, to maintain a register of processing activities, and to carry out Data Protection Impact Assessments in specified circumstances. The CCPA, by contrast, does not focus on accountability obligations, although some such provisions exist, such as the requirement that businesses train the staff who handle requests from consumers.

The core legal framework of the CCPA is also quite different from that of the GDPR. A fundamental principle of the GDPR is that there must be a “legal basis” for all processing of personal data; the CCPA has no such requirement. Moreover, the CCPA excludes some categories of personal information from its scope altogether, such as medical data, which is covered by other US laws including the Health Insurance Portability and Accountability Act (HIPAA), and personal information processed by credit reporting agencies.

Instead, the CCPA focuses on transparency obligations and on provisions that limit the selling of personal information, requiring businesses to include a “Do Not Sell My Personal Information” link on their homepage. The CCPA also includes specific provisions on data transferred as a consequence of mergers and acquisitions, giving consumers the right to opt out if the “third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection.”

With time running out before the CCPA deadline, here are some best practices to help financial institutions get up to speed with the new regulation.

  • Determine which privacy regimes affect the organization – it might be broader than just CCPA. Ensure controls and solutions align with all these different regimes to prevent a lot of unnecessary admin and amendments at a later stage.
  • Take the GDPR mantra “privacy by design and by default” to heart. This will ensure that new processes are developed with applicable privacy requirements in mind from the outset.
  • Take control of data flows. Understand where and to whom data is transferred and where it is stored. The CCPA has strict rules on disclosure of personal information to third parties: this information must be disclosed to consumers, who in turn can object to such transfers. By compiling and maintaining a register or mapping of data flows, organizations can stay on top of these obligations. Such a register is also incredibly helpful in the event of an erasure request.
  • Be as transparent as possible with consumers at every opportunity. Privacy statements in layman’s terms ensure data subjects are fully informed about the use of their information.

  • Automate the data protection compliance process with a rules-driven technology solution that is integrated with third-party entity data and aligned with current compliance processes and obligations. This gives financial institutions a 360-degree view of all clients and counterparties, and supports not only CCPA and GDPR requirements but also other regulatory client outreach programs for existing and new obligations.

What valuable lessons did we learn from the GDPR that will help with CCPA implementation? Financial institutions need to map everything: what data is held, where, how and why, and to whom it is shared and where it is stored. This creates a solid foundation upon which a compliance program can be built. Organizations also need to be prepared to respond to access requests quickly; many were left scrambling after the GDPR came into effect and the requests started rolling in. It is also important to have a good system for tracking opt-out information carefully. Finally, financial institutions need to ensure privacy notices are carefully written and include everything required by law. Banks have a lot to gain by getting CCPA compliance right and a lot to lose if they don’t. They simply cannot afford to be unprepared for the January 2020 deadline.

It will be difficult to evaluate the impact of the CCPA until it goes into effect and larger companies reveal their approaches. As 2020 draws closer, many states, including Massachusetts, Minnesota, Pennsylvania, New Jersey and New York, are considering their own privacy laws. We would not be surprised to see the US pass a federal privacy law in the future.
