The leading knowledge platform for the financial technology industry

US Banks Unprepared for California Consumer Privacy Act – What Can They Do?

By Edel Brophy, Global Regulatory Manager, Fenergo.

Keeping up with compliance regulations across multiple jurisdictions can be tricky for financial institutions, and the hugely ambitious California Consumer Privacy Act (CCPA), now ratified as state law, is one of the toughest challenges they have faced. With just one month to go, it is therefore concerning that one third (33%) of US banks admit that they are still unprepared for the January 1 deadline, and more than four in ten (41%) say they have no knowledge, or only partial knowledge, of the law.

The Growing Data Privacy Challenge and Impact on Financial Institutions

With the emergence of CCPA, data privacy is set to become a much more pressing regulatory issue for financial institutions. Since the introduction of the European General Data Protection Regulation (GDPR), financial institutions have been walking a regulatory tightrope in client lifecycle management, trying to strike the right balance between Anti-Money Laundering (AML)/Know Your Customer (KYC) obligations, a multitude of other regulations (e.g. OTC Reform, Tax and Investor Protection) and the new data privacy rules. Larger financial institutions with a presence in Europe already have good privacy foundations. US financial institutions that have not had to comply with GDPR, however, face requirements under CCPA that they have not come up against before.

When a financial institution onboards a new customer, that customer must undergo Anti-Money Laundering (AML), Know Your Customer (KYC) and other regulatory compliance checks. These involve collecting a vast array of data and documents to validate that the person or entity is who they say they are and poses no significant risk to the financial institution.

However, it is this very collection and processing of customer data and documents that conflicts with the need to comply with data protection rules. Financial institutions implementing data privacy rules will need to ensure that their onboarding processes cover compliance with both AML/KYC regulations and data privacy rules. By taking a strong, synergistic approach to regulatory and data protection compliance through automation, the same processes can be re-used for other requirements. The biggest operational hurdle is expected to be client consent and outreach.

GDPR vs. CCPA

The CCPA differs from the GDPR in some significant ways, particularly with regard to the scope of application; the nature and extent of collection limitations; and rules concerning accountability. For example, GDPR provides for obligations in relation to the appointment of Data Protection Officers, the maintenance of a register of processing activities, and the need for Data Protection Impact Assessments in specified circumstances. On the other hand, CCPA does not specifically focus on accountability-related obligations, even though such provisions exist, such as the obligation for companies to train their staff that deal with requests from consumers.

It is also noteworthy that the core legal framework of the CCPA is quite different from that of the GDPR. A fundamental principle of the GDPR is the requirement to have a “legal basis” for all processing of personal data; that is not the case for the CCPA. Moreover, the CCPA excludes some categories of personal information from its scope altogether, such as medical data, which is covered by other U.S. laws including the Health Insurance Portability and Accountability Act (HIPAA), and personal information processed by credit reporting agencies.

The CCPA also focuses on transparency obligations and on provisions that limit the selling of personal information, requiring businesses to include a “Do Not Sell My Personal Information” link on their homepage. In addition, the CCPA includes specific provisions on data transferred as a consequence of mergers and acquisitions, giving consumers the right to opt out if the “third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection.”

With time running out before the CCPA deadline, here are some best practices to help financial institutions get up to speed with the new regulation.

  • Determine which privacy regimes affect the organization – it might be broader than just CCPA. Ensure controls and solutions align with all these different regimes to prevent a lot of unnecessary admin and amendments at a later stage.
  • Take the GDPR mantra “privacy by design and by default” to heart. This will ensure that new processes are developed with applicable privacy requirements in mind from the outset.
  • Take control of data flows – understand where and to whom data is transferred and stored. CCPA has strict rules on disclosure of personal information to third parties. This information needs to be disclosed to consumers, who in turn can object to such transfers. By compiling and maintaining a register or mapping of data flows, organizations can stay on top of their obligations. This would also be incredibly helpful in the event of an erasure request.
  • Be as transparent as possible with consumers at every possible opportunity. Privacy statements in layman’s terms will ensure data subjects are fully informed about the use of their information.
  • Automate the data protection compliance process with a rules-driven technology solution integrated with third party entity data and aligned with current compliance processes and obligations. This way financial institutions have a 360-degree view of all clients/counterparties. This will not only help with CCPA and GDPR requirements but will also support other regulatory client outreach programs for existing and new obligations.

What valuable lessons did we learn from GDPR that will help with CCPA implementation? Financial institutions need to make sure to map everything: what data is held, where, how and why, and to whom data is shared and where it is stored. This creates a solid foundation upon which a compliance program can be built. Organizations also need to be prepared to respond to access requests quickly; many were left scrambling after GDPR came into effect and the requests started rolling in. It is also important that the organization has a good system for carefully tracking opt-out information. Finally, financial institutions need to ensure privacy notices are carefully written and include everything required by law. Banks have a lot to gain by getting CCPA compliance right and a lot to lose if they don’t! They simply can’t afford to be unprepared for the January 2020 deadline.

It is going to be difficult to evaluate the impact of CCPA until it goes into effect and larger companies announce their approaches. As 2020 draws closer, many states are considering their own privacy laws, including MA, MN, PA, NJ and NY. We would not be surprised to see the US pass a federal privacy law in the future.
