By Edel Brophy, Global Regulatory Manager, Fenergo.
Keeping up with compliance regulations across multiple jurisdictions can be tricky for financial institutions. The ratification of California's hugely ambitious state privacy law, the California Consumer Privacy Act (CCPA), is one of the toughest challenges they have faced. With just one month to go, it is therefore concerning that one third (33%) of US banks admit that they are still unprepared for the January 1 deadline. More than four in ten (41%) say they have, at best, only partial knowledge of the law.
The Growing Data Privacy Challenge and Impact on Financial Institutions
With the emergence of CCPA, data privacy is set to become a much more pressing regulatory issue for financial institutions. Since the introduction of the European General Data Protection Regulation (GDPR), financial institutions have been walking a regulatory tightrope in client lifecycle management, trying to strike the right balance between complying with Anti-Money Laundering (AML)/Know Your Customer (KYC) rules, a multitude of other regulations (e.g. OTC reform, tax and investor protection) and new data privacy rules. Larger financial institutions with a presence in Europe already have good privacy foundations. However, for US financial institutions that have not had to comply with GDPR, CCPA brings new requirements they have not come up against before.
When a financial institution onboards a new customer, the customer must undergo Anti-Money Laundering (AML), Know Your Customer (KYC) and other regulatory compliance checks. These involve collecting a vast array of data and documents to validate that the person or entity is who they say they are and poses no significant risk to the financial institution.
However, it is this very collection and processing of customer data and documents that conflicts with the need to comply with data protection rules. Financial institutions implementing data privacy rules will need to ensure that their onboarding processes cover compliance with both AML/KYC regulations and data privacy rules. By taking a strong, synergistic and automated approach to regulatory and data protection compliance, institutions can re-use the same processes for other requirements. The biggest operational hurdle is expected to be client consent and outreach.
GDPR vs. CCPA
The CCPA differs from the GDPR in some significant ways, particularly with regard to the scope of application, the nature and extent of collection limitations, and rules concerning accountability. For example, GDPR imposes obligations relating to the appointment of Data Protection Officers, the maintenance of a register of processing activities, and the need for Data Protection Impact Assessments in specified circumstances. CCPA, by contrast, does not specifically focus on accountability-related obligations, although some such provisions do exist, such as the obligation for companies to train the staff who handle requests from consumers.
It is also noteworthy that the core legal framework of the CCPA is quite different from that of the GDPR. A fundamental principle of the GDPR is the requirement to have a “legal basis” for all processing of personal data. That is not the case for the CCPA. Moreover, the CCPA excludes some categories of personal information from its scope altogether, such as medical data, which is covered by other U.S. laws including the Health Insurance Portability and Accountability Act (HIPAA), as well as personal information processed by credit reporting agencies.
The CCPA also focuses on transparency obligations and on provisions that limit the selling of personal information, requiring businesses to include a “Do Not Sell My Personal Information” link on their homepage. In addition, the CCPA includes specific provisions on data transferred as a consequence of mergers and acquisitions, giving consumers the right to opt out if the “third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection.”
With time running out before the CCPA deadline, here are some best practices to help financial institutions get up to speed with the new regulation.
- Determine which privacy regimes affect the organization – it might be broader than just CCPA. Ensure controls and solutions align with all these different regimes to prevent a lot of unnecessary admin and amendments at a later stage.
- Take the GDPR mantra “privacy by design and by default” to heart. This will ensure that new processes are developed with applicable privacy requirements in mind from the outset.
- Take control of data flows — Understand where and to whom data is transferred and stored. CCPA has strict rules on disclosure of personal information to third parties. This information needs to be disclosed to consumers who in turn can object to such transfers. By compiling and maintaining a register or mapping of data flows, organizations can stay on top of their obligations. This would also be incredibly helpful in the event of an erasure request.
- Be as transparent as possible with consumers at every possible opportunity. Privacy statements in layman’s terms will ensure data subjects are fully informed about the use of their information.
- Automate the data protection compliance process with a rules-driven technology solution that is integrated with third party entity data and aligned with current compliance processes and obligations. This gives financial institutions a 360-degree view of all clients/counterparties. It will not only help with CCPA and GDPR requirements but will also support other regulatory client outreach programs for existing and new obligations.
What valuable lessons did we learn from GDPR that will help with CCPA implementation?
Financial institutions need to make sure to map everything: what data is held, where, how and why, and to whom data is shared and where it is stored. This creates a solid foundation upon which a compliance program can be built. Organizations also need to be prepared to respond to access requests quickly. Many organizations were left scrambling after GDPR came into effect and the requests started rolling in. It is also important that the organization has a good system for carefully tracking opt-out information. Finally, financial institutions need to ensure privacy notices are carefully written and include everything required by law. Banks have a lot to gain by getting CCPA compliance right and a lot to lose if they don’t! They simply can’t afford to be unprepared for the January 2020 deadline.
It is going to be difficult to evaluate the impact of CCPA until it goes into effect and larger companies reveal what their approaches are going to be. As 2020 draws closer, many states, including MA, MN, PA, NJ and NY, are considering their own privacy laws. We would not be surprised to see the US pass a federal privacy law in the future.