Financial services compliance requirements exist for a reason: the finance sector is among the most targeted verticals for cyberattacks. These regulations are a way to ensure organizations maintain a minimum standard of protection.
However, there is one thing you must understand — being compliant does not mean you’re secure.
According to Verizon’s 2023 Data Breach Investigations Report, 5,199 confirmed data breaches were recorded in the period the report covers. The aftermath of a cyberattack is always unpleasant, but for financial institutions it is especially difficult: not only do they lose customer trust, the fines and penalties for non-compliance are severe.
Compliance regulations, again, are a minimum standard of protection, which is why meeting them is commonly referred to as checkbox compliance. They do not by themselves deliver the level of security needed to protect an organization before and after a breach. You can be compliant but not secure; if you are secure, however, you will most often also be compliant.
In this blog, we’ll go through several financial services compliance requirements, then provide additional information on how to go beyond the minimum with cybersecurity.
What Is Financial Services Compliance?
Simply put, financial services compliance is a set of rules the finance sector must follow. Often, these rules are enacted to protect clients, including investors, shareholders, and banking customers.
Targeting financial institutions and fintech firms, financial regulations primarily look at how private and sensitive information is managed to protect customer and client data from data breaches.
[Related Reading: Addressing Fintech Security Concerns and Compliance Regulations]
Financial Data Security Regulations
Following are some important financial services compliance requirements organizations should follow:
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a comprehensive European Union regulation governing how personal data is collected, processed, and stored across EU Member States, online and off. A primary goal of GDPR is to give individuals more control over their personal data. From a business perspective, it aims to standardize the way personal data is managed between EU Member States.
If you live outside of the EU, you might question GDPR’s relevance. GDPR applies not only to organizations established in the EU but also to any organization, wherever it is based, that offers goods or services to people in the EU or monitors their behavior, so many of the organizations you interact with every day are affected. For this reason, many global companies choose to apply GDPR compliance policies across their entire organization rather than run separate regimes and create unnecessary challenges.
GDPR lays out seven protection and accountability principles:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
GDPR is one of the EU’s most comprehensive pieces of legislation. Ultimately, the regulation’s goal is to protect personal data and harmonize data protection rules in a growing digital economy. Its key points include:
- Clearly defining personal data, such as ID numbers, health records, employment information such as CVs and human resource records, video and audio recordings, customer information, biometrics, cookie IDs and IP addresses
- Personal data collected must be relevant, collected for specific and legitimate purposes, and retained only as long as needed.
- Personal data must be accurate and kept up to date.
- Companies should process personal data transparently and in a manner that protects a person’s privacy.
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements, maintained by the PCI Security Standards Council and enforced contractually through the card brands, designed to safeguard credit and debit card account data.
The standard applies to every organization that stores, processes, or transmits cardholder data, including:
- Merchants
- Service providers
- Financial institutions
- Developers and vendors of payment processing solutions, services, and products
It groups its twelve requirements under six control objectives:
- Building and maintaining a secure network and systems
- Protecting cardholder data
- Maintaining a vulnerability management program
- Implementing strong access control measures
- Regularly monitoring and testing networks
- Maintaining an information security policy
The twelve requirements themselves are:
- Installing and maintaining a firewall configuration that protects cardholder data
- Replacing vendor-supplied defaults for system passwords and other security parameters with unique values
- Protecting stored cardholder data (through encryption, truncation, masking, or hashing of the PAN) and routinely scanning systems for cardholder data stored outside approved, protected locations
- Encrypting cardholder data in transit across open, public networks, and never sending unprotected PANs over end-user messaging such as email or chat
- Deploying anti-malware software and keeping it updated
- Developing and maintaining secure systems and applications, including timely patching
- Restricting access to cardholder data to those with a business need to know
- Assigning a unique ID to every person with computer access to cardholder data
- Restricting physical access to cardholder data, including securely storing any physical copies
- Logging and monitoring all access to network resources and cardholder data: who accessed it, when, and how often
- Regularly testing security systems and processes, including vulnerability scans and penetration tests
- Maintaining a policy that addresses information security for all personnel, including employees and contractors
What are the minimum firewall requirements?
PCI DSS requires every organization that processes cardholder data to install and maintain a firewall configuration that blocks unauthorized network traffic. The standard also lays out how that firewall is to be implemented and managed, including:
- Changing the firewall’s default credentials to unique, strong ones
- Allowing access to payment systems only where there is a business need
- Denying all traffic that is not explicitly permitted (default deny)
- Documenting a business justification for every permitted service, port, and protocol, reviewing the rule set at least every six months, and removing any insecure connections found
On top of that, the firewall itself must be kept patched and up to date to protect customers against the ever-changing threat landscape.
The PCI DSS defines these guidelines as the minimum firewall requirements for providing a satisfactory barrier against unwanted traffic.
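The review obligations above (a documented justification for every permitted flow, a default deny, and a review at least every six months) are simple to state and tedious to carry out by hand on a rule set with hundreds of entries, so teams script them. The following is an added example, not code from the original post or from any firewall vendor: it reads a small constructed rule set in a simplified CSV form (not a real export format) and flags the entries an assessor would ask about. The cardholder data environment subnet, the 183-day review window, and the fixed review date are assumptions for the example.

```python
"""Review a firewall rule set against PCI DSS requirement 1 expectations.

Added example for this post, not code from the original article or from any
firewall vendor.  The rule set is constructed in a simplified CSV form (not a
vendor export); the CDE subnet and review window are assumptions.
"""
import csv
import io
import ipaddress
from datetime import date

# Assumed cardholder data environment (CDE) address space.
CDE_SUBNETS = [ipaddress.ip_network("10.30.0.0/16")]

# PCI DSS expects rule-set reviews at least every six months.
MAX_REVIEW_AGE_DAYS = 183

# Fixed review date so the sample run is reproducible.
AS_OF = date(2024, 3, 1)

ANY = ("any", "0.0.0.0/0")

# Constructed rule set.  Rule 30 is the kind of entry that fails an assessment:
# internet to the payment database on every port, no justification, stale review.
RULESET_CSV = """\
id,action,src,dst,dport,proto,justification,last_reviewed
10,allow,0.0.0.0/0,10.20.0.10,443,tcp,Public checkout page (DMZ web tier),2024-01-15
20,allow,10.20.0.10,10.30.0.5,5432,tcp,Web tier to payment database,2024-01-15
30,allow,0.0.0.0/0,10.30.0.5,any,any,,2022-11-02
40,allow,10.40.0.0/24,10.30.0.5,22,tcp,Admin SSH from jump-host subnet,2023-05-30
50,deny,any,any,any,any,Default deny,2024-01-15
"""


def parse_rules(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def in_cde(addr: str) -> bool:
    """True if the address or prefix lies inside the CDE."""
    if addr in ANY:
        return False
    net = ipaddress.ip_network(addr, strict=False)
    return any(net.subnet_of(cde) for cde in CDE_SUBNETS)


def review(rules: list[dict], today: date) -> list[tuple[str, str]]:
    """Return (rule id, finding) pairs an assessor would raise."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        if not r["justification"].strip():
            findings.append((r["id"], "no documented business justification"))
        if r["dport"] == "any" and r["proto"] == "any":
            findings.append((r["id"], "permits every service; restrict to required ports/protocols"))
        if r["src"] in ANY and in_cde(r["dst"]):
            findings.append((r["id"], "direct inbound access from untrusted networks to the CDE"))
        age = (today - date.fromisoformat(r["last_reviewed"])).days
        if age > MAX_REVIEW_AGE_DAYS:
            findings.append((r["id"], f"last reviewed {age} days ago (limit {MAX_REVIEW_AGE_DAYS})"))
    # The rule set must end in an explicit deny-all, not rely on an implicit default.
    last = rules[-1]
    if not (last["action"] == "deny" and last["src"] in ANY and last["dst"] in ANY):
        findings.append((last["id"], "rule set does not end with an explicit deny-all"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in review(parse_rules(RULESET_CSV), AS_OF):
        print(f"rule {rule_id}: {finding}")
```

On the sample, rule 30 collects four findings, rule 40 is flagged only for its stale review, and rules 10 and 20 pass. Feeding the script a real export means writing a small adapter from the vendor's format to these columns; the checks themselves do not change.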
Deploying an intrusion detection system (IDS)
PCI DSS requirement 11.4 (renumbered 11.5.1 in PCI DSS v4.0) requires every entity in scope, not only financial institutions, to use intrusion-detection and/or intrusion-prevention techniques to detect or prevent intrusions into the network, monitoring all traffic at the perimeter of the cardholder data environment (CDE) and at critical points inside it. This works in conjunction with the firewall that blocks unwanted traffic.
Your firewall’s job is to keep unauthorized parties from reaching your data from the outside. The IDS is the second line of defense: it monitors traffic that makes it past the firewall for suspicious activity so threats can be detected and dealt with quickly. Note that an IDS only alerts; if you want malicious traffic blocked automatically, deploy the sensor inline as an intrusion prevention system (IPS).
Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act of 2002 is a U.S. law passed in the wake of the WorldCom, Enron, and Tyco scandals. Meant to crack down on corporate fraud, SOX primarily focuses on how public companies record and disclose financial information.
While most of the act doesn’t concern cybersecurity, one part does: Section 404, Management Assessment of Internal Controls, requires management to assess, and an external auditor to attest to, the effectiveness of internal controls over financial reporting, which in practice means having measures that protect the integrity and availability of financial data. Then there’s Section 302, which stipulates that a company’s CEO and CFO must personally certify the accuracy of the organization’s financial reports and the effectiveness of its internal controls.
Protecting the integrity of corporate financial data
Essentially, SOX requires public companies to protect their financial data from tampering. For cybersecurity, this means implementing safeguards that keep financial data, and the systems that produce it, protected. These safeguards can include:
- Logical and physical access controls
- A disaster recovery plan that involves routine backups and business continuity planning
- A change management system that only allows authorized personnel to make changes and documents any changes made
In a SOX audit, an IT department can demonstrate compliance by showing the organization:
- Conducts routine backups of financial data and has tested restoring them
- Has implemented comprehensive, regularly reviewed access controls for financial data
- Restricts and records changes to the systems involved in financial reporting
Gramm-Leach-Bliley Act (GLBA)
GLBA was enacted in the United States in 1999. It sets out financial data security and privacy standards and directs the Federal Trade Commission (FTC) and the other financial regulators to govern how private financial information is shared and protected. Under GLBA, financial institutions are required to:
- Inform customers of their data-sharing practices
- Educate customers on their right to opt-out of having their data shared with third parties
GLBA defines financial institutions as any organization “significantly engaged” in financial activities. This includes companies that:
- Offer lending, check cashing, and wire transfer services
- Broker and/or service loans
- Provide services like financial planning, accounting, investment advisement, tax preparation, and credit counseling
- Collect debts
- Offer real estate settlement services
The list above isn’t exhaustive. For a comprehensive list of companies bound to the GLBA’s financial services compliance requirements, read section 4(k) of the Bank Holding Company Act.
Type of data to protect
GLBA requires financial institutions to protect the security and confidentiality of customer data defined as “nonpublic personal information” (NPI). This data includes:
- Social Security numbers
- Information given by customers to receive a financial product or service. This includes names, addresses, and even income information.
- All information about a customer related to transactions between the financial institution and customer. This includes payment histories, account numbers, deposit balances, and credit and debit purchases.
- Information received about a customer in connection with offering a financial product or service. Examples include information from a consumer report or court record.
GLBA doesn’t protect personal information lawfully made available to the public. This includes publicly available government records and anything available for public access.
Security policies and processes
GLBA’s primary focus is to protect customer data. From a security standpoint, becoming GLBA compliant requires companies to implement measures to safeguard all customer data in their possession. These measures can include, but aren’t limited to:
- Designating a qualified individual to coordinate your information security program
- Implementing safeguards to keep customer data protected, and regularly testing those safeguards
- Tracking and recording network activity, including all attempts to access protected customer data
The FTC’s amended Safeguards Rule spells several of these out explicitly: a written risk assessment, multifactor authentication for anyone accessing customer information, encryption of customer information in transit and at rest, a written incident response plan, and at least annual reporting to the board.
GLBA also requires companies to be transparent about their security policy. To do this, organizations must provide an accurate description of their ongoing security practices and policies in their privacy notice.
Payment Services Directive (PSD2)
PSD2 is an EU directive regulating payment services and their providers. It applies to businesses in both the EU and the wider European Economic Area (EEA).
PSD2 affects the payment industry in two major ways:
- It requires stronger security for electronic payments and online account access, chiefly through strong customer authentication (SCA).
- Banks and other account-holding institutions must give licensed third-party providers access to customer account data and payment initiation, provided the customer has given consent.
PSD2 is also meant to bridge the gap between fintech firms, banks, and other payment service providers. In practice this requires banks to expose APIs for sharing account information with, and accepting payment initiation from, third-party providers.
Updated security requirements
Full IT compliance for financial institutions requires meeting PSD2 security requirements.
Payment service providers must apply strong customer authentication (SCA) whenever a payer accesses a payment account online, initiates an electronic payment, or carries out any remote action that may imply a risk of fraud, unless one of the exemptions in the regulatory technical standards applies (low-value transactions, recurring payments to the same payee, and transaction risk analysis, among others). SCA means authenticating with at least two of the following three categories of element:
- Knowledge: something only the customer knows, such as a password, passcode, or personal identification number
- Possession: something only the customer has, such as a registered mobile phone, smartcard, or hardware token
- Inherence: something the customer is, such as a fingerprint or facial recognition
The chosen elements must be mutually independent: a breach of one must not compromise the reliability of the others. For remote electronic payments the authentication code must also be dynamically linked to the specific amount and payee, so that a code captured by an attacker cannot be replayed against a different transaction.
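The two rules above (two distinct categories, and independence of the elements) are worth encoding as a check, because the common failure is not a missing second factor but two factors that fall together when one device is compromised, for instance a banking app passcode and a one-time code generated by the same app on the same phone. The following is an added example, not code from the original post or from any regulator or payment service provider. Its independence test is a simplified model of the "mutually independent" requirement, not the text of the regulatory technical standards, and the scenarios are constructed.

```python
"""Check an authentication attempt against the PSD2 strong customer
authentication (SCA) rule: at least two elements from different
categories, mutually independent.

Added example for this post, not code from the original article or from
any regulator or payment service provider.  The independence test is a
simplified model of the "mutually independent" requirement, not the text
of the regulatory technical standards; the scenarios are constructed.
"""
from dataclasses import dataclass

CATEGORIES = {"knowledge", "possession", "inherence"}


@dataclass(frozen=True)
class Element:
    name: str
    category: str           # knowledge | possession | inherence
    device: str             # the device that captures or holds the element
    isolated: bool = False  # held in a separated secure execution environment
                            # (smartcard chip, secure element, TEE)


def sca_check(elements: list[Element]) -> tuple[bool, list[str]]:
    """Return (passes, reasons).  Passes only when at least two distinct
    categories are present and no two elements fall together if one
    device's general-purpose software is compromised."""
    reasons = []
    for e in elements:
        if e.category not in CATEGORIES:
            reasons.append(f"{e.name}: unknown category {e.category!r}")
    present = {e.category for e in elements}
    if len(present) < 2:
        reasons.append("fewer than two categories present: "
                       + (", ".join(sorted(present)) or "none"))
    # Simplified independence rule: two elements of different categories that
    # are both handled by the same multi-purpose device count as independent
    # only if at least one of them lives in an isolated environment.
    for i, a in enumerate(elements):
        for b in elements[i + 1:]:
            if (a.category != b.category and a.device == b.device
                    and not (a.isolated or b.isolated)):
                reasons.append(f"{a.name} and {b.name} both depend on {a.device!r} "
                               "with no isolation between them")
    return (not reasons, reasons)


# Constructed scenarios.
SCENARIOS = {
    "password + security question": [
        Element("password", "knowledge", "laptop"),
        Element("security question", "knowledge", "laptop"),
    ],
    "chip card + PIN at a terminal": [
        Element("chip card", "possession", "terminal", isolated=True),
        Element("PIN", "knowledge", "terminal"),
    ],
    "app passcode + OTP generated by the same app": [
        Element("app passcode", "knowledge", "phone"),
        Element("app OTP", "possession", "phone"),
    ],
    "app passcode + OTP key held in the phone's secure element": [
        Element("app passcode", "knowledge", "phone"),
        Element("app OTP", "possession", "phone", isolated=True),
    ],
    "password on laptop + push approval on phone": [
        Element("password", "knowledge", "laptop"),
        Element("push approval", "possession", "phone"),
    ],
}


def evaluate_scenarios() -> dict[str, bool]:
    return {name: sca_check(elements)[0] for name, elements in SCENARIOS.items()}


if __name__ == "__main__":
    for name, elements in SCENARIOS.items():
        ok, reasons = sca_check(elements)
        print(f"{'PASS' if ok else 'FAIL'}: {name}")
        for r in reasons:
            print(f"    - {r}")
```

The interesting scenarios are the third and fourth: the same user experience (passcode plus in-app code) passes or fails depending on whether the OTP key is protected by hardware the app's own compromise cannot reach, which is exactly the question an SCA assessment asks about multi-purpose devices.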
Basel III
Basel III is a voluntary global framework developed by the Basel Committee on Banking Supervision (BCBS). It is the third of the Basel Accords, following Basel I and Basel II, and aims to strengthen the regulation, supervision, and risk management of the international banking sector.
Basel III and IT controls
Basel III doesn’t focus on financial IT compliance. Instead, it focuses on financial issues in the global banking sector, such as liquidity requirements and minimum leverage ratios.
However, Basel III does state that banks operating with inadequate IT controls should have greater risk capital reserves as compensation.
Its predecessor, Basel II, is where IT controls enter the picture. Basel II introduced capital requirements for operational risk, defined as the risk of loss from inadequate or failed internal processes, people, and systems or from external events, and it expects financial institutions to have systems in place to prevent:
- Improper disclosure of information
- Execution of unauthorized transactions
- Confidential data from being accessed and modified by unauthorized parties
- Any changes (including system outages) that could compromise security infrastructure
New York Department of Financial Services (NYDFS) Cybersecurity Regulation
The NYDFS Cybersecurity Regulation (23 NYCRR Part 500) is a set of cybersecurity requirements issued by the New York State Department of Financial Services under the Financial Services Law. NYDFS uses it to combat the growing threat of cyberattacks against the financial services industry by requiring regulated organizations to implement stronger policies and controls.
All entities regulated under the Department of Financial Services must follow the NYDFS Cybersecurity Regulation, including but not limited to:
- State-chartered banks
- Private bankers
- Foreign banks operating in New York
- Mortgage and insurance companies
- Service providers and third-party vendors
Organizations with fewer than 10 employees, or with less than $5 million in gross annual revenue from New York operations in each of the last three fiscal years, or with less than $10 million in year-end total assets, qualify for a limited exemption. (The November 2023 amendment to Part 500 raised these thresholds to 20 employees, $7.5 million in revenue, and $15 million in assets.)
Cybersecurity policy regulations
Companies regulated by the DFS must maintain a cybersecurity program, based on a documented risk assessment, whose core functions mirror the NIST Cybersecurity Framework. This means they must:
- Identify and assess internal and external cybersecurity risks
- Deploy defensive infrastructure and policies that protect systems and nonpublic information from those risks
- Detect cybersecurity events
- Respond to identified events to mitigate their effects
- Recover from events and restore normal operations
Along with these requirements, DFS also requires regulated organizations to designate a CISO and adopt a written cybersecurity policy approved by senior management. Each covered entity must also submit an annual certification of compliance to the DFS.
The regulation also includes reporting procedures. The CISO must report in writing at least annually to the board or equivalent governing body, covering:
- The organization’s cybersecurity policy in detail
- Security risks the organization faces
- The effectiveness of their cybersecurity policies and procedures
California Consumer Privacy Act (CCPA)
CCPA is a law that gives California consumers more control over how businesses use their personal data. It gives consumers the right to:
- Know about their personal data collected
- Delete their data
- Opt-out of their data being sold
- Non-discrimination for exercising the aforementioned rights
CCPA and cybersecurity
CCPA is designed to safeguard consumers’ personal information. The act defines personal information as a number of things, including but not limited to:
- Names, postal and email addresses, passport numbers, IP addresses, and other unique identifiers
- Commercial records, including records of personal property, goods and services purchased, and consumer purchasing history
- Biometric information
- Geolocation data
- Internet activity, including browsing and search history
- Professional and employment information
- Educational information
While CCPA isn’t centered on IT compliance for financial institutions, it gives consumers a private right of action, with statutory damages per consumer per incident, when their nonencrypted and nonredacted personal information is breached as a result of a business’s failure to implement reasonable security, on top of civil penalties for other violations. Personal information collected under GLBA is exempt from most of CCPA, but not from that breach-related right of action, so financial institutions remain exposed.
So, what does this mean?
Organizations doing business in California should identify the data they hold that meets the definition of “personal information” and take steps to safeguard it. In practice, that means a security program able to:
- Protect data from internal and external threats
- Promptly identify security issues as they arise
- Stop attacks as quickly as possible
Other Financial Services Compliance Considerations
The aforementioned regulations and frameworks serve as your starting point for financial IT compliance. They are required as a minimum level of protection, but they aren’t the only thing to consider when meeting financial data security standards.
Truly protecting sensitive data requires you to go above and beyond the minimum. Consider the following:
Managing third-party vendors
It’s common for financial institutions to work with third-party vendors. When the CCPA passed, there was significant concern about working with third parties, because a financial institution can be held accountable when one of its vendors suffers a data breach.
Given that your company can be culpable, how do you ensure vendors meet financial industry compliance standards?
- Look at how much data third-party vendors have access to. Then ensure they have limited access to only what they need on your company network.
- Require all vendors to undergo regular security audits and share the resulting reports. Their security practices should be transparent to you.
- Ensure your vendors have a security strategy that aligns with your company’s practices, so they’re not your weakest cybersecurity link.
Encrypting sensitive data
An up-to-date firewall is an effective way to protect against cyberattacks, but what happens if attackers get through your first line of defense? That’s where encryption comes in.
Encryption adds a layer of security by rendering data unreadable to anyone who does not hold the key, so a stolen database or an intercepted connection yields nothing usable.
But not all encryption is created equal. Some products and configurations are more secure than others, which is why your cryptography should come from FIPS 140-2 or 140-3 validated modules if your organization handles highly sensitive data.
Encryption guidelines include:
- Advanced Encryption Standard (AES) with at least a 128-bit key, used in an authenticated mode such as AES-GCM so that tampering is detected as well as prevented
- A key management system that protects keys from compromise and from loss, since a lost key makes the encrypted data unrecoverable
- External network transport encrypted with TLS 1.2 or later, SSH, or IPsec; SSL and TLS 1.0/1.1 are deprecated and should be disabled
Companies should also use full-disk or folder encryption for sensitive data on laptops and mobile devices.
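The transport guideline above is easy to get wrong in code because library defaults vary by version and platform, so it pays to set the policy explicitly and to audit what a context will actually negotiate. The following is an added example, not code from the original post. It builds a client context that meets the guideline (TLS 1.2 or later, AEAD suites with 128-bit or stronger keys, certificate verification on) using only the standard-library ssl module, and audits any context against that policy; the cipher-suite policy string, the audit rules, and the legacy suite descriptions are assumptions constructed for the example.

```python
"""Build a TLS client context that meets the transport guideline above
(TLS 1.2 or later, authenticated AES-GCM/ChaCha20 suites with keys of at
least 128 bits, peer certificate verified) and audit any context against
that policy.

Added example for this post, not code from the original article.  It uses
only the standard-library ssl module; the cipher-suite policy string, the
audit rules and the legacy suite list are assumptions for the example.
"""
import ssl

# Assumed policy: AEAD suites only, with ephemeral ECDH for forward secrecy.
# TLS 1.3 suites are not affected by set_ciphers() and are AEAD by construction.
POLICY_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"


def hardened_client_context() -> ssl.SSLContext:
    ctx = ssl.create_default_context()             # CERT_REQUIRED, hostname checked
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # rules out SSL 3.0, TLS 1.0 and 1.1
    ctx.set_ciphers(POLICY_CIPHERS)
    return ctx


def suite_findings(suites: list[dict]) -> list[str]:
    """Policy findings for cipher descriptions shaped like the output of
    SSLContext.get_ciphers() (keys used: name, aead, strength_bits)."""
    findings = []
    for s in suites:
        if not s.get("aead"):
            findings.append(f"{s['name']}: not an authenticated (AEAD) cipher suite")
        if s.get("strength_bits", 0) < 128:
            findings.append(f"{s['name']}: key strength below 128 bits")
    return findings


def context_findings(ctx: ssl.SSLContext) -> list[str]:
    """Audit a context: protocol floor, certificate verification, enabled suites."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version {ctx.minimum_version.name} is below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        findings.append("peer certificate is not fully verified")
    findings.extend(suite_findings(ctx.get_ciphers()))
    return findings


# Constructed descriptions of suites a permissive legacy configuration would
# still offer; each one violates the policy in at least one way.
LEGACY_SUITES = [
    {"name": "AES128-SHA", "aead": False, "strength_bits": 128},
    {"name": "RC4-MD5", "aead": False, "strength_bits": 128},
    {"name": "EXP-DES-CBC-SHA", "aead": False, "strength_bits": 40},
]


if __name__ == "__main__":
    print("hardened context:", context_findings(hardened_client_context()) or "no findings")
    for finding in suite_findings(LEGACY_SUITES):
        print("legacy suite:", finding)
```

The same audit applies to a server context; the one difference is that a server context built with ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) does not verify the peer unless you are doing mutual TLS, so drop or adapt the certificate check there.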
Improving Financial Services Compliance
Meeting all financial services compliance requirements is step one. Step two goes further, ensuring your organization stays secure in the event of a successful breach.
From asset discovery and vulnerability scanning to 24/7 monitoring and threat detection, Fortra’s Alert Logic MDR can help you meet your compliance objectives. To learn more, request an MDR demo today.