Financial services compliance requirements are in place for a purpose, given that they represent one of the prime targets for cyberattacks. These regulations are a way to ensure organizations maintain a minimum standard of protection.

However, there is one thing you must understand — being compliant does not mean you’re secure.

According to Verizon’s 2023 Data Breach Investigations Report, there were 5,199 confirmed data breaches last year. The aftermath of a cyberattack is always unpleasant, but for financial institutions, it’s especially difficult. Not only do they lose customer trust, the fines and penalties for non-compliance are tough.

Compliance regulations, again, are a minimum standard of protection, commonly referred to as check mark compliance. They do not come with the level of security necessary to protect an organization pre- and post-breach. You can be compliant but not secure; however, if you are secure, then you most often also will be compliant.

In this blog, we’ll go through several financial services compliance requirements, then provide additional information on how to go beyond the minimum with cybersecurity.

What Is Financial Services Compliance?

Simply put, financial services compliance is a set of rules the finance sector must follow. Often, these rules are enacted to protect clients, including investors, shareholders, and banking customers.

Targeting financial institutions and fintech firms, financial regulations primarily look at how private and sensitive information is managed to protect customer and client data from data breaches.

[Related Reading: Addressing Fintech Security Concerns and Compliance Regulations]

Financial Data Security Regulations

Following are some important financial services compliance requirements organizations should follow:

General Data Protection Regulation (GDPR)

General Data Protection and Regulation (GDPR) is a comprehensive European Union regulation that governs online privacy and how data is managed across EU Member States. A primary goal of GDPR is to give individuals more control over their personal data. From a business perspective, it aims to standardize the way personal data is managed between EU Member States.

If you live outside of the EU, you might question GDPR’s relevance. Even though GDPR is an EU law, many organizations you interact with every day are affected if they have a presence in Europe. For this reason, many global companies chose to apply GDPR compliance policies across their entire organization to avoid confusion and create unnecessary challenges.

GDPR lays out seven protection and accountability principles:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability

GDPR is one of the EU’s most comprehensive pieces of legislation. Ultimately, the regulation’s goal is to protect private data and standardize financial security standards in a growing digital economy. Its key points include:

  • Clearly defining personal data, such as ID numbers, health records, employment information such as CVs and human resource records, video and audio recordings, customer information, biometrics, cookie IDs and IP addresses
  • Personal data collected must be relevant, collected for specific and legitimate purposes, and retained only as long as needed.
  • Personal data must be accurate and kept up to date.
  • Companies should process personal data transparently and in a manner that protects a person’s privacy.

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure the protection of cardholder data. The comprehensive guidelines seek to standardize the way the following parties process, store, and transmit cardholder data:

  • Merchants
  • Service providers
  • Financial institutions
  • Developers and vendors of payment processing solutions, services, and products

Launched in 2006, PCI DSS aims to improve customer security throughout the transaction journey. It has six goals and 12 security requirements for ensuring compliance. PCI DSS 4.0 goals are:

  • Build and maintain a secure network and systems
  • Protect account data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

The 12 requirements for achieving PCI DSS compliance are:

  • Requirement 1: Install and maintain network security controls
  • Requirement 2: Apply secure configurations to all system components
  • Requirement 3: Protect stored account data
  • Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks
  • Requirement 5: Protect all systems and networks from malicious software
  • Requirement 6: Develop and maintain secure systems and software
  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Identify users and authenticate access to system components
  • Requirement 9: Restrict physical access to cardholder data
  • Requirement 10: Log and monitor all access to system components and cardholder data
  • Requirement 11: Test security of systems and networks regularly
  • Requirement 12: Support information security with organizational policies and programs

Deploying an intrusion detection system (IDS)

PCI DSS requirement 11.4 states that all financial institutions must use an intrusion detection system (IDS) to detect network intrusions. This is to be used in conjunction with a firewall to prevent unwanted network traffic.

The purpose of your firewall is to prevent unauthorized parties from accessing your data from the outside. Your IDS serves as the second line of defense by monitoring suspicious activity that makes it past your firewall to detect and neutralize threats as quickly as possible.

Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act of 2002 is a U.S. law passed in the wake of the WorldCom, Enron, and Tyco scandals. Meant to crackdown on corporate fraud and corruption, SOX primarily focuses on how companies record and disclose financial information.

While most of the act doesn’t focus on cybersecurity, one part does — Section 404, Management Assessment of Internal Controls. This section states organizations must have measures in place to protect the authenticity and availability of financial data. Then there’s Section 302, which stipulates a company’s CEO and CFO must certify the authenticity of the organization’s financial data.

Protecting the integrity of corporate financial data

Essentially, SOX financial service compliance requirements require public companies to protect their financial data from tampering. For cybersecurity, this means implementing safeguards that keep financial data protected. These safeguards can include:

  • Logical and physical access controls
  • A disaster recovery plan that involves routine backups and business continuity planning
  • A change management system that only allows authorized personnel to make changes and documents any changes made

In a SOX audit, an IT department can demonstrate financial industry compliance by showing the organization:

  • Conducts routine backups of financial data
  • Implemented comprehensive access controls for financial data

Gramm-Leach-Bliley Act (GLBA)

GLBA came into effect in the United States in 1999. It lays forth financial data security standards requiring the Federal Trade Commission (FTC) to regulate the distribution of private financial information. Under GLBA, financial institutions are required to:

  • Inform customers of their data-sharing practices
  • Educate customers on their right to opt-out of having their data shared with third parties

GLBA defines financial institutions as any organization “significantly engaged” in financial activities. This includes companies that:

  • Offer lending, check cashing, and wire transfer services
  • Broker and/or service loans
  • Provide services like financial planning, accounting, investment advisement, tax preparation, and credit counseling
  • Collect debts
  • Offer real estate settlement services

The list above isn’t exhaustive. For a comprehensive list of companies bound to the GLBA’s financial services compliance requirements, read section 4(k) of the Bank Holding Company Act.

Type of data to protect

GLBA requires financial institutions to protect the security and confidentiality of customer data defined as “nonpublic personal information” (NPA). This data includes:

  • Social Security numbers
  • Information given by customers to receive a financial product or service. This includes names, addresses, and even income information.
  • All information about a customer related to transactions between the financial institution and customer. This includes payment histories, account numbers, deposit balances, and credit and debit purchases.
  • Information received about customer in connection with offering a financial product or service. Examples include information from a consumer report or court record.

GLBA doesn’t protect personal information lawfully made available to the public. This includes publicly available government records and anything available for public access.

Security policies and processes

GLBA’s primary focus is to protect customer data. From a security aspect, becoming GLBA compliant requires companies to implement measures to safeguard all customer data in their possession. These measures can include, but aren’t limited to:

  • Assigning professionals to coordinate your information security program
  • Implementing safeguards to keep customer data protected, and regularly test those safeguards
  • Tracking and recording network activity, including all attempts to access protected customer data

GLBA also requires companies to be transparent about their security policy. To do this, organizations must provide an accurate description of ongoing security practices and policies.

Payment Services Directive (PSD2)

The PSD2 is an EU financial IT compliance regulation aimed at regulating payment services and their providers. The directive requires IT compliance from businesses in both the EU and the European Economic Area (EEA).

PSD2 affects the payment industry in two major ways:

  • It requires stronger security protocol for online transactions.
  • Banks and other financial institutions are required to hand over consumer bank accounts to third-party payment service providers (if the customer gives consent).

The PSD2 is also meant to bridge the gap between fintech, banks, and other payment service providers. This requires banks to deploy APIs for sharing account information with other financial institutions, including third-party providers.

Updated security requirements

Full IT compliance for financial institutions requires meeting PSD2 security requirements.

Payment service providers are required to implement multifactor authentications for all remote and proximity transactions. This means implementing two of the following three security features:

  • A security feature only the customer knows, such as a unique password, code, or personal identification number
  • An item to grant security access, like a mobile phone, smartcard, or token
  • Something inherent to the user, such as a fingerprint scan or photo scan

Moreover, any elements selected should be mutually independent of another. This means that in the event of a data breach, one compromised feature cannot compromise the other security features.

Basel III

Basel III is a voluntary global framework developed by the Basel Committee on Banking Supervision (BCBS). It was the third installment of the four-part Basel Accords with a goal of strengthening the regulation of the international banking sector.

Basel III and IT controls

Basel III doesn’t focus on financial IT compliance. Instead, it focuses on financial issues in the global banking sector, such as liquidity requirements and minimum leverage ratios.

However, Basel III does state that banks operating with inadequate IT controls should have greater risk capital reserves as compensation.

Its predecessor, Basel II, defines whether a bank has adequate IT infrastructure or not. It suggests that financial institutions have systems in place to prevent:

  • Improper disclosure of information
  • Execution of unauthorized transactions
  • Confidential data from being accessed and modified by unauthorized parties
  • Any changes (including system outages) that could compromise security infrastructure

New York Department of Financial Services (NYDFS) Cybersecurity Regulation

The NYDFS Cybersecurity Regulation (23 NYCRR Part 500) is a set of financial service compliance requirements set forth by the NYDFS, in accordance with the Financial Services Law. NYFDS combats the growing threat of cyberattacks against the financial service industry by requiring organizations to implement stronger policies and controls.

All entities regulated under the Department of Financial Services must follow the NYDFS Cybersecurity Regulation, including but not limited to:

  • State-chartered banks
  • Private bankers
  • Lenders
  • Foreign banks operating in New York
  • Mortgage and insurance companies
  • Service providers and third-party vendors

Organizations with less than 10 employees and organizations that generated under $5 million in gross annual revenue from New York operations over the past three years are given limited exemptions.

Cybersecurity policy regulations

Companies regulated by the DFS must have a cybersecurity strategy aligned with the NIST Cybersecurity Framework. This means they must:

  • Deploy a security infrastructure that protects against internal and external threats
  • Have an up-to-date system for detecting security attacks
  • A plan for responding to security issues, and work to recover from those issues

Along with these financial security standards, DFS also requires these organizations to designate a CISO and create a comprehensive cybersecurity strategy.

Reporting policies

The NYDFS’ financial IT compliance regulations also include procedures for reporting. CISOs must prepare an annual report covering:

  • The organization’s cybersecurity policy in detail
  • Security risks the organization faces
  • The effectiveness of their cybersecurity policies and procedures

California Consumer Privacy Act (CCPA)

CCPA is a law that gives California consumers more control over how businesses use their personal data. It gives consumers the right to:

  • Know about their personal data collected
  • Delete their data
  • Opt-out of their data being sold
  • Non-discrimination for exercising the aforementioned rights

CCPA and cybersecurity

CCPA is designed to safeguard consumers’ personal information. The act defines personal information as a number of things, including but not limited to:

  • Names, postal and email addresses, passport numbers, IP addresses, and other unique identifiers
  • Commercial records, including records of personal property, goods and services purchased, and consumer purchasing history
  • Biometric information
  • Geolocation data
  • Internet activity, including browsing and search history
  • Professional and employment information
  • Educational information

While CCPA isn’t centered around IT compliance for financial institutions, it does include fines and penalties for companies that fail to protect this data.

So, what does this mean?

Organizations operating in California should identify their data that meets the classification of “personal information” and take steps to safeguard that information. As such, the best action is to have a cybersecurity infrastructure to:

  • Protect data from internal and external threats
  • Promptly identify security issues as they arise
  • Stop attacks as quickly as possible

Other Financial Services Compliance Considerations

The aforementioned regulations and frameworks serve as your starting point for financial IT compliance. They are required as a minimum level of protection, but they aren’t the only thing to consider when meeting financial data security standards.

Truly protecting sensitive data requires you to go above and beyond the minimum. Consider the following:

Managing third-party vendors

It’s common for financial institutions to work with third-party vendors. When the CCPA passed, there was significant concern about working with third parties. That’s because financial institutions could be held accountable when vendors experience data breaches.

Now that your company could also be culpable, how do you ensure vendors follow financial industry compliance standards?

  • Look at how much data third-party vendors have access to. Then ensure they have limited access to only what they need on your company network.
  • Require all vendors to conduct regular security audits and security reports. Their security practices should be completely transparent.
  • Ensure your vendors have a security strategy that aligns with your company’s practices, so they’re not your weakest cybersecurity link.

Encryption guidelines

An up-to-date firewall is an effective way to protect against cyberattacks, but what happens if attackers get through your first line of defense? That’s where encryption comes in.

Encryption acts as an added layer of security by obfuscating data, making it incomprehensible to unauthorized parties.

But not all encryption is created equal. Some encryption services are more secure than others, which is why your encryption should meet the Federal Information Processing Standards (FIPS) if your organization has highly sensitive data.

Encryption guidelines include:

  • Advanced Encryption Standard (AES) using at least a 128-bit key
  • Key management system to protect against data loss
  • External network transport should be encrypted using SSL, TLS, SSH, IPSEC, or a similar secure protocol

Companies should opt for either full-disk encryption or folder encryption for sensitive data on mobile devices as well.

Improving Financial Services Compliance

Meeting all financial services compliance requirements is step one. Step two goes further to ensure your organization is secure in the likelihood of a successful breach.

From asset discovery and vulnerability scanning to 24/7 monitoring and threat detection, Fortra’s Alert Logic MDR and Fortra XDR can help you meet your compliance objectives. To learn more, schedule a demo today.


Test Your Knowledge

Take this 3 question quiz to test your financial services compliance know-how.

Antonio Sanchez
About the Author
Antonio Sanchez
Antonio Sanchez is Fortra’s Principal Evangelist. He has over 20 years of experience in the IT industry focusing on cyber security, information management, and disaster recovery solutions to help organizations of all sizes manage threats and improve their security posture.

Related Post

Ready to protect your company with Alert Logic MDR?