Financial services compliance requirements exist for a reason. To put it simply, financial institutions are among the most targeted verticals for cyberattacks, and these regulations are a way to ensure that organizations maintain a minimum standard of protection.
However, there is one thing you must understand –– being compliant does not mean you’re secure.
According to Verizon’s 2020 Data Breach Investigations Report, there were 3950 confirmed data breaches over the past year. Personal data was accessed in nearly 60% of the breaches that occurred –– almost twice as much as the previous year.
The aftermath of a cyberattack is always unpleasant, but for financial institutions, it’s especially difficult. Not only do you lose customer trust, the fines and penalties for non-compliance are tough.
Compliance regulations, again, are a minimum standard of protection, commonly referred to as check mark compliance. They do not come with the level of security necessary to protect an organization pre- and post-breach. You can be compliant but not secure; however, if you are secure, then you will also be compliant.
In this post, we’ll break down the financial services compliance requirements in detail, then provide more information on how to go beyond the minimum with security.
What Is Financial Compliance?
Simply put, financial compliance is a set of rules the finance sector must follow. Often, these rules are enacted to protect clients, like investors, shareholders, and banking customers.
Targeting financial institutions and fintech firms, financial regulations primarily look at how private and sensitive information is managed, so customer and client data are protected from data breaches.
[Related Reading: Addressing Fintech Security Concerns and Compliance Regulations]
Financial Data Security Regulations
Below are some important financial services compliance requirements that organizations must follow:
General Data Protection Regulation (GDPR)
Remember around Q3 2018 when everyone was inundated with company emails talking about their privacy policies? That was because the General Data Protection and Regulation (GDPR) just went into effect.
GDPR is a comprehensive regulation in EU law that governs online privacy and how data is managed within the European Union. One of the primary goals of GDPR is to give individuals more control over their personal data. From a business perspective, it aims to standardize the way personal data is managed between countries within the EU.
If you’re living outside of the EU, you might be wondering why GDPR is relevant. Even though GDPR is an EU law, many of the companies you interact with every day are affected if they also have a presence in Europe. For this reason, many international companies chose to apply GDPR compliance policies across their entire organization to avoid confusion and create unnecessary challenges.
The GDPR lays out seven principles for data collection:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Storage limitation
- Integrity and confidentiality
GDPR is one of the most comprehensive pieces of legislation passed by the EU in recent times. Ultimately, the goal of the regulation is to protect private data and standardize financial security standards in a growing digital economy. Its key points include:
- Clearly defining personal data, such as ID numbers, health records, employment information like CVs and Human Resource records, video and audio recordings, customer information, biometrics, cookie IDs and IP addresses
- Personal data collected must be relevant, collected for specific and legitimate purposes, and retained only as long as needed
- Personal data must be accurate and kept up to date
- Companies should process personal data transparently and in a manner that protects the privacy of the person
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) is a series of financial data security guidelines designed to safeguard credit and debit account data.
The guidelines seek to standardize the way the following parties process, store, and transmit cardholder data:
- Service providers
- Financial institutions
- Developers and vendors of payment processing solutions, services, and products
The PCI DSS goals are:
- Building and maintaining a secure network
- Protecting cardholder data
- Maintaining a vulnerability management program
- Implementing strong access control steps
- Routine monitoring and testing of networks
- Maintaining an up-to-date information security policy
- Implementing and maintaining a firewall that protects cardholder data
- Creating (and updating) unique system passwords rather than generic vendor-supplied passwords
- Protecting cardholder data through encryption, and conducting routine scans to ensure all data is encrypted
- Ensuring cardholder data is encrypted when transmitted, and never sending this data to unknown locations
- Deploying anti-virus software and keeping it updated regularly
- Deploying an information security system and keeping it up to date
- Limiting access to cardholder data on a need-to-know basis
- Assigning every employee with cardholder information a unique ID
- Securely storing physical copies of cardholder data and restricting those with access
- Using access logs to track and monitor who accesses data, when they access it, and how many times the data is accessed
- Conducting routine tests and scans for system vulnerabilities
- Maintaining a policy that addresses these information security steps across your organization, extending to both employees and contractors
What are the minimum firewall requirements?
The PCI DSS guidelines require all organizations that process cardholder information to have (and maintain) a firewall to prevent unauthorized access.
They’ve even laid out set guidelines for implementing and managing your firewall. These guidelines include:
- Changing your firewall’s generic password to a unique one
- Only give payment system access to employees when it’s necessary to get the job done
- Deny all unauthorized traffic
- Security auditors must ensure all connections serve a business purpose, and any insecure connections must be found and immediately corrected
On top of that, the firewall must be updated and always patched to protect customers against the ever-changing threat landscape.
The PCI DSS defines these guidelines as the minimum firewall requirements for providing a satisfactory barrier against unwanted traffic.
Deploying an intrusion detection system (IDS)
PCI DSS requirement 11.4 states that all financial institutions must use an intrusion detection system (IDS) to detect and/or prevent network intrusions. This is to be used in conjunction with the firewall to prevent unwanted access.
The purpose of your firewall is to prevent unauthorized parties from accessing your data from the outside. Your IDS serves as the second line of defense by monitoring hackers who do make it past your firewall, making it easier for you to detect and neutralize threats as quickly as possible.
The Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act of 2002 is a law passed by the United States in the wake of the WorldCom, Enron, and Tyco scandals. Meant to crackdown on corporate fraud and corruption, the act primarily focuses on how companies record and disclose financial information.
While most of the act doesn’t focus on cybersecurity, one part does –– Section 404, Management Assessment of Internal Controls. This section states that organizations must have measures in place to protect the authenticity and availability of financial data.
Then there’s Section 302, which stipulates that the company’s CEO and CFO must certify the authenticity of the organization’s financial data.
Protecting the integrity of corporate financial data
Essentially, financial service compliance requirements of the SOX act require public companies to protect their financial data from tampering. For cybersecurity, this means implementing safeguards that keep financial data protected. These safeguards can be several things, including:
- Logical and physical access controls
- A disaster recovery plan that involves routine backups and business community planning
- A change management system that only allows authorized personnel to make changes, and documents any changes made
In a SOX audit, your IT department can demonstrate financial industry compliance by showing the company…
- Conducts routine backups of financial data
- Implemented comprehensive access controls for financial data
Gramm-Leach-Bliley Act (GLBA)
The GLBA law came into effect in the United States in 1999. It lays forth financial data security standards requiring the Federal Trade Commission (FTC) to regulate the distribution of private financial information. Under this act, financial institutions are required to…
- Inform customers of their data-sharing practices
- Educate customers on their right to opt-out of having their data shared with third-party sources
The act defines financial institutions as any company “significantly engaged” in financial activities. This includes companies that…
- Offer lending, check cashing, and wire transfer services
- Broker and/or service loans
- Provide services like financial planning, accounting, investment advisement, tax preparation, and credit counseling
- Collect debts
- Offer real estate settlement services
The list above isn’t exhaustive. For a comprehensive list of companies bound to the GLBA’s financial services compliance requirements, read section 4(k) of the Bank Holding Company Act.
Type of data protected
GLBA requires financial institutions to protect the security and confidentiality of customer data defined as “nonpublic personal information” (NPA). This data includes:
- Social Security numbers
- Information given by customers to receive a financial product or service; this includes names, addresses, and even income information
- All information about a customer related to transactions between the financial institution and customer; this includes payment histories, account numbers, deposit balances, credit and debit purchases, and more
- Information received about customer in connection with offering a financial product or service; examples include information from a consumer report or court record
The act doesn’t protect personal information that has been lawfully made available to the public. This includes publicly available government records, information from phonebooks and newspapers, and anything else available for public access.
Security policies and processes
The primary focus of the GLBA is to protect customer data. From a cybersecurity aspect, becoming GLBA compliant requires companies to implement measures to safeguard all customer data in their possession. These measures can include, but aren’t limited to…
- Assigning professionals to coordinate your information security program
- Implementing safeguards to keep customer data protected, and regularly test those safeguards
- Track and record network activity, including all attempts to access protected customer data
GLBA also requires companies to be transparent about their security policy by providing an accurate description of ongoing information security practices and policies.
Payment Services Directive (PSD2)
The PSD2 is a financial IT compliance regulation in the EU aimed at regulating payment services and their providers. The directive requires IT compliance from businesses in both the EU and the European Economic Area (EEA).
The PSD2 affects the payment industry in two major ways:
- It requires stronger security protocol for online transactions
- Banks and other financial institutions are now required to hand over consumer bank accounts to third-party payment service providers (if the customer gives consent)
The PSD2 is also meant to bridge the gap between fintech, banks, and other payment service providers. This requires banks to deploy APIs for sharing account information with other financial institutions, including third-party providers.
Updated security requirements
Full IT compliance for financial institutions requires meeting the security requirements laid out by the PSD2.
Payment service providers are required to implement multi-factor authentication for all remote and proximity transactions. This means implementing two of the three security features below:
- A security feature only the customer knows, like a unique password, code, or personal identification number
- An item to grant security access, like a mobile phone, smart card, or token
- Something inherent to the user, like a fingerprint scan or photo scan
Moreover, any elements selected should be mutually independent of another. This means, in the event of a data breach, one compromised feature cannot compromise the other security features.
Basel III is a voluntary global framework developed by the Basel Committee on Banking Supervision (BCBS). It was the third installment of the four-part Basel Accords, and its aim is to strengthen the regulation of the international banking sector.
Basel III and IT controls
Basel III doesn’t focus on financial IT compliance. It focuses on financial issues in the global banking sector, such as liquidity requirements and minimum leverage ratios.
However, Basel III does state that banks operating with inadequate IT controls should have greater risk capital reserves as compensation.
Its predecessor, Basel II, is used to define whether a bank has adequate IT infrastructure or not. It suggests that financial institutions have systems in place to prevent:
- Improper disclosure of information
- The execution of unauthorized transactions
- Confidential data from being accessed and modified by unauthorized parties
- Any changes (including system outages) that could compromise security infrastructure
New York Department of Financial Services (NYDFS) Cybersecurity Regulation
The NYDFS Cybersecurity Regulation (23 NYCRR Part 500) is a set of financial service compliance requirements set forth by the NYDFS, in accordance with the Financial Services Law. It was designed to combat the growing threat of cyberattacks against the financial service industry by requiring organizations to implement stronger policies and controls.
All entities regulated under the Department of Financial Services are required to follow the NYDFS Cybersecurity Regulation, including but not limited to:
- State-chartered banks
- Private bankers
- Foreign banks operating in New York
- Mortgage and insurance companies
- Service providers and third-party vendors
Organizations with less than 10 employees and organizations that generated under $5 million in gross annual revenue from New York operations over the past three years are given limited exemptions.
Cybersecurity policy regulations
Companies regulated by the DFS must have a cybersecurity strategy aligned with the NIST Cybersecurity Framework. This means they must:
- Deploy security infrastructure that protects against internal and external threats
- Have a system for detecting cybersecurity attacks and keep that system up to date
- Respond to all detected cybersecurity issues, and work to recover from those issues
Along with these financial security standards, the regulation also requires these organizations to designate a CISO and create a comprehensive cybersecurity strategy.
The NYDFS’ financial IT compliance regulations also include procedures for reporting.
CISOs are required to prepare a yearly report covering:
- The organization’s cybersecurity policy in detail
- Security risks the organization faces
- The effectiveness of their cybersecurity policies and procedures
California Consumer Privacy Act (CCPA)
The CCPA is a law that gives California consumers more control over how businesses use their personal data. It gives consumers:
- The right to know about their personal data collected
- The right to delete their data
- The right to opt-out of their data being sold
- The right to non-discrimination for exercising the aforementioned rights
The CCPA and cybersecurity
The CCPA is designed to safeguard personal information of consumers. The act defines personal information as a number of things, including but not limited to:
- Names, postal and email addresses, passport numbers, IP addresses, and other unique identifiers
- Commercial records, including records of personal property, goods and services purchased, and consumer purchasing history
- Biometric information
- Geolocation data
- Internet activity, including browsing and search history
- Professional and employment information
- Educational information
While the act isn’t centered around IT compliance for financial institutions, it does include fines and penalties for companies that fail to protect this data.
So, what does this mean?
Organizations operating in California should identify their data that meets the classification of “personal information” and take steps to safeguard that information. As such, the best action is to have the cybersecurity infrastructure to:
- Protect data from internal and external threats
- Promptly identify cybersecurity issues as they arise
- Stop attacks as quickly as possible
Other Financial IT Compliance Considerations
The regulations and frameworks mentioned above serve as your starting point for financial IT compliance — they are required as a minimum level of protection, but they aren’t the only thing to consider when meeting financial data security standards.
Truly protecting sensitive data requires you to go above and beyond the minimum, and the considerations below will help.
Managing third-party vendors
It’s common for financial institutions to work with third-party vendors for several products and services.
When the CCPA passed, there was a lot of concern about working with third parties. That’s because financial institutions could also be held accountable when vendors experience data breaches.
Now that your company could also be culpable, how do you ensure vendors are also following financial industry compliance standards?
- Look at how much data third-party vendors have access to, then make sure they don’t have too much access to your company network
- Require all vendors to conduct regular security audits and security reports –– their cybersecurity practices should be completely transparent
- Ensure your vendors have a security strategy that aligns with your company’s practices, so they’re not your weakest cybersecurity link
An up-to-date firewall is an effective way to protect against cyberattacks, but what happens if attackers get through your first line of defense? That’s where encryption comes in.
Encryption acts as an added layer of security by obfuscating data, making it incomprehensible to unauthorized parties.
But not all encryption is created equal. Some encryption services are more secure than others, which is why your encryption should meet the Federal Information Processing Standards (FIPS) if your company has highly sensitive data.
- Advanced Encryption Standard (AES) using at least a 128-bit key
- Key management system to protect against data loss
- External network transport should be encrypted using SSL, TLS, SSH, IPSEC, or a similar secure protocol
Companies should opt for either full-disk encryption or folder encryption for sensitive data on mobile devices as well.
Following these standards will help ensure sensitive data stays out of the wrong hands.
Improving Financial Industry Regulatory Compliance
Meeting all the financial services compliance requirements is step one. Step two is going further to ensure your organization is also secure in the likelihood of a successful breach.
From asset discovery and vulnerability scanning to 24/7 monitoring to detect threats, Alert Logic MDR can help you meet your compliance objectives. To learn more, request an MDR demo today.