The introduction of smarter technological tools and applications gives consumers the opportunity to take control of their financial lives like never before. People can manage their banking and investment relationships in one place with the simple click of a button or by downloading an app. Individuals can invest, manage their budget, pay others, and quickly obtain a mortgage, all without stepping into a building or speaking to a single person. In addition, financial tools like ePayments provide enhanced security, enable easier identification of unlawful transactions, and promote financial inclusivity.
Despite the rapid change in technology and the emergence of “FinTech” products, the laws governing consumer privacy and data security protection have not kept pace, nor have they significantly evolved in nearly twenty years. In parallel and over the last twenty months, privacy and data protection have emerged as a significant regulatory challenge – not just for traditional technology companies but for any industry that deals in personal data (i.e., most companies). This is especially true for the financial services sector and the burgeoning fintech industry.
Banks are increasingly adopting more technology. Among the traditional lending institutions carving a path toward fintech is Capital One. Yet in March a single hacker breached Capital One’s servers, gaining access to financial information of over 100 million consumers in the US and Canada. This hacker is responsible for one of the largest data breaches ever – an action that will cost the company hundreds of millions of dollars and, more importantly, lose the trust of the affected consumers who relied on the bank to properly store their personal information.
Although the fall-out to Capital One customers appears limited (99% of social security numbers remain uncompromised), calls for increased regulation in the US continue to gain traction. Notably, the Credit Union National Association has called for “Congress to act to set federal data privacy standards [and for] Congress to treat data privacy as a national security issue.”
Where does that leave us from a regulatory perspective?
The Consumer Financial Protection Bureau (CFPB) and the Federal Trade Commission (FTC) share overlapping regulatory responsibilities for customer information. However, the supervision of the application of their laws to non-traditional financial institutions and companies that do not collect consumer financial information remains unclear.
Senator Ron Wyden (D-OR), who is sponsoring a bill, tweeted: “I’m sick of waking up to headlines revealing that millions of Americans had their information stolen because a billion-dollar company failed Cybersecurity 101. Corporations will only take Americans’ privacy seriously when CEOs are held personally accountable.”
These are challenging times – privacy is entering a state of flux, and social norms and legal systems are trying to catch up with the changes that digital technology has brought. Privacy is a complex construct, influenced by many factors, and it can be difficult to future-proof business plans to keep up with evolving technological developments and consumer expectations. Meanwhile, confusion surrounding regulatory authority is leading to gaps in consumer protection.
Is more regulation necessarily the right answer? The financial services sector accounts for approximately USD 700 billion in IT spending a year. It is paramount, therefore, to anticipate security breaches as connected devices provide a wider field for potential attack than traditional IT systems. Even security solutions such as two-factor verification are not always effective, since hackers have developed ways of stealing secure codes sent to users through text messages.
Although fintech companies currently work within a relatively regulation-free environment, changes are afoot. It is imperative that organisations act pre-emptively and proactively to help shape the regulatory process, outline policy outcomes and ensure a regulatory framework that continues to support financial innovation. Fintech must be regulated in a way that accounts for the associated risks it produces while simultaneously fostering development of the technology. For this reason, regulators must adopt holistic frameworks capable of regulating the multitude of technology applications, both now and in the future.
Author: Alexis Serfaty, Director of Global Public Policy, Access Partnership