In our modern digital landscape, the intersection of cybersecurity, finance and tech has become a focal point for regulators. With the rise of fintech, insurtech, personal financial management, alternative investments, and complex financial APIs, legal frameworks are evolving to keep pace.
Below are five notable cybersecurity legal updates within the financial sector, impacting financial institutions, fintech companies, and their service providers both domestically and abroad:
- EU’s Digital Operational Resilience Act (DORA);
- SEC Amendments to Regulation S-P;
- FTC Standards for Safeguarding Consumer Information;
- Nacha’s Updates to Operating Rules; and
- CFPB’s Rulemaking on Personal Financial Data Rights.
EU’s Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (DORA) is an EU regulation that applies to financial entities and to the third parties that support them. DORA requires applicable organizations to “follow rules for the protection, detection, containment, recovery and repair capabilities against [information and communication technology]-related incidents,” per the DORA website.
When Does it Take Effect?
DORA entered into force on January 16, 2023, and will apply to each member state of the EU beginning January 17, 2025.
Who Does This Apply To?
Financial Entities: Under DORA, financial entities are defined broadly to include banks, insurance providers, investment firms, payment institutions, credit institutions and credit rating agencies, and more.
ICT Third-Party Service Providers: DORA’s scope also includes information and communication technology (ICT) third-party service providers, meaning companies that provide digital and data services to financial entities. These include hardware providers as well as providers of cloud computing, software, data analytics and data center services. Certain providers may be designated as critical ICT third-party service providers, which are subject to an additional oversight regime.
Key Takeaways
DORA establishes uniform requirements regarding network security and information systems that support financial entities.
To establish this uniform framework, the Act requires:
- Managing risk of ICT resources. Financial entities are required to create and maintain an internal governance and control framework for the effective management of ICT risk.
- Reporting on ICT-related incidents and major operational or security payment-related incidents. Financial entities are required to report major ICT-related incidents, and to voluntarily report cyber threats to competent authorities.
- Digital operational resilience testing. Financial entities are required to establish, maintain and review a sound and comprehensive digital operational resilience testing program, including a range of assessments, tests, methodologies, practices and tools.
- Contracting with ICT third-party service providers. Financial entities and ICT third-party service providers are required to set out their respective rights and obligations clearly in writing, including the specific contractual elements defined in the Act. Critical ICT third-party service providers are subject to additional requirements.
- Implementing measures for management of ICT third-party risk. Financial entities are required to adopt, and regularly review, a strategy on ICT third-party risk including a register of information related to the required contractual agreements between financial entities and ICT third-party service providers.
Because the definition of “ICT third-party service providers” includes a range of entities that provide digital and data services, it is important that both financial entities and providers of ICT services are familiar with the requirements imposed by DORA.
SEC Amendments to Regulation S-P
Regulation S-P is a set of rules adopted by the Securities and Exchange Commission (SEC). It requires certain parties to adopt written policies and procedures for the protection of customer records and information. The amendments are designed to address the expanded use of technology, and the associated risks, that have emerged since the Regulation was originally adopted in 2000.
When Does it Take Effect?
The SEC adopted the amendments to Regulation S-P on May 16, 2024, with an effective date of August 2, 2024. Larger entities must comply by December 3, 2025, and smaller entities by June 3, 2026.
Who Does This Apply To?
Regulation S-P applies to “covered institutions,” including broker-dealers, registered investment companies, registered investment advisors (RIAs), funding portals, and transfer agents registered with the SEC or another appropriate regulatory agency.
Key Takeaways
The amendments to Regulation S-P modernize the rules regarding the treatment of consumers’ nonpublic personal information by imposing privacy-related protections.
Among other things, the amended Regulation requires:
- Adopting an incident response program. Covered institutions must adopt written policies and procedures for an incident response program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.
- Updating customer notification protocols. As part of the incident response program, covered institutions must notify individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. Notice must be provided as soon as practicable, but no later than 30 days after the covered institution becomes aware that the unauthorized access or use occurred or is reasonably likely to have occurred.
- Providing oversight of service providers. Covered institutions must establish, maintain and enforce written policies and procedures reasonably designed to require oversight, including through due diligence and monitoring, of service providers, so that any individuals affected by a breach of sensitive customer information receive the required notices. The amendments also require service providers to notify the covered institution as soon as possible, and no later than 72 hours, after becoming aware of a breach in security resulting in unauthorized access to a customer information system the service provider maintains.
- Expanding the scope of the Regulation. The amended Regulation aligns more closely to the FTC’s Safeguards Rule. Both rules apply to “customer information,” defined as “any record containing nonpublic personal information” about a customer of a financial institution. Additionally, the amendments broaden the group of customers whose information is protected under this Regulation.
- Updating recordkeeping and annual privacy notices. The amended Regulation requires certain covered institutions to maintain written records documenting their compliance. Additionally, certain covered institutions must provide a clear and conspicuous privacy notice at least annually during the customer relationship.
FTC Standards for Safeguarding Consumer Information
The Federal Trade Commission’s (FTC’s) Standards for Safeguarding Consumer Information (the Safeguards Rule) is a set of regulations that requires certain financial institutions to protect consumer information.
When Does it Take Effect?
In October 2023, the FTC announced an amendment to the Safeguards Rule adding a breach-notification requirement; that amendment took effect on May 13, 2024.
Who Does This Apply To?
The Safeguards Rule applies to “financial institutions” within the FTC’s jurisdiction. This includes mortgage lenders and payday lenders, finance companies, mortgage brokers, account servicers, check cashers, and investment advisors that are not required to register with the SEC, among others. The Rule does not apply to financial institutions subject to the authority of another regulator under Section 505 of the Gramm-Leach-Bliley Act.
Additionally, financial institutions that maintain information concerning fewer than 5,000 consumers are exempt from some of the Rule’s requirements (such as the written risk assessment, continuous monitoring or periodic penetration testing, and the written incident response plan), but not from the Rule as a whole.
Key Takeaways
The Safeguards Rule requires financial institutions to develop and maintain an information security program to protect consumer information. The 2023 amendment adds a requirement to notify the FTC of certain security breaches involving the information of at least 500 consumers.
Among other things, the Safeguards Rule requires:
- Implementation of a security program. Financial institutions are required to develop, implement, and maintain a comprehensive written information security program appropriate to the institution’s size and complexity, the nature and scope of its activities, and the sensitivity of the consumer information at issue. The Safeguards Rule also prescribes specific safeguards, including but not limited to access controls, encryption of customer information in transit and at rest, multi-factor authentication for anyone accessing customer information systems, secure development practices, and logging and monitoring of user activity.
- Notifying the FTC. The amendment requires financial institutions to notify the FTC as soon as possible, and no later than 30 days after discovery, of a “notification event” involving the unauthorized acquisition of unencrypted customer information of at least 500 consumers. Information is treated as unencrypted for this purpose if the encryption key was also accessed without authorization.
Nacha’s Updates to Operating Rules
The National Automated Clearing House Association (Nacha) Operating Rules govern how the Automated Clearing House (ACH) Network functions. The Rules cover all ACH payments and set requirements for securely storing, accessing, and transmitting sensitive customer information.
When Does it Take Effect?
The changes to the Nacha Operating Rules became effective on October 1, 2024.
Who Does This Apply To?
The Nacha Operating Rules apply to entities that collect and store non-public sensitive information in ACH transactions, including bank account and routing numbers, social security numbers, and driver’s license numbers, among other information.
Key Takeaways
In 2024, the Nacha Operating Rules were amended as part of a larger risk management package. These amendments are intended to reduce fraud and improve the recovery of funds after fraud has occurred.
Among other things, the amendments to the Rules include:
- Allowing financial institutions to return entries via R17. A receiving depository financial institution (RDFI) may, but is not required to, use return reason code R17 to return an entry it believes is fraudulent. This amendment defines the use of the return code for this purpose and is designed to improve the recovery of funds obtained through fraud.
- Expanding the uses of Request for Return. An originating depository financial institution (ODFI) may request a return from the RDFI for any reason. Under this amendment, the ODFI still indemnifies the RDFI for complying with the request, and compliance by the RDFI remains optional.
- Creating additional funds availability exceptions. This amendment gives RDFIs an additional exception from the existing funds availability requirements for credit entries that the RDFI reasonably suspects are fraudulent. The rule is intended to improve the recovery of funds obtained by fraud.
- Modifying the timing of the Written Statement of Unauthorized Debit (WSUD). While the Rules previously required that a WSUD be dated on or after the Settlement Date of the entry, this amendment allows a WSUD to be signed and dated by the receiver on or after the date on which the entry is presented to the receiver, even if the debit has not yet been posted to the account.
- Requiring the RDFI to return unauthorized debits promptly. When returning a consumer debit as unauthorized, the RDFI must make the return by the sixth banking day following completion of its review of the consumer’s signed WSUD. The prompt return is intended to alert the ODFI to potential problems, improve the recovery of funds, and reduce the occurrence of future fraud.
CFPB’s Rulemaking on Personal Financial Data Rights
The Consumer Financial Protection Bureau (CFPB) issued a final Rule implementing the personal financial data rights established by Section 1033 of the Consumer Financial Protection Act of 2010 (CFPA). The Rule allows consumers to access account data held by certain providers of consumer financial products and services in a safe and secure manner.
When Does it Take Effect?
The data providers covered under this Rule must comply with the requirements in phases: the largest institutions will have to comply by April 1, 2026, while the smallest institutions must comply by April 1, 2030.
Who Does This Rule Apply To?
Under this Rule, a “data provider” is required to make the covered data available, in electronic form, to consumers and certain authorized third parties.
A “data provider” includes depository institutions, such as credit unions, and non-depository institutions that issue credit cards, hold transaction accounts, issue devices to access an account, or provide other types of payment facilitation products or services. However, the rule does not apply to certain small depository institutions.
Key Takeaways
This Rule enables consumers and authorized third parties to access consumer account information. This enables account holders to make more informed and freely made decisions regarding their providers.
Among other things, the Rule requires:
- Disclosing certain information. Data providers must make certain data, including information about transactions, costs, charges, and usage, available to consumers and authorized third parties upon request.
- Adhering to disclosure requirements. Disclosures must be made in a standardized and machine-readable format and in a commercially reasonable manner, among other disclosure requirements.
- Banning “screen scraping” by third parties. A data provider cannot satisfy the requirement to make covered data available to third parties by allowing the third party to use “screen scraping,” an access method in which the third party logs in to the consumer’s account with the consumer’s own credentials to retrieve data. Data providers must instead make the data available through a developer interface that third parties access without using the consumer’s login credentials.