Privacy Regulations and Data Rights for Financial Services
August 5, 2021
Financial services firms face a complex maze of privacy regulations that differ across state and national jurisdictions. Meanwhile, the rights governing the use of customer data have evolved significantly.
During a panel discussion at the Expert-in-the-Loop (EITL) Forum on May 25–26, 2021, Compliance.ai CEO Kayvan Alikhani discussed the challenges of data rights and privacy with Michael Delune, general counsel at Manufacturers Bank, and Kelvin Dickenson, senior vice president of product, risk and compliance at SAI Global Risk. They also explored the challenges associated with managing the complexity of compliance.
Data Rights Have Become a Branch of Privacy
The explosion of smartphones, cloud computing, and social media over the last 20 years has pushed privacy considerations and data rights to the forefront. Governments struggle to balance the needs of businesses with consumers’ right to have both their privacy and their data protected. Technology companies have been calling on Congress to move toward a uniform federal privacy standard.
“Privacy laws have evolved not so much out of any coherent theory, but with the evolution of digital technologies,” said Delune. “The definition of privacy used to be limited to health and other personal information, but has expanded to everything from names and addresses to biometric information, preferences, and even inferential data.”
One of the biggest challenges that all institutions will face is establishing frameworks to manage their data protection environment.
“The data privacy law is evolving so dynamically that it’s important for companies to establish a base framework that allows them to adapt quickly to changes in the law,” said Delune. “Businesses should begin by inventorying their data and identifying what kind of data they have about whom. The framework goes hand in hand with managing risk and controls.”
The regulatory landscape will continue to shift toward laws like New York’s strict 23 NYCRR Part 500, which established cybersecurity requirements for financial services companies, according to Dickenson.
“Privacy rights follow the evolution of the data, and regulations just follow the evolution of the privacy rights,” he said. “Banks will need to be vigilant about watching this space, and technology can help.”
Ethical Frameworks for Privacy
Beyond legal privacy requirements, a financial institution’s ethical framework will affect how it handles privacy, the panelists agreed.
“It comes down to how a company views privacy requirements,” said Dickenson. “Do they feel an ethical obligation to their customers based on the fact that they’re realizing revenue by holding data they don’t own? Or do they feel like it’s another checkbox requirement?”
Alikhani pointed out that there’s a distinction between a culture of compliance, which involves doing the minimum necessary, and a culture of ethics.
“The cost of non-compliance is becoming much higher, which makes it easier to convince management that you need a culture of compliance,” he said. “But it will be a lot more challenging to convince them to adopt a culture of ethics. Very few companies have been able to succeed at making ethics a part of their brand. Patagonia is an exception.”
Companies can turn data privacy into an advantage, distinguishing themselves by showing that they value securing consumers’ personal data above and beyond what’s required by law.
Latest Developments in Federal Privacy Legislation
The panelists agreed that in the wake of several state legislatures enacting privacy laws over the last several months, the need for federal legislation has become much clearer.
“Many industries would like to be regulated at the federal level rather than having to develop compliance programs that meet 50 different state standards plus international standards,” said Delune.
One example of recent federal legislation is the bipartisan Social Media Privacy Protection and Consumer Rights Act of 2021 (S. 1667), reintroduced in May by Senator Amy Klobuchar (D-MN). Among the bill’s requirements is that platforms must write their terms of service in plain language and must notify users within 72 hours if there’s a data breach.
In addition, Section 4021 of the CARES Act, Credit Protections During COVID-19, temporarily amends the Fair Credit Reporting Act (FCRA) to protect consumers who ask for payment accommodations. This has implications for lenders, creditors, and others who furnish data to credit reporting agencies.
These regulations have given rise to several cautionary stories of litigation. In February 2021, TikTok agreed to pay $92 million as part of a class-action lawsuit alleging that the company broke one of the toughest laws in this area, Illinois’ Biometric Information Privacy Act (BIPA). The same month, a federal judge approved an even larger settlement—$650 million—in another class-action lawsuit against Facebook for violating the same law.
“These large settlements are part of another trend we’re seeing as privacy laws evolve,” said Delune. “Traditionally, a plaintiff had to assert quantifiable damages, which are very difficult to prove. Now judges are awarding a specific amount per claim. If you multiply that by the sheer volume of records involved in these kinds of breaches, the numbers are staggering.”
Adtech Regulations Evolving
Another area of privacy concern relates to advertising technology, or ad tech. Regulations are just beginning to address the ways ad tech can track user behavior online.
“By design, the industry players have no incentive to be upfront about their activities,” said Delune. “I suspect that the industry is rife with violations of data rights laws, but we’re seeing scrutiny increase.”
Companies tread a fine line between offering users the benefits of tracking technology and meeting their expectations of privacy.
“People want to be able to get their bank balance on their iPhone just by showing their face, but they don’t want their faces to determine what ads they’re served,” said Dickenson.
Financial services firms will be in a better position if they can disclose to consumers why they have data and how they’re protecting it.
“The trend seems to be to give consumers the power to control their data across platforms,” added Delune.
Advice for Financial Services Organizations
The compliance landscape is constantly changing, but panelists agreed that for financial services firms, investing in regulatory compliance on the front end, as a cost of doing business, is a much more prudent posture than rectifying compliance violations through fines, litigation, or expensive settlements.
“There are two areas organizations should be watching,” said Dickenson. “The first, from a compliance lens, is to watch Europe. Your data rights are a little bit like spring fashion: they start in Europe, but they always end up in the United States.
“The second is to follow evolving consumer sentiment, to go beyond compliance to feeling the pulse of the market and what consumers expect. Consumers will choose to do business with companies that respect data privacy. They’ll see those companies as trustworthy partners.”
Asif Alam is the Chief Executive Officer at Compliance.ai. A leader in shaping disruptive technology, his experience includes building products using AI and natural language processing for GRC, payments, lending, risk, trading, and new solutions, from Fortune 500 companies to startups.
In his most recent role, he served as the Chief Strategy Officer of ThoughtTrace, unlocking new revenue streams and markets and reigniting portfolio growth. ThoughtTrace was then acquired by Thomson Reuters in 2021.
He brings more than 20 years of management and business experience, increasing profitability, unlocking new revenue streams and markets, and reigniting portfolio growth for companies like Thomson Reuters, Crux Informatics, and Finastra. Asif is a forward-thinking expert driving engagement via client forums, public presentations, and white papers.