FINANCIAL INSTITUTIONS: AVOIDING REGULATORY DOUBLE JEOPARDY
How to Stay Compliant While Adding Protection and Value for Customers
INTRODUCTION
Financial institutions face a daunting task when it comes to navigating government data security and
breach regulations—and that’s putting it mildly. At the federal level many rules are vague by design. At the
state level, complexity runs deep: banks and credit unions must comply with different guidelines in the 47
states that have breach laws.
Moreover, compliance is only one of many challenges financial institutions face today. They also must
respond to a range of demographic and technology-related trends that complicate their ability to secure
data and remain compliant. Key needs now include:
• Mobility and digital engagement
• Engaging with the millennial and high-value customer segments
• Technology integration to support outstanding customer experiences, streamlined processes and improved strategic decision-making
• Analytics for a better understanding of consumer behaviors and decision-making
Ultimately, data reigns in modern financial institutions—and criminals will go to incredible lengths to get
their hands on it. Even if you’re doing everything right from a security standpoint, your institution could still
suffer a breach. This white paper:
• Explores the financial industry regulatory landscape along with some of the key trends that are influencing institutional operations
• Explains how identity and data breach defense services can help your bank or credit union:
  – Meet customer expectations
  – Comply with state data breach laws while improving your standing with federal regulators
  – Protect your brand reputation.
• Provides five tips for choosing a good identity and data breach defense services provider.
WIDESPREAD THREATS, WORRIED CUSTOMERS
Financial institutions face escalating and increasingly sophisticated cyber threats that threaten their relationship with customers. FIs are under pressure to innovate for their customers, yet technological advancements are a double-edged sword. On the one hand, new technology brings customer convenience and greater engagement. On the other hand, it creates more customer and employee access points and the potential for security risks and gaps. Everyone from lone actors and insiders to criminal organizations may be looking for opportunities in those gaps. Criminals use methods ranging from hacking to social engineering to malware to find holes in processes and systems, and get at money in different ways. Sometimes, such as with account takeover or ransomware, it’s direct. But there are plenty of indirect crimes related to data breaches. For example, crimes such as identity theft and new account fraud can go undiscovered for months or even years, in some cases.

FAST FACT: The finance sector experiences 300 percent more security incidents than other sectors.1

The Customer Protection Dilemma
Customers are increasingly aware that they face risks online … but that doesn’t mean they act accordingly.
• 94 percent of millennials rely on online banking3 … yet 24- to 35-year-olds face the highest incidence of fraud and are least likely to take preventive measures.5
• 62 percent of millennials and 77 percent of baby boomers worry about online fraud4 … yet consumers who don’t believe they can effectively protect their financial data often ignore preventive measures.6

1 “Guide to Cybersecurity for Financial Services Firms,” Lockheed Martin Corp., 2015.
The first thing that 78 percent of victims do is call their financial institution or credit card issuer for
assistance.7 If their financial service providers are not prepared to help, many, especially millennials, will
jump to a new institution. Worse, if the fraud is related to an institutional data breach, a host of federal or
state regulatory bodies could take action.
GETTING TO THE HEART OF DATA-RELATED COMPLIANCE CHALLENGES
Federal and state regulations related to data and customer protections are a confusing mishmash of
rules. What’s more, federal agencies tasked with protecting consumers add complexities and unknowns to
compliance efforts.
At the federal level, banking regulations are generally focused either on what
happens before data is lost or on preventing fraud. There are no specifications
about what financial institutions must do once data is lost. For example:
• Gramm-Leach-Bliley Act – requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.8
• The Identity Theft and Assumption Deterrence Act of 1998 – makes the FTC a central clearinghouse for identity theft complaints. It requires the FTC to log and acknowledge complaints, provide victims with relevant information and refer complaints to appropriate entities.9
• The Sarbanes-Oxley Act – mandated a number of reforms to enhance corporate responsibility, boost financial disclosures and combat corporate and accounting fraud. It created the “Public Company Accounting Oversight Board” to oversee the activities of the auditing profession.10

FAST FACT: 80 percent of financial institutions cite cyber risks as a top concern.2

2 “Guide to Cybersecurity for Financial Services Firms,” Lockheed Martin Corp., 2015.
3 “There’s No Slowing Down Millennials,” First Data Corp., 2015.
4 “Online Fraud Perceptions: Millennials Vs. Boomers,” ThreatMetrix, 2016.
5 “2014 Identity Fraud Report,” Javelin Strategy & Research.
6 “2016 Identity Fraud: Fraud Hits an Inflection Point,” 31, Javelin Strategy and Research, 2016.
7 “Online Fraud Perceptions: Millennials Vs. Boomers,” ThreatMetrix, 2016.
8 “Gramm-Leach-Bliley Act,” Federal Trade Commission, https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act.
Key fraud and data privacy laws aside, several agencies also have mandates to protect consumers. Take
the Consumer Financial Protection Bureau (CFPB), which is tasked with ensuring that banks, lenders and
financial companies treat consumers fairly.11 The CFPB can create new rules or guidelines or even go after
institutions for an inadequate response to a data breach. But it’s difficult to know how they may respond
to different scenarios until they take enforcement actions.
A majority of states at least require written notification in the event of a breach. But beyond that it’s the
Wild West, with varying rules from state to state. Let’s briefly look at some of the considerations around
the more opaque regulatory bodies and state-by-state compliance.
STATE-LEVEL REGULATORY CHALLENGES
Today, forty-seven states mandate that entities provide at least written notification in the event of a
data breach. The timelines for notifications and requirements, however, vary. For example, Connecticut
mandates that organizations provide breach notifications within 90 days. When Social Security numbers
are exposed, organizations must also provide “appropriate” identity theft protection or mitigation
services at no cost for at least a year.12 In Oregon, on the other hand, businesses must notify customers
of breaches impacting more than 250 people and provide a sample copy of the breach notification to the
Oregon Attorney General.13 Only Alabama, New Mexico and South Dakota currently have no requirements.
State-level regulations are also evolving rapidly. In 2015 alone, 33 states considered new bills or resolutions. Most of the bills were focused either on reporting breaches to state agencies or on broadening the types of personal information that should be considered in a security breach.14 Given evolving threats and increasing citizen awareness, it’s likely that legislators will continue to introduce bills for the foreseeable future. A federal law could simplify matters to some extent, but currently there are no options in the works.
THE CONSUMER FINANCIAL PROTECTION BUREAU
The CFPB has a broad mandate, with a lot of room for interpretation. That’s why many financial institutions are uneasy about what they need to be doing to protect customers and themselves from regulatory actions. The CFPB’s goal is to “protect consumers and promote fair, transparent and competitive markets.”15 At a high level, the CFPB has similar consumer protection jurisdiction over the banks and credit unions that the Federal Trade Commission has over practically every other type of business in the U.S. In other words, “the banking industry has its very own federal consumer protection agency.”16 How the CFPB is going to pursue its mandate in the financial industry is unclear. Just consider that the CFPB pursued its first data security enforcement action in 2016 against an online payments company. The CFPB alleged the company was misrepresenting data security practices. It hit the offender with a $100,000 fine and training and security requirements—and there wasn’t even a breach.17 It remains to be seen how the CFPB may react in the event of an actual breach incident with a financial institution.

9 “The Identity Theft and Assumption Deterrence Act of 1998,” Federal Trade Commission, https://www.ftc.gov/enforcement/statutes/identity-theft-assumption-deterrence-act-1998.
10 “Sarbanes-Oxley Act of 2002,” U.S. Securities and Exchange Commission, https://www.sec.gov/about/laws.shtml#sox2002.
11 “Consumer Financial Protection Bureau,” http://www.consumerfinance.gov/?gclid=CNz8-orM_c0CFQqFfgod1Y8Jvg.
12 “New Data Security Law in Connecticut Imposes New Requirements on Businesses, Regulated Entities, and State Contractors,” Data Protection Report, July 27, 2015.
13 “Search Data Security Breaches,” Oregon Department of Justice and Consumer Protection.
14 “2015 Security Breach Legislation,” National Conference of State Legislatures, December 2015.
The CFPB does note that identity monitoring or identity theft protection services may help consumers
correct identity theft-related problems, but that the terms and conditions of the service are especially
important. For example, it suggests that consumers carefully consider service options, making sure that:
• “Free” trial offers don’t include hidden fees, trial periods or cancellation requirements
• The provider hasn’t been subject to actions by local consumer protection agencies or the state
attorney general’s office.18
THE OFFICE OF THE COMPTROLLER OF THE CURRENCY
The OCC has made cyber security actions a key focus area in recent years. Yet the OCC is far from
definitive on what “has” to be done to protect consumers. The lack of clarity leaves significant leeway for
enforcement actions. The OCC has participated in a Federal Financial Institutions Examination Council
(FFIEC) effort to use a Cyber Security Assessment Tool that is designed to “help institutions identify their
risks and determine their cyber security preparedness.”19 With respect to oversight, however, the OCC’s
role is limited to national banks, federally chartered savings and loan associations, federal branches and
agencies of foreign banks and IAPs.20
INDUSTRY TRENDS COMPLICATE MATTERS
Financial industry trends don’t make responding to broad and vague compliance challenges any easier.
In a nutshell, many strategic areas that require near-term actions also create new security concerns and
potential data exposure points. Let’s briefly explore industry trends that are critical to competitiveness,
yet add to challenges around protecting business and customer data and meeting regulatory guidelines.
15 “Compliance and Guidance,” Consumer Financial Protection Bureau.
16 “How the CFPB and the FTC Interact,” CFPB Monitor, July 7, 2011, https://www.cfpbmonitor.com/2011/07/07/howthecfpb-and-the-ftc-interact-part-i/.
17 “No Breach Required: CFPB Conducts First Data Security Enforcement Action,” Quarles and Brady LLP, March 2016.
18 “What is Identity Monitoring or Identity Theft Protection Service?,” Consumer Financial Protection Bureau, http://www.consumerfinance.gov/askcfpb/1369/what-identity-monitoring-or-identity-theft-protection-service.html.
19 “Cybersecurity Assessment Tool,” Federal Financial Institutions Examination Council, 2016.
20 “Enforcement Actions,” Office of the Comptroller of the Currency.
MARKETING PROGRAMS FOCUSED ON MILLENNIALS AND HIGH-NET-WORTH CUSTOMER SEGMENTS
Whether you are focusing marketing efforts on millennials or high-income households, their data is at a premium not only for your institution, but also for thieves and fraudsters. The importance of winning over key customer segments can’t be overstated when it comes to ongoing success.

Millennial Fast Facts21
• Millennials alone will control nearly $2 trillion in liquid assets by 2020
• 33 percent of millennials believe they won’t need a bank in five years
• 33 percent would have no issues with switching banks in the next few months

High-Value Customer Fast Facts
• Elite households control 41 percent of deposits22
• $5.8 trillion in investable assets23
• Are 3.5 times more likely to consider switching financial institutions than other consumers.24
THE NEED FOR MOBILITY AND DIGITAL ENGAGEMENT
Today’s customers expect cutting-edge engagement options with financial institutions. Easy access to their accounts and products through their smartphones is especially important. The expectations are only increasing as “fintech” companies from Silicon Valley enter the mix, expecting that their technical chops can better meet customers’ evolving needs.25 The new competition means that established financial institutions need to ensure that they are providing cutting-edge services.
THE NEED FOR ANALYTICS FOR BETTER UNDERSTANDING OF CONSUMER BEHAVIORS AND DECISION-MAKING
Analytics technologies have opened up new frontiers in understanding and serving customers, as well as compliance dangers. The ability to better see and analyze customer behaviors to stay ahead of the curve in meeting their requirements could provide tremendous value to financial institutions and their customers alike. Yet, if not managed correctly, it could also present dangerous data exposure points.
21 “There’s No Slowing Down Millennials,” First Data, 2015.
22 “Top Trends for Digital Financial Services in 2015,” Javelin Strategy & Research, March 2015.
23 “ ‘New’ Moneyhawks: Highly Profitable and Engaged Customers Defining the Future of Banking,” Javelin Strategy & Research, 2014.
24 “Top Trends for Digital Financial Services in 2015,” Javelin Strategy & Research, 2015.
25 “2016 Trends in Banking and Payments,” Javelin Strategy, January 2016.
TECHNOLOGY INTEGRATION AND CHANGES IN INTERNAL PROCESSES
Financial institutions need integrated systems that can securely share data in real time to support mobility, analytics and other key capabilities and technologies. The importance of technology integration will only increase as new players enter the competitive landscape and the requirements to keep customers loyal continue to grow.
GETTING ON THE RIGHT TRACK
Figuring out how to respond to this mix of industry trends and challenges is no small feat. Unfortunately,
there is no silver bullet. One thing is clear: Data protection strategies that consider what should be done
after a data breach or loss can help:
• Improve standing with regulators
• Foster customer trust and loyalty.
Most consumers contact their financial institution after they discover identity theft. That means financial institutions that partner with identity protection services can generate significant value for their customers. How? By easing the pain and cost of responding to fraud.26 For example, with new account fraud, which causes more damage to victims than any other type of fraud, victims spend an average of 15 hours trying to resolve the fraud. With expert support, that time and stress can be reduced significantly.
Ultimately, even regulators understand that no data security plan is foolproof. That’s why the ability to
show due diligence on post-breach response, in addition to enhancing security, is important. It underpins
a stronger case for avoiding regulatory actions and fines. It’s not enough to simply make a post-breach
response offering or program available, however. To satisfy customers and regulators, you need to
ensure that:
• Sign-up is easy
• The services do not mislead or misdirect your customers in any way
• The offer blends almost seamlessly with other services.
THE 5 THINGS TO LOOK FOR IN A PARTNER
In today’s financial world, identity and data breach defense solutions make a lot of business sense. A good solution provider can help your institution, employees and customers to recover from data breaches or fraud much faster and with much less frustration, expense and pain. The best-in-class solutions can even help enhance your portfolio and brand reputation by providing 24/7 top-quality care for customers through channels that work virtually seamlessly as an extension of your brand from the initial call through to resolution.

26 “Small Business Fraud Report,” Javelin Strategy & Research, 2016.
As with any type of service, provider choice can have a dramatic influence on the actual value of an
identity and data breach defense solution. So what are some key things you should consider as you
evaluate provider options? Here are five things that should be at the top of your list.
1. INDUSTRY KNOWLEDGE
Compliance takes more than basic identity and data protections. Given the constantly evolving regulatory
complexities, it’s critical to choose a provider that:
• Focuses on the financial service industry
• Knows the regulatory requirements for every state you operate in and has the ability to help you
respond in each of those states
• Understands how to help you meet the requirements of key agencies, including the CFPB.
2. BRAND EXTENSION
A provider capable of providing a personalized touch to service can help you increase customer loyalty
and grow your bottom line. A good identity and data breach defense solutions provider should be a true
partner, from onboarding through to implementation, training and ongoing account management.
3. REPUTATION
A trusted provider with a longstanding and outstanding reputation in financial services is critical. After all,
your identity and data breach defense solutions provider will be so closely associated with your brand.
Carefully consider:
• The other clients a provider works with
• Customer satisfaction ratings
• The average experience of the fraud specialists who will be handling your customers’ calls.

FAST FACT: Consumers rank reputation and low cost as the most important attributes of a solution provider.27

Red flag: Providers who want to direct sell or upsell your customers.
4. ADDED VALUE
The right solution should contribute to your institution’s compliance posture and brand reputation. It should also deliver significant value relative to the cost. Look for a provider capable of providing:
• Consistent, proactive service in resolving all of your customers’ identity theft concerns
• Clear terms and easy enrollment (this is a must for a successful program that regulatory bodies will view favorably).

27 “2016 Identity Protection Services Scorecard,” Javelin Advisory Services, June 2016.
5. SOLUTION DEPTH AND SCALABILITY
A good identity and data breach defense solution isn’t just reactive—it’s proactive. Look for:
• A product delivery team with a proven ability to stay ahead of the curve with solutions that meet customers’ evolving requirements.
• A solution that engages and helps educate your customers. This not only promotes better information protection practices and peace of mind; it can improve customer loyalty.
• A provider capable of keeping up with fast-evolving threats and regulations by updating policies and products as the landscape shifts.
CONCLUSION
Chances are, there will never be a time when it’s totally clear what your institution needs to do to comply with federal and state regulations. However, the fact that you don’t want to get robbed and you want to protect your customers’ best interests will never change, so there will always be motivation to do the right thing when it comes to securing data. If there were a “sure thing” in data security, this would be enough. Since there are no sure things in data security, and since your customers will turn to you for help if and when their data is compromised, reputable identity and breach defense services can be a smart investment.
7580 N DOBSON RD, SUITE 201 · SCOTTSDALE, AZ 85256
PHONE (480) 355 8500 · FAX (480) 355 8470 · WWW.IDT911.COM