Cyber and data: Regulatory challenges

Increases in data transfer sophistication have widened the array of entry points to a financial services company’s assets and consumer data, widening the number of attack vectors for malicious actors. Weak access management and authentication controls provide opportunity for cyber attackers to leverage compromised credentials to access the same resources and data that legitimate users can.

New FFIEC guidance outlines effective risk management principles and practices for access and authentication, including:

• Monitoring, logging, and reporting of activities to identify, track, respond, and investigate attempted or realized unauthorized activities.
  
• Layered security and multiple controls to compensate for the weakness of a single control; multi-factor authentication may protect accounts from being compromised by threats, such as credential stuffing, phishing attacks, and spear-fishing attacks
• Access and transaction controls including account maintenance; transaction value, frequency, and timing; rate limits on log-in attempts; and application timeouts.
• Authentication solutions employed before system access, including solutions such as device-based public key infrastructure (PKI) authentication, one-time passwords (OTP), behavioral biometrics software, and device identification and enrollment.

Identify, manage and protect the organization’s information assets (throughout the data management lifecycle) by embedding “privacy by design” and automating data protection.

Businesses are collecting increasing amounts of customer data to feed predictive analytics, personalize marketing campaigns, and introduce/improve products and services. Consumers, for the most part, are increasingly concerned about how their information is being collected, used, and protected – focusing regulatory attention on customer data privacy and protection. “Privacy by design” principles set a baseline for robust data protection by embedding privacy into the design, operation, and management of new applications, including IT systems, AI platforms, and digital business practices, with the goal of preventing privacy vulnerabilities. 

Forthcoming regulatory attentions on data and privacy are expected to include: 

• A CFPB proposed rulemaking to facilitate the portability of consumer financial transaction data.
• An FTC rulemaking addressing unfair data collection and surveillance practices impacting competition, consumer autonomy, and consumer privacy.
• A CFPB review of Big Tech practices related to consumer data capture, use, and restrictions in the context of their payments systems.
• SEC focus on investor protections, predictive data analytics, and digital engagement practices.
• Expansion of state data privacy and protection laws. Notably, the California Privacy Rights Act (CPRA) will be taking the place of the California Consumer Privacy Act (CCPA) beginning January 2023, bringing into scope a host of changes around new GDPR-like rights as well as a focus on areas such as records retention, business purpose limitations on data collection, data storage and processing, disclosure of predictive AI model details, and cyber audits.

Ten Key Regulatory Challenges of 2022

The year 2022 brings high levels of risk and regulatory supervision and enforcement. Regulatory “perimeters” continue to expand, and regulatory expectations are rapidly increasing. All financial services companies should expect high levels of supervision and enforcement activity across ten key challenge areas. Read the full report to learn more.