A recent class action refiled in federal court against Shopify highlights a growing trend of lawsuits against companies over the theft of cryptocurrency, particularly theft resulting from insider threats. See Forsberg et al v. Shopify, Inc. et al, 1:22-cv-00436 (D. Del.). Despite not itself being a repository for or facilitating the

On February 26, 2020, the Consumer Financial Protection Bureau hosted a symposium titled “Consumer Access to Financial Records.”  Video of the Symposium is available here.  The agenda included discussion among panelists from large financial institutions, fintechs, consumer groups, policy centers, and the CFPB.  Director Kathleen L. Kraninger also delivered brief opening remarks describing the history of regulation of financial data access.

Much of the symposium’s discussion focused on Section 1033 of the Dodd-Frank Act, which governs consumers’ rights to access their financial data.  While the CFPB has the authority to issue rules interpreting Section 1033, it has not done so (although it has issued non-binding “Consumer Protection Principles” on financial data sharing and aggregation).

Continue Reading CFPB Hosts Symposium on Consumer Access to Financial Records

On November 19, the Basel Committee on Banking Supervision (the “BCBS”) released a report on open banking and application programming interfaces (“APIs”), focusing specifically on aspects of open banking related to customer-permissioned data sharing, including sharing between a customer’s bank and various third party firms. The report builds on the BCBS’ February 2018 paper (“Sound Practices: Implications of fintech developments for banks and bank supervisors”), which noted the increasing adoption of advanced technologies—including APIs—by banks, service providers, and fintech firms to deliver innovative financial products and services. The key findings from the report are outlined below.

Continue Reading Basel Committee on Banking Supervision Releases Report on Open Banking

On March 5, 2019 the Federal Trade Commission (“FTC”) published requests for comment on proposed amendments to two key rules under the Gramm-Leach-Bliley Act (“GLBA”).  Most significantly, the FTC is proposing to add more detailed requirements to the Safeguards Rule, which governs the information security programs financial institutions must implement to protect customer data.

In addition, the FTC is proposing to expand the definition of “financial institution” under the Safeguards Rule and the Privacy Rule to include “finders.”  Finally, the FTC is proposing to amend the Privacy Rule to make technical and conforming changes resulting from legislative amendments to GLBA in the Dodd-Frank Act and FAST Act of 2015.

Proposed Revisions to the Safeguards Rule’s Information Security Program Requirements

The Safeguards Rule establishes requirements for the information security programs of all financial institutions subject to FTC jurisdiction.  The Rule, which first went into effect in 2003, requires financial institutions to develop, implement, and maintain a comprehensive information security program.  As currently drafted, the Safeguards Rule has few prescriptive requirements, but instead generally directs financial institutions to take reasonable steps to protect customer information.

The FTC’s proposed revisions would add substantially more detail to these requirements.  Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, explained that the purpose of the proposed changes is “to better protect consumers and provide more certainty for business.”  The new requirements are primarily based on the cybersecurity regulations issued by New York Department of Financial Services (“NYSDFS”), and the insurance data security model law issued by the National Association of Insurance Commissioners.

Some of the specific proposed changes include:

Continue Reading FTC Proposes to Add Detailed Cybersecurity Requirements to the GLBA Safeguards Rule

In response to questions from a Member of the European Parliament, the European Data Protection Board (EDPB) has provided much-needed clarification on the overlap between the General Data Protection Regulation (GDPR) and the EU Payment Services Directive (PSD2) in an open letter.  As we identified in a previous blog post on this topic, the interaction between PSD2, aimed at increasing the seamless sharing of data, and the GDPR, aimed at regulating such sharing, raises complicated compliance concerns.  The EDPB’s letter aims to clarify some of these difficult compliance questions.

Continue Reading European Data Protection Board Provides Clarification On PSD2

The Payment Services Directive (PSD2), which took effect on January 13, 2018, puts an obligation on banks to give Third Party Providers (TPPs) access to a customer’s payment account data, provided the customer expressly consents to such disclosure. The new legislation is intended to improve competition and innovation in the EU market for payment services. The General Data Protection Regulation (GDPR), which is due to take effect from May 25, 2018, enhances individuals’ rights when it comes to protecting their personal data. The interaction between PSD2, aimed at increasing the seamless sharing of data, and the GDPR, aimed at regulating such sharing, raises complicated compliance concerns.

For example, where banks refrain from providing TPPs access to customer payment data for fear of breaching the privacy rights of their customers under the GDPR, competition authorities may consider this a breach of competition law. This concern is already becoming a reality for banks – on October 3, 2017, the European Commission carried out dawn raids on banking associations in Poland and the Netherlands following complaints from fintech rivals that the associations were not providing them with what they considered legitimate access to customer payment data.

Continue Reading Overlap Between the GDPR and PSD2