Governments and financial organizations finally agree on one thing: data security is not to be taken lightly. For obvious reasons, it matters even more within financial services. With potential access to life savings, financial products, investments and personal information at stake, financial services regulators are having to keep up with the constantly evolving threat of data breaches.
On top of this, money laundering and fraud are inherently financial: at some point, most crime comes back to monetising or moving money. Since that money is frequently taken from innocent account holders, firms have every reason to make data security a priority.
This is why it matters whether a financial company is regulated by a top-tier financial body. For example, any company authorized to operate by the FCA will certainly be monitored to ensure customer data is kept safe. Regulators around the world maintain long checklists of what firms must and must not do, and those checklists heavily overlap with each other.
The FCA point to several areas, beyond IT systems, in which customer data can be compromised and where controls are expected:
Physical security of the business premises
A visitor sign-in book, backed by security staff or supervision of visitors
Thorough recruitment checks
Credit and criminal-record checks on staff who have access to data
As we can see, keeping data secure is not purely an IT problem. Whilst secure systems with safe backups, encryption and sound key management are vital, they are far from the only issue. A large emphasis is placed on how employees handle the data, and on who those employees are.
For example, if employees store data on CDs or USB drives, these must never be taken out of the office unless they are encrypted. Likewise, passwords should never be written down on paper, since any visitor to the office could read them.
It is also important to remember that when work is outsourced to a third party, you remain responsible for their handling of customer data. These obligations can never be outsourced. It is therefore up to your business to vet the third party's procedures and ensure they comply with your own (and the regulator's) security requirements.
Preventing fraud in the financial service industry
Fraud is extremely prevalent in the financial services industry, and the consequences can be devastating. For this reason, a range of controls exist to mitigate the possibility of financial fraud.
This starts with weighing up, impartially, which areas of the company are most vulnerable to fraudsters, and then ensuring the controls adapt to new fraud threats. After all, fraudsters are constantly evolving their methods, so fraud-prevention measures need to keep up with them.
Instances of fraud need to be accurately reported, understood, and fed back into prevention techniques. Those techniques should be taught to all relevant staff, and basic data security practices should be taught to every member of staff regardless of their role.
It is also important that financial companies engage in cross-industry collaboration against fraud, or, better still, that the regulators and industry bodies themselves collaborate, for example through data-sharing initiatives.
The FCA have collated a long list of good and bad practices. One example of good practice is treating the risk assessment as a comprehensive and continuous process rather than a one-off exercise.
GDPR: Coordinating data security for financial services
The General Data Protection Regulation (GDPR) is a European Union law that gives individuals in the EU enforceable data protection rights. With the Cambridge Analytica-Facebook scandal, we saw the damage that can be done when personal data is misused.
The impact of the new law on the financial services industry was significant. For example, a business needs a lawful basis, such as the customer's consent or the performance of a contract, to process personal data such as the customer's name, address, IP address or national identification number. Where consent is the basis, it must be actively given: pre-ticked boxes and assumed opt-ins do not count, so customers have far more power to withhold or withdraw consent for a company to use their data.
Individuals in the EU also have a right to erasure (the "right to be forgotten"), meaning they can ask a company to delete their personal data. For a financial services company, it is vitally important to honour such requests and genuinely "forget" the data, while retaining only what it is legally obliged to keep, for example records required under anti-money-laundering rules.
The rest of the world
The USA lacks a single federal privacy law that protects citizens' data to the extent GDPR does. Individual states are making up for this, for example with the California Consumer Privacy Act, which came into effect at the beginning of 2020. This creates friction for financial companies operating across multiple states, since compliance effort has to be split across differing state requirements.
Australia sits somewhere between the two. Data privacy is regulated at both federal and state level: the federal Privacy Act 1988 and the Australian Privacy Principles it contains apply nationally, while states and territories add their own legislation on top. Many of these laws overlap, but compliance nevertheless becomes more costly when operating nationwide.
Of course, the Coronavirus pandemic is also putting more pressure on the industry. Behemoth investment banks and firms across the entire sector have had to switch to working predominantly from home. This means data is being accessed by remote workers who need adequate security training and who may be working over unsecured public Wi-Fi or leaving their screens unattended in public places.