How security pros can prepare for a tsunami of new financial industry regs in 2021

January 14, 2021
Financial sector companies can expect to see a wave of new regulations and the restoration of Obama-era regs as the Biden administration takes office next week. Today’s columnist, Michael Magrath of OneSpan, pinpoints which regs security pros should focus on in the months ahead.
  • The Consumer Financial Protection Bureau (CFPB) issued advance notice of a proposed rule-making that would implement Section 1033 of the Dodd-Frank Act, considered the first step in setting standards in the U.S. around Open Banking. If passed, this would create a standardized approach for banks and financial institutions to work from.
  • The Federal Trade Commission's proposed amendments to the Safeguards and Privacy Rules under the Gramm-Leach-Bliley Act, issued in 2019 and still evolving, include several changes. Among them, financial institutions and applicable businesses would be required to encrypt customer data, implement access controls to prevent unauthorized users from accessing customer information, and use multi-factor authentication for access to customer data. The rule would apply to banks and businesses providing financial services.
  • Banks are also focused on fraud prevention, and the Federal Financial Institutions Examination Council (FFIEC) will probably update its guidance on Internet Banking Authentication. The guidance was last updated in 2011, and a revision would take into account a decade of technology innovation across authentication solutions. We consider this important given that the Financial Crimes Enforcement Network (FinCEN) recently reported that more than $1 billion per month is lost to identity-related cybercrimes, including $350 million per month lost to Account Takeover Fraud.
  • Follow closely the Advance Notice of Proposed Rulemaking (ANPRM) from the Consumer Financial Protection Bureau on Open Banking in the coming months. If Open Banking becomes the norm in the U.S., we’ll see banks and payment service providers also leverage biometrics for various authentication approaches.
  • Implement APIs to share customer data, as it’s unlikely a U.S. Open Banking policy will permit screen scraping, which gives third parties credential-based access to bank customers’ accounts.
  • Modernize authentication approaches to combine multi-factor authentication with biometric modalities such as face, fingerprint, voice and iris scan to protect customer data and provide a frictionless, secure user experience for customers under the pending new regulations.
  • Combine AI with machine learning (ML) to score, in real time, the likelihood that an action is anomalous or fraudulent. Banks should also leverage ML to adapt the biometric authentication type to the level of risk through continuous risk monitoring.