Regulatory divergence—variations in financial regulations around the world—inevitably creates stress for financial companies that neglect to keep close track of their clients’ data. Many companies cannot even identify where their customer data is stored, nor can they fathom the extent of the data they’ve collected. And the practice of employees using multiple tools to compile and store data only adds to the stress.
The implementation of the General Data Protection Regulation (GDPR) across the European Union (EU) has been a game-changer for the finance world. According to research from Sia Partners, the cost for financial institutions to become GDPR-compliant dwarfs the investment for organizations in other sectors. While technology firms and media organizations in the United Kingdom might spend 20 million pounds or 7 million pounds, respectively, the average bank in the UK needs to fork over about 66 million pounds to reach full compliance.
GDPR has also heightened regulatory uncertainty everywhere in the world. Combined with the patchwork of federal and state regulations for data-management systems in the US financial industry, that uncertainty means firms here are feeling the weight of divergence more than ever.
Regulations such as those implemented with GDPR give customers greater control and agency over their own information, which means businesses cannot afford to spread data across disparate systems that make it difficult or impossible to track. Such gaps create compliance liabilities, and in the event of a security breach, the consequences of mismanaged content could be catastrophic.
Considering the divergences between not only financial regulations but also systems and processes, compliance can be costly and time-consuming. To ease widespread concerns and address operational flaws, companies need to streamline processes and resources to clarify where and how client data should be stored.
GDPR’s cascading effects
The implementation of GDPR has compelled the largest Silicon Valley firms to make it easier for users to amend or delete their own data and prevent personal information from being collected and shared without consent. These changes will soon be required, not optional, domestically—and some US states are already enhancing their individual regulations.
California, for example, is trying to be proactive on data security, and New York in 2017 implemented what one analyst called “the most stringent rules” in cybersecurity outside of the military. Those new rules, called 23 NYCRR 500, require that a chief information security officer oversee and maintain a cybersecurity policy, perform periodic testing of the company’s vulnerabilities, establish limits on data access and retention, and notify the state when a cyber-event occurs.
As for the states without regulations, individual companies and associations there are taking matters into their own hands rather than waiting for more restrictive regulations. Many are treating the European policy changes as a chance to improve their data-privacy and security systems.
Apple CEO Tim Cook, for example, argues in favor of privacy online and has called for Congress to pass federal legislation to make it more attainable. He argues that this would give consumers control of their data and shed light on those who are currently using it in ways that undermine trust and abuse sensitive information. Cook believes that technology and privacy do not have to be mutually exclusive.
But the lack of consistency among state and federal regulations in the United States adds layers of difficulty for financial businesses that are already developing responsive policies. Fragmented regulations also place a conservatively estimated $780-billion economic drag on the industry, according to a recent study conducted by the International Federation of Accountants (IFAC) and Business at OECD (BIAC).
Firms that hire data-protection officers (DPOs)—team members who keep companies compliant through employee culture, policy implementation and disaster training—should manage to stay ahead of moderate or elevated regulatory litigation. GDPR mandates the appointment of a DPO if a company acts as a public authority, engages in systematic monitoring of people, or processes sensitive personal information on a large scale.
Preparing for tougher regulations
Unfortunately, the adoption of heightened regulations has hit many companies where it hurts: square in the pocketbook. A PricewaterhouseCoopers (PwC) survey of 300 executives in the United States, the United Kingdom and Japan found that 88 percent of those companies had spent more than $1 million to make changes because of GDPR; of those same companies, 40 percent said they had spent in excess of $10 million to get ready for GDPR.
As with any security measure, policies widely considered to be the most restrictive eventually become standard for the industry. Whether it happens in 2019 or over the next few years, compliance with regulations such as GDPR will ultimately be mandatory.
This means financial firms must be ready to handle massive amounts of personal information by increasing their bandwidth and investing in new information technology (IT) products. Another complication is the fact that financial institutions must find ways to navigate “special category data” that is similar in some ways to health data. This particularly sensitive information is subject to a higher level of protection—and rightfully so—requiring firms to store and use this data with increased discretion.
As time passes, increasingly restrictive global standards and penalties—hefty fines and pressure from clients as they gain greater control of their data—will be a part of any broad-sweeping policies adopted in the US. Companies should be aware of a higher chance of increased government restrictions and expect the companies they patronize to practice more stringent data-security measures. Businesses that fail to enact long-overdue changes will not be tolerated.
From a practical standpoint, failing to meet regulations increases the likelihood of data theft. A survey commissioned by VIPRE states that 23 percent of respondents report daily cyberattacks, and two-thirds said their businesses would suffer a short-term or long-term shutdown if their systems or data were compromised.
And to what do breaches always boil down? The improper and insecure storage of customer data. Developments such as GDPR highlight the same concern: how client data is handled. The only difference this time around is that the timeframe has been condensed, and affected customers are demanding to be heard.
That shift might seem small, but the steep regulatory fines for GDPR violations are nothing to scoff at. Serious errors, including failure to obtain consent to process data or any sort of privacy breach, could result in fines of up to 20 million euros or 4 percent of a company’s annual global revenue. Google learned this lesson the hard way, as the company recently was fined 50 million euros for allegedly failing to provide consumers with enough information about how it would use their information and for not disclosing its data-consent policies in accordance with GDPR standards. With consequences that harsh, it wouldn’t be surprising to see a large number of businesses that remain non-GDPR-compliant go out of business in the event of a breach.
Regardless of the confusing nature of compliance, the most significant disruption to the status quo in privacy laws in at least two decades is transforming the financial industry. To continue to grow and thrive, US organizations must recognize the importance of data security and take steps to streamline their operations now. Those that start the process sooner will lessen their risk of noncompliance and come out ahead in the eyes of consumers and competitors alike.