Banking Regulation 2026

Last Updated December 09, 2025

USA - New York

Trends and Developments


Authors



Moses Singer has, for over 100 years, provided legal services to a diverse range of clients, including leading banks, companies, individuals and families. Its client base spans industries such as banking and finance, entertainment, media, real estate, advertising and technology. It advises both emerging entrepreneurs and well-established businesses on corporate transactions and financing matters. Its core focus lies in banking, corporate, litigation, intellectual property, real estate, private clients, AI and data law, and bankruptcy and restructuring. Many of the attorneys are seasoned professionals who are highly respected in their fields. Some have built their entire legal careers at the firm, contributing to a culture grounded in excellence, integrity and sound judgement. This depth of expertise and long-standing stability enables the firm to deliver high-quality, practical and personalised legal services to its clients.

Regulatory Technology

Introduction

RegTech, or “regulatory technology”, refers to the technologies that enhance and streamline compliance by financial institutions with federal and state legally mandated regulations. The development of RegTech procedures for use by financial institutions and their regulators has been driven by the implementation of digital technology by regulated financial institutions (“Financial Institutions”).

By way of background, prior to the widespread use of digital technology by Financial Institutions (ie, the practice of digitising and possibly also encrypting data, and then storing the digital data in various locations such as on site, in the cloud, in secure data centres for core systems and in separate disaster recovery centres), data and records were maintained based on analogue technology (ie, the process of taking data and recording it on a physical medium such as paper). Minimal encryption or no encryption could be applied to physical data, and the physical record was maintained by the Financial Institution, typically in a location believed to be secure. Utilisation of digital technology typically results in improved security, precision and accuracy of recorded data, significantly increases the storage capacity for records, and allows for the adoption of modifications to facilitate third-party and government interaction. In addition, all modern digital payment systems require a digital data format for transaction initiation, authentication, processing and settlement (ie, payment methods other than cash or cheques require digital data).

The technologies frequently employed to create compliance programmes will include:

  • Artificial intelligence (AI): A computer program to perform tasks that normally require human intelligence, such as learning, problem solving and decision-making, by accessing large amounts of data and analysing the data to identify problems and make predictions;
  • Blockchain: A decentralised, distributed digital ledger that is shared across a network of computers that creates batches of transactions, linked together chronologically using cryptography;
  • Cloud-based data storage: A cloud computing model that enables the storing of data and files on the internet through a third-party cloud computing provider to save data for various regulatory and commercial purposes;
  • Big data processing: An exceptional volume of data (both from internal transaction records and from third-party information, such as sanctions lists) that is stored in a manner that can facilitate real-time data processing; and
  • Robotic process automation: The use of software robots to automate repetitive, rules-based tasks,

(referred to herein collectively as the “Digital Technologies”).

The absence of a unified set of US banking regulations applicable to Digital Technologies has resulted in multiple overlapping regulations, particularly with respect to data privacy and cybersecurity. The issue is further complicated by the need to create two separate data pools – one containing the data reportable to US government agencies (which is extensive and subject to its own privacy guidelines) and one containing the data otherwise retained by the Financial Institution in the ordinary course of its business (which is subject to different privacy guidelines). As discussed in further detail below, the CCPA Regulations (defined below) and similar state regulations present overlapping and inconsistent privacy standards with respect to which there is no clear resolution.

Applicable law and regulations

The use of Digital Technologies in connection with regulatory compliance by Financial Institutions raises legal issues in the realm of data privacy, cybersecurity, intellectual property, allocation of rights with respect to components of the digital data, and allocation of liabilities arising from the use of the digital data. The operation of Digital Technologies in a cross-border setting may also raise jurisdictional issues and the need to comply with multiple legal regimes. This review does not discuss the extensive intellectual property issues associated with Digital Technologies and does not include a discussion of the more extensive privacy and security laws that have been enacted in Europe and the UK. We have focused on the data privacy and cybersecurity regulations currently applicable to Financial Institutions in the USA.

Data privacy

We begin with an overview of the federal regulations specifically applicable to any customer information collected by Financial Institutions and the guidelines with respect to third-party access to such information. None of the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC) or the Board of Governors of the Federal Reserve System (“Federal Reserve” and, together with the OCC and the FDIC, collectively, the “Principal US Bank Regulators”) has issued detailed regulations as to how Digital Technologies should be implemented by regulated banks. Instead, the Principal US Bank Regulators address the use of digital technology as a component of safety and soundness standards (a majority of the applicable regulations were implemented pursuant to the Gramm-Leach-Bliley Act (15 USC §§ 6801–6809, §§ 6821–6827)).

The Interagency Guidelines Establishing Information Security Standards set forth at 12 CFR Part 30, Appendix A set out the “safety and soundness” guidelines generally adopted by the Principal US Bank Regulators. In essence, the “safety and soundness” criterion is evaluated by an examination of (i) internal controls and information systems, (ii) internal audit systems, (iii) loan documentation practices, (iv) credit underwriting practices, (v) interest rate exposure, (vi) asset quality and (vii) earnings. The guidelines focus on the federal regulations that mandate collection and maintenance of a significant amount of information on each customer, and the information disclosure requirements that arise under the Anti-Money Laundering Act (AMLA), the Bank Secrecy Act (BSA), the reporting requirements of the Financial Crimes Enforcement Network (FinCEN), and the reporting and sanctions regulations issued by the Office of Foreign Assets Control (OFAC).

Pursuant to 12 CFR 208.63(b)(2), 211.5(m)(2) and 211.24(j)(2) (Federal Reserve); 12 CFR 326.8(b)(2) (FDIC); 12 CFR 21.21(c)(2) (OCC); and 31 CFR 1020.220 (FinCEN), all Financial Institutions must have a Customer Identification Program (CIP) which is incorporated into the institution’s BSA and AMLA compliance programme. CIPs require the institution to collect base-line identification of any account holder (such as name, address and federal identification number (social security number for individuals, and tax identification numbers for all other account holders)), with few exceptions. Additional information is required for customers in certain lines of business. The CIP data collected must be verified by the Financial Institution.

The CIP process must include procedures for determining whether the customer appears on any list of known or suspected terrorists or terrorist organisations issued by any federal government agency and designated as such by the US Treasury Department in consultation with the Principal US Bank Regulators. For example, the procedures must require the Financial Institution to review the CIP data in accordance with the identification and reporting procedures mandated under or by the AMLA, BSA, FinCEN and OFAC and to follow all federal directives issued in connection with such lists (31 CFR § 1020.220).

As a result of the above-referenced reporting requirements, prior to the opening of an account at a Financial Institution, the customer data collected for an account holder may have been disclosed to the US Treasury Department (pursuant to AMLA and BSA regulations) as well as FinCEN and OFAC (such data referred to herein as “Government Regulatory Data”). Disclosure of Government Regulatory Data to third parties requires the submission of an application pursuant to the Freedom of Information Act (5 USC § 552), which grants the public the right to request access to agency records unless they fall under specific exemptions. The exemptions include: (i) information required to be withheld pursuant to other federal statutes (see below regarding privacy rights of consumers pursuant to other federal laws); (ii) foreign policy information that has been classified; (iii) records that are “related solely to the internal personnel rules and practices of an agency”; (iv) information that would reveal “trade secrets and commercial or financial information obtained from a person [that is] privileged or confidential”; (v) “inter-agency or intra-agency memorandums or letters which would not be available by law to a party other than an agency in litigation with the agency”; (vi) personal privacy interests in records contained in personnel, medical and similar files when disclosure of such records would constitute “a clearly unwarranted invasion of personal privacy”, such as access to information such as home addresses, third-party names, phone and social security numbers, and medical information contained in personnel files; (vii) “records or information compiled for law enforcement purposes”; (viii) matters that are “contained in or related to examination, operating, or condition reports prepared by, on behalf of, or for the use of an agency responsible for the regulation or supervision of financial institutions”; and (ix) geological and geophysical information and data, including maps, concerning wells.

Information that is not Government Regulatory Data is subject to federal privacy laws and, in certain cases, state privacy laws (such data referred to herein as “Generic Customer Data”). With respect to Generic Customer Data, all Financial Institutions are subject to the consumer privacy regulations issued by the Federal Trade Commission (FTC) (16 CFR Part 313) and the Consumer Financial Protection Bureau (CFPB) (12 CFR Part 1016). For the purposes of the FTC and CFPB regulations, a “consumer” is someone who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family or household purposes. The term “consumer” does not apply to commercial clients.

The FTC and CFPB regulations protect a consumer’s “nonpublic personal information” (NPI) (15 USC 6809(4)(A)). NPI is any “personally identifiable financial information” that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise “publicly available”. Financial Institutions must give consumers a “clear and conspicuous” written notice describing their privacy policies and practices (known as a “Privacy Notice”). If a Financial Institution wishes to share NPI with non-affiliated third parties, the consumer must be given (i) an “opt-out” notice explaining the individual’s right to direct the Financial Institution not to share their NPI with non-affiliated third parties; (ii) a reasonable way to opt out; and (iii) a reasonable amount of time to opt out before the Financial Institution discloses their NPI. The Privacy Notice must be given to consumers on an annual basis.

State-based consumer privacy regulations generally exempt large banks for data and activities already regulated by federal law, and many state consumer privacy laws have exemptions relating to Financial Institutions or data otherwise covered by federal law. However, California’s consumer privacy laws (the California Privacy Rights Act (CPRA) (Cal. Civ. Code § 1798.100 et seq) and the California Consumer Privacy Act Regulations (“CCPA Regulations”)) have a narrower, data-level exemption (meaning that while NPI collected or processed pursuant to applicable federal law is exempt, any other data a bank collects would be subject to state regulation). As a result, the CCPA Regulations present overlapping and inconsistent privacy standards with respect to which there is no clear resolution (potentially requiring a review of all data, whether initially classified as Government Regulatory Data or Generic Customer Data, for compliance with the CCPA Regulations).

Cybersecurity

As noted above, the Principal US Bank Regulators have not issued detailed regulations as to how cybersecurity should be implemented by regulated banks. The federal information security guidelines applicable to Financial Institutions are set forth in 16 CFR § 314.3, which requires each Financial Institution to develop, implement and maintain a comprehensive information security system that contains administrative, technical and physical safeguards that are appropriate to the Financial Institution’s size and complexity, the nature and scope of the Financial Institution’s activities, and the sensitivity of any customer information at issue. In 2022, the Federal Financial Institutions Examination Council (FFIEC) issued an updated Cybersecurity Resource Guide for Financial Institutions. This guide outlines resources to assist Financial Institutions in strengthening their resilience to cyber threats, but the use of the guidelines and resources is voluntary.

Financial Institutions that have issued publicly traded securities are also subject to regulations issued by the Securities and Exchange Commission (SEC) that require registered companies to implement robust cybersecurity risk management and governance, conduct regular risk assessments, have an incident response plan, and report significant cyber incidents within 72 hours (see SEC Press Release 2023-139). In the context of credit and payment cards, the PCI Security Standards Council has adopted various guidelines as to standards for the maintenance of firewalls, the use of encryption and strong authentication practices such as multifactor authentication (www.pcisecuritystandards.org/standards/).

Accordingly, the cybersecurity guidelines applicable to Financial Institutions arise from the FFIEC, the SEC (with respect to issues of public securities) and the PCI Security Standards Council (with respect to credit and payment cards).

Conclusions and recommendations

A single regulation (addressing both privacy and cybersecurity issues) should be issued to cover all Government Regulatory Data, and the consolidated regulations should clarify the cases in which the Government Regulatory Data may also be subject to the FTC and CFPB regulations applicable to Generic Customer Data.

With respect to cybersecurity regulations, the Principal US Bank Regulators should issue one set of standards applicable to all Financial Institutions and clearly identify exceptions to the general rule. In light of the number of states that have different views on this issue, consolidated cybersecurity regulations are likely to take quite a while.

The drafting of consolidated privacy and cybersecurity regulations should begin with the formation of a banking industry panel (“Industry Panel”) to present data collection and distribution issues to the Principal US Bank Regulators. The drafting of the final regulations (and any necessary laws that must be passed by Congress to permit such regulations) should include the direct involvement of the Industry Panel and the Principal US Bank Regulators. To facilitate cross-border compliance, consideration should be given to alignment (or at least clear cross-referencing) of the US regulations with those already issued by the European Union, referred to as the General Data Protection Regulation (Regulation (EU) 2016/679).

We look forward to any questions or comments you may have.

Moses & Singer LLP

The Chrysler Building
405 Lexington Avenue
New York, NY 10174

212.554.7800

212.554.7700

rakiva@mosessinger.com www.mosessinger.com
