FinTech Security and Regulation

As a FinTech consultant, I am conducting a study on the security and regulation of virtual banking in the US financial sector. The federal and state governments in the United States have various agencies that regulate and oversee financial markets and businesses. Each of these agencies has a distinct set of tasks and responsibilities, allowing them to operate independently while pursuing similar objectives.

The United States operates under a "dual banking system," meaning that banks can be chartered by either one of the 50 states or by the federal government. Regardless of who charters the bank, it will have at least one federal supervisor. Below is a list of US banking regulations that virtual banks must adhere to.

Firstly, the Gramm-Leach-Bliley Act (GLBA) mandates that financial institutions—companies providing financial products or services like loans, financial or investment advice, or insurance—inform their customers about their information-sharing practices and protect sensitive data.

The principal data protection elements of the GLBA are outlined in the Safeguards Rule. The FTC's Privacy of Consumer Financial Information Rule (Privacy Rule) supplements the GLBA by providing additional privacy and security requirements. The GLBA is enforced by the FTC, federal banking agencies, other federal regulatory bodies, and state insurance oversight agencies.

For instance, the Safeguards Rule (16 CFR 314) requires financial institutions under FTC jurisdiction to have safeguards for protecting client information. Companies subject to this rule must ensure that their affiliates and service providers maintain customer data securely and implement their own protective measures.

Additionally, the Financial Privacy Rule (16 CFR Part 313) requires financial institutions to issue specific notices and adhere to certain limitations on the dissemination of nonpublic personal information. Unless an exception applies, financial institutions must inform both affiliated and non-affiliated third parties about their privacy policies and practices and allow consumers to opt out of sharing their nonpublic personal information with nonaffiliated third parties.

Secondly, the California Consumer Privacy Act of 2018 (CCPA) grants consumers more control over personal data collected by organizations. California consumers now have new privacy rights, including the right to know what personal information a business collects and how it is used and shared; the right to request the deletion of collected personal information (with some exceptions); the right to opt out of the sale of their personal information; and the right to non-discriminatory treatment for exercising their CCPA rights.

In November 2020, Californians voted to enact the California Privacy Rights Act (CPRA), which significantly expands existing privacy rules and will take effect on January 1, 2023. It's worth noting that the current "business-to-business" and "HR" exceptions will expire on the same date, making the full range of CPRA standards applicable to these types of personal information, which are currently largely exempt from the CCPA.

Thirdly, the NYDFS Cybersecurity Regulation (23 NYCRR 500) imposes strict cybersecurity standards on financial institutions in New York. Under this regulation, entities like banks, mortgage companies, and insurance providers must implement comprehensive cybersecurity plans and policies and maintain ongoing reporting systems for cybersecurity events.

Fourthly, the Information Technology Examination Handbook's "Outsourcing Technology Services Booklet" offers guidelines to help examiners and bankers evaluate the risk management processes involved in establishing, managing, and monitoring IT outsourcing relationships. Federal financial regulators have the authority to oversee all activities and records of a financial institution, whether performed by the institution itself or by a third party.

Fifthly, another section of the Information Technology Examination Handbook, the "Information Security" booklet, provides guidance on assessing the level of security risks to a financial institution's information systems. It encourages institutions to maintain robust information security programs that are supported by board and senior management, integrated into business processes, and clearly accountable for security tasks.

Sixthly, the Consumer Financial Protection Bureau (CFPB) has issued guidelines for its Information Technology Examination Procedures under Compliance Management Review. While institutions can outsource operational aspects of a product or service, they cannot delegate the responsibility for ensuring compliance with federal consumer financial regulations or managing the risks associated with service provider agreements.

In summary, virtual banks operating in the United States must comply with all the aforementioned regulations. This involves interpreting the rules, clarifying them, and preparing the necessary documentation. To achieve compliance, virtual banks will need to thoroughly analyze these requirements and take the appropriate steps to meet them.

Some of the key bank regulations in the United States include the following:

1. Regulation B: This regulation aims to prevent discrimination in the credit application process. It outlines the procedures lenders must follow when obtaining and processing credit information. Under this regulation, lenders are prohibited from discriminating based on age, gender, race, nationality, or marital status.

2. Community Reinvestment Act of 1977 via Rule BB: This Federal Reserve regulation encourages banks to lend to low- and moderate-income borrowers. It also requires institutions to disclose the communities they intend to serve and the types of credit they are willing to offer there.

3. Home Mortgage Disclosure Act of 1975 via Regulation C: This regulation mandates that many financial institutions annually provide loan data about the communities to which they have offered residential mortgages.

4. Regulation CC: This rule requires depository institutions to make funds available within specified time periods and inform customers about their funds' availability practices. It also includes measures to expedite the collection and return of unpaid checks.

5. Regulation D: This regulation imposes reserve requirements on certain deposits and other liabilities of depository institutions for monetary policy purposes.

6. Regulation DD: Financial institutions are obligated to inform customers about annual percentage yields, interest rates, minimum balance requirements, account opening disclosures, and fee schedules. This regulation applies to personal accounts, not corporate or organizational accounts.

7. Regulation E: This regulation establishes standards for electronic funds transfers, specifying the responsibilities of both consumers and financial institutions. It covers actions consumers must take to report issues and the steps banks must follow to offer remedies.

8. Regulation H: This rule requires member banks to implement security measures against specific offenses, as outlined by the Bank Protection Act. Member banks are also required to report suspicious activities under this regulation.

9. Servicemembers Civil Relief Act (SCRA): This federal law protects military personnel as they prepare to enter active service, covering a range of topics such as rental agreements, evictions, and interest rates on various forms of credit.

10. Bank Secrecy Act (BSA): Also known as the Currency and Foreign Transactions Reporting Act, this regulation mandates that financial institutions report certain cash transactions exceeding $10,000.

11. Unlawful Gambling Enforcement Act (UIGEA/Regulation GG): This regulation prohibits transactions related to illegal internet gambling.

12. Regulation M: Known as Subchapter M, this IRS regulation allows investment companies to pass on capital gains, dividends, and interest to individual investors without double taxation.

13. Regulation O: This rule limits the credit extensions that a member bank can offer to its executive officers, major shareholders, and directors.

14. Regulation T: This regulation governs investor cash accounts and the credit that brokerages may extend for the purchase of securities.

15. Regulation U: This regulation restricts the leverage that can be used in buying securities with loans secured by those securities.

16. Regulation V: This rule requires all entities that provide information to consumer reporting agencies to ensure the information is accurate.

17. Regulation W: This Federal Reserve regulation restricts certain transactions between banks and their affiliates.

18. Regulation X: This sets credit limits for foreign individuals or organizations purchasing U.S. Treasury securities.

19. Regulation Y: This governs the conduct of corporate bank holding companies and some state-member banks.

20. Regulation Z: Also known as the Truth in Lending Act, this regulation aims to ensure that loan terms are communicated clearly, enabling consumers to easily compare credit arrangements.

In conclusion, the above overview outlines the U.S. banking authorities and regulations that virtual banks must comply with.