As the FinTech industry continues to grow, the demand for tougher regulations and compliance with them is much higher. What regulations are applicable to financial services and what do they actually mean to the users of those services? Here’s a short overview:
KYC - Know Your Customer
Know Your Customer is a standard banking policy adopted by banks and financial services companies to prevent identity theft, financial fraud, money laundering and funding for terrorism.
This policy allows banks to manage risks on your behalf and provide a better quality of services. It requires banks to identify customers, monitor their transactions and analyze risks. The policy also controls how the bank interacts with you.
What are the implications of KYC on users?
KYC can be best defined as the process of verifying a customer’s identity. KYC requires banks to verify your identity prior to doing business with you, so you will be asked for documents required under the law (such as your proof of identity and confirmation of your address). If you apply for a loan or a credit card or want to invest in a mutual fund, you will be asked for other documentation as well. All of these are required for your financial safety. KYC procedures are part of Anti-Money Laundering laws.
AML - Anti-Money Laundering
Anti-Money Laundering entails a set of laws, regulations, and procedures that banks and other financial institutions must follow to deter entities and persons attempting to disguise illegally obtained funds as legitimate income and to prevent fraud. AML is much broader than KYC. A lot of different laws regulate AML practices globally to ensure that these institutions do not partake in money-laundering activities.
The most important regulations that cover the United States AML Policy include:
- The Financial Action Task Force (FATF) - comprised of 36 member states and 2 regional organizations, it represents most of the major financial centers in the world, including the United States.
- The United States’ Bank Secrecy Act (BSA) and the USA Patriot Act - these assist U.S. government agencies in detecting and preventing money laundering and funding terrorist activities.
What are the implications of AML for users?
Similarly to KYC, your bank will be asking you to verify your identity in order to use its services.
CIP - Customer Identification Program
Customer Identification Program is a United States requirement applicable to financial institutions, provisioned by the USA Patriot Act. Similarly to the laws described so far, it mandates that companies identify individuals wishing to conduct financial transactions with them. CIP compliance requires US financial institutions to develop a CIP proportionate to the size and type of its business. The CIP must be incorporated into the bank's Bank Secrecy Act and Anti-money laundering Compliance Program.
What are the implications of CIP for users?
Customer Identification Program (CIP) rules require that each new account opening must be accompanied by a series of verification measures to determine and identify the true identity of the account opener, which means you will be asked for proof of your identity. Financial institutions must also conduct a risk assessment of their customers and keep accurate and detailed records of the information used to collect and verify the individual’s identity. They also perform a cross-check of ID records against government lists to see if any known or suspected terrorists or terrorist organizations appear on their records.
GDPR - General Data Protection Regulation
The EU's General Data Protection Regulation replaced the 1995 Data Protection Directive, which set the minimum standards for processing data in the EU. the GDPR limits what companies can do with people’s data. It gives them precise guidelines on how the data can be processed and gives users clarity over the kind of data that are being used and how companies will use it. For GDPR, data such as sexual orientation, healthcare data, and political opinion, is considered personal data.
What are the implications of GDPR for users?
GDPR significantly strengthened a number of rights for individuals. Under GDPR they have more power to demand that companies reveal or delete the personal data they hold. It also means that users will be asked to opt-in to use a company’s services (opting-out means you will not be able to use a company’s service). You can also request to have your data deleted.
CCPA - California Consumer Privacy Act
This regulation aims to limit unauthorized disclosures and losses of personal information, give consumers control of their personal information and reinforce penalties for businesses in case of violation. According to this regulation, businesses must include new processes and set up new organizations to manage access to personal information, deletion of personal information, consent, disclosure of information and discrimination of prohibition.
What are the implications of CCPA for users?
The act implies new rights for California consumers:
- The right to know what data has been captured
- The right to delete data
- The right to access data
- The right to equal service and price
- The right to opt-in and opt-out
- The right to seek damages but also new requirements for businesses (access to personal information, deletion of personal information, consent management, disclosure of information, discrimination of prohibition) which include new processes and organization to be set up
PSD2 - Payment Services Directive 2
It is the second Payment Services Directive set by the European Union which entered into force in 2015. Its objective is to secure e-payments and to expand the financial services ecosystem. The directive requires payment service providers to monitor against fraud and find evidence when it occurs. At the same time, these institutions are required to secure the confidentiality of user credentials. It also opens bank data to third parties.
What are the implications of PSD2 for users?
The regulation gave users unprecedented power when it comes to their personal data. Under this regulation, you can withhold consent for certain uses of data, request access to their personal information from data brokers, or delete your information from sites altogether.
PSD2 demands that strong authentication is implemented on payment services, so you will be asked to set and protect your passwords to your personal accounts.