A Bank’s Biggest Challenge: Data Security Compliance

There have been more than 500 bank failures in the past decade. 

More than 500 failures.

Of them, most were smaller community banks that couldn’t recover from the effects of the Great Recession. Since the economic downturn, the surviving banks are regaining strength and financial stability, but many are still struggling with operational and financial challenges.

And what are these challenges?

Bank Challenges

1) Technology 

As technology develops and customers come to expect frictionless transactions and fast service, banks are forced to keep adopting new ways of working. That means continually investing in development and design and rolling out new digital products quickly and consistently.

2) Profits

Despite the popular caricature of the evil, greedy banker and the idea that banks are raking in record profits at the expense of the public, many banks are struggling financially. These days, it’s harder for banks to make the profits necessary to please investors and keep up with customer expectations.

Those are big issues for banks, and in many ways they’re connected. Banks are trying to keep up with evolving customer expectations and the push toward greater banking UX design. At the same time, they are having to justify costs and account for every penny in an effort to increase (and sometimes maintain) profits. 

But banks are resilient. They’re evolving and adjusting operations to deal with those issues. 

There is one challenge, however, that banks have yet to get a handle on. It is the issue most likely to plague the back office and to make every other struggle worse.

That issue?

Regulatory Compliance 

Specifically, data privacy compliance.

In many ways, GDPR opened the door to the growing data protection movement facing many industries. Now, there are over 350 laws and regulations addressing data privacy in the United States. These regulations exist at local, state, and federal levels and impact most aspects of business operations. 

But as you can guess, the financial industry is most impacted by these ever-growing regulatory requirements. 

Biggest Challenge

Without a doubt, data privacy compliance is a bank’s biggest challenge. And in today’s climate of data liability, large fines, and compliance checks – it’s also the most likely to spark the fire that leads to bank failure.

Banks grapple with profitability, increased competition, and the needs of increasingly mobile and connected customers, but achieving and maintaining data privacy compliance is the biggest feat of all.

Complaints about the high costs and operational burdens of achieving regulatory compliance are nothing new. Even for large banks, keeping up with increasingly stringent regulations and newly enacted laws can cause operational nightmares leading to decreased customer service and profits. 

So how bad is it?

Governance, risk, and compliance can account for nearly 10% of a bank's operating costs, and at least one estimate puts the figure as high as 40%.

So what are some of the major regulations?

Data Privacy Regulations

Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act, or GLBA, is the veteran of existing financial data privacy regulations. It requires financial institutions to protect customers' nonpublic personal information, including personally identifiable financial information.

Specifically, the safeguards provisions of GLBA require financial institutions to ensure the security and confidentiality of customer information. Banks are therefore charged with safeguarding that information everywhere it is stored and while it is in transit, including file, message, and email transfers.

Furthermore, GLBA requires financial institutions to protect customer information against reasonably anticipated threats and hazards, and it separately prohibits pretexting: obtaining customer information from an institution under false pretenses.

Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard, or PCI DSS, is designed to protect the payment card system. Unlike the laws discussed here, it is an industry standard enforced by the card brands through contracts with acquirers and merchants rather than by a government regulator, but the consequences of non-compliance (fines from the card brands and, ultimately, loss of the ability to process cards) are just as real. The standard is organized around twelve requirements, including protecting stored cardholder data and encrypting cardholder data whenever it is transmitted across open, public networks.

Financial Industry Regulatory Authority

The Financial Industry Regulatory Authority, or FINRA, is the self-regulatory organization for securities broker-dealers and oversees trading in the securities markets. Any bank that operates a securities brokerage through a FINRA member broker-dealer is therefore also subject to FINRA compliance.

And though FINRA is not a federal agency, it is overseen by the SEC and is responsible for enforcing SEC rules, including the SEC's customer privacy rule (Regulation S-P), among its member firms.

As such, FINRA expects member firms to demonstrate that they can protect sensitive customer information. That includes enforcing the books-and-records rules under the Securities Exchange Act (SEC Rule 17a-4), which require that electronically stored records be preserved in a form that protects their integrity.

Local, State, and Federal Regulations

Currently there are more than 350 regulations relating to data privacy across the country. That number might already seem massive, but it is growing, and existing regulations continue to increase in stringency and detail. Which laws apply to any single bank depends on where the bank conducts business and where its customers reside, but overwhelmingly these laws mandate that businesses protect sensitive consumer data and levy stiff penalties when those businesses fail to do so.

Regulatory Compliance Connection

There is a common thread amongst financial institution compliance standards. All require protection of customer data while at rest, in transit, or both. 

Generally, banks are diligent in their efforts to protect customer data and take regulatory compliance very seriously. They invest heavily in protecting their network perimeter and leave attackers few opportunities to break through it directly.

So attackers are less likely to try to break into a banking system head-on from the outside. There are exceptions, such as the 2019 Capital One breach, but more often cyber criminals know their best chance of success is to get in through someone who is already inside the system.

They probably don’t know the “inside man” personally. And he probably doesn’t even know he’s a gateway to the data breach.

Attack Pattern

Instead of breaching the perimeter of a financial institution, most attackers enter through the most basic communications layer: email.

Like most businesses, banks rely on email to quickly transfer information and to communicate among departments and, sometimes, with customers. Email is known to increase efficiency and productivity.

Unfortunately, email is also the starting point for an estimated 91% of all cyber breaches.

For banks, cyber criminals target an employee with access to customer data. The criminals craft a malicious email and send it to the employee's work or personal address. Often, opening an attachment or following a link in that message is enough to run malware on the employee's system, or to capture the employee's credentials on a look-alike login page, and either one gives the thief a path to sensitive customer data.

Regulatory Compliance Consequences

Even when banks reimburse customers for any direct losses as a result of a data breach, they still face review from regulatory bodies. 

If any regulator determines that the financial institution was out of compliance, the bank could face massive fines, additional regulatory oversight, or even jail time for its executives.

Failure to comply with GLBA can cost a financial institution up to $100,000 per violation. Responsible officers and directors face fines of up to $10,000 and up to 5 years in prison.

In 2018, FINRA fines saw an average of $107,000 per case.

Imagine a breach that exposes the information of 100 customers. If each exposed customer counted as a separate violation, at $100,000 per violation that's $10,000,000.

Now consider that the average data breach affects more than 24,000 records. Regulatory fines alone could be enough to cripple a bank.

Email Alternatives

The business advantages of email are obvious, but bank executives can't ignore the security risks it carries. Spam filters and firewalls won't stop every malicious message, and they can do nothing for employees who are targeted on their personal accounts.

Furthermore, solutions that claim to provide secure email have their own weaknesses and cannot stop every phishing scheme.

Instead, to truly avoid the risks of the communications layer, banks should look to dedicated secure messaging and file sharing services. An effective platform must provide automatic end-to-end encryption, passwordless authentication, and user identity management.

While there are several messaging platforms that claim to provide secure messaging, HighSide is the only one designed with regulatory compliance in mind.

With HighSide, sensitive information is encrypted at rest and in transit, preventing access by unintended recipients. HighSide also provides remote-wipe functionality and industry-specific compliance features.

Taking sensitive communications off email is the most direct way to remove the phishing channel and to demonstrate regulatory compliance in protecting customer data.

And with the stakes growing with every new law, banks can't afford not to secure their communications and file transfers with HighSide.

Cecilia Clark

First introduced to information security while serving as a Signal Officer in the US Army. During my time in the military, I managed information security from all sides of the discipline - as a user, service provider, and culture change agent.
