Happy June, friends. Summer officially kicks off on June 20th. Who is excited? I started my summer early by traveling to Ambergris Caye, Belize at the end of May. I highly recommend Belize as a future vacation destination. Where is everyone traveling to during the summer vacation season?
Miriah’s Take: What is the Cost of Compliance?
At the end of last month, UBS’s (a Swiss bank) Chief Compliance Officer stated that the bank expects regulatory costs to remain significant in the future but believes those costs have peaked. So, let’s dive into the regulatory compliance landscape and explore that statement.
For credit unions, the regulatory burden costs more than $6 billion to adhere to all rules on a collective, industry basis, according to a report commissioned by the Credit Union National Association. Based on other studies, compliance with financial services regulations may cost an individual company up to $30.9 million.
Thomson Reuters issues a “Cost of Compliance” report annually, which surveys 800 financial services firms across the world to provide the industry a snapshot of the compliance landscape. During 2017, Thomson Reuters captured 56,321 regulatory alerts from over 900 global regulatory bodies, averaging 216 updates a day (that is a lot for compliance staff to keep up with). Financial services entities reported spending more than 10 hours a week tracking and analyzing regulatory developments. Additionally, trends illustrate that financial institutions and entities will spend more time liaising and communicating with regulatory bodies. According to Thomson Reuters, the top three reported reasons for the increased expectation to communicate with a regulator are: 1. more onerous regulatory and reporting requirements; 2. increased information requests from regulators; and 3. the need to understand changing regulatory expectations. Respondents identified data privacy as the largest compliance challenge for 2018, which is logical, considering 2018 was the year the EU General Data Protection Regulation (GDPR) became effective.
We are essentially one year into the EU GDPR being effective and reaching its jurisdictional tentacles across the Atlantic Ocean. Since its enactment in May 2018, the EU Data Protection Commission has received 6,624 complaints. 54 investigations were opened over the past year, and 19 of those investigations are cross-border, involving multinational companies like Facebook, Twitter, and LinkedIn. In April, this blog specifically took a look at the Federal Trade Commission and the actions it has taken in relation to the EU GDPR. The FTC settled with four companies after the agency alleged the companies falsely claimed to be certified under the EU-U.S. Privacy Shield Framework.
Since the EU GDPR became effective, it has been an active piece of conversation among many corporations, including financial institutions. State legislatures have also been paying attention to the EU GDPR. Recall, the California Consumer Privacy Act (CCPA) was passed in response to the EU GDPR during the summer of 2018. The CCPA is set to take effect in January 2020. At a high level, the CCPA affects businesses buying, selling, or otherwise in the trade of the “personal information” of California residents, approximately 40 million individuals. Entities covered under Gramm-Leach-Bliley are generally exempted (as of right now). Currently, the California Legislature is introducing, considering, and debating amendments to the CCPA. Check out a full overview on JD Supra.
California isn’t the only state where the U.S. privacy legal landscape continues to evolve. Similar CCPA-style bills were proposed in Washington, Texas, New York, and Nevada. On May 29, 2019, Nevada enacted an amendment to its privacy law, which requires businesses to offer consumers a right to opt out of the sale of their personal information. Despite being passed later than the CCPA, the Nevada law becomes effective earlier, on October 1, 2019.
Returning to our original question, do you think the cost of compliance has peaked? This blog would love to receive your feedback!
Miriah’s Hot Topic: Are you selling your data?
With all of the attention on the EU GDPR and data privacy as a whole, it makes sense to explore the ownership of the data (for which a company may ultimately be liable). Data ownership is addressed in the contract terms.
When negotiating a data contract with a vendor, what the financial institution does not pay in $USD, it pays in PII (isn’t that how the phrase goes?). It begs the question whether the entity is essentially “selling” data to the vendor.
That is a huge cause for concern, especially as the regulatory focus on data privacy continues to grow. If a financial institution is transferring private customer information to a third party, the onus is on the financial institution to keep it safe (we have seen the hit to reputation as it relates to merchant data breaches and payment cards over the years, which is always something to be mindful of).
For financial institutions, folks are generally well-versed in the protection of PII. However, because data ownership is governed by the contract terms, we are seeing an emergence of contract clauses which seek to aggregate data into a collective, non-PII form. This non-PII aggregate data is cropping up in many contracts, with vendors seeking the right to use, own, and sell the aggregate data derived from your consumers. Generally speaking, the best-case scenario is to negotiate a limited-use license for the data and restrict the vendor from utilizing any data (PII or aggregate) outside the scope of the limited license. Certain entities report utilizing a request for proposal (RFP) process, sending out RFPs with specific questions on data ownership. What contract trends do you see as they relate to data ownership, and how do you navigate the situation?
This blog is going to put more of a focus on privacy moving forward. What privacy issues are you interested in exploring with On Miriah’s Mind?
Miriah’s Tip:
Send your funny regulatory stories, reader feedback, and future topic ideas to firstname.lastname@example.org.