KT Fintech Blog

The KT Fintech Blog provides insights into how the emergence of fintech is fundamentally changing virtually every aspect of the financial services landscape and how traditional businesses navigate this rapidly evolving industry.

Category: Privacy & Data Governance

Posted on Thursday, October 19 2017 at 9:00 am by
CFPB Outlines Principles for Consumer-Authorized Financial Data Sharing and Aggregation

Written By Eamonn Moran

The Consumer Financial Protection Bureau (CFPB or Bureau) recently released a set of consumer protection principles for protecting consumers when they authorize third-party companies to access their financial data to provide certain financial products and services. The Bureau states that these principles, which all stakeholders that provide, use, or aggregate consumer-authorized financial data should consider, “are intended to help foster the development of innovative financial products and services, increase competition in financial markets, and empower consumers to take greater control of their financial lives.”

Many companies, including fintech firms, banks, and other financial institutions, get authorization from consumers to access their account data that reside in separate organizations to provide a variety of products and services. Consumer-authorized access to consumer financial account data in electronic form may enable consumer-friendly innovation in financial services. Companies that consumers authorize to access their digital financial records can aggregate and use those records to offer new products and services aimed at making it easier, cheaper, or more efficient for consumers to manage their financial lives. Examples of such “data-aggregation” products and services include fraud screening and identity verification, personal financial management, and bill payment. At the same time, this kind of expanded access to consumer financial records raises a number of concerns, particularly with respect to data security, privacy, and unauthorized access. The Bureau “advocates strongly for consumer control of the consumer’s data and transparency,” while emphasizing the importance of data security and privacy.

The principles articulate the Bureau’s “vision for realizing a robust, safe, and workable data aggregation market that gives consumers protection, usefulness, and value.” The principles, which are intended to be read together, relate to:

  • data access;
  • data scope and usability;
  • control of the data and informed consent;
  • payment authorizations;
  • data security;
  • transparency on data access rights;
  • data accuracy;
  • accountability for access and use; and
  • disputes and resolutions for unauthorized access.

These principles build upon the CFPB’s 2016 Request for Information (RFI) to gather feedback from a wide range of stakeholders concerning consumer-authorized data access. Based on the RFI, as well as other stakeholder outreach, the Bureau “understands that some key industry stakeholders are working on improvements to consumer-authorized data access. These improvements relate to the agreements, systems, and standards involved in consumer-authorized data access.”

The Bureau states that it “will continue to closely monitor developments in this market and will also continue to assess how these principles may best be realized.” The Bureau notes that these principles “do not establish binding requirements or obligations relevant to [the agency’s] exercise of its rulemaking, supervisory, or enforcement authority. In addition, they are not intended to alter, interpret, or otherwise provide guidance on existing statutes and regulations that apply in this market.” Lastly, the Bureau states that these principles “are not intended as a statement of [the agency’s] future enforcement or supervisory priorities.”

We will provide additional updates on this topic and related privacy and data governance issues as further developments occur.

Posted on Wednesday, October 4 2017 at 9:00 am by
6 Key Takeaways: FinTech and Financial Institutions — The Next Generation Strategy

Kilpatrick Townsend’s Michelle Tyde recently spoke at the 2017 President & CEO Georgia Bankers Conference on the topic of “FinTech and Financial Institutions — The Next Generation Strategy.”

Key takeaways from that presentation include:

  • The digital revolution has impacted virtually every area of business – telecommunications, logistics, travel, and retail. In the financial services industry, technology-driven FinTech companies are transforming the way customers access and manage their money.
  • While financial institutions have been risk averse since the 2008 financial crisis, focusing on regulatory and compliance issues, FinTechs have innovated across the industry, offering enhanced products and services that range from areas such as payments and lending to emerging areas including robo-advisory and blockchain systems. According to PwC, more than 20% of financial services business is at risk to FinTechs by 2020.
  • Given the proliferation and impact of FinTechs on the industry, financial institutions can no longer afford to ignore the disruption caused by FinTechs. They must implement a strategy to adapt to and benefit from the FinTech-fueled changes to the industry.
  • Both parties bring significant strengths to the table. Financial institutions manage risk and are optimized for security and regulatory compliance. FinTechs are agile and innovative. A partnership between financial institutions and FinTechs can maximize the parties’ strengths and assets. Hence, collaboration, FinTegration, is a necessary strategy for financial institutions in the FinTech era.
  • In collaborating with FinTechs, financial institutions must implement a new digital business model which focuses on self-directed services, customer experience, data analytics, and cybersecurity. Financial institutions can leverage a number of FinTech solutions including cloud services, APIs, and data analytics.
  • Outside counsel can assist financial institutions in structuring a collaborative partnership with FinTechs that maximizes the benefits of technological innovations while minimizing the associated compliance and cybersecurity risks.

Posted on Tuesday, October 3 2017 at 9:00 am by
Cyber Winter is Here, and Coming to Regulation: New York Cybersecurity Rule Ice Dragon Heading for the Wall

Written by Jon Neiditz and Julie Grundman

The State of New York’s response to two large cybersecurity breaches may fuel the transformation of the state regulation of corporate cybersecurity in the U.S. Unlike typical state data breach statutes, which focus on notification to individuals about breaches of some types of personal information, New York’s new cybersecurity rules impose minimum standards for protecting both critical business and individual nonpublic information, highlighting New York’s concern with both consumer protection and the health of the financial sector. In response to the highly publicized Equifax breach, on September 18, 2017, New York’s Governor Andrew Cuomo directed New York’s Department of Financial Services (NYDFS) to issue a proposed new regulation [1] requiring credit reporting agencies to comply with New York’s high-bar Cybersecurity Requirements for Financial Services Companies (the “Cybersecurity Rules”). [2] Governor Cuomo’s action signals New York’s willingness to expand its new model of cybersecurity regulation, mandating that companies protect the confidentiality, integrity, and accessibility of not just individuals’ personal information, but also material business information, which we call a company’s “knowledge assets” or “crown jewels.” On September 25, 2017, the Guardian reported that Deloitte Touche Tohmatsu Limited, the Big Four professional services firm with its operational headquarters in New York City, experienced a cybersecurity breach that affected its email system and client records, among the most critical nonpublic business information of a professional services firm. [3] What, aside from lobbying efforts, is to stop Governor Cuomo from proposing that the New York Cybersecurity Rules cover accounting firms as well?