Financial sector cyber laws and regulations

Financial Sector Cyber Laws and Regulations

by John Bandler

The financial sector is heavily regulated and for good reason. Instability or a collapse could cripple our economy and affect public safety and national security. Financial regulations cover a wide swath of topics to ensure the safety and soundness of a financial institution, protect consumers (including their deposits, investments, rights, and privacy), and ensure good information security and privacy practices. There are also rules to ensure financial records are kept secret but also available for proper government review, and to ensure financial institutions monitor for and report on financial crime, money laundering, and terrorist financing.

This regulation is through many federal laws, regulations, and regulators, and every state has their rules too. Being from New York (where we call ourselves the financial capital of the world), that is the only state's rules I cover.

There are a variety of federal and state laws and regulators.

As always, compliance should start with good cybersecurity, cybercrime protection, and privacy practices. Then, organizations can analyze details of these requirements.

This short article focuses on financial sector requirements. Organizations should also consider general principles of law and other cybersecurity and privacy requirements. To zoom out a little and see the larger legal landscape, read my other article Cybersecurity Laws and Regulations Part 1 (general legal overview), and other articles.

Why financial regulation?

Financial regulation is needed for a lot of reasons. Here's a quick list:

• Protect consumers
• Protect financial industry in general
• Protect the individual financial institution (safety and soundness)
• Reduce financial crime
• Reduce identity theft
• Reduce money laundering -- Anti-money laundering (AML)
• Privacy

Consumers and investors need to be protected from a host of harms. Their deposits need to be safe, they need some protection from fraud, deception, and mismanagement. Their investments should be on a reasonably level playing field, with relatively accurate information. Their privacy needs to be protected.

Financial institutions need to protect themselves. The government provides certain backstops and insurance in case of a bank failure, it is only reasonable that government should exercise some oversight to try prevent such a bank failure.

Criminals need to be deterred and slowed. We cannot allow criminals unchecked use of the financial system to steal, transfer funds, and launder illicit funds. We need some oversight. That's what anti-money laundering (AML) regulation is for.

Our financial system is critical to the health of our country. If our financial system collapsed, the consequences would be staggering. People would die. The economy and government could collapse.

Reasonable people can debate about how much regulation and oversight there should be, but clearly there's got to be some.

Rest assured, hostile nation states are looking for ways to damage our country including our financial system. Criminals and terrorists are looking to move funds through the financial system. Natural disasters could damage the financial system and information technology infrastructure. So regulation and protection is necessary.

The financial sector needs to protect funds, identify and report on crime and money laundering, protect consumer private and financial information, and ensure the safety and soundness of the individual financial institutions and the financial sector itself from a host of harms, including cyberattack and natural disaster.

Reminder on law vs. regulation

Financial sector legal requirements remind us of the difference between a law and a regulation, which I touch on in my law outline.

Congress (or a state legislature) passes laws (statutes) which are signed into effect by the executive (President or Governor).

These laws may empower a regulator to put forth (promulgate) rules or regulations in accordance with these laws. Federal rules and regulations are in the Code of Federal Regulations (CFR).

So that's why we refer to laws and regulations, and I provide citations to both.

Consider this also: the regulator may issue and renew licenses, such as a license to a bank or money transmitter to do their business. With the power to issue a license comes the power to revoke it, and insist upon compliance with various rules in order to maintain that license.

Financial cyber regulation in a minute

The financial sector is regulated on a host of matters, small surprise that those regulations now encompass information technology, cybersecurity, cybercrime, and privacy.

A financial sector organization should first think about traditional bodies of law such as negligence, contract, and criminal laws. Then think about federal and state laws of general applicability, and then think about sector specific laws and regulations.

Here we focus on those financial sector specific laws and regulations.

GLBA

The Gramm-Leach-Bliley Act (GLBA) (also known as the Financial Services Modernization Act of 1999) is a federal law that created privacy and information security requirements for financial institutions. GLBA’s implementation rules include the Safeguards Rule (to protect consumer information) and the Privacy Rule (regarding disclosure of consumers’ personal information).

• GLBA references
• GLBA: The Financial Services Modernization Act of 1999 (“Gramm-Leach-Bliley” or GLBA)
• 15 U.S. Code Chapter 94, Privacy, https://www.law.cornell.edu/uscode/text/15/chapter-94
  • 15 USC 6801-6809, 15 U.S. Code Subchapter I - Disclosure of Nonpublic Personal Information, https://www.law.cornell.edu/uscode/text/15/chapter-94/subchapter-I
  • 15 USC 6821-6827, 15 U.S. Code Subchapter II - Fraudulent Access to Financial Information, https://www.law.cornell.edu/uscode/text/15/chapter-94/subchapter-II
• GLBA Regulations
• GLBA "Privacy Rule": 16 CFR Part 313 - Privacy of Consumer Financial Information, https://www.law.cornell.edu/cfr/text/16/part-313
• GLBA "Safeguards Rule": 16 CFR Part 314 - Standards for Safeguarding Customer Information, https://www.law.cornell.edu/cfr/text/16/part-314
• FTC on GLBA, https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act
• Wikipedia on GLBA: https://en.wikipedia.org/wiki/Gramm%E2%80%93Leach%E2%80%93Bliley_Act

Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act of 2002 (SOX) is a federal law for publicly traded companies – companies listed on a stock exchange. SOX requires publicly traded companies to have proper internal control structures in place to validate that their financial statements accurately reflect their financial results, thus requiring controls over information systems. SOX is overseen by the Securities and Exchange Commission (SEC). SOX also created the Public Company Accounting Oversight Board (PCAOB).

• SOX references
• SEC on SOX, https://www.investor.gov/introduction-investing/investing-basics/role-sec/laws-govern-securities-industry#sox2002
• SEC on SOX (note this is an archived page) https://www.sec.gov/spotlight/sarbanes-oxley.htm
• Sarbanes-Oxley Act of 2002 (SOX), https://www.govinfo.gov/content/pkg/COMPS-1883/pdf/COMPS-1883.pdf
• 15. U.S.C. Chapter 98, Public Company Accounting Reform and Corporate Responsibility, https://www.law.cornell.edu/uscode/text/15/chapter-98
• Cornell LII on SOX, https://www.law.cornell.edu/wex/sarbanes-oxley_act
• Wikipedia, https://en.wikipedia.org/wiki/Sarbanes%E2%80%93Oxley_Act

FCRA

Another rule relates to credit reports, The Fair Credit Reporting Act of 1970 (FCRA), as amended periodically including by The Fair and Accurate Credit Transactions Act of 2003 (FACTA). This provides privacy rights to consumers and seeks to ensure accuracy of credit reports.

• FCRA references
• The Fair Credit Reporting Act of 1970 (FCRA), including The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
• 15 USC 1681 et seq, https://www.law.cornell.edu/uscode/text/15/chapter-41
• FTC on FACTA, https://www.ftc.gov/legal-library/browse/statutes/fair-accurate-credit-transactions-act-2003
• FTC on FCRA, https://www.ftc.gov/legal-library/browse/statutes/fair-credit-reporting-act
• Wikipedia, https://en.wikipedia.org/wiki/Fair_Credit_Reporting_Act
• FFIEC on FCRA, https://www.ffiec.gov/exam/InfoBase/documents/02-con-fair_credit_reporting_act-000799.pdf
• CFPB Summary of Rights Under FCRA, https://files.consumerfinance.gov/f/documents/bcfp_consumer-rights-summary_2018-09.pdf

Red Flags Rule

The Red Flags Rule is intended to protect consumers from identity theft, originally found in the 2003 FACTA, then the Red Flag Program Clarification Act of 2010, and there is a 2013 ID Theft Red Flags Rule from the SEC & CFTC

• Red Flags references
• The Red Flags Rule published at 16 C.F.R. § 681.1, Duties regarding the detection, prevention, and mitigation of identity theft, https://www.law.cornell.edu/cfr/text/16/681.1
• FTC on Red Flags Rule, https://www.ftc.gov/business-guidance/privacy-security/red-flags-rule
• FTC on Identity Theft, https://consumer.ftc.gov/features/identity-theft

BSA, AML, CTF: Anti-Money Laundering requirements

Also consider the Bank Secrecy Act (BSA) of 1970 and various amendments, including the USA PATRIOT Act of 2001. The principle of BSA is anti-money laundering (AML) and counter terrorist financing (CTF) which effectively requires financial institutions to monitor and report on potential criminal activity using the financial system.

AML requirements may also mandate investigation and reporting of certain cybercrime through AML channels, including the filing of suspicious activity reports (SARs). Guidance from the primary AML regulator (FinCEN, the Financial Crimes Enforcement Network) suggests financial institutions leverage all departments (AML, cybersecurity, etc.) to investigate and report this cybercrime.

Cybercrime is typically for-profit, and involves stealing both money and consumer data, so it is logical to fight cybercrime with AML investigation and action.

Financial regulators

There are a lot of financial regulators. If you are researching a law or regulation and how to comply with it, one of your first steps should be seeing what the regulator says about it.

• Federal regulators
  • Federal Reserve Board (FRB or “the Fed”), https://www.federalreserve.gov/
  • Office of Comptroller of the Currency (OCC), https://www.occ.treas.gov/
  • Federal Deposit Insurance Corporation (FDIC), https://www.fdic.gov/
  • Consumer Financial Protection Bureau (CFPB), https://www.consumerfinance.gov/
  • Securities and Exchange Commission (SEC) (for publicly held companies, securities, stocks, etc.)
    • Public Company Accounting Oversight Board (PCAOB), https://pcaobus.org/
  • Federal Trade Commission (FTC), https://www.ftc.gov/
    • https://www.ftc.gov/news-events/news/press-releases/2023/10/ftc-amends-safeguards-rule-require-non-banking-financial-institutions-report-data-security-breaches
    • 16 CFR Part 314, https://www.law.cornell.edu/cfr/text/16/part-314
    • https://www.ftc.gov/news-events/topics/protecting-consumer-privacy-security/privacy-security-enforcement
  • National Credit Union Administration (NCUA)
  • Financial Industry Regulatory Authority (FINRA)
  • Federal Financial Institutions Examination Council (FFIEC), https://www.ffiec.gov/  (not a regulator per se, but a body of federal financial regulators that establishes common federal standards)
  • Financial Crimes Enforcement Network (FinCEN), https://www.fincen.gov/
  • More
• Each state
  • NYS Department of Financial Services (DFS), https://www.dfs.ny.gov/  (see later section)

Federal Financial Institutions Examination Council (FFIEC)

The Federal Financial Institutions Examination Council (FFIEC) is a body of federal financial regulators that establishes common federal standards for many financial sector regulators, including requirements for cybersecurity. Some of these rules may arise from GLBA, others from broader regulatory authority over safety, soundness, and consumer protection. Among the FFIEC rules and guidance are the FFIEC Audit IT Examination Handbook and Cyber Assessments Tool (CAT).

• https://www.ffiec.gov/cyberassessmenttool.htm
• https://www.ffiec.gov/press/pdf/FFIEC%20Cybersecurity%20Resource%20Guide%20for%20Financial%20Institutions.pdf
• https://ithandbook.ffiec.gov/it-booklets/audit.aspx
• https://ithandbook.ffiec.gov/it-booklets/outsourcing-technology-services.aspx

NYS Department of Financial Services (DFS) and Rule 500

Financial institutions doing business in New York state need to consider state laws of general application and rules specific to the financial industry. The New York State Department of Financial Services (DFS) issued a rule pursuant to it’s rulemaking authority requiring certain cybersecurity measures by financial services companies within NY. This is DFS Rule 500, Cybersecurity Requirements for Financial Services Companies, 23 NY Codes, Rules and Regulations (NYCRR) Part 500.

• https://www.dfs.ny.gov/industry_guidance/cybersecurity
• View 23 NYCRR Part 500 on Westlaw
• 23 NYCRR Part 500 at Cornell LII, https://www.law.cornell.edu/regulations/new-york/title-23/chapter-I/part-500

Definitions matter

As with any law or regulation, we need to be mindful of definitions and what and who is covered. What organizations fall under these rules, and what data falls under these rules?

Where to find the current laws and regulations

And here is where to find some current laws and regulations and information about them.

If you are researching the laws, the usual starting points apply: (i) identify the laws and regulations (ii) see what the regulators say about them, (iii) continue your research.

Conclusion and disclaimer

How does an organization comply with these complex laws and regulations?

My main takeaway -- as always -- is that organizations must first focus on protecting themselves and the data they hold, and prevent cybercrime and other incidents. In so doing, they comply with the spirit of laws and regulations. Then, organizations should analyze the legal requirements and ensure compliance.  All of this requires a comprehensive cybersecurity program.

Hopefully this short article simply explains some of the basics. This is a brief summary with many simplifications, attempting to bring complex subject matter to all readers in an understandable and accessible manner. It is not legal advice nor consulting advice, and is not tailored to your circumstances. The research is preliminary.

If your organization needs help with improving cybersecurity and protecting from cybercrime, creating or improving policies, and complying with cybersecurity related laws and regulations, contact me.

Additional reading

See all the links above for references and reading to the laws, regulations, regulators, and more.

• Law
• Cyberlaw
• Cybersecurity Laws and Regulations Part 1 (general legal overview)
• Cybersecurity Laws and Regulations Part 2 (listing and brief summary of some laws and regulations)
• Health sector laws and regulations
• Financial sector cyber laws and regulations (This article)
• New York Cybersecurity Requirements and the SHIELD Act
• Bandler's Cybersecurity Tips
• My services page
• My books

This article is hosted at https://johnbandler.com/financial-sector-cyber-laws-regulations, copyright John Bandler, all rights reserved.

This article is also available on Medium.com at NOT YET POSTED THERE (though perhaps not updated as frequently).

Originally posted 01/21/2024. Last updated 2/2/2024.