The global regulations shaping the future of financial security


Digitalisation has accelerated regulatory framework evolution, leaving financial institutions scrambling to keep up, writes Devin Partida, Editor in Chief, ReHack.

It also puts information security professionals in a tough position by requiring them to continuously adapt. There is virtually no room for error.

Key regulations reshaping the financial security landscape

Countless rules and laws apply to banks, loan associations, credit unions and financial technology companies.

However, only a handful of major regulatory frameworks are reshaping the financial security landscape.

General Data Protection Regulation (GDPR)

The European Union’s GDPR mandates businesses request consent before collecting or processing consumer data.

They have to record how, when and what they tell each person. In addition, they must provide a straightforward way to withdraw consent and erase information.

Since it covers all EU citizens, even financial institutions in other countries must comply.

Gramm-Leach-Bliley Act (GLBA)

The GLBA is a federal law enacted by the United States Federal Trade Commission (FTC) in 1999. It requires financial institutions to notify consumers about privacy policies at least once annually.

Additionally, they must provide notice before sharing data with unaffiliated third parties, giving people a chance to opt out.

An amendment — the Standards for Safeguarding Customer Information — went into effect in October 2023.

However, the FTC provided a six-month grace period, so there were no penalties for noncompliance until May 2024.

This amendment requires companies in the financial sector to report cybersecurity incidents, including data breaches.

Personal Financial Data Rights

In October 2024, the Consumer Financial Protection Bureau released the final rule on Personal Financial Data Rights.

Credit unions, banks and similar service providers must make consumer data available upon request in electronic form without charging fees.

They must also comply with security measures regarding information collection, use and retention.

Payment Services Directive 3 (PSD3)

The European Commission published the PSD3 proposal in June 2023; it has yet to be enacted or go into effect.

The proposed measures include enabling financial service providers to share fraud-related data, removing obstacles to open banking and standardising the enforcement of payment rules.

How these regulations will impact financial institutions

These global regulations impact every firm, from banks to investing applications.

As they become increasingly strict, decision-makers will have to invest more in data security, privacy and incident response.

Projections suggest the global data security market will soon experience exponential growth. It is projected to increase from $5.98 billion in 2023 to $10.78 billion by 2028, an 80% increase in just five years.

A higher dollar amount is arguably essential since evolving regulatory frameworks like the GDPR and PSD3 are enforcing increasingly harsh financial penalties.

In addition to updating notification and data-sharing policies, most banks will have to revisit their protection measures.

Since some regulations require information to be stored and shared electronically, this responsibility falls to security professionals.

How security professionals can stay ahead of new rules

Since security professionals’ actions are impactful, they must stay on top of evolving regulatory frameworks. There are two main ways to do this.

Proactive compliance strategies

Compliance is rapidly evolving. While many existing frameworks seek to remove barriers to open banking, some in development focus on regulating digitalisation.

Given that 75% of large banks have already incorporated artificial intelligence into their operations, the latter is not far off.

Security professionals should follow all relevant updates and enact proactive changes.

Enhanced cybersecurity measures

Most security strategies have gaps. Whether a company relies on a combination of legacy and modern technology or leaves test accounts with administrative privileges open, it creates holes for cybercriminals to slip through.

Enhancing cybersecurity does not necessarily mean investing in the latest solutions. Rather, it involves making existing methods more robust.

Staying ahead of evolving financial security frameworks

As online banking and investment applications become widespread, regulatory frameworks will likely evolve.

Security professionals can stay ahead by closely following changes and proactively updating strategies. Management should support them fully to enhance compliance.

Devin Partida is a technology writer and the Editor-in-Chief of the digital magazine, ReHack.com. To read more from Devin, check out the site.
