Big data is the fuel that powers fintech. Fintechs use data to facilitate transactions, offer personalized recommendations to customers, make predictions that inform lending and risk decisions, target their marketing activities, and much more.
Which makes it critical that fintechs have a thorough understanding of the data privacy and cybersecurity laws governing, not just the country that hosts their operations, but also those jurisdictions in which their customers reside.
The massive uptick in the use of digital services driven by the global pandemic has led a number of countries to pass new legislation that aims to protect citizens’ private information from falling into the wrong hands.
Let’s take a look at some of the major reforms that have arisen over the last few years and what is coming down the line.
The EU was one of the first jurisdictions to tackle data protection on a mass scale, introducing the General Data Protection Regulation (GDPR) in May 2018. GDPR replaced previous data rules across Europe, some of which were almost 20 years old. The EU says GDPR was designed to "harmonize" data privacy laws across all of its member countries, as well as provide greater protection and rights to individuals. The rules specify actions that businesses must take if they collect personal information about citizens of the EU, including how to obtain consent, when to erase data and how to report security breaches to data subjects.
GDPR has unprecedented extra-territorial reach, and serves as a good example of how laws on data protection do not simply apply to businesses operating in a particular jurisdiction. If an organization offers goods or services to, or monitors the online behavior of, people in the EU, it may be subject to GDPR.
Four years on from the implementation of the world-leading data protection legislation, some experts believe that while GDPR has improved the privacy rights of EU citizens, there are still many problems to address, and there are reports that data regulators are struggling to keep up with the number of complaints made by data subjects.
When GDPR came into force in 2018, countries within Europe were given the ability to make small changes to suit their own needs. This flexibility led to the creation of the UK’s Data Protection Act, which controls how the personal information of UK citizens is used by organizations and governments.
This means that, since 2018, most UK businesses have had to comply with two sets of privacy regulations, and there are differences between the two regimes. For example, the minimum age of consent for processing a person’s data in the UK is 13 years, while under the GDPR, the minimum age is 16.
In December 2020, the UK Department for Digital, Culture, Media & Sport announced it was pursuing a National Data Strategy, to set out a framework for not only the protection of data, but ways big data could be used to create new economic opportunities for the country post-Brexit. The strategy began with a period of public consultation, following which, on 17 June, 2022, the UK government published its response, proposing a number of reforms to “empower citizens through the responsible use of personal data.”
In the US, businesses and regulators have been grappling with the fact that there is no overarching privacy law that applies broadly to all businesses. Instead, each sector is subject to its own targeted laws, at both a state and federal level. Currently, the Gramm-Leach-Bliley Act (GLB) is the primary federal privacy law that regulates the activities of fintech companies. The GLB has two primary rules: 1) that financial businesses must notify consumers about data collection and give them an opportunity to opt out; and 2) that financial institutions must develop a written information security program.
In addition to this, other federal and state privacy and data protection laws may need to be adhered to, based on the type of security processes, procedures and tools that fintechs deploy in their product offerings. For example, a fintech that utilizes biometric recognition or verification tools through a mobile device must comply with state-specific laws on biometric identification and information.
In what could be a game-changer for companies operating in the US, draft legislation that would enact a comprehensive federal privacy framework was recently circulated for review. The American Data Privacy and Protection Act has bipartisan support, which makes it closer to becoming law than any other federal privacy legislation introduced in the US in the past.
Similar moves are underway in Canada, where the government has proposed the Digital Charter Implementation Act, 2022, which would modernize the country’s cybersecurity framework, as well as cover a wide range of operational areas including control and consent over data, ethical use of data, and data portability.
Despite its position as the leading sector for fintech adoption, Asia has been slower off the regulatory mark than most other jurisdictions.
According to the latest National Cyber Security Index (NCSI), ASEAN member states scored an average score of 44.02 out of 100 in the overall index rating. In particular, the index found a glaring gap in the indicator of “protection of personal data”, where five out of 10 countries still had low ratings.
China, which ranked 63rd on the NCSI, enacted its first cybersecurity legislation in late 2016, with the goal of establishing a uniform regulatory regime for data protection and cybersecurity across the country.
In 2021, the Chinese government flagged reforms to its existing regulatory framework, aimed at preventing data leaks and protecting personal information from being shared without consent from the data subject. The new measures provide that if a network platform operator possesses personal information of more than one million users plans to be listed in foreign countries, it must apply for cybersecurity review.
While these measures only came into effect in February 2022, the Chinese government began leveraging its new powers six months earlier, when it announced it would be conducting its first cybersecurity review into Chinese ride-sharing provider, Didi. Under the terms of the review, Didi was ordered to suspend new user registration and to remove its application from app stores. The review has been running for nearly 12 months, and was launched just days after Didi launched an IPO in the US.
Like other parts of the Asia-Pacific region, Australia has been somewhat lagging in its regulatory approach to big data. This is perhaps because Australia has tried to position itself as a “fintech-friendly” jurisdiction, with regulators adopting the view that Australian legislative obligations and regulatory requirements are technology-neutral and apply irrespective of the mode of technology that is being used to provide a regulated service.
Currently, the Privacy Act 1988, which includes the 13 Australian Privacy Principles, governs the regulation of personal information in Australia. However, since 2020, the Attorney-General’s Department has been conducting a review into the Act, issuing a high-level issues paper for public consultation in October 2020.
A subsequent Discussion Paper, issued a year later, proposed a number of significant reforms to the Privacy Act, many of which are based on overseas regulations such as GDPR. Among the recommendations was a broadening of the concepts of personal information and data collection. While amending legislation is yet to be released, if the proposed changes are passed it will represent a significant reshaping of privacy laws in Australia.
In spite of the slow progress in reforming the Privacy Act, the Australian Securities and Investments Commission (ASIC) – which regulates the vast majority of financial services, consumer credit and financial market activity in Australia – has taken steps to protect consumers from cybersecurity risks.
Through its licensing powers, ASIC took legal action against a financial advice provider that was subject to a number of cyber attacks in 2017 and 2018. The Federal Court found in favor of ASIC, agreeing that the advice provider had breached its license obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cybersecurity risks. The firm was fined AU$750,000.
As this summary shows, while advances in digital technology have removed many barriers to cross-border operations, data protection laws are still largely country-based. This means fintechs are likely to be subject to a number of different data protection requirements, depending on the location of their customers.
Failing to comply with data protection rules can mean steep penalties, including fines and bans on operating in a particular jurisdiction. And compliance with one set of regulations doesn't guarantee compliance with all laws. For this reason, experts recommend fintechs institute a data protection policy that complies with the most stringent set of business rules the company faces, while using a security and compliance framework that covers a broad set of requirements.
For more information on how Zai can help your fintech use paytech to succeed in global markets, get in touch here.
In the meantime, download our guide on how you can benefit from creating better experiences for your customers.