As we embark on a new year, let’s look back and analyze the major shifts in the regulatory environment over the last year, and what they mean for compliance professionals in 2019.
By any yardstick, 2018 was an eventful year; it was marked by quick and sweeping changes in regulations, which, consequently, fueled greater spending on regulatory technology (RegTech) – indeed, the RegTech sector grew by 23.5 percent in 2018.
Perhaps the most significant regulation on privacy protection in recent years, the EU’s General Data Protection Regulation (GDPR) enforces strict data handling procedures when it comes to data belonging to citizens of member states of the European Union. GDPR represents a shift in the individual’s right to privacy – it has major implications for how entities gather, use, manage and purge user data.
The possible fines for non-compliance are significant: Up to four percent of the non-compliant company’s annual revenue.
It has been more than six months since GDPR came into force, yet the applicability of the regulation remains mired in confusion. As late as November last year, 56 percent of privacy professionals admitted to not having complied with GDPR; 20 percent believed it may be impossible to be fully GDPR-compliant.
Despite the wave of anxiety that GDPR created amongst companies doing business in Europe, there has been, to date, no significant enforcement action for non-compliance – although regulators did impose minor penalties on some companies and served ultimatums to others. However, these are still early days for the regulation, and the EU seems determined to uphold high standards for privacy protection.
As the EU is often at the forefront of privacy rights, the GDPR could prove to become an instructive template for other countries as they update their data protection laws.
The Payment Services Directive 2 (PSD2), another major European initiative, is intended to increase innovation and competition in the payments industry. The PSD2 requires that banks open up access to customer account data, allowing third-party providers to use that information.
These third parties are divided into two categories:
- PISP (Payment Initiation Service Provider) – providing bill payment, money transfer and other payment services
- AISP (Account Information Service Provider) – providing aggregation and analytics over multiple accounts
Enabling the entities belonging to the aforementioned categories to access customer account data held by banks would create a slew of opportunities for fintech services.
Another important thing to consider is the upcoming Strong Customer Authentication (SCA) requirements – part of PSD2, they are designed to improve online and mobile fraud prevention measures. Ensuring that these SCA measures provide the necessary security without hindering customer transactions will be a major theme for 2019.
Yet another European regulation that came into effect is the Electronic Identification, Authentication and Trust Services (eIDAS). In pre-eIDAS Europe, each member country had its own digital identity scheme. The problem, however, was that these identity schemes weren’t exactly compatible with each other; in other words, if a Polish national was moving to Spain, she couldn’t utilize her digital identity from Poland to access public services in Spain. Instead, she had to set up her digital identity from scratch in her new home — a time-consuming (and, ironically, analogue) process which required her to present physical documents, multiple pieces of government-issued ID, third-party notarizations, etc. in person.
eIDAS — the European Union’s (EU) ambitious project to create a truly portable identity — has the potential to be an effective correction to this problem by creating a standardized digital identity framework, and allowing digital identities to work across borders.
While it’s not mandatory for a member state to notify its eID scheme, each member state is obligated to accept another member state’s digital identity scheme once that scheme has been notified.
While the roll-out is still a work in progress – only six member states have full notified status – the scope and ambition of eIDAS is striking. It represents one of the largest implementations of an interoperable digital identity framework.
While eIDAS is likely to ease and improve access to public services across Europe, its implementation could dramatically help the private sector adopt an interoperable digital identity framework. According to Zac Cohen, general manager at Trulioo, “The rules and infrastructure it puts into place will make it easier for private sector firms to accept and implement similar processes.”
FinCEN’s new rule
Meanwhile, across the pond, in the United States, some major new customer due diligence (CDD) requirements came into effect. Under the Financial Crimes Enforcement Network’s (FinCEN) final CDD Rule, collecting, maintaining and reporting beneficial ownership information is now mandatory for financial institutions. Making Know Your Business (KYB) processes more stringent is part of a larger trend: consider the Fourth Anti-Money Laundering Directive (4AMLD) and the upcoming 5AMLD in Europe.
While collecting customer identification information is standard practice, identifying ultimate beneficial ownership (UBO) information can be difficult. Typically, the process is manual, slow, expensive and prone to fraud and errors. It may involve staff conducting complex searches and then importing, analyzing and reviewing the information across multiple databases.
The new requirements were finalized in 2016; however, regulators were aware that they would entail significant preparation and changes to existing processes – for that reason, obliged entities were given two years to become compliant with the new rules.
Still, many institutions are having a hard time meeting the new requirements, even as some regulators are calling for stricter standards.
Sports betting in the US
Another major regulatory change in the US was the Supreme Court ruling which struck down the Professional and Amateur Sports Protection Act, opening the way for individual states to allow sports betting. The market potential for sports betting is huge – it’s between $150 to $400 billion annually, according to estimates.
Sports betting will be permitted in at least 26 states – six states already permit it, and others have either passed a bill or introduced legislation that is pending approval. However, bookmakers and other betting operators will need to tailor their compliance and risk mitigation strategies to each state’s unique requirements.
Of course, these were only a few of the regulations that impacted compliance in 2018. Here are some of the larger themes that can help us better understand the context of these regulatory changes.
Frequent and regular change
Up to 300 million pages of regulatory documents will be published by 2020; more than ever, compliance teams will need to acquire more knowledge to stay abreast of changes and become more agile in adapting to them.
Creating numerous and increasingly complicated procedures is not a scalable approach. Rather, harmonizing workflows to simplify planning, operations, and oversight is a path to limiting the costs of compliance as well as improving its performance.
Ensuring security without creating friction
To avoid fines, decrease risk and protect the brand, compliance requires a high level of security. Customers, on the other hand, expect instant access and seamless onboarding experiences. Compliance teams should engage more actively with technology solutions so that they can ensure security and compliance without affecting the speed and convenience of customer onboarding.
Companies can meet these challenges by arming their compliance departments with RegTech solutions; enabling automation, improving workflows and reducing the burden of paperwork are essential needs as the compliance function undergoes rapid change.
Trulioo, which has been at the forefront of RegTech for years, is used by some of the world’s biggest tech companies, banks, payment processors, and money transfer companies, along with major online marketplaces, financial institutions, gaming companies and financial services.
Thanks for reading; we hope 2019 is a great year for you and your organization.