Financial regulation changes frequently, so you may not notice which part of your finances a new rule affects until it already has. Financial services businesses must follow a wide range of regulations and rules, and some of these affect you and your finances directly.
Here we will analyse the EU financial services regulations:
- Regulations and safety standards in Europe
- International data security standards
- European regulations on financial markets and data protection
Regulations and safety standards in Europe
If you have used any EU financial services, chances are you have come across various financial regulations when you accepted their terms and conditions. These regulations are not only for the financial company to comply with, but also for you to follow. They influence everything - from creating an account on a financial institution's website to making transactions - and range from anti-money laundering and supervision to data protection.
International data security standards
The purpose of international security standards is to set out requirements and best practices for data security that can be adopted globally, either voluntarily or by being referenced in legislation. Implementation takes a variety of forms. At a minimum, most companies implement a baseline level of security controls, notify affected individuals when there is a data breach, and comply with the data security laws of other jurisdictions when handling foreign customers' data. Such baseline measures are also part of ISO/IEC 27001, the international standard that specifies how a business should establish and operate an information security management system.
There is no single worldwide data security standard at this time, but there are several large-scale data security regimes, such as:
- The Payment Card Industry Data Security Standard (PCI DSS): PCI DSS is a global standard maintained by the PCI Security Standards Council, founded by the major card brands, to prevent payment card fraud. Compliance is not required by law in most jurisdictions; it is instead imposed contractually by the card brands, through the acquiring banks, on any merchant or service provider that stores, processes or transmits cardholder data. PCI DSS requires companies to build and maintain a secure network, restrict and control user access, regularly test their security systems and processes, protect stored cardholder data, and maintain an information security policy, among other requirements.
- General Data Protection Regulation (GDPR): A regulation that protects the personal data of people in the EU regardless of where the data is stored and regardless of where the company processing it is located: a non-EU company that offers goods or services to, or monitors the behaviour of, people in the EU falls within its scope. The GDPR requires such a company to follow specific procedures after a personal data breach, including notifying the competent supervisory authority within 72 hours and, where the breach is likely to result in a high risk to those affected, notifying the individuals themselves.
- SWIFT Customer Security Programme (CSP): SWIFT's Customer Security Programme helps financial institutions maintain the integrity of the wider financial network by ensuring that their cyber defences are up to date and effective. Its Customer Security Controls Framework sets mandatory and advisory controls that every institution using SWIFT services must implement, and institutions must attest to their compliance annually.
European regulations on financial markets and data protection
To promote a consistent trading environment, the European Union legislates in two ways: through regulations, which apply directly in every member state, and through directives, which set the result to be achieved and must be transposed into each member state's national law. Two important areas of this legislation concern the financial sector and payments, and the protection of customer data.
European regulation on finance, payment and anti-money laundering
The EU's financial markets and service providers are regulated under EU-level rules, but regulation is not fully harmonised and supervision remains largely decentralised: national parliaments, central banks and other supervisory authorities stay in charge of applying the rules. There are many financial rules in the EU, and they often overlap with each other. The following are European laws that are closely related to customers and financial companies:
The AML Directive
Money laundering is a financial crime: the act of disguising the origin of illegally obtained funds by passing them through financial transactions. It is widely agreed that money laundering harms the economy, but it is very difficult to detect. Hence, firms are required to take steps to prevent it, including verifying their customers' identities and monitoring their financial activity. Anti-money laundering in the EU is governed by Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, as amended by Directive (EU) 2018/843 (the fifth AML Directive), referred to below as the AML Directive.
The list below explains the measures that financial services will apply to you as a customer:
Verifying you as a customer: The general rule, set out in Article 14 of the AML Directive, is that a financial entity must verify your identity before establishing a business relationship with you. Article 13 explains that institutions verify your identity by:
- Collecting your information, data, and documents
- Cross-checking the information and documents you have provided against a reliable and independent source, for example national registries and portals, and
- Only then accepting you as a customer and allowing you to use their services
However, their responsibilities do not end here. Financial entities are required to continue monitoring you and your financial activities within their services. Hence, you will see that companies keep asking for confirmation for activities despite having your data. This is customer due diligence, which we will explain next.
Customer Due Diligence: Customer due diligence is crucial for financial companies to monitor their customers, evaluate the risks, and prevent illegal activities. Hence, you will notice various restrictive measures when making transactions, even if you have been their customer for a long time. Due diligence means taking specific measures to evaluate whether your financial activities are legal. In practice, due diligence is triggered mainly by the amount of money involved. Article 11 of the AML Directive states that obliged entities (the firms covered by the Directive) must apply due diligence when:
- A transfer of funds, as defined in the Wire Transfer Regulation, exceeds 1,000 EUR
- An occasional transaction amounts to 15,000 EUR or more, whether carried out in a single operation or in several operations which appear to be linked
- A trader in goods receives cash payments of 10,000 EUR or more, whether in a single operation or in several operations which appear to be linked
- There is a suspicion of money laundering or terrorist financing, or doubts about the accuracy of the identification data previously obtained, regardless of the amount
For the transactions listed above, the entity will ask you to confirm the transaction or to provide further documents supporting it before releasing the money.
Entities must also assess the risk of a transaction based on the countries involved and the delivery channels used (Article 8), and apply enhanced due diligence to transactions involving countries the EU has identified as high-risk third countries (Article 18a). Therefore, if you are making an international transaction to a country considered high-risk, you will be subject to further scrutiny. The same applies if you receive money from a country that is considered high-risk. The entity may ask for additional documents or may take more time to release or accept the money. It is essential to be aware of such situations because your transactions may be delayed or stopped completely.
Payment Services Directive 2
The EU has enacted PSD2 (Directive (EU) 2015/2366) to regulate payment services and payment service providers throughout the EU/EEA. Its main goals are to establish a more integrated European payment market, to make payments safer, and to better protect customers. PSD2 brings two services that were outside the scope of the original PSD under regulation, and introduces additional measures to make payments smoother and more secure:
- Payment Initiation Services (PIS): Providers enable you to pay for goods and services online by initiating a transfer directly from your bank account. The provider connects to your account, enters the details needed for the bank transfer to the merchant, and informs the merchant that the payment has been initiated.
- Account Information Services (AIS): Information from one or more of a customer's bank accounts is collected and presented in a single place, giving the customer an overall view of their financial situation and letting them examine their expenditure and financial needs in near real time.
- Third Party Providers (TPPs): The firms offering PIS and AIS are collectively known as third party providers. Under PSD2 a bank must, with your explicit consent, give an authorised TPP access to your payment account so that the TPP can initiate payments from it or read its data.
- Strong Customer Authentication (SCA): Online and mobile payments and account access must be authenticated with at least two independent elements drawn from three categories: something only you know (such as a password or PIN), something only you possess (such as a phone or hardware token), and something you are (such as a fingerprint). The elements must be independent, so that compromising one does not compromise the others, and the definition of what counts as an authentication element is stricter than before.
The Wire Transfer Regulation
Making a transfer to another person requires you to share your own information and the recipient's. This is a legal requirement under Regulation (EU) 2015/847, the Wire Transfer Regulation, which sets out the information on payers and payees that must accompany transfers of funds. Although a hassle, this inquiry is a preventive measure against money laundering, and applies in particular where the payment service provider is established within the European Union. Under Article 4, your provider must obtain the following information:
- Your name, payment account number, and either your address, your official personal document number, your customer identification number, or your date and place of birth
- The payee's name and payment account number to which the funds will be sent
Before sending the money, your payment service provider must verify the accuracy of the information you provided, using documents, data or information from a reliable and independent source. It may not execute the transfer until the required information has been obtained and verified, and the payee's provider must in turn check whether the information arrived complete and reject the transfer or request the missing data if it did not.
European regulation on data protection
A lot of attention has been paid to data protection and information and communication technology in the European finance sector in recent years. A coherent and consistent regulatory strategy can help establish the necessary baseline of security across the financial sector and reduce the rate of data breaches, with compliance being one of the key drivers. The following are some examples of regulations that govern financial data security:
- General Data Protection Regulation
- Financial Information Directive
- Network and Information Systems Directive
- AML Directive
- Wire Transfer Regulation
The General Data Protection Regulation (GDPR)
The increase in digitalisation has led to a rise in online crime. The financial sector is a primary target because there is a lot to gain from exploiting it. Hence, you may be worried, like everyone else, about the protection of the data a financial entity holds about you. And you should be: a data breach puts you and your money at risk.
Fortunately, regulators take data privacy and protection seriously; they have passed new legal measures and included data protection in several laws related to financial services, to protect both customers and the institutions that serve them:
The primary legislation on data privacy and protection is Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data - GDPR for short. The purpose of GDPR is to protect you as a natural person with regard to the processing, movement and storage of your personal data. For banks, GDPR means looking at data protection from a fundamental rights perspective, thus protecting you by:
- setting out the principles for the lawful processing of your data
- prescribing how entities must obtain your consent to the processing of your data
- defining your rights as a data subject: transparency, access, control over sharing with third parties, rectification and erasure
- defining the obligations of the controllers and processors handling your data
It gives you rights and control over your data while placing the responsibility and accountability for protecting it on the controllers and processors. This law applies to every sector of the economy; it is the general law on data protection that applies to you in all aspects of life, and financial services, which process large volumes of sensitive personal data, are among the sectors most affected by it.
Financial Information Directive
Directive (EU) 2019/1153 supports the AML Directive by regulating access to and use of your financial information. It gives designated competent authorities direct access to the national centralised bank account registries, so that they can establish which accounts you hold in order to prevent, detect, investigate or prosecute money laundering and other serious crimes, and lets them request further financial information from financial intelligence units where necessary. They may also exchange your information with authorities in other member states, and, where necessary, your member state may restrict your right of access to your personal data processed under this Directive.
Processing under this Directive remains subject to the GDPR and, for law enforcement purposes, to the Law Enforcement Directive (Directive (EU) 2016/680), so your rights as a data subject continue to apply within the limits those laws allow.
Network and Information Systems Directive
The Network and Information Security Directive (Directive (EU) 2016/1148, the NIS Directive) was adopted as part of the EU cybersecurity strategy, with the goal of raising the security of network and information systems across the Union and so making the EU a safer place for online transactions. Because it is a directive rather than a regulation, each EU member state has had to implement national legislation that "transposes" it. It has since been replaced by the NIS 2 Directive (Directive (EU) 2022/2555), which member states had to transpose by October 2024 and which widens the scope and tightens the obligations of the original.
Data processing under AML Directive
The AML Directive includes data protection provisions to the extent necessary to uphold your fundamental rights. A financial service provider must process the personal data it collects under the Directive only for the purpose of preventing money laundering and terrorist financing, and not for any other purpose, such as commercial use.
Financial companies must retain the documents and data you provided during customer due diligence for five years after the end of the business relationship or after the date of an occasional transaction. After five years, the company must delete that data unless national law requires or allows longer retention, which the Directive caps at a further five years.
Data processing under Wire Transfer Regulation
Like the AML Directive, the Wire Transfer Regulation requires payment service providers to process your personal data only for the purpose of preventing money laundering and terrorist financing. Processing for any other purpose, in particular commercial purposes, is prohibited. The provider must also keep the processing confidential, and it may not retain your information for longer than five years after the transfer, unless national law allows longer retention (again capped at a further five years).
To avoid having a transaction rejected, you need to comply with the provider's verification procedures. Banks, payment service providers and investment companies alike are obliged to scrutinise your information under both their internal policies and the regulations, and face penalties if they do not. Refusing to comply results in rejection, so in practice you must either follow the procedures or stop using financial services altogether.
The finance industry is exposed to new varieties of risk all the time, from financial crime to digital crime, so financial products and services constantly need upgrading to protect themselves. States have therefore passed mandatory laws and guidelines for the industry to ensure that services and products, and the servers that manage their data, are kept secure, updated and maintained. Some of these laws apply to the financial and business side, some to information security, and some to both. This article discussed the international data security standards and the European laws on finance and banking, information security and data protection, and how these laws and guidelines affect businesses and clients alike.
Because financial regulations are ever-changing, they will have a significant impact on your own finances. Some of these laws affect you directly, others indirectly: some are established to safeguard your payments, transfers, data and accounts, while others protect the procedures through which the transfers and payments take place.