FinTech Security and Regulation

May 28, 2022

As a FinTech consultant, I’m conducting a study into the security and regulation of virtual banking in the US financial sector. The federal and state governments in the United States have a number of agencies that regulate and oversee financial markets and businesses. Each of these agencies has a distinct set of tasks and obligations that allow them to operate independently of one another while pursuing comparable goals.

The United States has a “dual banking system,” which means that banks can be chartered by either one of the 50 states or the federal government. Regardless of whether the bank is chartered by a state or the federal government, it will have at least one federal supervisor. The following is a list of US banking rules that virtual banks must follow.

To begin, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions – companies that provide consumers with financial products or services such as loans, financial or investment advice, or insurance – to inform their customers about their information-sharing practices and to protect sensitive data.

The GLBA’s principal data protection obligations are set out in the Safeguards Rule. The FTC’s Privacy of Consumer Financial Information Rule (Privacy Rule), which was issued under the GLBA to drive the implementation of GLBA obligations, adds further privacy and security requirements. The FTC, the federal banking agencies, other federal regulatory authorities, and state insurance supervisory agencies all enforce the GLBA.

The Safeguards Rule (16 CFR Part 314), for example, requires financial institutions subject to FTC jurisdiction to have safeguards in place to protect customer information. Companies subject to the Rule must also take steps to ensure that their affiliates and service providers protect the customer information in their care and adopt their own safeguards.

Furthermore, the Financial Privacy Rule (16 CFR Part 313) requires financial institutions to publish specific notices and to adhere to certain restrictions on the dissemination of nonpublic personal information. If a disclosure falls outside the exceptions, a financial institution must provide a notice of its privacy policies and practices covering both affiliated and non-affiliated third parties, and must allow the consumer to opt out of the disclosure of the consumer’s nonpublic personal information to a nonaffiliated third party.

Second, the California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal data collected by organizations. Consumers in California now have new privacy rights, including the right to know what personal information a business collects about them and how it is used and shared; the right to have personal information collected about them deleted (with some exceptions); the right to opt out of the sale of their personal information; and the right not to be discriminated against for exercising their CCPA rights.

In November 2020, California voters approved the California Privacy Rights Act (CPRA), which, when it goes into effect on January 1, 2023, will mark a significant expansion of California’s existing privacy rules.

Businesses should also keep in mind that the present “business-to-business” and “HR” exceptions will expire on January 1, 2023, necessitating the application of the entire range of CPRA standards to these categories of personal information, which are currently mainly outside of the CCPA’s reach.

Third, the NYDFS Cybersecurity Regulation (23 NYCRR 500) is a set of New York Department of Financial Services rules that impose new cybersecurity standards on financial organizations. Covered entities, such as banks, mortgage businesses, and insurance companies, are subject to stringent cybersecurity standards under this regulation. According to the regulation, financial institutions must implement a detailed cybersecurity program, create a comprehensive cybersecurity policy, and establish and maintain an ongoing reporting process for cybersecurity events. All entities operating under a DFS license, registration, or charter, or that are otherwise DFS regulated, are subject to the NYDFS Cybersecurity Regulation. Unregulated third-party service providers that engage with regulated organizations are likewise subject to the rule.

Fourth, the “Outsourcing Technology Services” booklet of the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook) provides guidance and examination procedures to assist examiners and bankers in evaluating a financial institution’s risk management processes for establishing, managing, and monitoring IT outsourcing relationships.

The services provided by technology service providers (TSPs) are regulated and examined to help ensure that financial institutions operate safely and soundly. The booklet discusses how an institution should manage the risks associated with outsourced IT services.

The federal financial regulators have statutory authority to examine all of a financial institution’s activities and records, whether performed or maintained by the institution itself or by a third party, on or off the institution’s premises. As a result, transferring a financial institution’s records to another organization, or having another organization carry out all or part of the financial institution’s functions, must not obstruct the examination and supervision of the institution.

Fifth, the “Information Security” booklet of the FFIEC IT Handbook provides guidance to examiners and addresses the factors necessary to assess the level of security risk to a financial institution’s information systems. It also helps examiners determine how well the information security program is integrated into overall risk management.

Institutions should maintain robust information security programs that are proportional to the complexity of their operations. Information security programs should have strong board and senior management support, encourage the integration of security activities and controls into the institution’s business processes, and establish unambiguous accountability for security tasks. Furthermore, given the rising frequency and severity of cyberattacks, the institution should place greater emphasis on cybersecurity measures, which are an important component of information security.

Sixth, the Consumer Financial Protection Bureau (CFPB) has published guidance on its Information Technology Examination Procedures as part of its Compliance Management Review.

The Bureau’s supervisory expectations for an institution’s compliance program extend to the relationships the institution has entered into with service providers. Institutions that form relationships with service providers may gain a variety of benefits, including greater operational efficiency and the ability to offer more products and services. However, if not adequately managed, such arrangements can expose institutions to risk. While an institution’s management may choose to outsource some or all of a product’s or service’s operational functions, it cannot delegate responsibility for ensuring compliance with federal consumer financial laws or for managing the risks connected with service provider arrangements.

Overall, virtual banks must meet all of the above-mentioned US compliance requirements. This requires the banks to interpret the rules, clarify how they apply, and prepare the necessary documentation. For compliance in the United States, virtual banks will need to analyze each of these requirements and comply with them.

Some of the bank regulations in the United States are as follows.

Regulation B is designed to ensure that applicants are not discriminated against in any way during the credit application process. Regulation B outlines the rules that lenders must follow when obtaining and processing credit information. Under the regulation, lenders are prohibited from discriminating on the basis of age, gender, race, nationality, or marital status.

The Community Reinvestment Act of 1977 is implemented via Regulation BB, a Federal Reserve regulation. It establishes guidelines to encourage banks to lend to low- and moderate-income borrowers, while also requiring institutions to disclose certain information to the public. Under Regulation BB, banks are required to disclose to the public the communities they will serve and the types of credit they are willing to issue there. It also mandates that they make public any public comments received on their Community Reinvestment Act (CRA) statement.

The Home Mortgage Disclosure Act of 1975 is implemented through Regulation C. Regulation C requires many financial institutions to report, on an annual basis, loan data about the communities in which they offered residential mortgages.

Regulation CC mandates that depository institutions make funds deposited into transaction accounts available within specified time periods and that they inform their customers about their funds-availability practices. In addition, the regulation establishes measures to expedite the collection and return of unpaid checks. Consumer disclosures and expedited recredit procedures are described in the Check 21 portion of the rule, which affects banks that issue or receive substitute checks.

Regulation D imposes reserve requirements on certain deposits and other liabilities of depository institutions in order to conduct monetary policy. It sets out how depository institutions must classify various types of deposit accounts in order to meet reserve requirements. The Fed suspended Regulation D on April 24, 2020; however, the rule still permits banks to retain it if they wish.

Regulation DD requires financial institutions to inform customers about annual percentage yields, interest rates, minimum balance requirements, account-opening disclosures, and fee schedules. Regulation DD applies only to personal accounts, not to corporate or other organizational accounts. With the exception of credit unions, this regulation applies to all depository institutions.

In the context of electronic funds transfers (EFTs), Regulation E establishes rules for consumers and for banks and other financial institutions. Regulation E sets out the actions consumers must take to report EFT problems, as well as the steps a bank must take to provide remedies. Regulation E also sets out the consumer’s obligations for reporting unauthorized EFT activity, which often involves a lost or stolen card. Regulation E governs debit card issuance but not credit card issuance; nevertheless, it does govern the EFT aspects of credit usage.

According to Regulation H, member banks must implement security measures to combat specific offences as defined by the Bank Protection Act. Member banks are also required to report suspicious activities under Regulation H, and must record and report foreign transactions in accordance with the Bank Secrecy Act (BSA).

The Servicemembers Civil Relief Act (SCRA) is a federal statute that protects military personnel while they prepare to enter active service. Rental agreements, security deposits, prepaid rent, evictions, instalment contracts, credit card interest rates, mortgage interest rates, mortgage foreclosures, civil judicial processes, automotive leases, life insurance, health insurance, and income tax payments are among the topics covered.

The Bank Secrecy Act (BSA), also known as the Currency and Foreign Transactions Reporting Act, requires banks and other financial institutions to file paperwork with regulators, such as currency transaction reports, when their clients engage in cash transactions above $10,000.

The Unlawful Internet Gambling Enforcement Act (UIGEA, implemented by Regulation GG) forbids anyone in the betting or wagering business, including businesses, from knowingly accepting funds in connection with another person’s participation in unlawful Internet gambling. Such transactions are termed “restricted transactions.” The UIGEA requires the Secretary of the Treasury and the Board of Governors of the Federal Reserve System (collectively, the “Agencies”), in consultation with the US Department of Justice, to designate payment systems that could be used in connection with or to facilitate restricted transactions. As a result of this designation, the payment system, as well as the financial transaction providers who participate in it, are subject to the rule’s obligations.

Regulation M, commonly known as Subchapter M, is an IRS regulation that allows regulated investment companies to pass the tax liability on capital gains, dividends, and interest distributions through to individual investors. Regulation M follows the conduit theory, which holds that, in order to prevent double taxation, investment companies should pass capital gains, interest, and dividends through to shareholders.

Regulation O limits and regulates the credit that a member bank can extend to its executive officers, principal shareholders, and directors. The rule is intended to keep bank directors, trustees, executive officers, and principal shareholders (“insiders”) from benefiting from favourable loan terms.

Regulation T is a set of rules that governs investors’ cash accounts and the amount of credit that brokerage firms and dealers can extend to customers for the purchase of securities. Regulation T allows an investor to borrow up to 50% of the purchase price of securities that can be bought with a broker’s or dealer’s loan. The remaining 50% of the purchase price must be paid in cash.

Regulation U is a Federal Reserve Board regulation that oversees the use of securities as collateral in loans and the acquisition of securities on margin by organizations. Regulation U restricts the amount of leverage that can be used to buy more securities with loans secured by securities. Stocks, mutual funds, and other market-traded instruments are frequently involved.

Regulation V requires all entities that furnish information to a consumer reporting agency to ensure that the information is accurate. The data must be complete, providing a full record of the customer’s payment history, including whether or not they met their payment due dates on time. The amount paid toward the outstanding balance of obligations, as well as the length of time those debts have been owed, are also taken into consideration.

Regulation W is a regulation of the Federal Reserve System of the United States that restricts certain transactions between depository institutions, such as banks, and their affiliates. It imposes quantitative restrictions on covered transactions and demands collateral for some of them. Banks that are Fed members, insured state non-member banks, and insured savings associations are all subject to the regulation. Regulation W was created to bring together decades of interpretations and rulemaking under the Federal Reserve Act’s Sections 23A and 23B.

Regulation X is a rule set forth by the Board of Governors of the Federal Reserve System (FRS) that sets credit limits granted to foreign people or organizations for the purchase of US Treasury securities such as T-bonds.

Regulation Y is a Federal Reserve regulation that governs the conduct of bank holding companies and certain state member banks. Regulation Y covers the establishment of minimum capital reserves (the ratio of reserves to assets) for bank holding companies, certain bank holding company transactions, and the definition of non-banking activities for bank holding companies, state member banks, and foreign banks operating in the United States.

The Truth in Lending Act is also known as Regulation Z. Regulation Z aims to guarantee that loan terms are communicated in a meaningful way so that consumers can more easily and accurately compare credit arrangements. All creditors are required to use the same credit vocabulary and rate terms.

In conclusion, this post has outlined the US banking authorities as well as some of the US banking regulations that virtual banks must follow.


© 2022, @victorleungtw