WP Top Security and Data Privacy Regulations for Financial Services | Imperva


Regulatory compliance has become an increasingly important part of the financial services industry in recent years, and the trend is likely to continue: the upsurge in cloud computing, the use of mobile applications, and the shift to IoT devices are all driving exponential data growth. Here are some of the most significant regulatory mandates that affect financial services:

PSD2 Payment Services Directive – EU

The PSD2 Payment Services Directive came into effect in January 2018 with a deadline to comply by September 2019. Introduced to improve the internal market for electronic payment services within the EU, the directive puts in place a comprehensive set of rules for payment services with the objective of making international payments across the EU as easy and as secure as possible. PSD2 also promotes innovation and increases competition by opening up the market to non-bank players and fintechs.

A key component of the PSD2 directive is the inclusion of regulatory technical standards for strong customer authentication (SCA). Payment services providers are obliged to apply SCA for customers making electronic payments to guarantee the safe authentication of the user and to reduce the risk of fraud.

PCI DSS – Global

PCI DSS is the global Payment Card Industry Data Security Standard and establishes the policies, tools, and controls needed to protect cardholder data. The standard has been around since 2004 and is the result of a combined effort by the principal credit card organizations to better protect payment card data. It applies to any merchant accepting or processing payment cards and offers a comprehensive framework, with specific and practical guidance, on how to secure cardholder data by complying with a set of security requirements. PCI DSS is administered by the Payment Card Industry Security Standards Council (PCI SSC). With 12 high-level requirements and over 200 sub-requirements, meeting PCI DSS compliance can be a challenge for organizations.

Gramm-Leach-Bliley Act – US

The Gramm-Leach-Bliley Act (GLBA) is a US Act of Congress, also known as the Financial Services Modernization Act, introduced in 1999 to remove barriers which prohibited commercial banks, investment banks, securities firms, and insurance companies from consolidating. The justification was that individuals could manage both ‘savings’ and ‘investments’ at the same financial institution, enabling those combined organizations to do well in times of economic turbulence. Compliance with GLBA is mandatory for financial institutions, and firms must have a policy in place whether or not they disclose nonpublic information. The main components of GLBA compliance are:

Financial Privacy Rule – requires financial institutions to provide each consumer with a privacy notice which must explain the information collected about the consumer, where that information is shared, how that information is used, and how that information is protected.

Safeguards Rule – requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue, protecting clients’ nonpublic personal information.

Pretexting Protection – pretexting, also known as ‘social engineering’, is the manipulation of a target into giving up personal or nonpublic information. The GLBA encourages covered organizations to implement safeguards against this type of activity.

General Data Protection Regulation – EU

The European General Data Protection Regulation (GDPR) is a legal framework for the collection and processing of personal data which came into effect in May 2018. The mandate gives data subjects greater rights and control over their personal information and requires that businesses meet stringent data privacy protection measures. It requires compliance by all organizations that do business in the EU or that collect or process personal data originating in the EU. Not having a physical office in the region, or not processing personal data in an EU member country, does not make you exempt from the GDPR.

NYDFS Cybersecurity Regulation – US

Introduced in 2017, the New York Department of Financial Services regulation (NYDFS) addresses the growing threat posed by cybercrime to financial firms, requiring them to protect their customers’ data and maintain security of operations within the industry. The regulation applies to all firms regulated by the DFS, including their out-of-state and overseas branches, and requires that they assess their cybersecurity risk profiles and implement a comprehensive plan that recognizes and mitigates that risk.

MAS Technology Risk Management Guidelines – Singapore

In June 2013, the Monetary Authority of Singapore (MAS) published an updated version of its Technology Risk Management (TRM) guidelines for financial services. The guidelines set out technology risk management best practice for financial services and were intended to ensure that financial institutions implemented adequate and robust risk management systems and operating processes. The guidelines provide best practice standards for financial institutions to adhere to in the following areas:

  • Establishing a sound and robust technology risk management framework.
  • Strengthening system security, reliability, resiliency, and recoverability.
  • Deploying strong authentication to protect customer data, transactions, and systems.

In August 2019, following a period of consultation with the industry, MAS issued a set of legally binding requirements to further raise the cybersecurity standards and strengthen the cyber resilience of the financial sector.

Consumer Data Right (Australia)

Following a review commissioned by the country’s Treasurer in 2017 to recommend the most appropriate model for Open Banking, the Australian government decided to implement a Consumer Data Right (CDR) to give Australians greater control over their data. Introducing the CDR to financial services means consumers can grant permission to share their financial data with trusted third parties. The CDR is being introduced into the banking sector in phases, the first of which, applicable to the sharing of data relating to credit and debit cards, deposit accounts and transaction accounts, was launched on 1 July 2020. In a second phase, mortgage and personal loan data will be sharable after 1 November 2020. Following the introduction of CDR to financial services, it will be rolled out to the energy sector and, eventually, other industries.

Sarbanes-Oxley (SOX)

The Sarbanes-Oxley Act (SOX) was passed in 2002 to protect investors from fraudulent financial reporting by corporations. It came about in response to a number of financial scandals involving huge conglomerates and obliges companies to establish internal controls to prevent fraud and abuse, holding senior managers accountable for the accuracy of financial reporting. The act created strict new rules for accountants, auditors, and corporate officers and added new criminal penalties for violating securities laws. The purpose of SOX is to build public trust and protect sensitive data for stakeholders, so while SOX applies to all publicly listed and privately held companies doing business in the United States, it is particularly relevant for financial services, an industry known for managing large volumes of highly sensitive data.

The last two decades have seen a rise in the number of new data protection laws and privacy regulations, and organizations often need to comply with more than one regulation spanning different geographies and focusing on different capabilities. This is especially true for financial services, where SOX compliance, for example, focuses on the integrity of auditing and reporting, whereas the requirements of the NYDFS regulation and MAS TRM guidelines relate to the security of industry operations and the protection of customer data. With such a long list of regulations to comply with, it would be easy to let compliance get in the way of progress and innovation. That’s where Imperva can help.

Imperva offers a range of data security solutions to help organizations meet data privacy and protection compliance obligations, whether in the cloud or on-premises, to let you focus on your business.
