As CCPA goes into effect this week, banks face new regulations on customer data

Fingerprint scan (Photo credit: Flickr / CPOA)

With the start of the new year, banks and fintech companies that do business in California will need to grapple with the new California Consumer Privacy Act (CCPA), which goes into effect Wednesday.

Although banks’ handling of consumer data is already covered by the federal Gramm-Leach-Bliley Act (GLBA), banks are scrambling to figure out what type of data is covered by what regulation.

“Most banks in the United States never successfully executed a full data classification program,” said Richard Bird, chief customer information officer at the identity security firm Ping Identity. “They’re being asked to protect data, and they haven’t even gone through the exercise of identifying that data and where it’s located within their banks.”

As was the case with the EU’s General Data Protection Regulation that went into force in 2018, the new regulation could present challenges for financial institutions that collect consumer data for marketing purposes. The CCPA has an exemption for data covered by the GLBA, or any consumer data an institution obtains to provide a financial service. As banks and fintechs continue to rely on consumer data for marketing, however, they will need to contend with compliance with the new CCPA regulations. 

The CCPA puts much more robust restrictions on the commercial use of consumer data than the GLBA. Under the CCPA, consumers can ask what personal information a business has on them, request to delete that information, and ask to stop businesses from selling that information to third parties.

While the GLBA only applies to data used to provide a financial product or service, the CCPA applies to “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This could mean anything from an email address to geolocation data.

An ABA Banking Journal article from August identifies marketing activities as major pain point for banks when it comes to CCPA. Consumer geolocation and social media information, for example, is used by many banks for marketing, and that data will now be subject to CCPA regulatory oversight. Bird said getting banks’ tech stacks to meet the new requirements could take years, and they will rely on manual processes from employees in the meantime, costing banks money and labor. The new regulations make consumers eligible to receive up to $750 for data breaches.

See also: Bankers prepare for GDPR-type regulations to take hold in the US

Bird said California lawmakers have made clear they won’t start regulating the law until the summer, but time is ticking and most banks are still figuring out what data falls under CCPA jurisdiction. Bird couldn’t disclose what banks Ping works with, but a company spokesperson said Ping works with “12 of the 12 largest U.S. banks.”

In a statement, Wells Fargo said it already allows customers to request and delete their data. Although the CCPA does not apply to non-California residents, Wells Fargo will handle data requests from U.S. residents outside of California in the same manner in which it handles requests from California residents, the bank said.

Bird said some banks will take a wait-and-see approach with the CCPA to evaluate how strict regulators act and whether it is worth overhauling tech stacks to meet requirements. “As we realized in 07-08, everything is dependent on [banks’ financial] health,” he said. “I don’t think taking the Vegas approach of shooting dice and hoping ‘it’s not me’ is the best way to mitigate risk.”

Bank Innovation Ignite, which will take place on March 2-3 in Seattle, is a must-attend industry event for professionals overseeing financial technologies, product experiences and services. This is an exclusive, invitation-only event for executives eager to learn about the latest innovations. Request your invitation.