Earlier this week, bobsguide were delighted to host a webinar with Kevin Taylor, Partner at Schnader Harrison Segal & Lewis LLP and author of FinTech Law: A Guide to Technology Law in the Financial Services Industry. During his presentation, Taylor addressed some of the hot topics in financial technology law, including mobile financial services, cloud computing, information governance and cybersecurity, and explained how these topics relate to the use of technology in the highly regulated financial services industry.
Mobile Financial Services
Taylor predicted that in the near future, around 50 million consumers will be using mobile phones or personal digital assistants as their primary choice of payment. He spoke about the impact of Near Field Communication (NFC) technology, which currently gives customers the ability to make contactless payments, and said this infrastructure is better than Bluetooth because it works when the device is turned off and has a shorter range, which makes it more secure and suitable for crowded areas where signal strength may be low.
Taylor explained that data theft is a crucial subject in FinTech law, as vendors need to be aware of how to authenticate consumer information. He mentioned that under the Gramm-Leach-Bliley Act (GLB), both the security and privacy of a consumer’s non-public information (NPI) are protected. Also, Section 404 of the Sarbanes-Oxley Act (SOX) requires companies to have controls in place to increase financial data and systems security.
One of the questions that Taylor asked during the webinar was how a bank or a mobile service provider could be held liable for any data loss or tampering when they are complying with regulation, and this question was applied to the topics that followed.
Taylor outlined the risks of cloud computing, which included that data security breaches could go unnoticed by the provider, that it could leave jurisdiction data without adequate protection, and that noncompliance with privacy and data protection laws could be present. He also mentioned that accountability for these problems lies in a chain of subcontractors, and that it is difficult for companies to monitor their cloud service provider and, therefore, their data.
Taylor compared the regulations already in place in the US and the EU and the impact they have on negotiation and liability. He also referenced recent case law to reiterate how businesses have utilised these.
According to Taylor, it is important to note that service levels and “knowing what you’re getting” are more difficult with cloud computing, as your data is controlled by a third party and termination rights can get complicated. However, organisations like the Cloud Security Alliance (CSA) provide more information on cloud computing and suggest ways for companies to decrease security breaches in future.
Taylor said there are different types of information and it is important to distinguish between these when using a third party provider. Companies should also take a more holistic view of how data is treated because third party providers occasionally run their own analytics on the information to create statistical data. According to Taylor, the same types of data could have different record keeping regulations but because data processing is now done electronically this also needs to be tracked.
Taylor also explored data breach liability and the issues it has caused major companies such as JP Morgan Chase and Target, where a lack of compliance meant they were vulnerable to hacking.
Cybersecurity affects people on all levels, and Taylor talked about how countries, businesses and individuals are all vulnerable to threats from hackers who can obtain both information and identities. According to Taylor, businesses should have solutions in place, but it is the government's responsibility to provide this. An example of this is the Comprehensive National Cyber Security Initiative, launched by George W. Bush and supported by Barack Obama to this day, which helps to educate those new to technology about cyber security risks and also helps companies to establish a stronger defence against cyber threats.
Taylor said there is always a human element when data security is breached, and liability issues will always come to the surface as everyone makes mistakes. However, someone must be held accountable. Under vendor management, third parties are required to handle personal data, but to make this work, regulations should be overseen by service providers.
Taylor also said that even though these laws were written before the time of Bitcoin, mobile payments and wearables, they still apply to new technologies and operate under the same regulations.