Top banking compliance regulations & requirements 2024
From adversarial AI to quantum computing, the pace of tech development is driving banks, insurance companies, government agencies, and businesses to invest in expanding their digital transformation efforts. But these advancements bring with them new cybersecurity risks and threats that organizations need to be mindful of.
Policymakers and regulators are doing their part to emphasize how critical cybersecurity is. In fact, we expect cybersecurity to drive a significant amount of regulatory activity for the foreseeable future.
The latest regulatory changes affect authentication, digital identity, and digital agreements. To keep you informed, we've compiled an update on key regulations, policies, and laws. These updates will impact financial institutions, the banking industry, insurance companies, and more.
- Authentication and cybersecurity
- Digital identity
- Electronic signature, digital notarization, and electronic wills
Authentication and cybersecurity
EUROPEAN UNION
For years, the European Union (EU) has demonstrated regulatory leadership with regard to enhancing cybersecurity in its governments and businesses. As of publication of this blog, the three most newsworthy updates are:
The Digital Operational Resilience Act (DORA), which explicitly addresses cybersecurity concerns in the financial services sector. This regulation aims to increase the digital operational resilience of the financial industry.
It sets rules for risk management in information and communication technology (ICT). This includes handling incidents, reporting them, and testing operational resilience. It also covers managing risks from third-party ICT providers. It applies directly in all EU member states without the need for transposition into domestic legislation.
DORA applies from 17 January 2025. From that date, financial entities and their ICT providers must protect access to their systems with strong authentication mechanisms. The legislation’s strong authentication requirements are central to fortifying cybersecurity in the financial sector: multi-factor authentication (MFA), and phishing-resistant methods in particular, both meets the compliance requirement and reduces the organization's exposure to credential-based attacks.
NIS2, the Second Network and Information Security Directive, is legislation adopted by the European Union to strengthen cybersecurity in critical sectors. It widens the scope of the original directive (NIS1) and now covers sectors such as banking, energy, transport, chemicals, and digital infrastructure providers.
NIS2 focuses on management liability, supply chain security, cybersecurity controls, and incident reporting. In-scope enterprises must strengthen cybersecurity governance, define security responsibilities, and audit their supply chains. Non-compliance can result in penalties of up to 10 million euros or 2% of worldwide annual turnover, whichever is higher, for essential entities. NIS2 also names multi-factor authentication as a key security control for in-scope entities.
The proposed Payment Services Directive 3 (PSD3) is the anticipated update to the existing PSD2 framework and seeks to further strengthen authentication and payment security. While PSD2's strong customer authentication (SCA) successfully curbed account takeover fraud, other threats such as authorized push payment (APP) fraud have surfaced, in which the legitimate customer is manipulated into authorizing the payment themselves. PSD3 would require financial institutions to adopt controls that counter APP fraud, such as confirmation of payee and transaction monitoring.
In addition, PSD3 pays close attention to the usability and accessibility of strong customer authentication. Financial institutions would have to offer authentication mechanisms that all of their customers can use; in particular, approaches that can only be completed from a smartphone ("mobile-only" authentication) would not be permitted.
The legislative process is ongoing. Payment service providers should prepare for PSD3 by assessing the proposed requirements against their current authentication and fraud controls and developing a strategic plan to close the gaps.
AUSTRALIA
The Australian Signals Directorate (ASD) has developed the Essential Eight, a recommended set of mitigation strategies to enhance cybersecurity resilience. These measures, published by the Australian Cyber Security Centre (ACSC), which is part of ASD, aim to mitigate cyberattacks by implementing practical controls.
The ASD updated the Essential Eight Maturity Model in 2023, with a strong focus on MFA. Changes include standardizing the definition of authentication factors, enforcing MFA for web portals that store sensitive data (e.g., customer data), adopting phishing-resistant MFA, and requiring phishing-resistant authentication for workstations. These updates emphasize the importance of strong authentication and highlight its role in defending against various threats, credential phishing in particular.
UNITED STATES
In October 2021, the Federal Trade Commission published an update to the "Safeguards Rule" under the Gramm-Leach-Bliley Act. It outlines how non-bank financial institutions under FTC jurisdiction should protect customers' financial information. The updated rule requires MFA whenever any individual — employee, customer, or otherwise — accesses an information system. Institutions involved in financial system activities, such as auto dealers, real estate appraisers, tax preparers, investment advisors, and colleges and universities are subject to the regulations.
Another update is from the Federal Financial Institutions Examination Council (FFIEC). The FFIEC has highlighted identity verification as a critical component of Know Your Customer (KYC) regulations. The FFIEC stresses that "reliable verification methods generally do not depend solely on knowledge-based questions to verify identity." We recommend digital identity verification methods like ID document verification and facial comparison.
Digital identity
DENMARK
MitID, Denmark's advanced digital identity system, replaced NemID. It offers enhanced flexibility and security features. Designed as a comprehensive app for authenticating logins and payments, MitID aims to streamline digital interactions for users across Denmark.
Following extensive testing to ensure robust security and user-friendly functionality, MitID's deployment included a six-month transition phase, culminating in NemID's discontinuation. The rollout, finalized in November 2023, achieved widespread adoption, with 98% of Danish citizens over 15 switching to MitID. This transition marks a significant milestone in Denmark's digital infrastructure, promoting a more secure online banking sector.
CANADA
The Digital Identity and Authentication Council of Canada (DIACC) organized the creation of the Pan-Canadian Trust Framework (PCTF) and the Voilà Verified Trustmark Program to establish a unified and secure digital identity ecosystem in Canada. The PCTF aims to verify the trustworthiness of digital services by putting an emphasis on user-centric design, privacy, and security across both public and private sectors.
The introduction of the Voilà Verified Trustmark Program is a significant advancement. Offering certification to organizations that comply with the PCTF's standards, the program promotes a secure, reliable, and efficient digital identity infrastructure. It also builds trust among users and fosters a robust digital economy by managing digital identities securely and conveniently.
EUROPEAN UNION
EU member states must provide a digital identity wallet to any citizen who requests one. They will likely need to do so 24 months after the adoption of the eIDAS 2.0 Implementing Acts, which is expected to happen later in 2024. This wallet aims to simplify digital identification and transaction processes across the EU, allowing for seamless cross-border authentication and secure storage and exchange of personal data.
Enabling EU citizens to access a range of services online and offline with complete control over their personal information enhances digital convenience and security. This initiative is part of a broader effort that aims to standardize digital identity verification across the EU. This ensures a unified digital market and equal rights for all citizens. Large-scale pilot projects and an online consultation platform are underway to refine and implement digital identity wallets effectively.
SWITZERLAND
Switzerland is gearing up for the 2026 launch of its E-ID, a government-managed digital identity system. The Federal Council has adopted the draft E-ID Act and submitted it to Parliament. The act ensures that the digital ID will be state-run and prioritizes privacy and data protection, with features such as self-sovereign identity and decentralized data storage, so that personal data stays on the user's device rather than in a central register. Aimed at Swiss citizens and foreign residents, the E-ID will be free and voluntary, supporting all identification needs.
UNITED STATES
The National Institute of Standards and Technology (NIST) has been revising its Digital Identity Guidelines as NIST SP 800-63-4. The revision addresses the changing digital landscape and enhances the security, privacy, and usability of digital identity solutions. The guidelines cover identity proofing, authentication, federation, and privacy considerations. The public comment period for the draft closed on April 14, 2023. Once final, these guidelines will supersede the previous revision, SP 800-63-3.
Electronic signature, digital notarization, and electronic wills
Digital transformation is accelerating for documents and agreements requiring notarization. This includes not only financial transactions such as mortgages, but also real estate, insurance, and government transactions. Electronic and remote online notarization methods are gradually replacing traditional paper-based notarization, while electronic wills are also gaining traction across the US. This section explores these emerging trends from a regulatory standpoint across four key jurisdictions: the United States, Canada, the United Kingdom, and Ireland.
UNITED STATES
For over 20 years, the ESIGN Act and the Uniform Electronic Transactions Act (UETA) have facilitated digital transformation initiatives by US business and government organizations.
They also underpin the modernization of notary practices and related guidelines across the different US states. Across all forms of electronic notarization, the digital transformation of the notarial process has resulted in higher efficiency, better accessibility, and cost savings for businesses and individuals.
In-person electronic notarization (IPEN)
For in-person electronic notarization (IPEN), the notary and signer still physically meet face-to-face. Instead of wet ink signatures and paper documents, the notary and signer use eSignatures on the electronic document.
A conventional notarization method, used by most notaries, involves:
- Meeting face-to-face with the signer
- Notarizing the paper document with pen and paper
- Applying a traditional notary seal
Approximately 48 US states, as well as the District of Columbia, permit IPEN. UETA, which most states have adopted, provides the legal basis for the IPEN option.
Not all states, however, have enacted legislation that explicitly regulates electronic notarization. New York has not adopted UETA, but it has a similar statute, the NY Electronic Signatures and Records Act (ESRA), that permits the use of electronic signatures and records for digital transactions.
Taken together with the federal ESIGN Act, this means that IPEN is legally permitted throughout the United States.
Remote online notarization (RON)
Remote online notarization (RON) has gained traction in various US states. For RON, the notary and signer meet via audio-video communication technology to perform the notarization. There is no need to meet in person. Electronic signatures and records enable remote notarization, eliminating the requirement for physical presence.
As of January 2024, approximately 42 states have passed laws for RON.
In 2023, California passed the much-awaited Bill SB 696 and joined the other states embracing remote online notarization. The effective date for California notaries to perform RON has yet to be determined. From January 2025, however, California plans to recognize remote notarizations performed by notaries of other states.
California notaries themselves may have to wait up to six years, as the bill's implementation could be as far off as 2030. California's Secretary of State explained that the state must first complete a significant technology project that is needed to make the new law work.
Additional noteworthy clarifications:
- North Carolina and California have passed RON laws, but they are not yet in effect
- North Carolina plans to finalize a rule for remote online notarization by July 2024
- Georgia, Connecticut, South Dakota, Mississippi, Alabama, and South Carolina do not have RON laws yet
Future of RON
The US House of Representatives has twice passed a nationwide remote online notarization act, the Securing and Enabling Commerce Using Remote Electronic Notarization (SECURE) Act: first in 2022, and again as HR 1059 in February 2023. The act still needs the Senate's approval and the President's signature to become law.
If enacted, the SECURE Act would allow RON in all 50 states and require states to recognize out-of-state notarizations, streamlining and standardizing the notarization process across the country. It would also allow a notary public to use RON with signers located outside the US.
Overall, this is a promising advancement for RON. It would make it easier and more consistent for individuals and businesses to notarize documents regardless of location.
CANADA
Each province and territory in Canada regulates online notarization through their respective legislation. All provinces and territories have adopted the Uniform Law Conference of Canada's Online Notarization Model Act. This act outlines the methods and guidance for remote electronic signature authentication and document certification.
Generally, this law requires that people sign documents electronically before a commissioner or other authorized individual. The commissioner or authorized individual verifies the identity of all parties involved in the electronic transaction. They also remotely witness the signing ceremony using audio-visual technology such as video conferencing.
The exact rules governing Canadian notaries vary slightly between provinces and territories. For example:
- In Ontario, the Notaries Act was amended in May 2020 under Bill 190, the COVID-19 Response and Reforms to Modernize Ontario Act, 2020. This amendment allows notaries to exercise their powers without being physically present, a process known as remote commissioning, using audio-visual technology.
- In British Columbia, the Society of Notaries Public issued guidelines in August 2020 that allow remote notarization on a temporary basis. Remote notarization is valid only for certain eligible documents, such as affidavits, statutory declarations, and land title documents.
- Alberta temporarily allowed remote notarization during the pandemic. The process requires both the commissioner and the deponent to hold a paper copy of the affidavit, including all exhibits, while connected via video technology.
- Quebec introduced Bill 34 in October 2023, which became Law 23 once adopted. This law allows the signing of notarial deeds to be remote under certain circumstances. Law 23 now formalizes this process permanently and defines rules for greater security for users. The law favors in-person meetings between a notary and their client. However, remote signing remains possible in exceptional circumstances, provided all parties' rights and interests are respected.
UNITED KINGDOM
In the UK, the electronic notarization process is similar to that in other countries. For eligible documents, people can have them notarized remotely from anywhere in the world, without meeting the notary in person. During electronic notarization, the notary public verifies the identity of the signer and the authenticity of the electronic transaction and documents.
Electronic signatures in the UK are governed by UK eIDAS, the version of the EU eIDAS Regulation retained in UK law after Brexit. Note that eIDAS regulates electronic signatures and trust services rather than notarization itself. Unlike US electronic signature law, eIDAS distinguishes three levels of electronic signature: simple, advanced, and qualified.
The Faculty Office of the Archbishop of Canterbury oversees the regulation of the notarial profession in the UK. They first issued “Guidance on remote notarization” in May 2020 and revised it in January 2023. These guidelines include the requirement for the physical presence of a notary for notarizing certain types of documents. People may notarize documents with remote technology under certain circumstances.
Remote notarization excludes documents like wills, deeds, and affidavits. It's best to consult with a notary public to determine whether they can notarize your documents remotely.
IRELAND
In Ireland, certain transactions require individuals to use a Qualified Electronic Signature (QES). A QES must be based on a qualified certificate issued by a qualified trust service provider, which is independently audited and supervised. While QES is mandatory only for specific transactions, Ireland follows the European Telecommunications Standards Institute (ETSI) standards that define the technical requirements of a QES.
Under the eIDAS Regulation, Ireland, like every other EU member state, must designate a supervisory body and publish a trusted list of its qualified trust service providers. Currently, only one certification service provider has notified the Minister for Communications, Energy, and Natural Resources that its qualified certificates, related to a timestamp service, meet the requirements of the Electronic Commerce Act 2000.
In addition, Ireland's Electronic Commerce Act 2000 excludes documents such as wills and codicils from electronic signing. As a result, electronic signatures are not widely used in Ireland for documents under seal or those requiring witnessing, and the eNotarial concept has seen minimal uptake as of early 2024.
Regulatory compliance and opportunity
Regulatory changes present an opportunity to take bold steps forward with your organization’s digital transformation and cybersecurity initiatives. By fostering a culture of compliance, organizations not only meet legal requirements but also drive innovation and resilience via risk assessment and management.
We can help you achieve compliance through authentication, digital identity, and electronic signature technology. Talk to a OneSpan expert for best practices and advice on improving your digital customer experience without sacrificing security.