InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
California regulator advises businesses to only collect needed data under CCPA
On April 2, The California Privacy Protection Agency issued Enforcement Advisory No. 2024-01 reminding businesses that data minimization is a foundational principle the California Consumer Privacy Act. The Advisory noted that the Agency has observed certain businesses collecting unnecessary and disproportionate amounts of personal information and emphasized that minimization principles would apply to processing consumer requests. As such, the Advisory highlighted the requirements of minimization, including the concept that the collection, use, sharing, and retention of personal information must be reasonable and proportionate to the purposes identified, considering the minimum personal information required, the potential negative impacts on consumers, and the existence of additional safeguards that addressed the applicable negative impacts. As part of the discussion, the Advisory also discussed two scenarios: one described an opt-out procedure, and the other described verification in connection with a consumer request. For the opt-out procedure, the Advisory reminded businesses that businesses may not verify a consumer’s identity to process an opt-out (it may, however, ask the consumer for the information necessary to complete the request). For the verification procedures, the Advisory outlined a possible process for analyzing whether additional verification information would be required, such as whether the business stores driver license information.
FinCEN discusses digital identity threats
On January 25, FinCEN's acting Deputy Director, Jimmy Kirby, spoke before the Identity Policy Forum regarding digital identity threats, stating that FinCEN is “pragmatically focused” on protecting the U.S. financial system from illicit finance threats. According to Kirby, financial institutions must establish with confidence who their customers are on the front end and throughout the customer relationship. He noted that a failure or security compromise in any step of that process compromises the integrity of customer identity. Kirby also pointed out that security breaches have led to data hacks of centralized repositories of identity-related information, exposing personally identifiable information, and making those data sources less reliable, and that identity-related suspicious activity reports are increasing. Observing such threats, Kirby said that FinCEN designed the Identity Project to achieve three goals, to: (i) learn about financial institutions’ customer identification processes; (ii) quantify process breakdowns, vulnerabilities, and threats; and (iii) identify solutions, including digital identity. Kirby also discussed responsible innovation and emphasized the need to “foster development of infrastructure, information sharing, and standards that will safeguard the future of identity and the financial system.” Regarding expanding partnerships and feedback loops, Kirby said that the public sector must learn from each other, and that FinCEN is “also engaging with other domestic Federal agencies and regulators on digital identity, at FedID and throughout the year.”
FinCEN stresses importance of reliable digital interactions
On September 7, speaking before the 2022 Federal Identity Forum & Exposition in Atlanta, Georgia, acting Deputy Director of FinCEN Jimmy Kirby addressed the importance digital identity plays in FinCEN’s mission as it relates to privacy and cybersecurity, particularly with respect to protecting the U.S. financial system from illicit finance. This includes helping financial institutions comply with various reporting requirements, such as filing suspicious activity reports and currency transaction reports and ensuring that recordkeeping requirements under the Customer Identification Program and Customer Due Diligence rules are met. While Kirby recognized that digital identity frameworks have the potential to “spur innovation in financial products and services across the legacy financial system, as well as digital assets and emerging central bank digital currencies,” he stressed it is vital that digital identity is handled correctly through the implementation of “identity solutions that preserve privacy and security, promote financial inclusion, and protect the integrity of the financial system.” Focusing on topics related to emerging threats and responsible innovation, Kirby emphasized the need for financial institutions to implement measures for knowing who their customers are, both on the front end and throughout the customer relationship, and to take steps to prevent identity theft and fraud. Kirby also discussed the importance of fostering responsible innovation and developing infrastructure, information sharing, and standards that mitigate the risks associated with digital identities.