Financial service providers in the United States are subject to regulations at both the federal and state levels. Certain pieces of legislation were created specifically to target user privacy and identity management across all industries. However, other regulations have evolved over time to address the unique emerging challenges in the financial industry, with implications for how providers manage digital identities.
The following are the key pieces of legislation in the United States that are relevant to IAM in financial services.
Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act (SOX) was passed by Congress in 2002 to strengthen disclosure and auditing requirements for publicly traded companies. It was written in response to a string of high-profile corporate accounting scandals and aims to protect investors from similar incidents in the future. Organizations that do not comply with the SOX Act are subject to fines, penalties, and sanctions.
There are some key implications for customer digital identity protection from the SOX Act. For one, Section 404 of the Act requires companies to establish and maintain stringent internal controls over financial reporting. In turn, this ensures that only authorized users are granted the ability to access and modify financial information.
One positive takeaway from this is that companies have strengthened their authentication methods and keep regular tabs on which accounts are accessing financial information. Not only does this uphold the data integrity of the organization, but it verifies that users are who they claim to be before accessing sensitive financial information.
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA), sometimes referred to as the Financial Modernization Act of 1999, is a federal law that specifically mandates consumer data protection in the financial industry. It requires financial service providers to disclose how they use, share, and protect their customers’ private information.
As part of the GLBA, the Safeguards Rule requires financial service providers to have reasonable physical, administrative, and technical safeguards in place to protect consumer data. This might include conducting regular risk assessments, disposing of data when it’s no longer needed, encrypting data in transit and at rest, and enabling multi-factor authentication for any individual who attempts to access one of the company’s information systems.
Under the GLBA, financial service providers must write and implement an information security plan to ensure consumer data security and confidentiality, protect against known security threats, and prevent unauthorized access to sensitive data. They must designate a qualified individual to oversee the implementation and maintenance of such a program.
The GLBA is enforced by a number of agencies and governing bodies, including the United States Federal Trade Commission (FTC), the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), the Federal Reserve Board (FRB), state insurance authorities, and others. Noncompliance with the GLBA may result in fines for the institution in violation, as well as criminal prosecution and fines for the individuals involved.
NIST Regulations
The National Institute of Standards and Technology (NIST) is part of the U.S. Department of Commerce. It was established by Congress in 1901 and provides the technology and standards that guide countless products and services in the United States. For instance, NIST provides a framework for Zero Trust architecture in its Special Publication (SP) 800-207, in addition to the other guidelines explored in further detail below.
The overall mission of NIST is to encourage innovation and foster the competitive edge of U.S. companies, with the aim of building economic security and improving quality of life for the country’s citizens.
National Institute of Standards and Technology (NIST) SP 800-53
SP 800-53 from NIST is a framework for security controls to help reduce the risk of cybersecurity attacks on federal information systems.
SP 800-53 stems from a directive of the Federal Information Security Management Act (FISMA) of 2002, which tasked NIST with creating standards to guide federal agency compliance with its requirements. The first edition of NIST SP 800-53 was published in 2005, and it has undergone several revisions over the years to keep pace with emerging cybersecurity threats.
Though NIST SP 800-53 is mainly directed at federal agencies and contractors, it has influenced security control frameworks for local governments and private businesses, such as banks and other financial service providers.
Specific NIST SP 800-53 guidelines include 18 operational, technical, and management controls to help ensure the integrity and confidentiality of information systems. Such controls include access controls, identity authentication, incident response plans, employee awareness and training, and continuous monitoring.
National Institute of Standards and Technology (NIST) SP 800-63
NIST SP 800-63, Digital Identity Guidelines, provides the processes and technical requirements that federal agencies must meet to ensure the security, fairness, and usability of digital identity solutions.
NIST released Revision 4 of the Special Publication in 2023 in response to the growth of online services. This new version offers guidance on identity proofing and user authentication standards for any employee, contractor, or citizen interacting with a government information system.
Specifically, Revision 4 calls on agencies to include the potential impact on individuals and communities in their risk management practices. It also provides guidance on using biometric-based systems responsibly and expands the list of permitted identity proofing mechanisms to accommodate more consumers. The draft explicitly states the need for agencies to use digital identity services that support multiple authentication methods.
NIST SP 800-63 does not have direct regulatory power over financial services providers. However, its guidelines and best practices for digital identity management, authentication, and access controls can help providers enhance their security posture in a way that aligns with these standards.
California Consumer Privacy Act (CCPA)
One of the only state-specific regulations of its kind, the California Consumer Privacy Act (CCPA) is a landmark piece of legislation in the United States. This law was enacted to provide California consumers with more control over their data and encourage transparency and trust regarding how businesses use their personal information.
The CCPA went into effect in January 2020 and imposes strict privacy requirements on all for-profit businesses operating in California. There are some exemptions to the data that the CCPA protects, which may affect enforcement for financial service providers. Notably, data that is already covered by the GLBA is generally not subject to the CCPA.
The CCPA still applies to any personal consumer data that financial service providers collect outside the scope of GLBA requirements, which cover nonpublic personally identifiable financial information. Such data might include a consumer’s IP address, cookies, and other data that a provider collects for promotional purposes.
Under the CCPA, consumers have the right to opt out of the sale of their information to third parties. They can request to see the specific personal information that a business collects and stores and request the deletion of such data, subject to exceptions.
Thus, financial service providers must have the appropriate systems in place to manage user consent and maintain robust data access controls. To comply with the CCPA, they need to implement and maintain reasonable security measures to prevent unauthorized access to consumer data. The California attorney general enforces the CCPA, and noncompliance may result in fines and penalties.