
RADAR / 21

The Effects of GDPR on US Financial Institutions

In May 2018, the European Union General Data Protection Regulation (GDPR) finally went into effect. While GDPR is generally more evolution than revolution for EU businesses, the reach of the new regulation means substantial new compliance burdens for many US businesses. In particular, even though the financial services industry is one of the most heavily regulated under US law, GDPR means significant changes for data protection compliance at US financial institutions that trigger GDPR’s expansive extra-territorial scope (which we discuss below).

This article addresses some key issues for US financial institutions as they adapt to GDPR. It focuses on the differences from, and interaction with, the US data protection laws that apply to the financial services sector, especially the Gramm-Leach-Bliley Act and its implementing regulations (GLBA).

OVERVIEW OF GDPR AND EXTRA-TERRITORIALITY

The EU and US take fundamentally different approaches to data protection. The EU views personal privacy as a fundamental right of the individual and applies a comprehensive, cross-sector approach to data protection. In contrast, the US follows a sectoral approach, with laws tailored to specific industries. That said, multiple proposed bills in Congress seek to move the US to a more European-style approach. While these bills are unlikely to become law in the short term, it is possible that the US and EU approaches may converge in the future. In the meantime, along with the health care and marketing sectors, financial institutions are subject to some of the strictest regulations in the US.

GDPR changes a number of the obligations that apply to data controllers and processors. Financial institutions are usually controllers of personal data, and their service providers are processors. Some of the provisions under GDPR that will impose obligations on US financial institutions, not otherwise imposed by US law, include quicker data breach notification obligations, increased consent requirements for data sharing and use, and much larger penalties, which for certain violations can reach up to four percent of a business’s global annual revenue.

Carlo Kostka and Sam Adriance, Covington & Burling

The most significant change from a US perspective is GDPR’s extra-territorial scope. GDPR applies both to: (1) entities having establishments in the EU and processing data “in the context of” these establishments, and (2) entities that do not have establishments in the EU, if their processing activities relate either to offering goods or services to data subjects in the EU, or to monitoring the behavior of data subjects in the EU. For example, a US financial institution that advertises and provides products and services to EU customers is likely to be subject to GDPR.

This does not mean that GDPR applies to all EU citizens’ or residents’ data, or that an organization is subject to GDPR simply by virtue of hosting a website accessible in the EU. Further, GDPR only applies to the extent that the processing is “related to” the activity that triggered extra-territorial application. In other words, a US financial institution does not need to revamp its privacy program for US customers just because some of its activity is subject to GDPR. Nonetheless, many US financial institutions will need to make changes in light of GDPR’s extra-territorial scope.

COMPARISON OF GDPR TO US FINANCIAL INSTITUTION PRIVACY REQUIREMENTS

In the US, financial privacy is regulated primarily under GLBA and the Fair Credit Reporting Act (FCRA). GLBA generally requires financial institutions to provide consumers with notice and an opportunity to opt out before they share personal information with non-affiliated third parties, particularly for marketing purposes.

That said, in practice, most of financial institutions’ data sharing is made pursuant to the exceptions to GLBA’s privacy restrictions, such as sharing with other financial institutions to process a payment, or with an information technology service provider. Financial institutions are also subject to the FCRA as both users and furnishers of consumer report information. Among other things, the FCRA requires financial institutions to conduct reinvestigations when consumers dispute the accuracy of information furnished to consumer reporting agencies, and imposes certain restrictions on the sharing of information between affiliates.

Sharing may not be caring: How does GDPR stack up for US firms operating overseas?

Notice Requirements

GLBA requires financial institutions to provide customers with a privacy notice. Many financial institutions use the model privacy notice found in GLBA’s implementing regulations, which provides a legal safe harbor against claims that the presentation is not “clear and conspicuous” as required under GLBA.

GDPR imposes more prescriptive notice requirements on controllers. Controllers must provide, for example, information about how long data will be stored, whether the controller uses automated decision-making with respect to that data, and, if so, “meaningful information about the logic involved” and the significance of such automated processing. It is not clear that a notice tailored to GDPR will meet the GLBA safe harbor requirements.

Consent for Sharing

As noted above, GLBA and FCRA generally allow sharing with third parties if consumers have consented to such sharing, including by not opting out, though California’s Financial Information Privacy Act (or S.B. 1) requires opt-in consent for California residents.

GDPR imposes stricter consent requirements for processing data, which includes sharing with third parties for marketing purposes. While, as discussed below, many forms of processing may be conducted without obtaining explicit consent, in general a US financial institution dealing with an EU data subject will likely need to obtain “clear affirmative” consent before sharing with third parties, especially for advertising purposes. In addition, a service must not be made conditional on such consent unless the processing is essential to the service.

Legitimate Bases for Processing

When information is shared or used for a US financial institution’s everyday business purposes, a broadly similar analysis applies under both GLBA and GDPR. As already noted, GLBA permits financial institutions to share personal information without providing notice and opt-out rights for most legitimate purposes other than marketing. US financial institutions generally understand these exceptions to permit them to share for many purposes, including payment processing, furnishing information to consumer reporting agencies, and aggregation by personal financial management services, such as Mint or Yodlee, through APIs.

GDPR permits the processing of data without specific consent (but with notice) for reasons such as when necessary: (a) to perform a contract with the data subject; (b) to comply with a legal obligation or a task carried out in the public interest; (c) to protect the vital interests of an individual; or (d) to further the legitimate interests of the data controller or another third party, so long as there is no contradiction with the data subject’s fundamental rights. For the most part, financial institutions’ sharing under GLBA exceptions, such as for processing payments, should also be permissible under GDPR, unless the data subject has asked to restrict such processing or financial service laws explicitly impose additional consent requirements, such as, for example, under the EU PSD2 Directive.

Correction and Access Rights

The FCRA requires US financial institutions that furnish information to consumer reporting agencies to conduct reasonable reinvestigations if a consumer disputes the accuracy of the information. GDPR similarly provides data subjects with the right to have inaccurate information corrected by data controllers, though GDPR has different timeline and notification requirements.

The FCRA further gives consumers access to the information in their consumer reports, and the right to restrict the use of such reports, such as, for example, with a “credit freeze.” These latter provisions, however, only apply to consumer reporting agencies, not to most financial institutions. By contrast, GDPR requires all data controllers to provide data subjects with access to information about any personal data they process. It also gives data subjects broad rights to restrict or oppose processing of their data, and to withdraw consent.

New dawn: The EU General Data Protection Regulation went live on May 25, 2018.

COMPARISON TO US CYBERSECURITY REQUIREMENTS

Cybersecurity Programs

US financial institutions are also subject to cybersecurity requirements under GLBA’s Safeguards Rule, as implemented either by the Federal Trade Commission (FTC) or the relevant federal prudential regulator (such as the Office of the Comptroller of the Currency), depending on the nature of the financial institution. The Safeguards Rule generally eschews detailed requirements, but follows a technology-neutral approach that requires financial institutions to implement “reasonable” or “appropriate” cybersecurity programs. In addition, financial institutions subject to the jurisdiction of the New York Department of Financial Services (NYDFS) now must comply with the NYDFS Cybersecurity Rule, which imposes somewhat more prescriptive cybersecurity requirements.

GDPR also requires both data controllers and processors to implement appropriate technical and organizational measures to protect the data. While it describes some examples of such appropriate measures, such as pseudonymization and encryption, it does follow a similar approach to US federal regulators in not imposing prescriptive technical requirements. That said, more prescriptive rules can be found in EU financial service regulations.

Data Breach Response

US financial institutions regulated by the federal prudential regulators are subject to general breach response guidance issued by those agencies. This guidance requires regulated institutions to develop appropriate breach response programs, and to notify their regulator “as soon as possible” upon the discovery of unauthorized access to or use of sensitive customer information. Further, if the institution discovers that misuse of this information “has occurred or is reasonably possible,” it should notify the affected consumers “as soon as possible.” This is a flexible standard that allows the financial institution to exercise judgment about when it must notify its regulator, based on the circumstances. Financial institutions within the FTC’s jurisdiction, by contrast, are not subject to any federal breach response requirements. All US financial institutions, however, must also comply with many state data breach laws.

GDPR creates a more rigid standard. In the case of a personal data breach, GDPR requires notification to the institution’s supervisory authority unless the breach is “unlikely to result in a risk for the rights and freedoms of individuals.” This notification must generally be made within 72 hours of becoming aware of the breach. In addition, consumers must be notified of the breach if it is “likely to result in a high risk to the rights and freedoms of the natural person.” Dedicated financial service regulations may impose additional reporting obligations, as do regulations on so-called “essential facilities,” which include certain financial services.

CONCLUSION

In summary, financial data protection laws in the US follow many of the same broad principles as GDPR, even though GDPR is more restrictive in several circumstances. Further, while many US financial institutions will need to adapt to GDPR, they already comply with substantial regulatory requirements in the US.

Carlo Kostka is a member of Covington’s global corporate finance practice in London, focusing especially on the financial services sector. In advising clients, Mr. Kostka draws on a career spanning over twenty years in the finance sector in both private practice and, subsequently, in-house at one of Europe’s leading banks.

Sam Adriance is an associate in Covington’s Washington office, where he assists clients with financial regulatory and data protection issues, including financial privacy, consumer financial services, safety and soundness, and anti-money laundering.

*** This article is for general information purposes and is not intended to be taken as legal advice.