IDMERIT - Category - GDPR https://www.idmerit.com/category/gdpr/ One Source for Global Data Intelligence Solutions Fri, 03 Feb 2023 12:26:24 +0000

Vermont Consumer Privacy Law as a Fraud and Compliance Solution https://www.idmerit.com/blog/vermont-consumer-privacy-law-as-a-fraud-and-compliance-solution/ Mon, 21 Jan 2019 08:00:44 +0000

The post Vermont Consumer Privacy Law as a Fraud and Compliance Solution appeared first on IDMERIT.

California is not the only state concerned with data privacy. In May 2018, before the General Data Protection Regulation (GDPR) came into effect in the European Union, Vermont passed a consumer privacy law as well. It is a law that is meant to serve as a fraud and compliance solution. It regulates data brokers—these are the companies that collect and sell consumer personal information.

The law went into effect January 1, 2019, and has broad-reaching protections, just like GDPR and CCPA. The Vermont law protects the citizens of Vermont, US citizens, and non-US citizens. The goal of the fraud and compliance solution is to stop criminals from using consumer information and to make the data trade more transparent.

Why the Vermont Law is an Important Fraud and Compliance Solution

Many US consumers are not aware of how this law serves as a fraud prevention solution. They are also not aware that companies use the data they collect about them from social media visits or website traffic.

Many companies use the data to create “shadow” profiles of consumers. These profiles help determine creditworthiness, favorability of offers from financial institutions, and even which job openings to show people online. For the most part, these “shadow” profiles are unregulated in the US. The Vermont law changes this.

What the Vermont Law Does

Under the guidelines of the new bill, data brokers must register with the Vermont Secretary of State and pay an annual $100 fee. Registering with the state presents new scrutiny for data brokers. Vermont requires brokers to better inform consumers about the data they collect about them. It requires them to provide clear instructions for opting out of data collection. Brokers must be transparent and report information about how they collect, store and sell consumer data to the state. They must also implement a comprehensive data security system that builds a fraud prevention solution. Plus, they must create safeguards to protect consumers’ personal data.

How the Law Defines a Data Broker

The new law in Vermont changes the definition of what a data broker is. It takes a broad approach and defines a data broker as a business or collection of businesses that knowingly collects and sells or licenses personal information from consumers to third parties with whom they do not have a relationship.

Businesses that collect, sell and license their own consumers' data are not affected by the law, as long as they have a direct relationship with those consumers and the sale of data is merely incidental. This means that companies like Google, which collect data directly from consumers who use their search engine, are not affected by the law, while data brokers, which collect data through indirect means, are affected.

Noncompliance is Costly

The law forbids data brokers from acquiring consumer personally identifiable information (PII) through illegal means. It also prohibits them from using PII to harass, stalk, commit fraud or perform any other illegal activity. If a data broker fails to meet the standards set forth by Vermont or suffers a data breach, it will have to notify authorities about the incident. Previously, brokers were not required to do so. This law lets regulators within the state keep tabs on companies and penalize a data broker through legal enforcement actions if they find it is using consumer data for unethical purposes, as in the Cambridge Analytica scandal, where Facebook users were unaware that their PII was being accessed and used to manipulate the 2016 US election.

Additional Consumer Protections

The Vermont bill adds some benefits for its residents. It waives the $10 fee for freezing a credit report and the $5 fee for lifting the freeze. Credit reporting bureaus like Equifax, Experian and TransUnion will have to allow Vermont residents to control their accounts without charging those fees. If consumers feel that their data was sold and led to illegal discrimination, they can now take a data broker to court and hold it responsible for the injustice. This gives Vermont residents the ability to monitor and safeguard their own credit, and empowers them in a way unavailable to most US consumers.

How Does it Compare to GDPR?

Overall, GDPR is still a stricter fraud and compliance solution than the Vermont law. Nevertheless, Vermont is paving the way for future consumer privacy legislation in the US. Clearly, the support for consumer data protection is there, especially given the number of data breaches plaguing US citizens in 2018. California has also followed suit and created its own consumer privacy law, the CCPA, creating more of a demand for consumer data protection. It seems likely that many more states will follow Vermont and California's lead and introduce privacy laws to protect consumers in the near future. This could pave the way for federal legislation concerning consumer privacy in the US.

Noncompliance with AML and GDPR could Ruin Small Banks https://www.idmerit.com/blog/noncompliance-with-aml-and-gdpr-could-ruin-small-banks/ Wed, 08 Aug 2018 08:00:09 +0000

The post Noncompliance with AML and GDPR could Ruin Small Banks appeared first on IDMERIT.

Noncompliance is an important topic for banks around the world. If a bank fails to meet compliance standards for certain directives, it risks severe fines. Small banks, in particular, can easily fall out of compliance with certain directives without knowing it. This lack of knowledge could cause them financial ruin or, even worse, force them to shut down.

AML Compliance Around the World

Between 2007 and 2015, 8 billion dollars was laundered illegally on behalf of Russian, Azerbaijani, and Moldovan customers through Denmark's largest bank, Danske Bank. This is a staggering amount of money being laundered. Because of situations like this one, many regulators have allocated their resources toward fighting money laundering schemes in the large banking sector. The global scope of these banks, along with their size, makes them targets for heavy regulation.

Regulators have limited resources to ensure anti-money laundering (AML) compliance, so this has left smaller banks largely neglected. Smaller banks, with moderate assets and modest banking operations, are often not overseen and scrutinized for AML compliance as closely as large banks are by global financial regulators.

Why Small Banks are at Risk

The specific factors that cause small banks to be taken advantage of for money laundering activities include:

  • Regulatory anonymity: small banks are not as closely regulated for AML compliance
  • Lax banking regulations toward AML compliance
  • Shortage of funds to allocate toward compliance measures

Money launderers are aware of the gap in regulatory AML surveillance between large and small banks. This gap gives them the opportunity to perform money laundering activities in small bank branches with little fear of getting caught.

Money launderers also take advantage of staff in small banks who are often not familiar with AML compliance standards. Small banks have lax policies toward AML compliance because their customer base typically does not require them to be vigilant about criminal activities in their operations. Plus, small banks generally do not have enough money to fully fund AML compliance departments, which leaves them open targets for financial fraudsters.

Fines for AML Noncompliance

Since 2009, United States and European regulators have imposed over $342 billion in fines on banks for failing to meet AML standards. These fines are expected to continue rising, to upwards of $400 billion by 2020.

Several banks have been fined for failing to meet AML compliance standards in 2017:

  • Deutsche Bank was fined $41 million
  • BNP Paribas was fined $246 million

Other banks are being investigated and could face billions of dollars in fines for AML noncompliance:

  • The Commonwealth Bank of Australia
  • The Commercial Bank of China

Regulators take noncompliance with AML rules seriously. Whether or not a small bank has the resources to meet AML compliance is not a sufficient excuse. If a small bank is found to be an accessory to a money laundering crime, it risks being fined millions in penalties by regulators. This would likely be a death blow for a small bank and its operations.

GDPR Compliance Around the World

GDPR is a set of consumer privacy regulations set forth by the European Union. It dictates that European Union (EU) citizens and residents are protected under its jurisdiction. This suggests that an EU citizen living in the United States does not fall under GDPR regulations, whereas a US citizen living in Spain, an EU country, would.

For banks, these regulations can be quite tricky to maneuver.

How Small Banks are at Risk

Large banks are generally global and understand that GDPR regulations apply to them. This has caused many of them to spend millions of dollars to meet these standards and apply a broad compliance approach to their customer base.

Small banks, in contrast, are at risk for not meeting GDPR compliance because:

  • Lack of understanding about GDPR
  • Inadequate resources available to perform user research
  • Shortage of funds to put toward compliance measures

Small banks are often not sure whether they need to follow GDPR. Since they serve more targeted markets, they do not always know if it is necessary for them to follow international regulations.

To determine whether GDPR compliance is necessary, the first step a small bank must take is to perform a privacy risk assessment. Small banks need to look at data from their users and determine how many of their customers are from the EU. If they find that they are regularly doing business with or marketing to EU consumers, they know that GDPR applies to them and measures need to be taken to comply.

Performing this assessment can be burdensome and expensive for small banking operations. Regardless, they must comply or risk large fines from regulators. If a small bank assumes it does not need to comply with GDPR when it actually does, it can get costly once the bank is found to be in violation of the regulations.

Fines for GDPR Noncompliance

GDPR fines can range as high as 20 million euros or 4% of the total global annual turnover of the previous financial year. Within hours of GDPR taking effect this May, Facebook and Google were hit with consumer privacy complaints from users. This could cost them $9.3 billion total in fines.

Fines this high could put any small banking operation at risk of failure. They could severely hurt the institution and force it to shut down. While meeting GDPR compliance seems like a hassle, dealing with bank closure is even worse. This makes it a worthwhile investment for small banks to meet GDPR standards.

Consumer Privacy is Here to Stay https://www.idmerit.com/blog/consumer-privacy-is-here-to-stay/ Mon, 09 Jul 2018 19:46:42 +0000

The post Consumer Privacy is Here to Stay appeared first on IDMERIT.

Last week, California passed the California Consumer Privacy Act (CCPA) of 2018. It contains the toughest consumer privacy controls to date in the United States. The act has been hailed as California's own version of GDPR, a set of consumer privacy protection laws that recently came into effect in the European Union, and it is easy to see why. Although the bills are not exactly the same, this legislation makes it clear that GDPR is having a lasting effect on the global economy.

The bill, AB 375, was passed June 29th by the California state legislature and signed by Governor Jerry Brown. The law was the result of a last-minute attempt to circumvent a stricter citizen initiative that was destined for the November ballot. This was done because ballot initiatives are extremely difficult to amend once approved. On the other hand, the legislative process is built to handle comments and improvements for legislation.

The CCPA affects all companies that do business in California and collect data. According to AB 375, consumers will now have the right to request from businesses the types of data being collected about them. Consumers can request that the data not be sold to third parties, the data be given to them in a portable format, and the data be deleted. Consumers can also initiate civil action if they believe an organization has failed to protect their personal data under the new law. All these mandates mirror similar requirements under GDPR.

Nevertheless, there are key differences between CCPA and GDPR. Businesses will be able to offer financial incentives for the ability to collect consumer data in California, which is not mandated in GDPR. CCPA safeguards consumers, defined as natural persons who are California residents, while GDPR safeguards persons. GDPR also speaks of Data Controllers and Data Processors, while CCPA targets businesses. CCPA forces businesses to add a link to their homepage that says, “Do Not Sell My Personal Information,” and takes consumers to a page where they can opt in or out of the sale of their personal information. GDPR, in contrast, states that subjects must be provided with a clear and understandable explanation of how their data will be used. Regardless of these differences, CCPA, along with GDPR, will have a lasting effect on many businesses.

The CCPA will dramatically change how businesses handle consumer data in California. Big tech companies such as Google and Facebook will have to make major adjustments to how they handle their consumers' data; otherwise, they risk facing sizable penalties for noncompliance. Many in the tech industry worry that the law will impact their ability to innovate on behalf of consumers. Others argue that they should be able to innovate without collecting massive amounts of consumer data.

Over the next 18 months, many tech companies will have to change their protocols to meet AB 375 requirements. Since some of these requirements are similar to those required by GDPR, many companies will not have to start their compliance measures from scratch. Microsoft, for example, has promised to comply with GDPR everywhere in the world they do business. This means GDPR is already having a global impact on business operations.

Other organizations have responded to GDPR much differently. Some media outlets, for example, blocked European Union consumers from viewing their websites in response to GDPR. This means they will have to either do the same in California or find a suitable response to comply with consumer data privacy laws.

Consumer privacy is here to stay. GDPR started it all and is already having a lasting effect on the global economy after being in effect for a little over a month. It is clear with GDPR and CCPA that governments are taking data privacy very seriously. Companies either must get on board with privacy measures, or risk huge fines. Even worse, they could risk destroying their businesses by not cooperating with these consumer-minded initiatives.

The Effects of GDPR are Beginning to Take Shape https://www.idmerit.com/blog/the-effects-of-gdpr/ Mon, 04 Jun 2018 17:00:29 +0000

The post The Effects of GDPR are Beginning to Take Shape appeared first on IDMERIT.

It’s finally here. GDPR came into effect last week, on May 25th, 2018, and its effects are beginning to take shape. Companies have scrambled to ensure they meet compliance standards, as they do not want to be hit with heavy fines. Here are a few methods that we found particularly interesting:

1. Block European Visitors

The Los Angeles Times has taken a direct approach to compliance. It has simply blocked all visitors from countries within the European Union. This ensures it remains compliant, but at what cost?

This approach demonstrates to users that the publication didn’t properly prepare for the new regulations, leading to a loss of trust in the Los Angeles Times. Furthermore, according to the Columbia Journalism Review, European regulators have criticized this approach because they claim publishers had plenty of notice to conform to the new rules. Blocking users may work as a temporary solution to complying with GDPR. In the long run, though, it’s going to have a negative impact on the publication.

2. Charge European Visitors

The Washington Post is taking a bold approach to compliance. Instead of blocking European citizens from viewing its website, it has decided to charge them for an ad-free and tracking-free experience.

This approach has many wondering if it meets compliance standards. Some say private companies can make access to their services conditional upon the consent of data subjects while others say that GDPR forbids this type of behavior.

At this point, it is unclear how regulators will respond to such an approach to compliance. As GDPR enforcement gets underway, the Washington Post will serve as a case study for others. It will help determine whether its approach violates GDPR by forcing consent for data tracking.

3. Strip Website of Ads

USA Today is offering a new website experience for its European users. This website is free of ads and includes no tracking. Some have claimed it offers a better user experience and have praised the publication for taking this approach.

That being said, it is uncertain whether USA Today will continue to do this for very long since many publications rely on ad revenue to stay afloat in this day and age. Publishers must figure out ways to fund their operations while remaining transparent about data use under GDPR.

Don’t Make These GDPR Assumptions https://www.idmerit.com/blog/dont-make-these-gdpr-assumptions/ Wed, 16 May 2018 08:00:54 +0000

The post Don’t Make These GDPR Assumptions appeared first on IDMERIT.

The General Data Protection Regulation (GDPR) is described as the most important legislation concerning data privacy in 20 years. It runs under the assumption that European Union (EU) consumers own their data and that companies, businesses, governments, etc. must handle it with care. Organizations worldwide must adhere to the legislation or risk heavy fines, reaching as high as 4% of global annual revenue. This means that as we approach the deadline for compliance in 9 days, on May 25th, the rush toward compliance is on. To help with your efforts, we have compiled some of the common misconceptions about GDPR. Here is a list of things to watch out for:

Does GDPR apply to you?

Let’s make this simple: GDPR applies to anyone who handles personal data from EU consumers. This means any organization, anywhere, can fall under GDPR compliance. Furthermore, companies that store personal data must be compliant, as must companies that process requests to access personal data. Just because you are located outside the EU does not mean that you can avoid GDPR. You are just as liable as anyone else.

Fraud Prevention > GDPR Compliance

You may think that following KYC and AML procedures overshadows GDPR compliance, but this is not the case. All these compliance rules now have to work together. It can be easy to ask for large amounts of data for authentication purposes, but under GDPR, while you can collect personal data during the onboarding process for verification purposes, storing it unnecessarily is no longer allowed. Furthermore, you can’t ask specific questions during access, such as date of birth and a specific address.

72 hours to notify EU citizens about breaches

Many organizations are worried about the turnaround time for informing regulators about breaches. Ideally, if a company finds out about a breach, it should find out what the breach is, who has been affected, how big the breach is and how it happened, all within 72 hours. Many organizations do not have such a breach plan in place, though. While this can cause panic, it’s important to note that the 72-hour time frame starts after the breach has been discovered, not after it has occurred. This gives organizations some wiggle room to develop processes and put them into place before beginning to track breaches in their systems.

GDPR compliance only applies to online channels

If you are a company that stores personal data from EU consumers, GDPR applies to you. It doesn’t matter if you talk to these people in person, on the phone or some other way. GDPR applies to any entity that stores high amounts of data from EU citizens. One good example is a call center. Call centers store information from consumers such as emails, phone numbers, and addresses; therefore, they fall under compliance. The best way to reduce the risk of noncompliance at a call center is to verify the customer’s identity at the beginning of the call and lower the amount of personal data used during phone calls.

GDPR compliance can be tricky, but you can’t avoid it any longer. The sooner you begin processes to comply with the new legislation, the easier it will become. GDPR sets a new standard for the retention of personal data of EU consumers. It will have a lasting effect for organizations all around the globe. IDMERIT can help you toward your goal of GDPR compliance. Contact us for more information today.
