
Future Features: Compliance Review #53

@amark

Description

Companies like Plaid and similar financial data aggregators must comply with several U.S. laws and regulations when handling bank account information from users.

1. Gramm-Leach-Bliley Act (GLBA)

  • They are expected to follow GLBA Safeguards, which require protection of nonpublic personal information (NPI).
  • The CFPB has cited GLBA as the baseline security framework for data providers under Section 1033 of the Dodd-Frank Act.
  • They must ensure data minimization, user consent, and protection of account numbers from misuse in marketing.

2. Section 1033 of the Dodd-Frank Act

  • Finalized in October 2024, this rule gives consumers the right to access their financial data and share it securely with third parties.
  • Requires covered data providers (including banks and fintechs) to offer secure, reliable APIs for data sharing.
  • Examples of how compliance is supported:
    • API-based data access,
    • Authorization record retention,
    • App registration and security verification.

3. State Laws: CCPA and CalFIPA

  • California Consumer Privacy Act (CCPA): Companies must provide transparency about data collection, allow users to opt out of data sales, and respond to data deletion requests.
  • California Financial Information Privacy Act (CalFIPA): Limits how financial data can be shared with third parties.

4. Security and Compliance Standards

  • Adhere to:
    • ISO 27001 and ISO 27701 (information security and privacy management),
    • SOC 2 Type II (data security compliance),
    • AES-256 encryption for data at rest and TLS for data in transit.
  • Conduct regular audits and penetration testing, and maintain a bug bounty program.

5. User Consent and Data Control

  • Companies like Plaid enforce explicit user consent before accessing or sharing data.
  • Users control:
    • Which apps access their data,
    • What data is shared,
    • Whether to revoke access.
