Mauldin & Jenkins Financial Institutions Newsletter  |  January 2020
Is Your Bank Ready for the California Consumer Privacy Act?
Jameson Miller, CPA | Mauldin & Jenkins, LLC

If you spend time online, as most of us do these days, you have probably noticed an uptick lately in the number of websites informing you that they are updating their privacy policy. The recent spate of changes is a response to the soon-to-be-implemented California Consumer Privacy Act (CCPA). Passed in 2018, the law goes into effect as of January 1, 2020 and applies to many businesses that collect or maintain data on any California consumers, including data gathered through websites. This means that even if your bank does not have a presence in California, you need to understand how to comply with CCPA.

Do you recall the near-frantic preparations that website owners went through getting ready for the General Data Protection Regulation (GDPR) that governs data collection relating to web users in the European Union? Well, CCPA could create even more legal obligations and limitations than its European cousin. There is no need to panic, but there is an urgent need to ensure your bank knows what CCPA covers and how to comply with it.

The new law grants four rights to all California consumers regarding Personally Identifiable Information (PII) about individuals (including employees) that businesses collect, retain, use, share or sell:
  1. The right to know (what types as well as the specific data points)
  2. The right to delete the information companies and their business service providers possess about them
  3. The right to opt-out of having that information sold
  4. The right to non-discrimination based on their choice to exercise privacy rights (meaning a business may not charge different prices or deliver different levels of service to these customers than to others)

In addition, the law requires businesses that collect such information to implement and maintain reasonable security procedures and practices. That is a vague standard to go on, leaving plenty of room for attorneys to quibble about just what does and does not constitute ‘reasonable’ under the law. But, while the lawyers are having a field day arguing it out, banks and other business organizations must prepare for CCPA’s imminent enactment despite the lack of clarity.

Preparations should include at a minimum the following steps:
  • Identifying relevant data – Whose data does the company currently possess? Is there any chance that California consumers are represented in one or more databases? CCPA utilizes a very broad definition of PII in establishing the scope of what is covered under the act.
  • Performing risk analysis and preliminary research – Does the bank have operations in California? Does it qualify for an exemption? State legislators have added a number of exemptions and qualifying conditions, some specifically applicable to financial institutions. Even where an exemption exists, however, it does not provide banks with free rein to use consumers’ personal data as they wish. Typically, only certain data and activities covered by other laws such as the Gramm-Leach-Bliley Act, California Financial Information Privacy Act and Fair Credit Reporting Act are affected by the exemption.
  • Assessing existing security procedures – Are current security measures sufficient to qualify as reasonable for the purposes of CCPA?
  • Developing appropriate systems and protocols – How will the bank store consent records and process and retain opt-out requests? What will it do to ensure that data is deleted properly upon request?
  • Updating websites and privacy policies – Do the bank’s data collection tools need to be altered to meet the law’s requirements? Does its consumer-facing privacy policy accurately describe updated policies and procedures, including those regarding opt-out choices?

Bank leaders will likely want to seek expert advice as part of their preparation for CCPA. In addition, they should be aware of other privacy laws governing collection, retention and use of consumers’ personal data. These include the Children's Online Privacy Protection Act (COPPA), Driver's Privacy Protection Act (DPPA), Video Privacy Protection Act (VPPA), Electronic Communications Privacy Act (ECPA), Stored Communications Act (SCA), Telephone Consumer Protection Act (TCPA) and others.

Another complicating factor may soon arise due to the absence of a federal law similar to CCPA. While no such law is on the horizon at this point, a handful of other states are beginning to develop their own versions of California’s consumer privacy legislation. A patchwork of state laws could seriously hamper banks’ efforts to comply with differing requirements and severely limit the practical possibility of collecting the types of data covered under them at all.

Consumer privacy concerns in the digital age are certain to increase, and businesses must remain alert to a changing landscape of legal obligations. For help keeping your bank in compliance with CCPA and related data privacy regulations, contact the experienced business consultants at Mauldin & Jenkins.

Ron Mitchell, CPA
Financial Institutions Practice Leader

We are excited to release the second edition of our Financial Institutions Newsletter, which we designed to be an additional resource for financial institutions to utilize in order to help them continue to succeed with their strategic initiatives. 2019 continues to be a record year for most financial institutions relative to net income as well as stock price valuations and continues to confirm that the difficulties faced by financial institutions during the financial crisis are well behind us and the industry emerged stronger than ever.

We are sending you our newsletter in hopes that you will find great value in its content and that it will aid you in your own goals to grow and succeed. If you ever find that what we offer is not for you, simply click 'unsubscribe' at the bottom of any email.

The Consumer Financial Protection Bureau (CFPB) aims "to make consumer financial markets work for consumers, responsible providers, and the economy as a whole." They "protect consumers from unfair, deceptive, or abusive practices and take action against companies that break the law." The CFPB arms "people with the information, steps, and tools that they need to make smart financial decisions."


Emily Dent, Director

Emily Dent is a director with Mauldin & Jenkins who has been with the Firm since 2007. In addition to being a CPA, she is a Certified Regulatory Compliance Manager (CRCM) and a Certified Anti-Money Laundering Specialist (CAMS). She is a member of the American Institute of Certified Public Accountants, the Georgia Society of CPAs, the American Bankers Association, and the Association of Certified Anti-Money Laundering Specialists.

Emily's commitment and passion for supplying support on compliance issues and building relationships with her clients epitomize the professionalism, leadership, and service M&J offers.

Emily received her Bachelor of Business Administration degree from Georgia Southwestern State University in 2001. She began her career in banking in 1999 prior to joining Mauldin & Jenkins. Emily provides accounting, auditing, and compliance services to financial institution clients.

She resides in Albany, Georgia with her husband, Mike and daughter, Maddie.

UPCOMING EVENTS...Hope to see you there!
FBA 6th Annual Cyber Security Symposium
Friday, February 7, 2020 - Embassy Suites USF, Tampa, Florida

"Managing Cybersecurity Risks through Effective Vendor Management"
2:15 - 3:15 pm
Jameson Miller, Director, Mauldin & Jenkins

This presentation will cover the importance of effective vendor management practices. This topic has become increasingly relevant as more third-party providers are processing data and financial institutions are seeking out reputable third-party and/or cloud service providers. Topics will include infosec regulatory obligations for vendor management under the Gramm-Leach-Bliley Act; an overview of vendor management threats; best practices for managing risks associated with vendors; and an overview of System and Organization Controls (SOC) Reporting.


GBA Call Report Seminar
Wednesday, February 12, 2020 - Conference Center, Middle Georgia State University, Macon, Georgia

9 am - 4 pm
Kris Trainor, Partner and Michael Gordon, Partner
This one-day seminar presented by Mauldin & Jenkins, LLC, will offer practical techniques to improve your overall reporting process. Participants will receive a detailed line-by-line review with helpful tips for reporting individual items. Relationships between schedules and common errors will be discussed as part of this review. The session will include a review of the proposed and finalized changes for 2018, including those changes for Form 041 filers and Form 051 filers. Particular attention will be placed on Schedules RC-C, RC-R and other areas receiving increased regulatory scrutiny. Schedules not covered include Schedules RC-S, RC-T, and RC-V.
  • Proven organizational techniques to improve both speed and accuracy in your bank's call reporting processes
  • Hands-on experience in call report preparation
  • Common mistakes and problems with call reporting
