However, there is one thing you must understand — being compliant does not mean you’re secure.
According to Verizon’s 2024 Data Breach Investigations Report, there were 10,626 confirmed data breaches last year, a record high. The aftermath of a cyberattack is challenging for any organization, but for financial institutions, it can be devastating. Beyond the erosion of customer trust, they face crippling fines and severe penalties for non-compliance, leaving long-lasting scars on their reputation and operations.
Compliance regulations, again, are a minimum standard of protection, commonly referred to as checkmark compliance. They do not come with the level of security necessary to protect an organization pre- and post-breach. Being compliant doesn’t guarantee security, but being secure almost always ensures compliance.
This blog delves into the compliance requirements within the financial services sector and provides actionable insights for strengthening your cybersecurity measures beyond the fundamentals.
What Is Financial Services Compliance?
Simply put, financial services compliance is a set of rules the finance sector must follow. Often, these rules are enacted to protect clients, including investors, shareholders, and banking customers.
Targeting financial institutions and fintech firms, financial regulations primarily look at how private and sensitive information is managed to protect customer and client data from data breaches.
[Related Reading: Addressing Fintech Security Concerns and Compliance Regulations]
Financial Data Security Regulations
Following are key financial services compliance requirements that organizations must adhere to:
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a comprehensive European Union regulation that governs online privacy and how data is managed across EU Member States. A primary goal of GDPR is to give individuals more control over their personal data. From a business perspective, it aims to standardize the way personal data is managed across the 27 EU Member States.
If you live outside the EU, you might question GDPR’s relevance. Although GDPR is an EU regulation, many organizations you engage with daily are affected if they operate in Europe. For this reason, many global businesses choose to apply GDPR compliance policies across their entire organization to avoid confusion and unnecessary challenges.
GDPR lays out seven protection and accountability principles:
1. Lawfulness, fairness, and transparency
2. Purpose limitation
3. Data minimization
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability
GDPR is one of the EU’s most comprehensive pieces of legislation, designed primarily to safeguard personal data and establish uniform financial security standards in an increasingly digital economy. Its key points include:
- Clearly defining personal data, such as ID numbers, health records, employment information such as CVs and human resource records, video and audio recordings, customer information, biometrics, cookie IDs and IP addresses.
- Personal data collected must be relevant, collected for specific and legitimate purposes, and retained only as long as needed.
- Personal data must be accurate and kept up to date.
- Companies should process personal data transparently and in a manner that protects a person’s privacy.
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure the protection of cardholder data. The comprehensive guidelines seek to standardize the way the following parties process, store, and transmit cardholder data:
- Merchants
- Service providers
- Financial institutions
- Developers and vendors of payment processing solutions, services, and products
Launched in 2006, PCI DSS aims to improve customer security throughout the transaction journey. It has six goals and 12 security requirements for ensuring compliance. PCI DSS 4.0 goals are:
- Build and maintain a secure network and systems
- Protect account data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
The 12 requirements for achieving PCI DSS compliance are:
- Requirement 1: Install and maintain network security controls
- Requirement 2: Apply secure configurations to all system components
- Requirement 3: Protect stored account data
- Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks
- Requirement 5: Protect all systems and networks from malicious software
- Requirement 6: Develop and maintain secure systems and software
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Identify users and authenticate access to system components
- Requirement 9: Restrict physical access to cardholder data
- Requirement 10: Log and monitor all access to system components and cardholder data
- Requirement 11: Test security of systems and networks regularly
- Requirement 12: Support information security with organizational policies and programs
Deploying an intrusion detection system (IDS)
PCI DSS 4.0 Requirement 11.5 states that, for all financial institutions, “network intrusions and unexpected file changes are detected and responded to,” and an intrusion detection system (IDS) is a tool of choice for meeting it. The IDS is used in conjunction with a firewall that blocks unwanted network traffic.
A firewall prevents unauthorized parties from accessing your data from the outside. Unlike a WAF, an IDS serves as the second line of defense: it monitors for suspicious activity that makes it past your firewall so that threats can be detected and neutralized as quickly as possible.
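The “unexpected file changes” half of Requirement 11.5 is usually met with file integrity monitoring, which is a simpler mechanism than network intrusion detection and easy to show end to end. The Go program below is an added example and is not code from the original post or from Fortra/Alert Logic. It takes a SHA-256 baseline of every regular file under a directory, then diffs a later snapshot against that baseline and reports added, removed and modified paths in a stable order so the result can feed an alert. The function names (Baseline, Diff) and the sample files written in main are this example’s own constructions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Baseline maps each regular file under root (slash-separated relative path)
// to the hex SHA-256 digest of its contents.
func Baseline(root string) (map[string]string, error) {
	hashes := make(map[string]string)
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.Type().IsRegular() { // skip directories, symlinks, devices
			return nil
		}
		f, err := os.Open(path)
		if err != nil {
			return err
		}
		defer f.Close()
		h := sha256.New()
		if _, err := io.Copy(h, f); err != nil {
			return err
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		hashes[filepath.ToSlash(rel)] = hex.EncodeToString(h.Sum(nil))
		return nil
	})
	return hashes, err
}

// Change is one deviation from the stored baseline.
type Change struct {
	Path string
	Kind string // "added", "removed" or "modified"
}

// Diff compares a fresh snapshot against the baseline. Output is sorted by
// path so repeated runs produce identical, diff-able reports.
func Diff(baseline, current map[string]string) []Change {
	var changes []Change
	for p, h := range baseline {
		cur, ok := current[p]
		switch {
		case !ok:
			changes = append(changes, Change{p, "removed"})
		case cur != h:
			changes = append(changes, Change{p, "modified"})
		}
	}
	for p := range current {
		if _, ok := baseline[p]; !ok {
			changes = append(changes, Change{p, "added"})
		}
	}
	sort.Slice(changes, func(i, j int) bool { return changes[i].Path < changes[j].Path })
	return changes
}

func main() {
	// Constructed scenario: baseline a temp directory, then alter it.
	dir, err := os.MkdirTemp("", "fim-demo")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer os.RemoveAll(dir)
	os.WriteFile(filepath.Join(dir, "app.cfg"), []byte("debug=false\n"), 0o644)
	base, _ := Baseline(dir)
	os.WriteFile(filepath.Join(dir, "app.cfg"), []byte("debug=true\n"), 0o644) // modified
	os.WriteFile(filepath.Join(dir, "cron.sh"), []byte("#!/bin/sh\n"), 0o755)  // added
	cur, _ := Baseline(dir)
	for _, c := range Diff(base, cur) {
		fmt.Printf("%-9s %s\n", c.Kind, c.Path) // modified app.cfg / added cron.sh
	}
}
```

In a real deployment the baseline itself must be stored where the monitored host cannot rewrite it (signed, or off-host), and Diff runs on a schedule or on file-system events; otherwise an attacker who changes a file can also update the baseline that would have caught it.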
Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act of 2002 is a U.S. law passed in the wake of the WorldCom, Enron, and Tyco scandals. Meant to crack down on corporate fraud and corruption, SOX primarily focuses on how organizations record and disclose financial information.
While most of the act doesn’t focus on cybersecurity, one part does — Section 404, Management Assessment of Internal Controls. This section states organizations must have measures in place to protect the authenticity and availability of financial data. Then there’s Section 302, which stipulates a company’s CEO and CFO must certify the authenticity of the organization’s financial data.
Protecting the integrity of corporate financial data
Essentially, SOX’s financial services compliance requirements oblige public companies to protect their financial data from tampering. For cybersecurity, this means implementing safeguards that keep financial data protected. These safeguards can include:
- Logical and physical access controls
- A disaster recovery plan that involves routine backups and business continuity planning
- A change management system that only allows authorized personnel to make changes and documents any changes made
In a SOX audit, an IT department can demonstrate financial industry compliance by showing the organization:
- Conducts routine backups of financial data
- Implemented comprehensive access controls for financial data
Gramm-Leach-Bliley Act (GLBA)
GLBA came into effect in the United States in 1999. It sets forth financial data security standards and requires the Federal Trade Commission (FTC) to regulate the distribution of private financial information. Under GLBA, financial institutions are required to:
- Inform customers of their data-sharing practices
- Educate customers on their right to opt out of having their data shared with third parties
GLBA defines financial institutions as any organization “significantly engaged” in financial activities. This includes companies that:
- Offer lending, check cashing, and wire transfer services
- Broker and/or service loans
- Provide services like financial planning, accounting, investment advisement, tax preparation, and credit counseling
- Collect debts
- Offer real estate settlement services
The list above isn’t exhaustive. For a comprehensive list of companies bound to the GLBA’s financial services compliance requirements, review section 4(k) of the Bank Holding Company Act.
Type of data to protect
GLBA requires financial institutions to protect the security and confidentiality of customer data defined as “nonpublic personal information” (NPI). This data includes:
- Social Security numbers
- Customer-provided details required to obtain a financial product or service, including personal information such as names, addresses, and income data.
- All information about a customer related to transactions between the financial institution and customer. This includes payment histories, account numbers, deposit balances, and credit and debit purchases.
- Information received about a customer in connection with offering a financial product or service. Examples include information from a consumer report or court record.
GLBA does not safeguard personal information that is lawfully accessible to the public, such as government records and any other information available for public access.
Security policies and processes
GLBA’s primary focus is to protect customer data. From a security aspect, becoming GLBA compliant requires companies to implement measures to safeguard all customer data in their possession. These measures can include, but aren’t limited to:
- Assigning professionals to coordinate your information security program.
- Implementing safeguards to keep customer data protected and regularly test those safeguards.
- Tracking and recording network activity, including all attempts to access protected customer data.
GLBA also requires companies to be transparent about their security policy. To do this, organizations must provide an accurate description of ongoing security practices and policies.
Payment Services Directive (PSD2)
PSD2 is an EU financial IT compliance regulation aimed at regulating payment services and their providers. The directive requires IT compliance from businesses in both the EU and the European Economic Area (EEA).
PSD2 affects the payment industry in two major ways:
- It requires stronger security protocols for online transactions.
- Banks and other financial institutions must give third-party payment service providers access to consumer bank accounts (if the customer gives consent).
PSD2 is also meant to bridge the gap between fintech firms, banks, and other payment service providers. This requires banks to deploy APIs for sharing account information with other financial institutions, including third-party providers.
Updated security requirements
Full IT compliance for financial institutions requires meeting PSD2 security requirements. Payment service providers must implement multifactor authentication for all remote and proximity transactions. This means implementing two of the following three security features:
- A security feature only the customer knows, such as a unique password, code, or personal identification number
- An item to grant security access, like a mobile phone, smartcard, or token
- Something inherent to the user, such as a fingerprint scan or photo scan
Moreover, the elements selected must be mutually independent of one another. This means that in the event of a data breach, one compromised element cannot compromise the other security elements.
Basel III
Basel III is a voluntary global framework developed by the Basel Committee on Banking Supervision (BCBS). It was the third installment of the four-part Basel Accords with a goal of strengthening the regulation of the international banking sector.
Basel III and IT controls
Basel III doesn’t focus on financial IT compliance. It instead emphasizes financial matters within the global banking sector, including liquidity requirements and minimum leverage ratios.
However, Basel III does state banks operating with inadequate IT controls should have greater risk capital reserves as compensation.
Its predecessor, Basel II, defined what counts as adequate IT infrastructure for a bank. It suggested that financial institutions have systems in place to prevent:
- Improper disclosure of information
- Execution of unauthorized transactions
- Confidential data from being accessed and modified by unauthorized parties
- Any changes (including system outages) that could compromise security infrastructure
New York Department of Financial Services (NYDFS) Cybersecurity Regulation
The NYDFS Cybersecurity Regulation (23 NYCRR Part 500) is a set of financial service compliance requirements set forth by the NYDFS, in accordance with the Financial Services Law. NYDFS combats the growing threat of cyberattacks against the financial service industry by requiring organizations to implement stronger policies and controls.
All entities regulated under the Department of Financial Services must follow the NYDFS Cybersecurity Regulation, including but not limited to:
- State-chartered banks
- Private bankers
- Lenders
- Foreign banks operating in New York
- Mortgage and insurance companies
- Service providers and third-party vendors
Organizations with fewer than 10 employees and organizations that generated under $5 million in gross annual revenue from New York operations over the past three years have limited exemptions.
Cybersecurity policy regulations
Companies regulated by the DFS must have a cybersecurity strategy aligned with the NIST Cybersecurity Framework. This means they must:
- Deploy a security infrastructure that protects against internal and external threats
- Have an up-to-date system for detecting security attacks
- Have a plan for responding to security issues and for recovering from them
Along with these financial security standards, DFS also requires these organizations to designate a CISO and create a comprehensive cybersecurity strategy.
Reporting policies
The NYDFS’ financial IT compliance regulations also include procedures for reporting. CISOs must prepare an annual report covering:
- The organization’s cybersecurity policy in detail
- Security risks the organization faces
- The effectiveness of their cybersecurity policies and procedures
Focus on AI
In October 2024, New York State Department of Financial Services Superintendent Adrienne A. Harris announced new guidance to help regulated entities tackle and mitigate cybersecurity risks associated with artificial intelligence.
California Consumer Privacy Act (CCPA)
CCPA gives California consumers more control over how businesses use their personal data. It gives consumers the right to:
- Know about their personal data collected
- Delete their data
- Opt out of their data being sold
- Non-discrimination for exercising the aforementioned rights
CCPA and cybersecurity
CCPA helps safeguard consumers’ personal information. The act defines personal information as a number of things, including but not limited to:
- Names, postal and email addresses, passport numbers, IP addresses, and other unique identifiers
- Commercial records, including records of personal property, goods and services purchased, and consumer purchasing history
- Biometric information
- Geolocation data
- Internet activity, including browsing and search history
- Professional and employment information
- Educational information
While CCPA isn’t centered around IT compliance for financial institutions, it does include fines and penalties for companies that fail to protect this data.
So, what does this mean?
Organizations operating in California should identify their data that meets the classification of “personal information” and take steps to safeguard that information. As such, the best action is to have a cybersecurity infrastructure to:
- Protect data from internal and external threats
- Promptly identify security issues as they arise
- Stop attacks as quickly as possible
Digital Operational Resilience Act (DORA)
On January 17, 2025, DORA went into effect across the European Union. With its implementation, all financial entities (FEs) such as banks, insurance companies, investment firms, and crypto-asset service providers within the EU, along with their critical information and communication technology (ICT) service providers, must comply with DORA standards.
DORA (Regulation (EU) 2022/2554) aims to enhance the digital operational resilience and security of the EU’s financial services sector. It focuses on mitigating risks associated with third-party ICT vendors, particularly those delivering critical services to financial entities.
The act has five stated pillars:
1. ICT risk management
2. Reporting of ICT-related incidents
3. Digital operations resilience testing
4. Information and threat intelligence sharing
5. Third-party risk management
Organizations not complying with DORA can face fines of up to 2% of the company’s total annual worldwide turnover, individual fines of up to 1 million euros, and fines of up to 5 million euros for critical third-party providers. Further possible penalties include suspension of services, mandatory remedial measures, audits, and public notices.
Other Financial Services Compliance Considerations
The regulations and frameworks mentioned above provide a foundational starting point for financial IT compliance. While they establish a minimum level of protection, they are not the sole considerations for achieving financial data security standards.
Truly protecting sensitive data requires you to go above and beyond the minimum. Consider the following:
Managing third-party vendors
It’s common for financial institutions to work with third-party vendors. When CCPA passed, there was significant concern about working with third parties. That’s because financial institutions could be held accountable when vendors experience data breaches.
Given that your company could also be held accountable, what steps can you take to ensure that your vendors adhere to financial industry compliance standards?
- Review the amount of data accessible to third-party vendors and restrict their access to only the information necessary for their tasks on your company network.
- Require all vendors to conduct regular security audits and reports. Their security practices must be completely transparent.
- Ensure your vendors have a security strategy that aligns with your company’s practices to avoid them becoming your weakest link in cybersecurity.
Encryption guidelines
An up-to-date firewall is an effective way to protect against cyberattacks, but what happens if attackers get through your first line of defense? That’s where encryption comes in.
Encryption acts as an added layer of security by transforming data into a form that is incomprehensible to anyone who does not hold the key.
But not all encryption is created equal. If your organization handles highly sensitive data, it is crucial to ensure your encryption complies with the Federal Information Processing Standards (FIPS).
Encryption guidelines include:
- Advanced encryption standard (AES) using at least a 128-bit key
- Key management system to protect against data loss
- External network transport should be encrypted with SSL, TLS, SSH, IPSEC, or a similar secure protocol
Companies should opt for either full-disk encryption or folder encryption for sensitive data on mobile devices as well.
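The first two guidelines, AES with at least a 128-bit key and a key management system, are easiest to see in code. The Go program below is an added example and is not code from the original post or from Fortra; it uses the standard library’s AES-GCM, which both encrypts and authenticates, so a tampered record is rejected rather than decrypted into garbage. The key-length policy (CheckKey, MinKeyBits) and the function names are this example’s own; the key itself is generated locally only so the program runs stand-alone, whereas in production it would be obtained from the key management system. The account record and the associated-data label are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// MinKeyBits mirrors the guideline above: AES with at least a 128-bit key.
const MinKeyBits = 128

var (
	ErrKeyTooShort        = errors.New("aes key shorter than 128 bits")
	ErrKeySize            = errors.New("aes key must be 16, 24 or 32 bytes")
	ErrCiphertextTooShort = errors.New("ciphertext shorter than nonce plus tag")
)

// CheckKey enforces the key-length policy before the key is ever used.
func CheckKey(key []byte) error {
	if len(key)*8 < MinKeyBits {
		return ErrKeyTooShort
	}
	switch len(key) {
	case 16, 24, 32: // AES-128, AES-192, AES-256
		return nil
	}
	return ErrKeySize
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if err := CheckKey(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns nonce || ciphertext || tag. aad (for example a customer or
// record id) is authenticated but not encrypted, so a ciphertext stored under
// one record cannot silently be swapped into another.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt verifies the tag (and aad) before returning any plaintext.
func Decrypt(key, ciphertext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < gcm.NonceSize()+gcm.Overhead() {
		return nil, ErrCiphertextTooShort
	}
	nonce, sealed := ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, aad)
}

func main() {
	// In production the key comes from the key management system; a random
	// 256-bit key is generated here only so the example runs stand-alone.
	key := make([]byte, 32)
	rand.Read(key)
	record := []byte("acct=1234567890;balance=1500.00") // constructed sample NPI
	aad := []byte("customer-id:42")

	ct, err := Encrypt(key, record, aad)
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(key, ct, aad)
	fmt.Printf("round trip ok: %v (%s)\n", err == nil, pt)

	// Flip one ciphertext byte: GCM must refuse rather than return garbage.
	tampered := append([]byte(nil), ct...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Decrypt(key, tampered, aad)
	fmt.Println("tampered record rejected:", err != nil)

	_, err = Encrypt(make([]byte, 8), record, aad)
	fmt.Println("64-bit key rejected:", errors.Is(err, ErrKeyTooShort))
}
```

Because the nonce is random, encrypting the same record twice yields different ciphertexts; the limit on how many messages one GCM key may protect with random nonces is another reason the key management system, not application code, should own key rotation.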
Improving Financial Services Compliance
Meeting financial services compliance requirements is step one. Step two goes further to ensure your organization stays secure in the event of a successful breach.
From asset discovery and vulnerability scanning to 24/7 monitoring and threat detection, Fortra’s managed security services — including Fortra XDR, Fortra’s Alert Logic MDR, and Fortra Managed WAF — can help you achieve your compliance objectives. See for yourself how Alert Logic can be your compliance partner by scheduling a demo today.
Additional Resources:
What’s new with the Gramm-Leach-Bliley Act (GLBA)?
Optimize Your PCI DSS 4.0 Compliance with Fortra Managed WAF
Unpacking the Cost of a Data Breach: What Business Leaders Need to Know