How the EU’s GDPR Impacts Y-O-U

While us EPCOR staff members are not IT experts (at least not most of us), and do not play them on TV, occasionally IT and compliance merge. This is one of those times, mostly due to the volume of questions we have been receiving on whether, and how, the European Union’s General Data Protection Regulation (GDPR) impacts financial institutions. The GDPR became effective on May 25, 2018. As its name implies, it is not a U.S.-based regulation. So, why the fuss? Well, if your institution falls under the GDPR, you could have significant compliance responsibilities to undertake, administer and maintain.

What’s the gist of the rule? Essentially, the regulation grants rights and protections to the EU’s citizens with respect to their personal information. “Personal information” could include the normal information you obtain to identify a customer (e.g. name, address, social security number or date of birth), but could also extend to items like passport information, email addresses, photos, usernames, passwords and more.

The question is: do you obtain, retain, process or otherwise handle personal information for citizens of the EU? The first place you are likely to look is at your current customer base. Any time you collect or request materials for a Bank Secrecy Act (BSA) Exam or a BSA audit, you are asked to provide a listing of customers who are not U.S. citizens and those who reside outside the U.S. Which of these customers are U.S. citizens residing outside the U.S. and which of them are citizens of the EU? You’ll want to focus on those who are actually citizens of the EU.

If you go through this exercise and don’t identify any customers who are citizens of the EU, you’re not done. You’ll have to review other methods through which you may obtain personal information of EU citizens. Examples may include, but are not limited to:

  • Tracking cookies attached to your website.
  • Prepaid card offerings.
  • Online account opening platforms.
  • Online application platforms.
  • Withdrawn, rejected or otherwise non-originated transactions.

If you find that you have collected, currently house or retain any personal information for EU citizens, you will need to address your GDPR compliance responsibilities. MetaCompliance has a free, downloadable version of GPDR for Dummies that walks you through compliance responsibilities once you have determined that you have stored or collected (in whatever capacity) personal information for EU citizens.

Source: Sterling Compliance

Join Us at Payment Systems Update to Breakdown GDPR

Would you like further information on will impact your financial institution? Join us for a Payment Systems Update seminar near you for a more in-depth discussion of the EU’s GDPR and what your financial institution must do in response. Register now online or contact Member Support via email at memserve@epcor.org or call 800.500.0100.