The OCC OKs Stablecoins: What Does that Mean for Banks?

You’ve finally perfected your digital transformation strategy that was accelerated because of 2020’s global pandemic. What should you focus on now? Here’s an idea: stablecoin transactions.

The U.S. Office of the Comptroller of the Currency (OCC) last week published Interpretive Letter 1174 detailing that banks may use stablecoins and independent node verification networks (INVNs) to facilitate payments for customers. That is to say, banks can transfer stablecoins to other banks.

To catch you up to speed, INVNs are distributed ledgers. And stablecoins are a type of cryptocurrency that minimizes volatility by pegging its value to an external factor.

There are a few key things this means for traditional financial institutions.

Transactions become decentralized

Stablecoin transactions are essentially decentralized cryptocurrency transactions. Because of this, they enable banks to send and receive money without a government intermediary.

Faster payments

Stablecoin transactions do not rely on traditional payments rails; rather, they utilize public blockchains. Because of this, stablecoins, just like other cryptocurrencies, can be transferred in near-real time from one party to the next.

On 24/7

Because stablecoin transactions occur outside of the traditional payments infrastructure, and because they occur instantly, they can essentially be made at any time, including on weekends and holidays.

Compliance is still on the table

According to the letter, stablecoin transactions “should have the capability to obtain and verify the identity of all transacting parties, including those using unhosted wallets.” So banks are still responsible for adhering to KYC guidelines.

Additionally, banks using stablecoin transactions are responsible for managing the multiple risks associated with cryptocurrency transactions. Per the letter, “The stablecoin arrangement should have appropriate systems, controls, and practices in place to manage these risks, including to safeguard reserve assets. Strong reserve management practices include ensuring a 1:1 reserve ratio and adequate financial resources to absorb losses and meet liquidity needs.”

This is positive news not only because it offers banks more options, but also because it serves as a signal that the OCC and the Acting Comptroller of the Currency Brian Brooks are bullish on cryptocurrencies.

Pay attention to the cryptocurrency/stablecoin sector this year. We’re expecting to see significant developments in the decentralized finance area, and banks’ involvement in initial cryptocurrency efforts will be crucial. There will be little-to-no room for laggards in this space.


What Ant Group Tells Us about Being Too Big to Fail

When is BigTech too Big? Ant Group may have the answer to that.

After Ant anticipated its IPO and set share prices in late October, the China-based tech giant’s plans were put on hold when Chinese regulators suspended the IPO.

At $34.5 billion, Ant’s IPO would have been the largest public offering to date, surpassing the previous record set when oil company Saudi Aramco went public at $29.4 billion earlier this year.

So what is China’s qualm with a successful tech giant going public? The answer may lie in fintech’s favorite four-letter word: data. That’s because big fintechs such as Ant rely on data traditionally held by the Chinese government, such as salary and debt levels, to provide lending or credit services. Overall, the Communist Party is worried about losing centralized control by giving a large tech company control over valuable data.

Some also speculate that the suspended IPO was directed at Jack Ma, Ant Group’s controlling shareholder and founder of tech giant Alibaba, as a way to humble him. Just before the IPO was suspended, Ma had given a speech at a conference in which he criticized regulators and Chinese banks.

“What happened to Ant reinforces that sense that it’s really essential to show respect for party-state authority,” Kellee S. Tsai, the dean of the School of Humanities and Social Science at the Hong Kong University of Science and Technology, told the New York Times. “Capitalists have to play by the political rules of the game.”

It’s a stark contrast to the scene in the U.S., where the economy relies so heavily on large companies in key industries that the government is willing to shell out millions to bail them out. In either situation, however, Ant Group’s recent predicament has taught us that it’s important to remember who’s boss.

Photo by Kai Pilger on Unsplash

Has the U.S. Reached a Tipping Point with Open Banking?

This year has brought on a lot of changes for U.S. businesses and individuals alike– some for the worse, and others for the better.

One change that fits into the latter category– open banking– has heated up in 2020. There are four indications that the U.S. may be at a tipping point when it comes to open banking:

  • More consumers than ever are using digital financial services. Not only has the coronavirus halted in-person activities, it has also prompted users to focus on their finances.
  • We’ve finally agreed that screen scraping is a bad way to aggregate accounts. Last week, even Wells Fargo announced it has stopped using screen scraping as a data aggregation technique.
  • Consumers have become aware of their data usage. Big tech companies like Facebook were put on trial in the U.S. in 2018 for questionable usage of consumer data. Now, in an election year, and with films like Netflix’s The Social Dilemma, users are more aware than ever of how tech platforms use their data to sway their opinions.
  • There’s more competition than ever in the B2C fintech space. New competitors are laser-focused on perfecting the user experience, and have started making data management as easy as possible for consumers. Many, for example, provide users a dashboard that allows them to manage third party data sharing, toggling certain platforms on and off.

All of these elements have aligned to bring the U.S. to a tipping point in open banking. There is still one thing missing, however, and that is a unified approach for data sharing.

Whereas Europe enjoys standardization through common API specifications thanks to PSD2, the U.S. is lacking direction. Instead of a government-mandated approach, the market is currently being driven by private players such as Plaid, MX, Envestnet|Yodlee, and others.

Despite challenges, 2021 may be the year for open banking in the U.S. As the global pandemic continues next year, so will consumers’ online presence, and ultimately their awareness of their digital rights. Earlier this week, the U.K. surpassed 2 million consumers using open banking, more than double the number recorded in January of this year. And even though the U.S. still has a long road ahead to fully realize open banking, take hope– we’re closer than we’ve ever been.

Photo by Michał Parzuchowski on Unsplash

Have the Bots Failed Us?

I’ve been busy catching up on all of the discussions that took place at FinovateFall last week (if you are on our attendee list, you can do the same), and a panel conversation on AI and bots stood out to me.

Leading the panel was Emmett Higdon, Director of Digital Banking at Javelin Strategy & Research, who shared the following graph:

Higdon explained that because branches were closed and call centers were overwhelmed, banks were pushing consumers to solve their issue or receive an answer to their question via digital channels. While this worked for some consumers, it frustrated others who were less digitally native or needed a more customized answer. To mitigate frustration, some banks turned to chatbots to create a hybridized approach that offered a high-tech, low-touch customer service experience.

Given the data from Higdon’s graph, it is apparent that some firms’ bots failed– they were ill equipped to handle the influx into their digital channels. Others, however, leveraged data, as well as their prior experience with their digital channels, to create a digital banking experience tailored to each customer.

Mallika Daswani, VP of Digital Channels-Online and Mobile Banking at TD Bank, said her firm leveraged the bank’s virtual assistant in the company’s mobile app. This tool could answer simple queries and alleviate burden from the call center, which was then able to focus on high-value activity such as conducting video calls with customers. This combination of assisted service and full service helped meet customer needs at scale.

Alexandra Mack, Solutions & Customer Marketing at Zendesk, noted that sending proactive messages to consumers can be crucial during this time. However, she noted it is important to avoid blasting a customer base with intrusive, ubiquitous messaging. Financial services companies can leverage AI to analyze customer information and direct them to self-service solutions.

The group also discussed improvements, specifically meeting customer expectations and implementing sentiment analysis. The customer expects that the bank not only knows information about the customer, but also has details about the customer’s previous interactions, even if they occurred with a bot or in a different channel. Additionally, implementing sentiment analysis, which uses AI to sense consumer frustration and route consumers to the appropriate person, can vastly improve the customer experience.

When discussing customer communications and personal information, it’s impossible to leave data security out of the conversation. It can be difficult to protect consumer information (and remain compliant) when consumers switch channels or move from website-to-website. However, frustration can arise when consumers are required to authenticate multiple times. To eliminate this, banks can use voice biometrics in the background to create more efficient re-authentication and reduce wait times.

Automation can solve problems, but it takes effort to get to that point. It not only requires applying new technologies but also implementing consumer data. In the end, a hybridized digital offering requires a multi-pronged approach with the entire bank on board.

Photo by Ashkan Forouzani on Unsplash

A First Look at Inspired Capital-Backed Orum

For better or for worse, modern society has adapted to expect things instantly. We want a quick lunch delivery, a fast Uber pick-up, and we expect Netflix to buffer our movies in microseconds. Even Amazon’s two-day shipping takes too long.

Recognizing the value of the real-time economy, Orum launched its flagship product, Foresight, last week. The new tool helps banks move money in real time for instant account funding, overdraft protection, and consumer-focused pre-delinquency tools.

Instead of leveraging the blockchain for real-time transfers like Ripple does, however, Orum takes a different route. The startup uses AI to predict the availability of funds within an account and pre-authorizes transactions, incurring limited risk.

“At Orum, we are creating a paradigm shift for the way money moves,” said Orum founder and CEO Stephany Kirkpatrick. “We are leaving behind siloed accounts and manual transactions and building toward fully automated and point-to-point money movement. Technology has created an on-demand economy, but our money has yet to catch up.”

In addition to Kirkpatrick, Orum’s team includes former N26 employee Ryan Cooke and former Stash VP Christine Hurtubise.

Along with Orum’s new product announcement, the New York-based company landed $5.2 million in Seed funding led by Homebrew with contributions from Inspired Capital, Acrew, Bain, Clocktower, Box Group, and angel investors. Impressively, the round was both opened and closed during a pandemic.

“Today’s tools for immediate money movement leave enterprises decades behind what customers demand. Orum is tackling this challenge head on,” said Homebrew Partner Satya Patel. “We’re excited about Orum’s vision. The early demand they’ve seen—both from cutting-edge fintechs and incumbent financial institutions—speaks for itself. It’s clear the market understands the value of moving money in a new, more efficient way.”

According to Crunchbase, Orum is already working with 50 customers and has a waiting list.

The incumbents in the real-time payment (RTP) space in the U.S. have seen some traction; however, none have seen widespread adoption. Aside from Ripple, other players working on RTP solutions include The Clearing House, which launched its RTP scheme in 2017 and now counts 32 banks and 19 technology providers as clients. According to Forbes, however, fewer than half of these members are operational on the RTP platform.

The U.S. Federal Reserve is also in on the game, having announced its own RTP scheme, FedNow, last year. Since its announcement, there has been much debate within the fintech industry over whether or not the government can effectively compete with the private sector with real time payments. However, given the lack of traction in the area, the Federal Reserve ultimately decided to pursue FedNow. In true government fashion, however, the offering is not slated to launch until 2023 or 2024.

Remember how society expects everything to happen instantly? The slow traction of incumbent players in the RTP space isn’t meeting expectations. That said, there is a lot of room for Orum in the RTP space and I think we’ll be hearing about a lot more traction from them in the second half of this year.

Photo by Volodymyr Hryshchenko on Unsplash

Does Your Bank Need a Chief Medical Officer?

In some parts of the globe, cities are slowly relaxing their social distancing guidelines. Businesses are beginning to open up and residents are once again venturing out to offices and into storefronts.

Some tech companies have made the move to become remote-first, keeping employees out of physical offices for the foreseeable future. Banks, however, face regulatory scrutiny over communication and documentation, and can’t allow their employees to work from home as easily.

So as many begin to let their guard down, where do a bank’s responsibilities lie in regard to maintaining a safe, virus-free work environment and branch location?

As with everything, the buck stops with the banks’ leadership. They are responsible for not only heeding guidelines from their local and federal governments, but also for understanding concerns of their customers and employees. To answer the question in the title, no, banks don’t necessarily need a chief medical officer. They do, however, need to appoint a person or a group responsible for creating safety measures around their branch and workplace.

The first step in doing this (aside from abiding by governmental guidelines) is to listen to the concerns of customers and of employees. While some may be ready to show up to the office or branch with minimum precaution, others may request increased social distancing in the office and curbside services at the branch.

Listening to these concerns will offer a clearer picture of next steps and a timeline. Options include offering individual cubicles separated by plexiglass, monitoring employee temperatures, increasing cleaning frequency to once-a-day, limiting the number of employees in the office and rotating work-from-home schedules, limiting customer numbers in the branch, requiring face masks, increasing sick leave for employees, etc.

If a requirement such as taking temperatures at the door arises that no one on the team feels comfortable with, hire an outside medical specialist. And if all of the new protocols seem completely overwhelming, banks should consider bringing on a consultant to help with things like deep cleaning protocols, updated health and safety plans, and emergency response plans.

Would it hurt to hire a Chief Medical Officer? Certainly not. But by listening to employees and clients and applying some creativity, banks can come up with a workable solution that helps both employees and customers feel safe.

Fintech Brings Peace During a Pandemic

COVID-19 has brought many new challenges to daily life– from work-from-home requirements to new budgetary restraints and stock market volatility. Fortunately, it is in times of crisis when fintech solutions shine the brightest. In a pandemic-burdened world, companies across the fintech sector offer answers (and to some, a sense of peace) to those wrestling with today’s new set of problems.

Personal connection

Even though many financial services offices are still closed to outside visitors, fintech tools can help maintain personal connections without requiring face-to-face interaction. Some roboadvisor platforms, for example, connect users with a dedicated certified financial planner to make sure their accounts are on track and to help them plan for the future.

And when it comes to replicating in-branch conversations, some banks– including Bank of America– have introduced video ATMs to offer customers a way to meet with a teller while social distancing. As an extra bonus, the video technology is making tellers available for longer hours, from 7am to 10pm.

Increased visibility

Fintechs provide users access to their account information 24/7 via web and mobile interfaces. More important, however, are the integrated analytics and tools that many platforms offer to help users make decisions, answer questions, and plan scenarios to help them reach goals.

Keeping users well-informed about their current financial situation as well as their options can help empower them to plan for their future. This is crucial when many are struggling with the uncertainty of job security and stay-at-home orders.

Digital communication

Chatbots have gained popularity over the past couple of years, fueled by advances in AI technology. In the past few months, however, the need for chatbot and automated response technologies has accelerated. That’s because bank call centers have been overloaded with a spike in mortgage refinance requests and calls from consumers who need help sorting out financial hardships. Banks are seeing increased value in chatbots, which help relieve pressure on call centers by offering a different channel for consumers to go to for answers.


Looking back, many fintech companies originated to help users work around a process or a service that just didn’t suit them. For example, there are a multitude of players that cater to unbanked and underbanked consumers, helping them work around requirements imposed by traditional financial institutions. Additionally, mortgagetech companies help banks process loan applications more efficiently by moving the entire process into the digital realm.

In a post-pandemic society we will see many new needs arise that aren’t well-served by traditional processes. Take the traditional, brick-and-mortar bank branch model, for example. Because branches have been forced to temporarily close their doors to customers, many have accelerated digital transformation efforts that make the majority of their services available online.

Digital identity

In a pre-pandemic world, digital identity verification was already a hot topic. Now that banks and fintechs are working with consumers almost exclusively online, there is an increased need for services that remotely authenticate users’ identities. Fortunately, there are a wide variety of instant identity verification offerings– from KYC and AML tools to blockchain-based identity networks– available to help banks and fintechs better serve their remote clients.

Open Banking in the Same Language

What happens when third party fintechs try to access banking data on behalf of their consumers, but each has a different way of doing so?

That’s exactly what’s happening in the U.S. right now, and it’s a major factor in preventing the country from adopting an open banking culture. In an era when consumers conduct their banking activities with multiple providers, open banking not only safeguards consumer data but also places them in control of how they want their data used and for how long.

Speaking different languages

The lack of a consistent approach is also the reason why customers of some U.S. banks have been locked out of third party applications such as Robinhood and Digit. While these customers were prevented from using their own banking data, banks had good reason to lock out the third party providers, citing security concerns. Our piece Are U.S. Banks Leaning Towards Closed Banking? covers the drama in more detail.

What’s needed is a standardized regulation for data sharing. Banks can’t trust third parties and what they may do with customer data. With new regulations such as CCPA and GDPR, banks are required to keep track of how their clients’ data is used. Once a third party possesses customer data, the bank can no longer guarantee it will be used and stored properly.

Aligning the approach

So how does the fintech industry get everyone on the same page when it comes to data sharing?

The Financial Data Exchange (FDX) was created to solve that very same problem. “FDX is member-driven and governed by majority vote and we’re united by a common mission and purpose: providing secure and convenient financial data sharing,” said FDX Managing Director Don Cardinal. “Our Working Groups are inclusive, transparent and benefit from our members’ decades of experience and professionalism.”

FDX is a non-profit organization that is creating what is essentially a playbook of data communications rules for banks and third party fintechs. FDX currently counts 102 organizations– only one third of which are banks– that vote on an agreed-upon global standard for data sharing.

Keeping the end consumer in mind

Importantly, FDX not only helps its member organizations speak the same language; the alignment also trickles down to benefit end consumers. That’s because FDX helps place consumers in control of their own data, allowing them to decide which organizations can use their data and for how long. Aiding in this transparency, some banks have created dashboards that allow customers to view and edit which apps have access to their data.

To promote more consumer awareness, FDX is working to create a certification stack that would indicate to consumers whether a bank, fintech, or organization is part of FDX. You can think of this as similar to a Bluetooth logo on a device that informs consumers that a product has undergone the Bluetooth Qualification Program.

So when can we expect mainstream adoption of FDX?

“While we cannot give an exact date, we know from similar innovations (online banking, billpay, mobile banking, EMV chip cards) that we are moving from the Innovator to the Early Adopter stage and that acceleration of adoption will accelerate once we pass the mid-market peak,” said Cardinal. “To date, our members have moved nearly 12 million U.S. consumers over to the FDX API.”

Are U.S. Banks Leaning Toward “Closed Banking?”

Odds are, if you work in fintech, you know what open banking is. It is such a popular concept that in Europe an entire regulatory regime, PSD2, has sprung up around the concept.

So if Europe is progressive enough to create regulations mandating open banking, how is the U.S. doing? It turns out that some banks in the U.S. are taking an opposite approach and preventing third parties from accessing consumer data.

Keeping it secure

The motive behind this move is pure: banks are closing down connections to third party apps to keep customer information secure and limit data breaches. Data retrieval methods such as screen scraping or using the customer’s password to gain access are indeed unsafe. We spoke with Chief Growth Officer and Co-founder of Flybits, Gerti Dervishi, who said this type of data sharing is “risky in so many different ways” since data scraping is not a standard protocol. Regarding recent decisions of U.S.-based banks who are gating off third parties, Dervishi said, “Honestly, this couldn’t go on for much longer.”


JP Morgan Chase recently came up with a new access plan for third party fintechs that require access to customer data. The aim of this new plan is to stop third parties from using password-based access to retrieve customer banking data. Starting July 30, fintechs will be barred from pulling customer information until they sign data access agreements and stop using customer passwords to retrieve banking information. Instead, JPM wants third parties to connect to consumers’ accounts via its open API. The bank made it clear that not only is this method more secure, it will also place consumers in control of what data they want other applications to access.

PNC Financial is also cracking down on third party data access, but is leaving third parties with fewer options. Explaining the decision to the Wall Street Journal, PNC Chief Customer Officer Karen Larrimer said, “When aggregators access account numbers, many store them indefinitely, often unbeknownst to customers. This puts customers and their money at risk. We want to make sure we know who is setting up the account.”

As part of the move, Pittsburgh-based PNC is preventing customers from using P2P money transfer app Venmo and has blocked “multiple different aggregators,” including Plaid, which PNC states circumvented its security protocol. Plaid, a popular data transfer network, connects consumer information to other third party apps such as Square’s Cash app, Robinhood, and Digit.

Who owns the data?

But shouldn’t the consumer be able to decide if they want a third party to use their data? This became a major issue when PNC began directing users from PayPal’s P2P payment app Venmo to Zelle, the bank’s in-house P2P money transfer tool. This is because, as Dervishi said, “There is already an agreement in place with Zelle. [PNC] understands data sharing with Zelle, but they don’t have a standardized agreement with Plaid.”

When it comes to the issue of data ownership, Dervishi circled back to the need for standardization. Because PNC does not have a clear agreement in place with third parties, there is nothing to hold them accountable when it comes to how they use or store customer data. “We need a NAFTA for data,” he said.

So though it may seem as if both of these U.S. players are taking a “closed banking” approach, that statement isn’t exactly correct. Both banks offer open APIs. The difference is that PNC has shut out Plaid (and, in turn, the many third party apps that use Plaid) to head off security issues. JPM (and potentially others) may not be far behind. As Ron Shevlin pointed out in his piece The Real Story Behind the PNC Venmo Clash, “[JPM will] be watching what happens with PNC, for sure. If PNC sees limited account attrition, other Zelle banks will be likely to follow.”

At the end of the day, the only thing to prevent banks in the U.S. from taking a “closed banking” approach may be to follow in the footsteps of the European Union and create a PSD2-like, standardized regulation for data sharing. “Because each bank takes a different approach to third party data access,” Dervishi said, “until we have a well-understood framework like open banking and PSD2, we will have a thousand different methods [to access data].”

Everything Fintech at Davos 2020

The five-day World Economic Forum wrapped up late last month. The event, based in Davos, Switzerland, hosted some of the brightest minds in the world to speak on some of the biggest issues facing our society today.

We combed through the agenda to bring you a view of the discussions through a fintech lens. Here’s a summary of some of the most interesting fintech-related topics covered at the global event.

Shaping the Future of Financial and Monetary Systems
The majority of this session wrestled with digital transformation. One of the overarching themes in this discussion as it related to digital transformation was the idea that we’ve recently reached a major inflection point in the banking industry. That is, banks are no longer adding products and services to their existing models, but the very nature of how they operate is beginning to change. And as these changes happen, banks can only move as fast as their customers are willing to move alongside them.

Shaping the Future of the Digital Economy
This panel represented a range of industries. Specific to the financial services industry, PayPal CEO Dan Schulman said he expects the fintech industry to see more innovation in the next five years than it has seen in the last 30. The cause of this development speed comes down to AI. Along with AI, digital transformation was another hot topic. The panel agreed that digital transformation has opened up new opportunities and in many cases requires firms to revamp their entire business model.

From Token Assets to a Token Economy
This session sought to answer the question, “how can tokenization make illiquid assets accessible without creating new financial risks?” The panelists explained how tokenization makes fractional ownership possible with physical goods, such as a famous painting or a piece of real estate. One overarching theme that pulsed throughout the discussion is that global regulation is behind in the tokenized asset realm. So while technology may be advanced enough for a tokenized asset economy, we are still many years away from it being commonplace.

How to Implement Responsible AI
The World Economic Forum has teamed up with the government of Singapore to create a model framework of governance for the use of AI. This panel discussed the new framework and how it addresses the explainability of AI, which aims to be simple enough for all players to understand. As a part of the effort, the group has also released a toolkit for boards of directors to understand how to conduct AI oversight.

The Real-World Impact of 5G
This session hosted representatives from Verizon, Qualcomm, and ABB. The group addressed political and policy issues around security and trust. Secondary to the conversation were social concerns. The first considered if 5G will cause a digital divide between societies that have 5G and those that do not. The other social concerns addressed were potential climate change and health concerns.

Global Cybersecurity Outlook
The general consensus of this panel is that we are currently losing the battle of cybersecurity. The panelists looked at who is ultimately responsible to act as the authority to govern fraudsters, discussed the balance between security and consumer privacy, and considered whether businesses’ cybersecurity spending is happening in the right areas. Finally, the panelists concurred that security is not an IT problem, but that it is a business problem and everyone at the organization should be a security expert to some extent.

Creating a Credible and Trusted Digital Currency
This discussion looked at opportunities, challenges, and concerns around digital currencies. The panel acknowledged that digital currency adoption has a certain and definite future. Representatives addressed real use cases, including cross-border payments, financial inclusion, and fraud prevention. Among the discussion points were stablecoin competition, central banks’ participation, as well as cultural effects. Much of the dialogue circled back to digital currencies issued by central banks (CBDCs).

Other sessions worth a look include Valuing Unicorns, Building Trust in Data Flows, and Investing in the next Frontier.

The CA Consumer Privacy Act Went into Effect While You Were on Vacation

If you’re unfamiliar with the California Consumer Privacy Act (CCPA), you might want to stop catching up on email you missed over the holiday and focus on this new regulation. Here are a few highlights of California’s new law, which went into effect yesterday.

CCPA grants California residents new rights when it comes to their data and privacy. Essentially, this group of consumers are now entitled to know what data businesses collect about them, where they received it, how they plan to use it, who they have shared it with, and if it will be sold.

Here are some takeaways on what fintechs need to know now that the new rule has taken hold:

What’s required of you

Essentially, California consumers have the right to receive a report of their personal information that a business has collected on them for the past year, the right to have that data deleted, and the right to limit the sale of their data to third parties.

All of this means that in addition to tracking consumer data, businesses are also responsible for reporting where the data came from and where it’s going.

CCPA may not apply to you

The state of California has almost 40 million residents, and if you’re conducting business in the U.S., you likely have clients there. And even if you don’t, CCPA grants the new privacy rights to all California residents as defined by income tax, even if they are not currently living in the Sunshine State. In contrast, those living in California but paying income tax in another state are not covered by CCPA.

That said, there’s still a chance CCPA won’t apply to you. Businesses with gross annual revenues less than $25 million, or those that deal with personal information of fewer than 50,000 consumers, or businesses that generate less than 50% of their annual revenue from selling consumers’ personal information are exempt.

Heads up: you could be sued

Data breaches are generally costly, and CCPA will add to the expense. If a consumer notifies a business that it has improperly handled their data and the business doesn’t rectify the issue within 30 days, the consumer has a right to sue for damages in the amount of $100 to $750 per incident, injunctive or declaratory relief, or another option deemed suitable by the court.

On top of that, if a business experiences a data breach, sells consumer data without permission, or retains data after the consumer requested it to be deleted, the Attorney General has a right to charge violators $2500 to $7500 for each consumer data file involved.

CCPA may go federal

As you plan out methodologies to document data collection, usage, and distribution, don’t limit your systems to Californians. The privacy act may eventually be escalated to the federal level, so plan your data protocol around all of your U.S. clients.

Just because you’re GDPR compliant doesn’t mean you comply with CCPA

The U.K.’s General Data Protection Regulations (GDPR) went into effect in May of 2018. But just because you’ve mastered your compliance strategy for GDPR doesn’t mean you can rest easy when it comes to CCPA.

On the contrary, there are a handful of differences between the two, as outlined by Pillsbury Law:

  • The coverage group
  • The privacy policy disclosures
  • The breadth of disclosure rights
  • The data disclosures and deadlines
  • The right to opt-out
  • The explicit protection against discrimination

For a more in-depth look into the differences, I highly recommend taking a look at Pillsbury Law’s piece.

Identity verification may be an issue

A user may request access to all of his data, but how do you ensure he is indeed who he says he is and not a criminal? Furthermore, how do you ensure he is a California resident?

According to IDology COO Christina Luttrell, “If GDPR is an indicator of how CCPA will unfold, then businesses need to consider how criminals can and will exploit subject access requests.”

Luttrell went on to explain, “The organizations that will be well positioned to complete CCPA-related requests are the ones that understand the facets of CCPA identity verification (IDV) and adopt IDV systems that scale and automate, are secure and easily integrated, and have multiple IDV methods that will satisfy consumer needs.”

You may be late but you’re not too late

In the event a business violates the CCPA, it has additional time before fines and enforcement take hold due to the 30-day period to cure noncompliance.

If a business can fix a problem with its privacy compliance and follow the procedures set forth in the law to do so, then it hasn’t violated the law and will not be subject to a lawsuit for the failure to comply.