Finance Use Case: FinTech Customer Information Protection

The Gramm-Leach-Bliley (GLB) Act imposes data security and data-sharing standards on businesses that engage in general categories of “financial” activities. In addition, many U.S. states (New York, New Jersey, Connecticut, Massachusetts and California) have supplemented GLB with “money transmitter” laws to cover financial technology or “FinTech” companies.


“Financial companies must … ensure the security and confidentiality of customer information and to protect against unauthorized access to or use of that information, both by third parties and your own employees.”


This means GLB places responsibility for data security directly with the board of directors, and for public companies the Sarbanes-Oxley Act makes the CEO and CFO responsible. With alarming frequency, new reports of serious breaches reveal that concentric or layered security architectures based on detection, protection and transportation technologies are simply inadequate. In many cases human error plays the largest role, through misconfiguration, fraudulent scams, and even intentional security violations. Making this problem even more complex to solve, leading global FinTech companies are proactively turning to cloud technology in an attempt to meet increasingly stringent compliance regulations. Traditional financial companies face the same security challenge, since they too offer Internet-connected customer services. In every case, any data breach, no matter how small, can result in direct liability to a company and its officers.



Working in conjunction with existing security products and processes, the best practice to ensure data protection even after a breach is to encrypt customers’ PII data so that cyber criminals or internal non-authorized users only obtain unintelligible data. Bonafeyed can secure this customer data with the following approach:



With these steps, it is easy to integrate Bonafeyed into existing systems: simply take what are today’s stored procedures or reporting agents on the database server and move them to a separate machine acting as a client with restricted permissions. In such a case, if there is an error or hack, the exposure of information is contained and limited.


With Bonafeyed, when encrypted data is lost, stolen, abandoned or forgotten, it remains protected and becomes permanently inaccessible once keys are deleted or retired, ensuring that cyber criminals or internal non-authorized users obtain only unintelligible data, which exceeds the requirements of the Gramm-Leach-Bliley Act and money transmitter laws!