A Look at Data Security
In the latest issue of DailyFunder, Cheryl Conner explored data security in the alternative business lending industry. Her starting point was the ETA’s 2008 Merchant Cash Advance White Paper, which stated that merchant cash advance companies must be PCI compliant.
That white paper was drafted in a different era, when 99% of all transactions were repaid through a payment processing split rather than ACH debits. It also limited its scope to companies “that handle sensitive payment related information”, namely cardholder data, as part of their regular business operations.
Credit card processors that issue merchant cash advances directly are naturally already subject to PCI compliance, but funding companies that aren’t in the processing business fall outside its scope. Indeed, a spokesperson for the PCI Security Standards Council informed Conner that “PCI standards apply to payment card data branded by one of the five founding brands, which means any entity that accepts, processes, transmits or stores account data from a PCI branded payment card should be applying PCI DSS for the protection of that data.” She went on to say that PCI DSS doesn’t apply to bank account data.
So while PCI compliance has little bearing on alternative business lending, the question remains whether other privacy regulations apply, particularly the Gramm-Leach-Bliley Act (“GLBA”) of 1999. According to the FTC, the GLBA “requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.” The law is broad enough to cover any financial institution engaging in activities that are financial in nature.
The GLBA imposes a host of requirements on these financial institutions, including, under the FTC’s Safeguards Rule, the need to establish an information security program to protect customer information.
But, as is the recurring theme in alternative business lending, such rules do not reach business-to-business transactions. The FTC’s website states:
Under the Rule, a “consumer” is someone who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that person’s legal representative. The term “consumer” does not apply to commercial clients, like sole proprietorships. Therefore, where your client is not an individual, or is an individual seeking your product or service for a business purpose, the Privacy Rule does not apply to you.
Similarly, I’ve been told that the Consumer Financial Protection Bureau does not have jurisdiction over business-to-business transactions, even if one party is a sole proprietor. In a business-to-consumer transaction, the consumer is assumed to be less sophisticated than the business and therefore deserving of protections. When two businesses deal with each other, it would be extremely difficult to draft rules that protect only one side, as both are free market equals.
While there may not be any laws that regulate security or privacy in commercial transactions, there are plenty of benefits to following GLBA-like guidelines. For one, doing so builds goodwill with clients. Additionally, security and privacy are sure to be examined during due diligence by potential investors. And the bank account data that ACH-based funders hold is no less attractive to attackers than cardholder data, even though PCI DSS does not cover it; in this day and age, a breach of privacy or security could permanently disrupt a business’s ability to maintain the good faith of the public.
Do you feel that alternative business lenders are doing a good job?
Note: I am not a lawyer and this post should not be considered legal advice.
Last modified: August 2, 2015