Data Protection in the Financial Sector: Legal Imperatives and Business Realities

7 Feb, 2025

The financial sector is no longer just about balancing assets and liabilities; it is a sophisticated ecosystem where data has become the new currency. Banks, financial institutions, insurance companies, and payment service providers are not merely handling capital - they are also the digital guardians of personal information. Ensuring the security of this data is not just a matter of technological solutions; it is a fundamental shift in the relationships between businesses, regulators, and consumers.

Data in the financial sector has transformed from mere numerical values into a strategic asset. This is why the European Union has implemented strict regulations through the General Data Protection Regulation (GDPR)¹, and Ukraine has taken steps to align its legal framework with European standards. The Law of Ukraine "On Personal Data Protection"², together with the Law "On Payment Services"³, lays the groundwork for regulating the digital flow of information, but is this enough for real control?

The concept of Open Banking, promoted in the EU through PSD2⁴, has dramatically reshaped relationships between financial institutions and their clients. Now, account data can be shared among financial intermediaries with the client's consent. This fosters competition and drives financial innovation, yet it also raises concerns about the risks of unauthorised access to confidential information. How much control does a client truly have over their data when algorithms start understanding their financial behaviour better than they do themselves?

Blockchain technology offers an alternative solution to security concerns, ensuring data immutability and transparency in financial transactions. However, from a legal standpoint, it presents a new challenge: how to reconcile the principle of blockchain's permanence with the "right to be forgotten" enshrined in GDPR⁵? Once financial data is recorded on a distributed ledger, it becomes nearly impossible to erase, even when required by law. This is not just a technical issue but a profound dilemma in modern digital jurisprudence.

Financial monitoring has become a key tool in combating financial crimes, requiring banks and financial firms to disclose increasing volumes of client information. Ukraine, in line with its international commitments under FATF⁶ and EU directives, has implemented stricter financial monitoring rules. Every suspicious transaction is now subject to scrutiny, and identifying the ultimate beneficial owner is mandatory for opening an account. However, where is the boundary between preventive measures and excessive intrusion into personal privacy?

Automated big data analysis and artificial intelligence have become indispensable in the fight against financial fraud. Machines learn to detect suspicious patterns, predict risks, and even determine creditworthiness. But can algorithms be truly objective? Research by the European Banking Authority (EBA)⁷ indicates that automated decision-making systems may not only prevent fraud but also create new risks of discrimination. If an AI model is based on historical data, does it risk reinforcing biases and excluding certain categories of clients from financial services?

In the United States, where financial data protection is regulated by the Gramm-Leach-Bliley Act (GLBA)⁸ and the Fair Credit Reporting Act (FCRA)⁹, approaches to data management are also being reconsidered. Financial confidentiality requirements are becoming stricter, particularly following the introduction of the California Consumer Privacy Act (CCPA)¹⁰. This reflects a global trend: consumers want not just security but also control over their financial footprints.

Legal regulation of personal data in the financial sector continues to evolve. In 2025, the EU is expected to adopt new directives on digital financial identity¹¹, impacting client identification and authentication requirements. Meanwhile, the G7 is discussing global standards for financial data exchange¹², which could significantly alter the rules for international business. This means that financial firms must not only comply with existing regulations but also proactively prepare for future changes.


Bibliography:

  1. General Data Protection Regulation (GDPR), Regulation (EU) 2016/679
  2. Law of Ukraine "On Personal Data Protection" No. 2297-VI
  3. Law of Ukraine "On Payment Services" No. 1591-IX
  4. Directive (EU) 2015/2366 on payment services (PSD2)
  5. Article 17 GDPR, Right to be Forgotten
  6. Financial Action Task Force (FATF), Recommendations on Money Laundering and Terrorism Financing
  7. European Banking Authority (EBA), Guidelines on Internal Governance
  8. Gramm-Leach-Bliley Act (GLBA), Public Law 106-102
  9. Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681
  10. California Consumer Privacy Act (CCPA), Cal. Civ. Code § 1798.100
  11. European Commission, Proposal for a Regulation on a European Digital Identity
  12. G7 Finance Ministers and Central Bank Governors, Communiqué on Financial Data Standards


Author: Yaroslav Ognevyuk