Establishing Effective Compliance Programs in 2024

What does achieving an effective approach to compliance in today’s payments climate really require?

Recently, Spreedly’s Rachel Fine sat down with Ben Weikert at Ketch for a webinar on More Regulation, More Enforcement. What’s in Store for Privacy and Compliance in 2024 to discuss the latest trends in compliance and their impacts within the payment space. 

While privacy may stand out as a core aspect of compliance, this webinar uncovers that compliance is a multi-faceted function with many rules and regulations to juggle. Join us as we dive into key insights from this webinar and explore just how intertwined payments and compliance truly are.

A 2024 Overview of Compliance Trends in the U.S.

It’s safe to say that data privacy has become a central focus of U.S. regulatory initiatives. 

According to 2023 International Association of Privacy Professionals (IAPP) data, more than half of all U.S. states have introduced privacy legislation, with 15 states signing such bills into law. Looking at what these bills specifically entail, we can see a clear prioritization of consumer rights when it comes to accessing, correcting, and deleting their personal data. 

A common example used by regulators is targeted advertising. Consumers are receiving more protections and guidelines for how to opt out of targeted advertising within the U.S.

This stands in contrast to the EU, where consumers must opt-in first to receive targeted advertising at all. 

From a customer experience standpoint, this opt-out versus opt-in regulatory approach adds another layer of complexity depending on where your business is based and where your target customers are located. Providing customers with a satisfactory consent management experience starts with understanding the importance of these locations and how they impact your regulatory burden. 

In terms of standout data privacy laws in the U.S., the California Consumer Privacy Act (CCPA) is serving as a template and benchmark for similar legislative initiatives in other states. 

After its initial introduction in 2018, the CCPA has given way to more thorough regulatory investigations, with an emerging focus on payment scenarios involving employee data, consumer data, loyalty programs, and streaming services. Specifically, regulators are looking to ensure that users are provided with the proper opportunities to opt out of data collection processes across different devices and applications. 

The CCPA has set a solid foundation for how modern businesses should deliver data privacy experiences to consumers, especially in terms of cross-functional, cross-device compliance. What matters now is how you adapt your own compliance operations to meet the expectations of evolving data privacy regulations.

Spreedly’s Approach to Compliance: The Secure Controls Framework

Although regulatory change comes with operational hurdles, data privacy is one area that comes with many existing frameworks, like the NIST privacy framework. Such frameworks allow you to establish a robust approach to data privacy without reinventing the wheel.

Using a framework like NIST ensures privacy is not treated as a siloed function but rather an interconnected piece of the larger compliance puzzle.  

For example, at Spreedly, we use the Secure Controls Framework (SCF) — a broader framework of which NIST is a subset. This framework covers not only the specifications of NIST but also the requirements of international regulations like GDPR, as well as state-specific laws like the CCPA.

Part of what appealed to Spreedly about the SCF was the framework’s prioritization of a risk-based perspective. According to Rachel Fine:

“As a payments orchestration company, the way we have historically looked at everything in the eyes of our customers and [the payment data] that we hold. We wanted to start expanding into all of the other types of data that we have as a company, and not that we were doing anything incorrectly, but just those areas for improvement, those areas for enhancement, and embedding the privacy principles into our organization, not just how they relate to payments, but just in general, in our day to day working life, what is your role? What kind of data do you look at, in your role? How should you protect that?”

Rachel Fine, Senior Compliance Manager, Spreedly

Through this SCF risk-based approach, the Spreedly team can tackle compliance functions at a more granular level, assessing each component of the compliance strategy and how it intermingles with different operational functions, such as payments. 

The Need for Continuous Adaptation in Compliance

As soon as you feel caught up on the latest regulatory changes, new legislation arrives to disrupt your approach to compliance once again. Staying nimble in today’s rapidly-paced regulatory environment requires a highly adaptable compliance program.

In addition to employing a framework like NIST or SCF, you can also optimize your approach to data privacy by:

• Engaging with external consultants, including legal counsel in Europe, to ensure your compliance program accurately interprets different rules and requirements
• Continuously re-evaluating the effectiveness of your compliance program 
• Introducing automation to eliminate time-consuming and error-prone manual processes

What’s most important is taking the time to ensure your data privacy strategy and broader compliance program are truly cross-functional. 

At Spreedly, we achieve this cross-functionality by engaging daily with stakeholders in three main ways:

1. Compliance & Security Collaborations: From an operational standpoint, Spreedly aligns our compliance and security teams to ensure all the necessary legal boxes are checked in a way that supports the technical integrity and security of our platform. 
2. Product Development Cycles: Product development teams at Spreedly partner closely with compliance teams to optimize new product releases and product enhancements. Rather than discovering a problem at the eleventh hour, this close partnership enables us to weave in compliance through all stages of product development. 
3. Executive Engagement: Spreedly hosts a monthly compliance committee meeting to touch base with executives on current compliance and privacy initiatives. By having continual and constant conversations about compliance and data privacy, Spreedly keeps our entire team on the same page, from our developers to our top brass. 

Keeping Your Customers in the Compliance Loop

Part of establishing a cross-functional approach to compliance is remembering the role your customers have to play in data privacy initiatives. As Rachel puts it:

“ — [We] really have to be constantly evolving and listening to what our customers are asking us. We’re a consultative body for them, as well as all other parts of it, and they will really want to understand how we’re handling some of these key issues that impact them too.” 

Rachel Fine, Senior Compliance Manager, Spreedly

By choosing Spreedly for your payment orchestration needs, you gain the advantage of a robust compliance program powered by Ketch capabilities. 

Speak with Spreedly today to discuss your payment compliance program requirements. 

Download the PCI Compliance eBook Below