If you're a fintech company with an iOS app, you’ll have to comply with Apple’s privacy policies, specifically their Regulated Financial Services Disclosure.
As someone in this industry, you’re surely no stranger to regulation from governments and requirements set by other companies you partner with. Most financial companies have entire departments devoted to such compliance, who review written and visual content as a part of their charge of keeping the company out of legal scrutiny.
The language on your Apple App Store listing is yet another piece of writing that needs to be right, particularly when it comes to your privacy policies — after all, Apple has staked a lot of its brand value on privacy so they take the topic very seriously.
Whether you’re the writer or the reviewer, we’ll help you understand the requirements, why they’re there, and what you can do to ensure that both your language and your policies comply.
Compliance is good for you and your customers
You probably understand the rationale behind privacy and security regulations, but here’s a quick review in case you’re new to the field or could use some language to convince a skeptic that it’s a good idea to follow the rules.
Whether or not you agree with their regulations, governments have the power to put the hurt on your business if they find you’re not following the rules — especially if you’ve been warned and continue to disobey. Companies failing to comply with regulations around data privacy have faced severe fines, lawsuits, and even the possibility of being shut down completely.
Doing the right thing to protect your users’ data is also simply good business because hackers can make quite a dent in your profits, too. It takes a whole lot more than enforcing character variety on a password because today’s fraudsters use all sorts of techniques such as credential stuffing and brute force attacks to get into customers’ accounts and drain their funds, as well as your brand’s credibility.
One particularly scary incident was Westpac’s 2013 data breach. The major Australian bank had a feature that would display a customer's name when anyone entered their phone number to send them money. A nice way to let people know they were sending funds to the right person, but also a wide-open door that allowed miscreants with random-number generators to plug in millions of numbers and collect the banking details of 98,000 customers.
Data breaches not only cost trust, they also cost companies real money. On average, across the globe, each data breach has cost financial institutions over $6 million in 2024.
What is Apple’s privacy policy for fintech apps?
Apple’s privacy policies require that you identify any information your app collects. This includes disclosing what data is collected, how it’s used, and whether the data is linked to the user and tracked across websites and apps. This information is then exposed to users in a Privacy Nutrition Label.
The “nutrition label” for the iTunes Store.
In addition to general privacy policies, Apple has specific criteria for data practice disclosure for financial services. The way they stipulate the policy is a little convoluted, so we’ll break it down, based on the text as of October 2024.
-
Regulated Financial Services Disclosure
Data types that are collected by an app that facilitates regulated financial services and where the data collected meets all of the following criteria are optional to disclose
Our read: If you collect a certain type of data — say, a name — in a way that meets four specific criteria, you are not required to tell users in the App Store listing, otherwise you must.
- Collection of the regulated data is in accordance with a legally required privacy notice under applicable financial services or data protection laws or regulations (e.g., GDPR or GLBA).
You have to follow the laws and regulations to properly notify users within your app or wherever else they provide the data. (You should do this anyway!)
- Collection by the app of that data occurs only in cases that are not part of your app’s primary functionality, and which are optional for the user.
Users don’t have to provide this type of data, and not providing it won’t diminish their ability to use your app for its main purpose. For example, if a banking app offers a feature to remind you of your friends’ birthdays, this particular data collection could be eligible for non-disclosure if it meets the other criteria.
- Such notice provides that data is not shared with unaffiliated third parties to market other products and services.
This third bullet refers to the first: your privacy notice must specify that you’re not giving the information to another company or organization. This excludes other parts of your business; e.g., you don’t have to say if you’ll give a name and an email to another part of your company for marketing or other purposes.
- Such data is not linked with third-party data for advertising purposes or shared with a data broker except for purposes of fraud detection or prevention or security purposes, or with a consumer reporting agency for credit reporting.
If you combine this data with data from other sources for most purposes, you have to disclose it. However, you don’t trigger the data disclosure requirement if this data is combined with outside data to detect or prevent fraud, maintain security, or report on credit.
- Data types must meet all criteria in order to be considered optional for disclosure. If a data type collected by your app meets some, but not all, of the above criteria, it must be disclosed in your privacy section.
Apple specifies data types. Each type of data that you collect must be evaluated according to all four bullet points. Any data type (such as information collected by third-party cookies used for advertising purposes) that does not satisfy all four must be disclosed in their structured format.
Apple also has other general principles and guidance related to data privacy on their Developer site. Fintech companies risk having their apps pulled from the App Store, or app updates rejected, if they fail to comply with the below guidelines:
- Do not secretly or deceptively collect data
- Ask user permission to track across apps and websites
- Disclose any third-party data sharing (except for the cases listed above)
- Do not sell user data
- Allow users to delete their data upon request
- Comply with major privacy regulations like GDPR, CCPA, and India’s Digital Personal Data Protection Act
Why should fintechs care about Apple’s privacy policy?
We trust that your company is already complying with government regulations, so we won’t belabor that requirement (though here’s a story of recent enforcement actions in India that might scare you straight). But it’s possible that even if you do comply with the laws, you still aren’t behaving and describing your behavior to Apple’s satisfaction.
You’d do well to consider Apple like you would another regulator. If Apple determines you are not following their privacy policy, they can de-list your app from their App Store or restrict you from deploying app updates until your listing complies with their policies both in practice and description. You can imagine the consequences this enforcement action may have on your business and your customers’ experience, not to mention your brand reputation.
It’s a tricky balance. The less information you collect, the less you may have to disclose, and the less scrutiny you may draw from skeptical users — but, on the other hand, you do need enough information to properly vet your customers. However, if your asks are too broad, you have a lot more to tell users about and more opportunities that an honest mistake of omission could lead to big headaches.
How fintechs can keep apps secure and compliant with device intelligence
Every visitor to your website and app projects a unique digital identity from the characteristics of their device, network, browser, and so on. Making use of this information to understand your users is called device intelligence. Fingerprint collects over 100 such signals to create a unique visitor ID for each user that visits your digital properties.
On top of the visitor ID, Fingerprint’s Smart Signals collects a range of real-time data — like VPN usage, jailbroken or rooted devices, and emulators — to help fraud teams quickly spot potentially suspicious behavior. Fraud teams can then use that data and the visitor ID to determine the next steps to take, such as adding additional authentication steps if an account is accessed from a suspicious or new device.
Fingerprint is a valuable component of a modern data privacy and security practice. The platform was built to:
- Comply with major data privacy regulations: Fingerprint checks the important boxes, such as GDPR, CCPA, ISO 27001, and SOC 2 Type 2.
- Keep your data private: Fingerprint doesn’t share customer data with anyone else.
- Identify visitors with industry-leading accuracy: Fingerprint’s precision lets you catch more bad guys while reducing friction for real customers.
What does this have to do with Apple’s privacy policies? Using Fingerprint might allow you to need less of your customers’ data to confidently protect their account, so you have less collection to potentially disclose — or get slapped with big consequences for not disclosing.
Fingerprint is easy to set up and get started, with a variety of SDKs for popular languages and web frameworks as well as native and cross-platform mobile SDKs. If you’re interested in nailing the balance between privacy and security with Fingerprint, set up a free trial or contact us today.