Personal data protection in banks
When concluding a contract for banking services or taking out a loan, a client of a financial institution hands it a substantial array of personal data for processing, from name and passport details to information about property and family status. At the same time, the client does not always sign a consent to the processing of that data. To what extent are the client's rights protected, and are credit institutions liable for unlawful processing of personal data or for transferring it to third parties?
Personal data protection rules in banks
The success of a banking business depends largely on the institution's ability to keep banking secrets. Clients' personal data fall under a different confidentiality regime and are protected by different legal instruments, but the organizational and technical measures used to protect the two data sets may be identical. The difference lies in who sets the security standards:
- for personal data, the requirements of the FSTEC of Russia;
- for banking secrecy, the instructions of the Central Bank of the Russian Federation.
Strict requirements encourage banks to take a systematic approach to protecting personal data, especially since a leak carries risks to business reputation and of lawsuits seeking compensation for harm caused to a citizen.
In a credit institution, personal data of citizens is stored in the following information systems:
- in a common database that processes transactions on individual accounts (automated banking system, or ABS);
- in the Client-Bank module and other systems for online access to accounts;
- in systems that transfer funds from bank cards;
- in accounting systems;
- in personnel systems (for personal data of bank employees).
In addition, personal data can be found on physical media in credit files, which contain contracts, loan applications, and information about collateral and guarantors. Information on tangible media is the least protected against leaks caused by employee misconduct. Here the system for protecting clients' personal data should rest on the security service's control over the actions of insiders.
Banks have already developed technical systems for protecting personal data, integrated with their operating information systems, that ensure the protection of information covered by bank secrecy. As practice shows, external attacks, including hacker attacks on banks, are aimed more at information about accounts and deposits; personal data as such is of less interest to criminals. But there are two groups of risks that everyone who entrusts a bank with their information should know about:
- insider risks: quite often ordinary bank employees voluntarily pass information to acquaintances or business partners;
- risks of personal data being transferred to collection agencies when problem debts are collected or a right of claim is assigned.
In the first case, liability falls on the specific employee; in the second, only a court can penalize the bank, and not in all cases.
Legal and regulatory documents governing the protection of personal data in banks
When developing a personal data protection system, banks rely on the Federal Law "On Personal Data", Government Decree No. 1119, and orders of the FSTEC and the Federal Security Service of Russia. But since the information is stored in an automated banking system that has its own levels of protection, an additional set of requirements applies: the Bank of Russia Standards, which define the standards for ensuring information security of organizations in the banking system of the Russian Federation.
Relations in this area are now regulated by six standards, each covering a specific security issue, supplemented by methodological recommendations developed by the Association of Russian Banks (ARB). Two of the standards are devoted directly to the protection of personal data in banks' information systems and to the current threat model.
The standards define the need for several additional protection subsystems. These are subsystems for:
- access control, identification and authentication;
- logging and accounting of employees' actions with personal data, and of security incidents;
- ensuring the integrity of the personal data database as its key characteristic;
- firewalling, which blocks access to the data by users who hold no special rights to it.
In most cases, the systems in which banking information is processed have no direct access to the Internet. This does not apply to Client-Bank, the modules that process money transfers to cards, and some other databases. If these have their own access to the Network, additional subsystems are created:
- anti-virus protection;
- detection of external intrusions;
- analysis of the level of security.
For a distributed system, cryptographic tools must additionally be deployed to encrypt and protect the personal data in transit.
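The first three subsystems the standards call for (access control, logging of employees' actions with personal data, and database integrity) can be shown working together in a small model. The following Python code is an added example, not code from the page, from any bank, or from the Bank of Russia Standards; the roles, field groups, sample client record and the integrity key are constructed for illustration only. Access is denied by default, every read (granted or refused) is written to a hash-chained audit log so that later edits to the log are detectable, and each record carries an HMAC that is checked before data is released.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed demo key for the integrity HMAC. Assumption: in a real ABS this
# key would live in an HSM or key-management service, never in source code.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"

# Hypothetical role -> permitted actions. Deny by default: a role or action that
# is absent here is refused, which is the "users without special rights" rule.
PERMISSIONS = {
    "loan_officer": {"read_contact", "read_financial"},
    "teller": {"read_contact"},
}

# Hypothetical grouping of record fields by sensitivity.
FIELD_GROUPS = {
    "contact": {"name", "phone"},
    "financial": {"passport", "income"},
}

# Constructed sample client record (not real data).
SAMPLE_RECORD = {"name": "I. I. Ivanov", "phone": "+7 000 000-00-00",
                 "passport": "0000 000000", "income": 85000}


def record_mac(record: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding, so changing any field is detected."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


def _entry_hash(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class AuditLog:
    """Append-only log of actions on personal data. Each entry commits to the
    previous entry's hash, so editing or deleting an entry makes verify() fail."""
    entries: list = field(default_factory=list)

    def append(self, actor: str, action: str, subject_id: str, granted: bool) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"actor": actor, "action": action, "subject": subject_id,
                "granted": granted, "prev": prev}
        self.entries.append({**body, "hash": _entry_hash(body)})

    def verify(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _entry_hash(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class PersonalDataStore:
    """Toy store combining the three controls: every read is authorised against
    PERMISSIONS, logged to the audit chain, and checked against the record's MAC."""

    def __init__(self) -> None:
        self.records: dict = {}   # subject_id -> [record, mac]
        self.audit = AuditLog()

    def put(self, subject_id: str, record: dict) -> None:
        self.records[subject_id] = [dict(record), record_mac(record)]

    def read(self, actor: str, role: str, subject_id: str, group: str) -> dict:
        action = f"read_{group}"
        granted = action in PERMISSIONS.get(role, set())
        self.audit.append(actor, action, subject_id, granted)  # denials are logged too
        if not granted:
            raise PermissionError(f"{role} may not {action}")
        record, mac = self.records[subject_id]
        if not hmac.compare_digest(record_mac(record), mac):
            self.audit.append(actor, "integrity_failure", subject_id, False)
            raise ValueError(f"integrity check failed for {subject_id}")
        return {k: v for k, v in record.items() if k in FIELD_GROUPS[group]}


if __name__ == "__main__":
    store = PersonalDataStore()
    store.put("C-001", SAMPLE_RECORD)
    print(store.read("ivanov", "loan_officer", "C-001", "contact"))
    try:
        store.read("petrov", "teller", "C-001", "financial")
    except PermissionError as exc:
        print("denied:", exc)
    print("audit log intact:", store.audit.verify())
```

Two design points matter for the insider risk discussed on this page: refused reads are logged with `granted=False`, because a pattern of denied lookups is itself an incident worth reviewing, and the audit chain is verified independently of the records, so a tampered record and a tampered log are detected separately.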
Protection of personal data during their transfer to third parties
Lawsuits for the recovery of moral damages where banks have transferred citizens' personal information to collectors have already appeared in practice. In most cases, the courts side with the bank if the credit institution secured, in the consent to the processing of personal data, the right to transfer information to third parties. On the other hand, case law holds that the list of such persons should be strictly defined. The bank's client, the personal data subject, does not always sign a separate consent to data processing; sometimes the terms implying such processing are written into the loan agreement. If consent as a separate document, the execution of which is provided for by the law on personal data processing, was not drawn up, the client can recover from the credit institution a modest sum, usually not exceeding 10 thousand rubles, as compensation for moral damage.
Lawfully and without any question, the bank may transfer clients' personal data to:
- the Central Bank of the Russian Federation, for supervisory purposes;
- Rosfinmonitoring, to fulfill its obligations under anti-money-laundering legislation;
- bailiffs, tax and investigative authorities, at their request, in cases directly provided for by law;
- insurance companies that insure risks under loan agreements, if this is provided for in the consent given by the client.
In all other cases, the citizen must be told exactly to whom their personal data will be transferred, for processing or other purposes, and must consent to it.
When concluding an agreement with a bank, be extremely careful about the information you hand over, and study the consent to personal data processing closely, particularly the list of persons to whom the data may be transferred for processing.