30 Understanding Data Privacy in the Financial Services World

TCS BaNCS Research Journal

UNDERSTANDING DATA
PRIVACY IN THE FINANCIAL
SERVICES WORLD
“WE SHOULDN’T ASK OUR In the wake of recent high profile providers. The customer on-
CUSTOMERS TO MAKE A TRADE- data breaches worldwide, the data boarding process in a bank entails
OFF BETWEEN PRIVACY AND privacy debate has assumed greater capturing personally identifiable
HTTPS://GOO.GL/MGNYPT

SECURITY. WE NEED TO OFFER
THEM THE BEST OF BOTH.
ULTIMATELY, PROTECTING
SOMEONE ELSE’S DATA
PROTECTS ALL OF US.”
- TIM COOK, CEO, APPLE
significance and assumed center-
stage in the regulatory world; and,
more so in the financial services
industry given the vast amounts of
personal data processed by banks/
financial services organizations
and their third party IT solution
information, and this can range from
sharing non-financial data such
as names, addresses, e-mail ids,
contact and social security numbers
to financial data in the form of
savings, loans accounts and debit/
credit card numbers.

From a regulatory compliance
perspective, it is also important to
distinguish between personal and
sensitive personal data. Personal
data relates to information about
identified or an identifiable
natural person (“data subject”)
with particular reference to
an identifiers, such as names,
identification numbers, location
data, and online identifiers, or to
one or more factors specific to the
physical, physiological, genetic,
mental, economic, cultural or
social identity of that person. This
also includes financial privacy
that refers to the maintenance
of confidentiality of customer
information about transactions and
finances by financial institutions.
Sensitive personal data, on the
other hand, refers to personal
information that reveals racial or
ethnic origin, political opinions,
Understanding Data Privacy in the Financial Services World
religious or philosophical beliefs,
trade-union membership; or data
concerning health or sex life and
sexual orientation; and genetic data
or biometric data. Going forward,
organizations will require stronger
grounds to process sensitive
personal data than required with
“regular” personal data.
Cost Implications of Non
Compliance
It is also important to understand
the costs associated with the
data breaches resulting from
non-compliance to data privacy
regulations. Average costs
associated with each breach
such as related to its detection,
response plans, notifications et
al have been rising over the last
few years. Implementing a robust
data compliance framework that
enables adherence to data privacy
31
TCS BaNCS Research Journal
GOING FORWARD,
ORGANIZATIONS WILL
REQUIRE STRONGER
GROUNDS TO PROCESS
SENSITIVE PERSONAL
DATA THAN REQUIRED
WITH “REGULAR”
PERSONAL DATA.
regulations can help organizations
avoid the costs associated with
various data breaches.
There are also huge financial
penalties envisaged by regulators for
privacy infringements, and serious
focus is required to implement and
review data governance across an
organization, its operations and
information systems.
In addition to financial penalties,
the industry also faces a significant
reputational risk to the business
in the event of any personal data
breach.
HTTPS://GOO.GL/MGNYPT
Emerging Trends in Data Privacy in
the Face of Evolving Threats
As seen in the preceding section,
the banking industry is one of
the primary data breach targets
due to the perceived value of the
underlying data. To capitalize on
32 Understanding Data Privacy in the Financial Services World
emerging growth oppurtunities,
TCS BaNCS Research Journal
banks need to be flexible in sharing
customer data, and it is therefore
critical that they achieve a balance
between how flexible data sharing
can be while also maintaining its
privacy. Recently, the “BCG Global
Consumer Sentiment Survey”
findings concluded that “ credit card
and financial information’ are the
most private types of data, globally.
Globally, there is a paradigm shift
in the way the banking is being
conducted. The ‘brick & mortar’
type of banking business is being
dispensed with through the rapid
adoption of digital technology.
Increasingly, banks are moving from
an ownership model to a cloud
infrastructure. In the channels
arena, the initiation processes are
being regulated directly by the
customer (e.g., Internet banking,
Cards Platforms, Point of Sale
Terminals, etc.) with appropriate
security features. There is a
visible transition in the banking
environment, with the banks
(including local cooperative banks)
using their front offices for sales
promotion, cross selling, upselling
and customer service.
There are three emerging trends
in data privacy that are being
witnessed in the wake of data
breaches, i.e., data breach evolution,
regulatory focus and technology.
Evolving data breach threats are
forcing sweeping regulatory changes.
With the help of technology, banks
are developing and implementing
operational and procedural changes
in order to comply.
HTTPS://GOO.GL/MGNYPT
When it comes to data privacy
regulation, there rarely is a
universal law that is applicable to
all. Oftentimes, there is a significant
variation between data privacy
regulation and enforcement
Data breach evolution Regulatory evolution Technology adoption
• Increasing threat of • Increased regulatory • Focus on simplifying
external malware focus. data protection and
programs. • • Harmonization of data controlling costs
Growing data protection standards • Increasing use of
breach events across geographies identity and access
due to malicious • Outsourcing management solutions
‘insiders’ destinations adopting • Using smartphones for
• Breaches due to privacy laws cyber security (e.g.,
unintentional user Alerts, OTP, etc)
misakes.
harshness, which makes cross- lines, focusing on the rights
border data transfers burdensome. of data subjects and enhanced
While regulations are being scrutiny of data handlers. To give
adopted by different countries, the a sense of the direction that new
degree of intensity varies (i.e., from data privacy regulations will take,
the most stringent to the least or some of the key requirements as
sometimes, no regulations at all). envisaged under the EU’s Genral
Data Protection Regulation (GDPR)
In this regard, it is pertinent to are summarized in chart 1.
make a mention of the European
Union’s (EU) Global Data Protection
Regulation, commonly known as
GDPR, which was finalized after
a series of amendments and
will be effective from May 25,
2018, thereby replacing the old
Data Protection Act and other
national data protection laws. The
regulation, which aims to provide
a legal framework for protection
of personal and sensitive data to
all natural people based in the EU,
irrespective of their citizenship
and where the data is processed,
will impact all industries that rely OFTENTIMES, THERE IS A
heavily on the usage of natural, SIGNIFICANT VARIATION
people related data.
BETWEEN DATA
New Requirements in the Data
Privacy Regime PRIVACY REGULATION
AND ENFORCEMENT
The essence of evolving privacy
laws is on the protection and HARSHNESS, WHICH
maintenance of a customer’s MAKES CROSS-BORDER
personal information. It is fair to
assume that privacy laws in other DATA TRANSFERS
regions will also be on similar BURDENSOME.
 Understanding Data Privacy in the Financial Services World 33

TCS BaNCS Research Journal

Chart 1

Chapter Category Requirements

1 General • This regulation lays down rules relating to the protection of natural people with
Provisions regard to the processing of personal data and rules relating to the free movement
of personal data.
• GDPR applies to data processing of EU citizens in their country of residence or a
foreign country.
• Data exchange is allowed only if a country or counterparty is compliant with GDPR.
2. Principles • Explicit consent from customers to process their data.
• Demonstrate content from customer data both initially and after any correction/
deletion in a structured format, ensuring that there is an audit trail.
• Special protection for the personal data of children.
• Data subjects must be informed about the right to withdraw their consent at any
time (consent must be as easy to withdraw as to give).
• Audit log for future references by stake holder/ enquiry/ delivery of data.
• Data encryption or “pseudonymization” to prevent data breaches.
3. Rights of the • Electronic formats and the process of capturing customer consent.
Data Subject • Collection of customer data in standard questionnaires to align customer data as
well agreements for further processing, e.g., KYC, fraud, marketing. In any case, data
is required for KYC, fraud to prevent customer loss and compliance.
• Automated and secure Information of the data subject in an electronic or paper
format
• Support customer requests for information, correction, and erasure within a month.
• Notification about subject information in case of requests for information,
correction, deletion in a structured form, allowing the channel to process this
automated information.
• Audit trail of notifications for data subjects.
4. Obligations of • Data mapping is required to be able to determine compliance with GDPR.
Controller & • Gap analysis based on data mapping with GDPR level of compliance.
Processor
• Governance and policies for data protection.
• Data protection by design and by default.
• Prevention of attacks via encryption, “anonymization”, “pseudonymization”,
controlled access & data minimization.
• Accountability, by documenting process flows, privacy controls and decisions made
for data protection.
• Ensure security of processing.
HTTPS://GOO.GL/MGNYPT

• Notification of data breaches.

5. Transfer of • Standardized reports for use by customer.
personal data • Restrict transfers of data outside EU with appropriate system validation.
to third-party
• Audit logs of data transfer for traceability.
countries or
international • Secure transfer mechanism to prevent data loss and its falsification.
organizations
34 Understanding Data Privacy in the Financial Services World
TCS BaNCS Research Journal

Data Privacy Framework
Compliance to data privacy
regulations will require a structured
approach. Organizations will need to
• Define and roll out a robust
governance model to implement
data privacy programs
• Review, design and implement a
target operating model
• Review current capabilities
of information systems,
remediate and roll out upgraded
information security systems
To facilitate the above, the program
will need to assess current policies
and frameworks, processes
and IT systems. This will need
to be followed by design and
development of new policies and
processes and, lastly, implemented
and monitored through a well-
designed program.
s
Designing Data Security Laws and
Governance
Financial services organizations
will have to overcome a number of
challenges in implementing data
protection practices.
Firstly, the key to successful
implementation of any data privacy
regulation lies in winning trust
of customers through a well-
defined data security architecture
De

Governance
es

fin
s
As

Data
Privacy

Operations Information
HTTPS://GOO.GL/MGNYPT

Systems

Implement

Figure 1:
A Data Privacy Framework
 Understanding Data Privacy in the Financial Services World 35

TCS BaNCS Research Journal

Chart 2

Areas Data Privacy Activities

Governance • Define and implement a data privacy program.

• Re-define data governance policy framework, data principles and integrate them within
existing functions.
• Re-define reporting needs for requisite senior management focus.
• Appoint data protection officers.
• Design and develop privacy impact assessments.
• Review and update partner Agreements for data privacy clauses.
• Define and review supplier relationships.
• Create awareness across functions within the enterprise.
• Develop and roll out a role-based induction program.
• Conduct privacy assessments regularly and as and when new products /processess are
launced.
Operations • Define templates for data privacy notices.
• Define processess for recording consent, withdrawal of consent, correction of stored
data, data erasure and portability.
• Define a policy for retention and disposal of data.
• Integrate security solutions with regular operations.
• Establish data audit trails.
• Maintain system activity report logs, templates, response records of data subjects.
• Maintain data sharing logs, policies, protocols and disclosures.
Information Systems • Assess IT systems’ data privacy architectures for new requirements such as consent
management, data privacy notices, data erasure, portability and breach notifciations.
• Remediate and re-design applications to enable prevention controlled access and data
minimization.
• Define access control points.
• Implement automated compliance controls.
• Maintain incident logs.
• Conduct regular compliance, audit and vulnerability tests.

without compromising on the
advantages and benefits of data
access and networking. This will
pose a significant challenge in
implementing data protection
significance in deciding the data
security design at various levels
across the chain. Organizations will
also have to balance the needs of
shared data access with that of data
data protection laws globally.
The EU has taken the lead in
repealing older versions, which
will be effective from May 2018,
and other regions and countries
HTTPS://GOO.GL/MGNYPT

by design. Who needs to see the
data and to what extent, and who
does not need to when carrying
out regular tasks will play a key
role in designing these laws.
Encryption, “anonymization” and
“pseudonymization” will assume
security.
Secondly, there have been a
number of data breach incidents in
the recent past where customers’
data has been stolen, and this has
added to the urgency in revising
are expected to follow suit. Given
the multinational nature of most
businesses, especially in the
banking sector, the challenge will
also lie in stating a multitude of
such laws in various forms and
understanding the nuances for each
36 Understanding Data Privacy in the Financial Services World
TCS BaNCS Research Journal
region. Data protection in the EU
could be quite different from laws
in the USA.
Thirdly, in an environment where
outsourcing is the norm, fixing
responsibility for liability in
circumstances where personal
data has been disclosed to various
recipients, including third-
party countries or international
organizations, will prove to be a
challenge. The legal agreements
between data controllers and data
processors will have to review and
reflect any changes as per the new
data protection regimes.
Finally, lack of awareness among
people handling data at various
levels is another challenge.
People need to understand the
importance of data security and
HTTPS://GOO.GL/MGNYPT
own it at all levels. Any data
protection compliance program
when implemented will only be
successful if people are made
adequately aware and educated
about its importance.
In Conclusion…
Yogesh Sharma
As the dependency of banks on Product Specialist
TCS Financial Solutions (TCS BaNCS)
technology is increasing, banks are
facing exponentially increasing
privacy and security risks to their
valuable assets. With this, the
cyber-crimes related to banks have
also increased manifold even as
security mechanisms employed by
banks are no longer optimum. A
robust data privacy framework is
required to provide a safe banking
environment to users. As customers
become wary of the data security
risks, this could also be seen as a key
differentiator for banks as they look
for growth opportunities. The focus
on data privacy will definitely be a
key factor in winning customer trust.
Nageshwaran R
Product Specialist
TCS Financial Solutions (TCS BaNCS)