This article is written by Shyamachar. M, pursuing a Diploma in Cyber Law, Fintech Regulations and Technology Contracts from LawSikho.com.
The earliest notion of network-enabled social interaction can be traced to the memos written by J.C.R. Licklider of the Massachusetts Institute of Technology (MIT) in August 1962, in furtherance of his vision of a globally interconnected network of computers. Leonard Kleinrock, also of MIT, published a paper and a book on packet switching theory, in 1961 and 1964 respectively. The Defense Advanced Research Projects Agency (DARPA) funded, developed and refined the Advanced Research Projects Agency Network (ARPANET), the first “wide-area packet switching network” and one of the earliest networks to adopt the TCP/IP protocol suite.
Privacy was being examined in the United States as far back as the era of the Second World War, as seen in publications such as the project “The Impact of Science and Technology on Privacy”, carried out between 1962 and 1966 by the Special Committee on Science and Law of the New York Bar Association, which examined the concept of privacy, the techniques involved and their development. The results were published in extensive detail by the Director of Research, Alan Westin, in the Columbia Law Review and in his book “Privacy and Freedom”.
This article examines, from a global perspective, the threats, regulations and standards in the field of cybersecurity that serve the goal of protecting the data privacy of various stakeholders, and their implications in terms of the steps fintech service-providing entities would have to take to ensure the best possible experience for the customers of those services.
Concept of data privacy
The Oxford Advanced Dictionary defines data as “information that is stored by a computer.” The information is mostly stored in an arrayed format, grouped on the basis of some common factor. The reasons for this are varied, but a major one is that such information, especially that pertaining to the customers, clients and other parties affiliated with a business, is a significant asset of that business. Records were digitised for reasons such as the lower cost, space and other resources involved in storing electronic data, easier access, navigation and retrieval of specific details, simpler correction of errors, and greater ease of modification.
Though digitisation removed the risk of physical damage to records, it gave rise to other challenges: the absence of a firm boundary on the extent to which a company may collect customer data, and access by unauthorised third parties to those records once the physical barrier was removed by taking record-keeping online.
In fact, the online revolution has led to a shift from having to actively share the necessary information to having to actively hide it and, for whatever is shared, to restrict the access permissions of various parties. Data privacy is therefore not just a matter of limiting the information shared with a particular organisation or entity, but of following protocols in day-to-day online activity, since the collection of data is perpetual and constant. From an individual’s perspective the issues centre, to name a few, on evading online activity trackers and on sharing data, intentionally or accidentally, with an organisation whose data-sharing agreements with third parties are not fully understood.
An organisation handling massive volumes of data faces a plethora of challenges, as it must incur the cost of maintaining an entire framework for protecting the data assets belonging to it, its customers, clients and other stakeholders. A breach often results in large costs and losses of revenue, along with a possible loss of goodwill. Data asset protection is demanding, as the data grows exponentially, being created and added every second, so an ever-increasing volume of data has to be brought under the shield and safeguarded.
Measures, regulations and frameworks: their implications for fintech
- Fintech organisations should adopt consistent coding patterns in line with established best practices for application development. Documenting the code helps new developers understand its background. The application, and the competence of those developing it, should be such that any tampering with the code can be detected from changes such as additions, removals and other modifications at runtime. Code obfuscation tools may be used to hide the logical structure of the code, reducing the likelihood of the fintech software or application being reverse-engineered for malicious purposes. Unnecessary code should be removed, and developers must refrain from adding extra log output and shortcuts.
- Fintech service-providing entities must also ensure that their track record in cybersecurity and data protection is satisfactory. Finastra, the third-largest fintech company, was targeted by ransomware attackers in March 2020, both because of its position in the fintech sector and because of its unsatisfactory record in cybersecurity and data protection, such as unpatched servers and outdated Pulse Secure VPN and Citrix servers being in use. Fintech service-providing organisations handling customers’ data are expected to run regular security audits and keep company files encrypted. They should also ensure that the cloud services in use offer strong encryption and can distinguish authorised users from others, including malicious users attempting to gain access.
Under the EU General Data Protection Regulation (GDPR), data is to be processed only to the extent covered by the consent given by the data subjects, compatibly with the purpose for which the data was originally collected, or where the organisation is legally obliged to process it. The consent must be valid: given freely, without coercion or misrepresentation, and from a position of being informed of all material facts. The European Data Protection Board (EDPB) has clarified that processing the data of a “silent party” is lawful if “legitimate interests” can be shown. Any entity that processes data on behalf of the organisation, such as a service provider, must be bound by contract to meet the same requirements. Any potential breach is to be notified to the European Union as well as the individuals concerned within 72 hours.
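One practical form of the runtime tamper detection described above is an integrity manifest: record a cryptographic hash of every source file at build time and, at startup or on a schedule, compare the files on disk against it. The example below is added here and is not code from the article; the directory layout, file names and the `demo()` scenario are constructed for illustration.

```python
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, suffixes=(".py",)):
    """Map each source file (relative path) under root to its digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(suffixes):
                full = os.path.join(dirpath, name)
                manifest[os.path.relpath(full, root)] = file_digest(full)
    return manifest


def verify_manifest(root, manifest, suffixes=(".py",)):
    """Report modified, removed and added files relative to a trusted manifest."""
    current = build_manifest(root, suffixes)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "removed": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario: two source files; then one is edited, one removed, one added."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("app.py", "print('pay')\n"), ("util.py", "LIMIT = 1\n")):
            with open(os.path.join(root, name), "w") as f:
                f.write(body)
        manifest = build_manifest(root)          # taken at build/deploy time
        clean_report = verify_manifest(root, manifest)
        # Simulate an unauthorised change of each kind the text mentions.
        with open(os.path.join(root, "app.py"), "a") as f:
            f.write("LIMIT = 0  # unexpected modification\n")
        os.remove(os.path.join(root, "util.py"))
        with open(os.path.join(root, "extra.py"), "w") as f:
            f.write("pass\n")
        return clean_report, verify_manifest(root, manifest)


if __name__ == "__main__":
    before, after = demo()
    print("clean:", before)
    print("tampered:", after)
```

The manifest is only as trustworthy as its storage: keep it where code that can be modified cannot also rewrite the manifest (for example signed, or on read-only media), otherwise an attacker who edits a file simply updates the recorded hash as well.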
Some of the other enactments around the world
The Vermont Act 171 of 2018 (Data Broker Regulation) regulates businesses that aggregate and sell data on individuals with whom they have no direct relationship (data brokers), in order to prevent fraud and bring transparency to dealings in Brokered Personal Information (BPI).
Under the California Consumer Privacy Act (CCPA), fintech companies are bound to tell their customers exactly what information is collected on them and must comply if a customer does not want particular data about them shared. Compared to the GDPR, the CCPA lays greater emphasis on the sale of data than on its collection and processing.
India’s Personal Data Protection Bill would require an entity to collect only the minimum data needed for its processing purposes. The data subject would be able to confirm, correct and ask to be forgotten. Sensitive and critical personal data could not be stored overseas. Organisations falling within the scope of the Act would have to appoint a data protection officer, even if they have no physical presence in India. The privacy rules adopted by the IT Ministry under the Information Technology Act lay down compliance procedures for personal information as well as sensitive personal information.
The New Zealand Privacy Bill restricts the cross-border flow of data, requiring either the individual’s consent, the overseas recipient’s country to have privacy laws comparable to those of New Zealand, or a general permitted exception. It provides for a Commissioner empowered to deal with agencies, issue compliance notices and share information with privacy enforcement authorities abroad.
The Protection of Personal Information Act (POPIA) in South Africa sets accountability standards for the responsible processing of data and establishes customer consent requirements. The Bundesdatenschutzgesetz (BDSG) in Germany has rigid standards for the protective measures to be adopted and maintained for data stored in IT systems. The PDP in Argentina introduced, for the first time in that country, the option to request deletion and transfer of data. The Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada likewise requires disclosure of the purpose of data collection and the consent of the owners of the data.
- ISO/IEC 27001 is a significant addition to the security checks on operations and transactions; it is an international standard for the risk management of data security, setting out requirements for Information Security Management Systems (ISMS). It obliges fintech service-providing entities to preserve the integrity and confidentiality of client data and to promote the resilience of available information and critical business processes.
- ISO/IEC 27002 elaborates in greater detail the information security controls within the ISMS that are summarised in ISO/IEC 27001.
- In addition, ISO/IEC TR 27015:2012 provides complementary guidance on information security and on better initiating and implementing the above controls within organisations involved in financial services.
- The Contingent Reimbursement Model Code (CRM Code) of the Payment Systems Regulator in the UK aims at Confirmation of Payee by Payment Service Providers (PSPs), whereby a new payee’s account name is checked along with the sort code and account number.
- The Second Payment Services Directive (PSD2) takes a rather different approach: it requires banks to open up their payment infrastructure and the customer data they hold so that third parties can develop payment and information services. It therefore addresses not only security and data privacy but also operating strategy.
- Secure Sockets Layer (SSL) is a standard technology for securing an internet connection and safeguarding sensitive data transmitted between two systems against malicious modification. Transport Layer Security (TLS) is the updated successor to SSL, providing greater security; a fintech organisation keeps up to date by obtaining a TLS certificate, with key options such as ECC, RSA and DSA.
Secure communication is established by means of a TLS handshake, in which the parties at either end generate public and private keys for the asymmetric part of the exchange and, for the symmetric encryption, arrive at a shared key that encrypts and decrypts all communications between them. Each new session uses a new key, and the non-alteration of the data is confirmed by means of a Message Authentication Code (MAC).
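To make the handshake description concrete, here is an added simulation (not code from the article or from any TLS library) of its three ingredients: a per-session key agreement, derivation of symmetric keys from the agreed secret and the two nonces, and encrypt-then-MAC protection of a record so that any alteration in transit is detected. The Diffie-Hellman group, the HMAC-based keystream and the record format are assumptions of this example chosen to keep it readable with only the standard library; real TLS uses standardised groups and AEAD ciphers.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption of this example): a 127-bit Mersenne prime
# is far too small for real use; it only keeps the arithmetic readable.
P = 2**127 - 1
G = 3
TAG_LEN = 32  # HMAC-SHA256 tag length


def dh_keypair():
    """Each side generates a fresh private/public key pair for every session."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared_secret(priv, peer_pub):
    """Both sides compute the same secret without it ever crossing the wire."""
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def derive_session_keys(shared, client_nonce, server_nonce):
    """HKDF-style extract/expand: the nonces make each session's keys unique."""
    prk = hmac.new(client_nonce + server_nonce, shared, hashlib.sha256).digest()
    enc_key = hmac.new(prk, b"encryption key", hashlib.sha256).digest()
    mac_key = hmac.new(prk, b"mac key", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, seq, length):
    """Counter-mode keystream built from HMAC (assumed stand-in for a real cipher)."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, seq.to_bytes(8, "big") + block.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(enc_key, mac_key, seq, plaintext):
    """Encrypt-then-MAC one record; the sequence number is bound into the tag."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, seq, len(plaintext))))
    tag = hmac.new(mac_key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    return ct + tag


def open_record(enc_key, mac_key, seq, record):
    """Verify the MAC in constant time before decrypting; None means 'altered'."""
    if len(record) < TAG_LEN:
        return None
    ct, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(mac_key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, seq, len(ct))))


def run_session(message):
    """One handshake followed by one protected record sent from client to server."""
    client_nonce, server_nonce = secrets.token_bytes(32), secrets.token_bytes(32)
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    # Each side combines its own private key with the peer's public key.
    client_keys = derive_session_keys(dh_shared_secret(c_priv, s_pub), client_nonce, server_nonce)
    server_keys = derive_session_keys(dh_shared_secret(s_priv, c_pub), client_nonce, server_nonce)
    record = seal(*client_keys, 0, message)
    return client_keys, server_keys, record, open_record(*server_keys, 0, record)


def flip_one_bit(record, index=0):
    """Simulate corruption or alteration of a record in transit."""
    data = bytearray(record)
    data[index] ^= 0x01
    return bytes(data)


if __name__ == "__main__":
    ck, sk, rec, pt = run_session(b"transfer 100 EUR to account 12345")
    print("keys match:", ck == sk, "| decrypted:", pt)
    print("altered record accepted:", open_record(*sk, 0, flip_one_bit(rec)) is not None)
```

Two points the article's wording glosses over are visible in the code: the shared key is never transmitted, only the two public values are, and the MAC is checked before any decryption takes place, so a modified record is rejected outright rather than decrypted into garbage.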
- Storing cardholders’ data is mostly an unavoidable element of providing fintech services. The Payment Card Industry Data Security Standard (PCI DSS) lays down standards for improving the security of customers’ payment accounts throughout the digital transaction process.
For authentication data, the PIN requires the utmost security, which is addressed by the PCI PIN Security Requirements, specifying requirements for the management, processing and transmission of PIN data to prevent its compromise, especially during electronic payments, alongside PA-DSS compliance for the validation of payment applications that handle cardholders’ data.
- System and Organisation Control (SOC) audits address third-party risks and verify that effective internal controls are operating, providing assurance that a fintech organisation is equipped to secure customers’ data for confidentiality, privacy and processing integrity. A SOC 1 report reinforces the due diligence an organisation performs on customers’ financial reporting, satisfying the requirements of customers’ auditors. A SOC 2 report provides transparency about the appropriateness of information security controls.
- A fintech organisation should employ two-factor authentication (2FA) for greater security of customers’ devices and online accounts, requiring more than just a password to gain access. Authentication factors include knowledge factors (PIN, passwords, favourite restaurant, pet name, etc.), possession factors (ID card, security tokens, phone apps), biometric factors, location factors (using GPS) and time factors for permitting and restricting access.
- A secure payment system was devised by the three companies Europay, Mastercard and Visa, hence the term EMV compliance. It requires point-of-sale systems to be upgraded to contain the counterfeiting of credit cards and the fraud associated with the magnetic stripe. EMV cards work by being inserted into compliant readers, which generate a one-time transaction code unique to each purchase. EMV also allows for secure smartphone payments via NFC radio technology.
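As an added illustration of combining a knowledge factor with a possession factor (this is example code, not from the article or any vendor), the block below verifies a salted PBKDF2 password hash together with a time-based one-time code from a phone app, implemented per RFC 4226 (HOTP) and RFC 6238 (TOTP) using only the standard library. The `TwoFactorAuthenticator` class, its in-memory user store and the enrolled account are constructed for the example; the one-time-code test vectors are the published RFC ones.

```python
import hashlib
import hmac
import secrets
import struct
import time

PBKDF2_ITERATIONS = 600_000  # knowledge factor: slow, salted password hashing
TOTP_STEP = 30               # seconds per one-time code


def hash_password(password, salt=None):
    """Return (salt, digest); pass the stored salt to re-derive for comparison."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)


def totp(secret, now, step=TOTP_STEP, digits=6):
    """RFC 6238: HOTP with the counter derived from Unix time (what the phone app shows)."""
    return hotp(secret, int(now) // step, digits)


def matching_counter(secret, code, now, step=TOTP_STEP, window=1):
    """Return the time step whose code matches (allowing one step of clock drift), else None."""
    counter = int(now) // step
    for offset in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + offset), code):
            return counter + offset
    return None


class TwoFactorAuthenticator:
    """Constructed in-memory user store; a real service keeps this in a database."""

    def __init__(self):
        self.users = {}

    def enrol(self, username, password):
        salt, digest = hash_password(password)
        totp_secret = secrets.token_bytes(20)  # shown to the user once, e.g. as a QR code
        self.users[username] = {"salt": salt, "digest": digest,
                                "totp_secret": totp_secret, "last_counter": -1}
        return totp_secret

    def authenticate(self, username, password, code, now=None):
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            hash_password(password, b"\x00" * 16)  # keep timing similar for unknown users
            return False
        # Evaluate both factors before deciding, so a failure does not reveal which one failed.
        _, digest = hash_password(password, user["salt"])
        password_ok = hmac.compare_digest(digest, user["digest"])
        matched = matching_counter(user["totp_secret"], code, now)
        # Replay protection: a code for an already-used time step is never accepted again.
        if password_ok and matched is not None and matched > user["last_counter"]:
            user["last_counter"] = matched
            return True
        return False


if __name__ == "__main__":
    auth = TwoFactorAuthenticator()
    secret = auth.enrol("alice", "correct horse battery staple")
    now = time.time()
    print("login ok:", auth.authenticate("alice", "correct horse battery staple", totp(secret, now), now))
    print("replay ok:", auth.authenticate("alice", "correct horse battery staple", totp(secret, now), now))
```

The design choice worth noting is that the server records the last accepted time step rather than just checking the clock: a one-time code captured from the user and re-submitted within the drift window is still rejected, which a naive "is the code valid right now" check would not catch.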
As regulations around the world seek to improve and strengthen the data privacy mechanisms required for the authorisation of services provided by companies, the common factors include the consent of the owners of the data and the requirement of transparency about the amount of data used and the manner of its use, among others. This involves a good deal of work on the part of fintech service-providing organisations as they plan their interaction with regulators and their compliance not just with data privacy regulations but also with others, such as the anti-money laundering statutes governing the banking sector in each country.
Fintech and technological developments in the financial sector are becoming increasingly inevitable, commonplace and significant with time, accelerated by global events such as the COVID-19 pandemic and made essential by the basic need for economic activity and monetary exchange. At the same time, they face a challenging backdrop of growing regulatory mechanisms, with regulators placing the utmost responsibility, accountability and compliance requirements on providers, along with severe crackdowns on non-compliance with regulations, standards and protocols and on laxity in disaster and cybercrime response. This is, of course, in furtherance of placing much-needed discretion and weight on consent in the hands of the common people and citizens, giving them a greater say on the use and storage of the data they rightfully own.