Bank secrecy and our data privacy laws have their purposes and advantages, especially in protecting consumers’ sensitive personal information. However, recent fraudulent events nearing the holidays and involving bank accounts have led some to ask: Where does the balance lie between privacy, on the one hand, and regulation and investigation, on the other? How will valuable data and personal information be made available in order to properly investigate and prosecute cyberattacks on our financial institutions?
Bangko Sentral ng Pilipinas (BSP) may have struck such a delicate balance through BSP Memorandum M-2021-059, signed last 3 November 2021.
The BSP recognized that there has indeed been a massive shift to digital financial and payment services in response to the Covid-19 pandemic. Now more than ever, there is a need to revisit the channels that enable cybercriminal activities, which largely rely on outdated technologies or lax privacy mechanisms of banks and other BSP-supervised financial institutions (BSFI) and their clients.
The BSP found that, as with recent events, cyberattacks and fraudulent schemes often involve two or more financial institutions simultaneously. This multi-party effect of fraudulent cyberattacks highlights the need for transparency and information sharing, which necessarily involves sensitive personal information if a fraud investigation is to be fruitful and get to the bottom of such incidents.
Of course, at the heart of the matter is the Data Privacy Act of 2012 (DPA) or RA 10173. Under the DPA, personally identifiable information of data subjects cannot be freely shared without the data subjects’ consent and without a legitimate purpose. These cover all financial accounts such as e-money accounts, credit card accounts, and other non-deposit accounts. To address this legal concern, the BSP sought clarification and advice from the National Privacy Commission (NPC) with respect to information sharing for fraud investigations.
Based on NPC Advisory Opinion 2021-026, the processing of personal information for the protection of lawful rights and interests of natural or legal persons is allowed under Sec. 13 (f) of the DPA. It applies to the sharing of relevant information for fraud investigations such as those carried out involving banks and other financial accounts. The NPC also stated that such processing does not require an existing court proceeding, and thus will not necessarily require a court order.
Aside from the foregoing, Section 21 (f) of the Implementing Rules and Regulations (IRR) of the DPA allows the processing of personal information when the same is necessary for the fulfillment of the constitutional or statutory mandate of a public authority, in such case when directed by the authority involved in the fraud investigation being carried out. Arguably, it may also be allowed under Section 21 (g) which allows such processing if necessary to pursue the legitimate interests of the personal information controller, or by a third party or parties to whom the data are disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject, which require protection under the Philippine Constitution.
Armed with such opinion, the BSP advised that all BSFI must cooperate and share relevant information with third parties, such as other financial institutions, payment gateway providers, third-party service providers, and law enforcement agencies, among others, in the conduct of fraud investigations. Information that may be shared or disclosed to the said parties includes, but is not limited to, the following:
a. Name
b. Home/Delivery Address
c. Email Address
d. Mobile or other contact details
e. Bank/financial account information
f. Bank/financial transaction details
Nevertheless, BSFI are reminded that in sharing such information, the basic data privacy principles of transparency, legitimate purpose, and proportionality must be adhered to. The IRR of the DPA requires personal information controllers and personal information processors, such as the BSFI in respect of their customers’ information, to implement reasonable and appropriate organizational, physical, and technical security measures for the protection of personal data. The security measures should be adequate to assure the availability, integrity, and confidentiality of personal data and to prevent any accidental or unlawful destruction, alteration, or disclosure, as well as any other unlawful processing.
In this day and age, it has been said that data is the new gold. Gold is often buried deep under the earth’s surface and must be mined before it becomes a valuable resource. Data must similarly be protected and secured, but in the proper cases, mined and shared if necessary in order to combat and deter cybercrimes and other fraudulent attacks.
Let me end with a wish that all of you, my dear readers, have a blessed and Merry Christmas.
First published on The Daily Tribune.