Perspective | Special Regulations on Financial Data Compliance from the Data Entry of a Certain Bank


Published:

2024-11-05

Recently, the author conducted a data compliance assessment for a certain bank's data assets. The bank's data was purchased from a third party and can be queried and used through an API interface with the authorization of the information subject. Relying on the data accumulated over the years, the bank has constructed statistical indicators from different business dimensions; built evaluation models based on intelligent algorithms; and introduced information on dishonest individuals and enterprises as references for risk assessment, forming the "Smart Risk Control Data Model" of the bank. This data model can provide data support for loan admission, anti-fraud, credit limit calculation, rating, pricing, and other services. It can also be applied to internal operational management, optimizing the risk control system and improving service efficiency and quality through relevant data resources.


Financial data compliance must not only satisfy the general provisions applicable to data compliance, such as the "Civil Code," "Cybersecurity Law," "Data Security Law," and "Personal Information Protection Law"; it must also meet the special regulatory requirements of the financial industry. Particular attention should be paid to the industry standards that guide financial institutions in carrying out financial data security protection work, such as the "Financial Data Security Classification Guidelines," the "Financial Data Security Data Lifecycle Security Specifications," and the "Technical Specifications for Personal Financial Information Protection." The following introduces these requirements mainly from the perspectives of data classification and grading and of data lifecycle management:

1. Financial Data Classification and Grading

The "Cybersecurity Law" stipulates that the state implements a network security grading (multi-level) protection system, and that network operators should take measures such as data classification and important data backup in accordance with the requirements of that system. The "Data Security Law" likewise stipulates that data should be protected on a classified and graded basis. Although there are currently no specific legal provisions for data classification and grading at the national level, the financial industry, as the earliest and most developed industry in compliance construction, has long issued various industry standards. From the perspective of banks, the People's Bank of China issued the "Technical Specifications for Personal Financial Information Protection" on February 13, 2020, classifying personal financial information into three categories by sensitivity: C3 category information mainly includes user identification information; C2 category information mainly includes personal financial information that can identify the identity and financial status of specific individuals, as well as key information used for financial products and services; C1 category information mainly refers to institutions' internal information assets, i.e., personal financial information used internally by financial institutions. The specification also emphasizes that the same piece of information may fall into different categories in different service scenarios, so the category of information should be identified according to the service scenario and the role that information plays in it, with targeted protection measures applied accordingly. In addition, the "Financial Data Security Classification Guidelines" divide financial data into five security levels, from high to low, based on the impact on national security, public interests, personal privacy, and the legitimate rights and interests of enterprises.

2. Lifecycle Management of Financial Data

After establishing a data classification and grading management system, data security must be effectively ensured in practice, which means implementing it concretely in every stage of data lifecycle management: collection, transmission, storage, use, deletion, and destruction. Financial industry standards such as the "Technical Specifications for Personal Financial Information Protection" and the "Financial Data Security Data Lifecycle Security Specifications" systematically stipulate compliance requirements for each of these lifecycle stages. Beyond the requirements that coincide with the legal provisions of the "Cybersecurity Law," "Data Security Law," and "Personal Information Protection Law," the main special compliance requirements are as follows:

(1) Data Collection: Responsibilities and obligations regarding data security should be clearly defined through contracts and agreements; a constraint mechanism should be established for data collected from external data suppliers; data collected from corporate clients should be directly related to the financial products or services provided and should not exceed the necessary scope; the scope of persons permitted to know personal financial information and important data during collection, and the corresponding security control measures, should be clarified to ensure the compliance, integrity, and authenticity of the collected data; the authenticity of data collection devices or systems should be verified at the time of collection; when collecting level 3 and above data, enhanced verification of the authenticity of data collection devices or systems should be performed by combining multiple factors such as password, device fingerprint, physical location of the device, network access method, and device risk status; when collecting data from personal information subjects, level 3 and above data should not be retained after the relevant business of the APP, WEB, or other client is completed, and the cache should be cleared in a timely manner; the personal financial information collected should be directly related to the financial products or services provided, consistent with the content agreed upon in the contract terms and privacy policy, and should not exceed the necessary scope.

(2) Data Transmission: Measures should be taken to strengthen network and data security during transmission; financial data transmission takes two forms, transmission within a financial institution and transmission between a financial institution and external institutions or clients, and different transmission forms and different recipients should use different data transmission technologies.

(3) Data Storage: Data should be stored by domain and by grade; data should be stored according to the principle of minimum necessity; the strength of security protection should not be reduced because the storage form or retention period changes.

(4) Data Use: Specific and clear requirements are set out for data access, data export, data processing, data display, development and testing, aggregation and integration, public disclosure, data transfer, entrusted processing, and data sharing.

(5) Data Deletion: When a personal financial information subject requests deletion of their personal financial information, the institution should respond in accordance with the relevant national and industry regulations and with its agreement with the subject; data that exceeds the retention period specified by national and industry regulations, internal rules, and contractual agreements should be deleted.

(6) Data Destruction: Storage media should be destroyed in an irrecoverable manner; if storage media needs to be reused, the data should be securely erased through technical means so that the data on the media can no longer be recovered or otherwise exploited; data deletion results should be verified on a regular basis.
