THE VALUE OF DATA PRIVACY BY DESIGN IN THE FINTECH INDUSTRY

11 March 2022

Data privacy is one of the major compliance concerns, especially in the digital financial sector, where the processing of customers' personal data is the main ingredient in the development and operation of its applications.

However, in the design and development of these fintech applications, data privacy is oftentimes the last consideration, which frequently leads to re-doing or revising the applications in order to comply with data privacy requirements. As such, data privacy by design is important from the start of the conceptualization, pre-development, and development of fintech apps.

Data privacy by design is an approach undertaken in order to incorporate data privacy compliance requirements in the design and development phase of a system. This approach includes risk determination, analysis and remediation covering the data processing cycle and lifespan in both the front end and the back end of the app's ecosystem.

The following are a few guidelines for industries engaged in the development of fintech apps (e.g. e-wallets, virtual currency exchanges, payment systems, online lending):

The type of personal data to be collected and processed – Under the Data Privacy Act of 2012 (DPA), one of the principles is proportionality. This means that the type of data collected and processed must be relevant and necessary for the declared purpose. For example, for e-wallet operators, the Know-Your-Customer rules apply, whereby the operator collects the minimum information required to onboard and verify the user and to allow the user to perform the functionalities of the e-wallet. A practical check at design time is to list every field the app collects beside the purpose that requires it; a field with no purpose beside it should not be collected.

On the other hand, in the case of online lending apps (OLAs), the National Privacy Commission (NPC) opined that OLAs violated the proportionality principle when they collected, accessed, and processed the phone contacts of the borrower, because such processing is not necessary for the purpose of approving the loan application or for loan collection.

Method of obtaining consent – The requirement under the DPA is that consent from the customer or data subject must be express, and such consent must be recorded, whether by written, electronic or recorded means. In the design of the app, the manner and procedure for securing consent must be technically defined. For example, the consent tick box should not be pre-filled, and if the tick box is not ticked, the onboarding process should not proceed. Since the consent must be recorded, the app should also store, for each consent given, what the user consented to (for instance the version of the privacy notice shown) and when, so that the record can be produced as evidence later.

Data sharing – The financial sector players are interlinked with each other in the performance of their services. For example, a payment system operator transmits information about the merchant's customers to another bank for settlement purposes. Another example is an online mortgage broker that shares and submits the borrower's information to a banking or lending institution. These sharing mechanisms are generally automated, such that pre-determined information and/or documents containing personal information are transferred from one system to another.

Such sharing of personal information is required to comply with the data sharing rules prescribed by the DPA and expressly codified in NPC Circular No. 2020-03. The data sharing agreement shall expressly state the purpose and lawful basis of the data sharing, its objectives, the types of personal data, the method of processing the personal data, the term of the agreement, the operational details of the sharing, the security measures, and retention and data disposal. Because the sharing is automated, the fields the integration actually transmits should be checked against the fields the agreement lists, and kept to that list.

Access credentials – Access credentials are key to ensuring that no one other than the user can access the app and, on the operator's side, that a matrix of user access and log-in credentials is formulated at the inception of app development. As regards the front end of the app, the developer shall consider password complexity requirements and the frequency of password changes; note that forced periodic password changes are no longer recommended by NIST SP 800-63B, so mandatory rotation should follow the applicable BSP rules and evidence of compromise rather than a fixed calendar. For transaction execution, the developer shall also consider the type of authentication mechanism depending on the tiering matrix for user classification, for instance requiring a second factor for transactions above a tier's limit.

Security measures – Whatever the type of fintech app, technical security is a must. One of the requirements under the DPA and relevant BSP rules is the conduct of vulnerability assessment and penetration testing (VAPT) during user acceptance testing and, as a best practice, again before the app goes "live" in production. Findings rated high or critical should be remediated and retested before release rather than carried into production.

Another way of securing data is encryption. Under NPC Circular No. 16-01, all personal data that are digitally processed must be encrypted, whether at rest or in transit. The NPC recommends the Advanced Encryption Standard with a key size of 256 bits (AES-256). Encryption is only as strong as the protection of its keys: the keys should be stored separately from the data they protect (for example in a key management service or hardware security module), with access limited to the components that need to decrypt.
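As an added example, not code from the article or the NPC, the following Go program encrypts a single personal-data field at rest with AES-256 in GCM mode, which also detects any modification of the stored ciphertext. The record identifier is bound to the ciphertext as associated data so that an encrypted value cannot be silently moved from one customer record to another. The 32-byte key, the record identifier and the sample field value are assumptions for the demonstration; in production the key would come from a key management service, not from the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// EncryptField encrypts one personal-data field with AES-256-GCM.
// key must be exactly 32 bytes (that is what makes it AES-256; a 16-byte
// key would silently give AES-128). recordID is bound to the ciphertext as
// associated data, so the stored value only decrypts for the record it was
// written for. Output layout: nonce (12 bytes) || ciphertext || GCM tag (16 bytes).
func EncryptField(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per encryption; reusing a nonce under the same key
	// breaks GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce, so the nonce travels with the data.
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptField reverses EncryptField. Any change to the stored bytes, a wrong
// key, or a mismatched recordID makes the GCM tag check fail.
func DecryptField(key []byte, recordID string, sealed []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return nil, errors.New("decryption failed: wrong key, wrong record, or tampered data")
	}
	return pt, nil
}

func main() {
	// Constructed demo key; a real key comes from a KMS/HSM, never from source code.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	sealed, err := EncryptField(key, "customer-1001", []byte("Juan dela Cruz"))
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", hex.EncodeToString(sealed))

	pt, err := DecryptField(key, "customer-1001", sealed)
	fmt.Printf("decrypted for own record: %q err=%v\n", pt, err)

	// Same ciphertext copied onto another customer's record: refused.
	_, err = DecryptField(key, "customer-1002", sealed)
	fmt.Println("decrypted for other record: err =", err)

	// One bit flipped in the stored value: refused.
	sealed[len(sealed)-1] ^= 0x01
	_, err = DecryptField(key, "customer-1001", sealed)
	fmt.Println("decrypted after tampering: err =", err)
}
```

The record binding is the part most field-level encryption code omits: without it, an insider with database write access can swap two customers' encrypted balances or identities without ever touching a key.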

As regards back-end access, it has always been recommended that the back-end system record a log-in audit trail. In this way, data theft is deterred or can be traced. The audit trail should be written so that the administrators whose actions it records cannot quietly alter or delete entries, otherwise it traces nothing.
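As an added example, not part of the article, the Go program below keeps a back-end log-in audit trail in which each entry carries an HMAC over its own fields and the previous entry's HMAC. The verifier walks the chain and reports the first entry that has been altered, removed, or computed with a different key. The event fields, the constructed sample events and the demo key are assumptions; the point is that an insider with write access to the log store but no access to the log key cannot rewrite history undetected.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// LoginEvent is one back-end access record (operator side, not customer side).
type LoginEvent struct {
	Time     string // RFC 3339 timestamp written by the auth service
	Operator string // back-end account name
	SourceIP string
	Action   string // e.g. "login", "logout", "export_customer_data"
	Result   string // "success" or "failure"
	PrevMAC  string // hex MAC of the previous entry, "" for the first entry
	MAC      string // hex HMAC-SHA256 over PrevMAC and the fields above
}

// canonical serialises the MAC-covered fields with a separator that cannot
// appear in them, so two different events never produce the same bytes.
func canonical(e LoginEvent) string {
	return strings.Join([]string{e.PrevMAC, e.Time, e.Operator, e.SourceIP, e.Action, e.Result}, "\x1f")
}

func mac(key []byte, e LoginEvent) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(canonical(e)))
	return hex.EncodeToString(m.Sum(nil))
}

// Append links a new event to the tail of the trail and seals it with the log key.
func Append(key []byte, trail []LoginEvent, e LoginEvent) []LoginEvent {
	e.PrevMAC = ""
	if len(trail) > 0 {
		e.PrevMAC = trail[len(trail)-1].MAC
	}
	e.MAC = mac(key, e)
	return append(trail, e)
}

// Verify returns -1 if the whole chain is intact, otherwise the index of the
// first entry whose MAC, or whose link to its predecessor, does not check out.
func Verify(key []byte, trail []LoginEvent) int {
	prev := ""
	for i, e := range trail {
		if e.PrevMAC != prev {
			return i // an entry before this one was removed or reordered
		}
		if !hmac.Equal([]byte(mac(key, e)), []byte(e.MAC)) {
			return i // this entry's fields were changed, or a different key was used
		}
		prev = e.MAC
	}
	return -1
}

// SampleTrail builds a constructed three-event trail; these are not real log lines.
func SampleTrail(key []byte) []LoginEvent {
	var trail []LoginEvent
	trail = Append(key, trail, LoginEvent{Time: "2022-03-11T08:02:11+08:00", Operator: "ops.maria", SourceIP: "10.20.1.15", Action: "login", Result: "success"})
	trail = Append(key, trail, LoginEvent{Time: "2022-03-11T08:05:40+08:00", Operator: "ops.maria", SourceIP: "10.20.1.15", Action: "export_customer_data", Result: "success"})
	trail = Append(key, trail, LoginEvent{Time: "2022-03-11T08:06:02+08:00", Operator: "ops.maria", SourceIP: "10.20.1.15", Action: "logout", Result: "success"})
	return trail
}

func main() {
	key := []byte("constructed-demo-log-key-do-not-use") // assumption: held by the log collector, not the DBA
	trail := SampleTrail(key)
	fmt.Println("intact chain, first bad index:", Verify(key, trail))

	// An insider with database write access relabels the export as a plain login.
	trail[1].Action = "login"
	fmt.Println("after editing entry 1, first bad index:", Verify(key, trail))

	// Deleting the export entry instead breaks the link from the entry after it.
	cut := append([]LoginEvent{trail[0]}, trail[2])
	fmt.Println("after deleting entry 1, first bad index:", Verify(key, cut))
}
```

A plain hash chain (SHA-256 without a key) would let the same insider recompute every hash after the edit; keying the chain with a secret the log store never sees is what makes the trail usable as evidence of data theft rather than just a record of it.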

Data ownership, data location and retrieval – BSP Circular No. 1137 provides that one of the most common areas of concern is data transit, storage, and retrieval, particularly in view of multi-region cloud deployment set-ups. Under the said circular, before the app is designed to use the cloud as its data storage, it is important that the cloud service provider is able to implement access control mechanisms and to segregate the financial institution's data from that of the provider's other customers.


This article is for general information only and is not intended, nor should it be construed, as a substitute for legal advice on any specific matter. Professional legal advice is still necessary for an actual or particular issue.

#fintech #dataprivacy