Data Protection in the Banking Industry

Ashish M. Shaji

23 Jun, 2020

As we all know that banks possess a large amount of personal and financial data about their customers, and with today’s technology, the information and data can be accessed by anyone who has the permission to access it. It is crucial that these data are secure. This article sheds light on the aspect of data protection in banking.

Overview of Data protection in Banking

The rise of many financial innovations has caused many changes over the last few days years like wire transfers, debit and credit cards, internet banking, mobile payments, etc. Banks have required constant updating of their systems in order to keep up with these changes. Moreover, when implementing new technology, they have to transform their processes to provide security.

The banking regulations have also constantly changed as per the requirements of the modern banking system. Banks deal with sensitive customer data that must be protected and secured from being exploited by anyone. The banks require securing the customers-facing end of banking process and internal process involving their employees etc.

Which legislation applies to data protection in banking?

Banks are governed by the Information Technology Act 2000^[1], which was amended in 2008. The amendment provides for provisions that banks must adopt reasonable security practices with regard to their databases. The IT Act provides that the customers of a bank can obtain compensatory relief for losses owing to any data leakage or any unauthorized disclosure of information by the banks.

Why is strong data protection in banking required?

Banks are one of those sectors that run the risk of privacy violations due to the sensitive and personal nature of the information that is stored, exchanged, and recorded. Banks deal with a large amount of customer data, and they are common targets for cybercriminals and malicious internal players.

The exploitation activities have become more sophisticated and more dangerous; therefore, a robust data protection system must be in place. In case where there is no in-depth defense strategy, one would be highly vulnerable to getting breached.

Banks handle a massive amount of Personal Identifiable Information (PII) and Personal Credit Card Information; therefore, there is a need for increased security and proactive security. An increase in digitalization means more vulnerability of banks for the data breach. This may be a bitter pill to swallow, but the banks need to be prepared for such instances.

Instances of a data breach in the banking sector

In the case of Punjab National Bank vs. Rupa Mahajan Pahwa, in 2008, the bank was charged with issuance of duplicate passbook of a joint saving bank account belonging to a husband and wife being maintained with operational instructions to an unauthorized person.

It was held that the bank is accountable for the disclosed information, and thereafter the bank was charged with a fine and was asked to look into the conduct of the officials who were providing the sensitive information to the unauthorized person.

 Here we find that a bank employee provided personal information to an unauthorized person. It brings us to the question if there is a need for a stringent privacy regulation that requires the employees to go through training on privacy procedures. Even if any personal information of a customer is disclosed, then prior notice must be given to the customers, and specific guidelines must be laid down that provides for cases where such information can be disclosed for strengthening the case for data protection in banking.

Ways of data protection in banking

When it comes to protecting their data, banks must follow a 360-degree approach. This means protecting the customer-facing end of banking and internal process.

Here are some of the ways through which banks protect the data:

• Authentication

Authentication requires that for every transaction, the identity of the person initiating such transaction must be confirmed. This shall apply to customers using online banking to log into their accounts, those visiting the bank branches, and those using credit or debit cards. It shall also apply to employees of the bank who have access to customer’s data. Earlier authentication required an ID and a password/pin only, but these days banks use two factor and multi-factor authentication to know that the person is the one who he or she claims to be. 

• Audit Trails

The banking history of a person is available in the form of statement or passbook, but additionally, banks maintain an audit trail for every event that transpires during a person’s interaction with systems. The time and details of the interaction are recorded whether a person is using mobile banking or online banking. This data is backed up on a daily basis and is never purged fully but archived.

• Secure Infrastructure

Secure infrastructure means the database system and server where the data is stored, and the boundaries are drawn to secure it. Production data is encrypted in any core banking setup. Access to the production system is restricted. Bank employees are provided special equipment that blocks access to social websites, personal e-mails, etc.

• Secure Processes

In the past, banks have used different processes to ensure that security is tested and implemented. It includes KYC (Know your Customer), NDA (Non-Disclosure Agreement) for employees, remote data centers, etc. By using a Data Loss Prevention solution, banks can minimize insider threats and secure customer data. 

• Continuous Communication

Banks constantly communicate with customers regarding upgrades to systems, induction of new authentication procedures, more safe security measures, etc. apart from periodic account statements that are generated. Customers can set alerts to ensure that they are informed in the event of any unexpected activity with regard to their accounts.

Conclusion

Also, read: Cybersecurity in Digital Banking: Threats, Challenges and Solution