Summary of Protection Aspects of Client Identifying Data

by Flavio Gerbino
time to read: 15 minutes

On January 1st, 2015, the circular Operationelle Risiken Banken (translation: Operational Risks Banks) of Finma, the Swiss Financial Market Supervisory Authority, went into effect.

Now that banks have implemented various preparatory and implementation measures, it is time to look at how the circular is being applied to the risk management requirements for handling electronic customer data.

Basically, the circular cements the Principles for the Sound Management of Operational Risk established by the Basel Committee for Banking Supervision. Among other things, the principles assign responsibility for the management of operational risks to the highest level. They also demand that banks have a framework, a control mechanism and a technology infrastructure that allow these risks to be identified, limited and monitored adequately. So basically, you could say that the circular offers nothing new from the standpoint of a responsible risk manager.

You could conclude that the Finma circular aims to establish a regulatory standard in Switzerland based on international standards. However, the intentions of the circular are more far-reaching than that, because operational risks cover an entire spectrum of events, ranging from legal incidents such as fraud to IT-related incidents.

Because incidents involving electronic customer data have occurred not only in other countries but also in Switzerland, they have moved into the focus of interest. Therefore, Finma defines nine basic rules in Annex 3 of the circular. These rules seek to govern the management of risks to the confidentiality of electronic customer data of natural persons (private customers).

With this, Finma tries to apply lessons learned from a range of incidents: data theft at HSBC Private Bank in Geneva, Credit Suisse, Bank Julius Bär and Hyposwiss, system manipulation within the bank itself, and price fixing in Libor or foreign exchange deals.

Client Identifying Data

Regarding client identifying data (CID), the rulings of the circular are more detailed than for other risk areas. This relatively high degree of detail was one of the main points of criticism when the draft was presented to the interested financial institutions. Finma has taken this into account in the final version, but stuck to the basics of its regulatory concept.

Apart from the circular, bank-client confidentiality and data privacy regulation in Switzerland limit access to and transfer of certain data. These laws apply to data in any form – be it written, oral, electronic or of any other nature – that allows the direct or indirect identification of current, former and potential clients, accounts or business relationships.

Returning to the topic of risk management requirements when dealing with electronic customer data, we would benefit from an overview of what types of CID there are.

Definition: Client Identifying Data

CID is information that allows the identification of a client or of his relationship to a financial institution. Therefore, we are dealing with personal data according to the Federal Act on Data Protection, Article 3 letter a.

There are three kinds of CID:

  1. Direct CID
    • Characteristics: All unique identifiers that allow the direct identification of a client.
    • Categories: Personal identification / Company identification / Electronic address data / Physical address data
    • Examples: First name, last name, signature, e-mail address, social network IDs, private or business address, name of company
  2. Indirect CID
    • Characteristics: Information that allows identification of a client only when combined with another bit of information
    • Categories: Personal IDs in Public Registries / Customer identifiers / Career details
    • Examples: Passport ID, ID Card, Social security number, Tax ID, Car number plates, customer number, IBAN/BIC, Account number, Safe deposit number, Contract numbers, User ID / Passwords, Card numbers (credit and debit cards), IP address (static, dynamic) / Career details
  3. Potentially indirect Client Identifying Data
    • Characteristics: Information that only allows the identification of a client when combined with other information as well as other special circumstances
    • Categories: Details of birth / details of family / details of living situation / professional profile / identifiers of company / non-identifying company details / details of personal relationships
    • Examples: Day and month of birth, year of birth, nationality, age, gender, diplomatic status, hobbies, memberships in professional, private or charity clubs, homeland, zip code, professional qualification, currency of account, credit rating, transaction data

Consequences of Use

The following overview shows which consequences the use of CID brings based on their type and sensitivity.

Direct and indirect CID

CID are always to be treated according to the need-to-know / need-to-have principle, regardless of whether they allow a direct or indirect identification of clients. The following points are to be adhered to and are of the utmost importance:

Potentially Indirect CID

The sensitivity of potentially indirect CID can be divided into two categories:

  1. Personal identifiers
  2. Impersonal Identifiers

Their sensitivity varies from case to case, depending on the kind and amount of data, the application used to manage the data and the requirements placed on the data, such as an outsourcing relationship. A universally applicable set of rules is very difficult to find because sensitivity depends heavily on the environment and on the way the data is treated.

Some rules can be applied, though:

A violation of confidentiality of CID has occurred when CID has been exposed to unauthorized persons, regardless of whether they are team members or people from outside the company.

Most accidental violations of confidentiality of CID happen because team members are not aware of the proper treatment of CID. The key term here is lack of risk awareness.

Violation of confidentiality can carry big risks. Among them are:

Challenges of Toxic Combinations

A toxic combination is a combination of data that allows foreign interested parties to identify clients in Switzerland by exploiting insufficient or missing access controls or errors in processes. Accessing Swiss data from outside the country's borders by way of toxic combinations can violate Swiss law as well as regulatory requirements.

Figure: Toxic Combination of CID

Strict and adequate division of CID is most likely the best way to ensure that users have no way of determining the identity of clients.

Toxic combinations are highly likely to pose a challenge for financial institutions in the near future, as regulation will keep getting tighter.

First concepts that deal with toxic combinations are on the horizon, but the diversity and complexity of systems and environments, the factors of outsourcing and offshoring, and the processes associated with all of these make a pragmatic and risk-based implementation difficult. On the other hand, these challenges could be used for a general overhaul of organizational and technological protective measures. This could be a solid basis for adjusting the business model as well as the processes.
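To make the idea of a toxic combination concrete, here is an added example (not code from the original article) that unions the fields a role can reach across several applications and flags identifying combinations reachable from outside Switzerland. The CID tiers and field names follow the classification above; the identification rule, the three-attribute threshold and the sample entitlements are constructed assumptions.

```python
"""Added example: flag toxic combinations across role entitlements (constructed)."""
from collections import defaultdict

# Tiers and sample field names follow the CID classification above.
DIRECT = {"first_name", "last_name", "email", "private_address"}
INDIRECT = {"passport_id", "tax_id", "customer_number", "iban", "account_number"}
POTENTIAL = {"year_of_birth", "nationality", "gender", "zip_code", "account_currency"}
POTENTIAL_THRESHOLD = 3  # assumption: three potentially indirect attributes identify

def classify(field):
    """Map a field name to its CID tier; unknown fields count as non-CID."""
    if field in DIRECT:
        return "direct"
    if field in INDIRECT:
        return "indirect"
    return "potential" if field in POTENTIAL else "non-cid"

def identifies_client(fields):
    """Assumed rule: a direct identifier, an indirect identifier next to any
    other CID field, or POTENTIAL_THRESHOLD potential attributes identify."""
    tiers = [classify(f) for f in fields]
    cid_fields = sum(t != "non-cid" for t in tiers)
    if "direct" in tiers:
        return True
    if "indirect" in tiers and cid_fields >= 2:
        return True
    return tiers.count("potential") >= POTENTIAL_THRESHOLD

def toxic_combinations(entitlements):
    """Union the fields each (role, location) reaches across all applications and
    flag identifying unions reachable from outside Switzerland. A review done
    application by application would not see the combination."""
    reach = defaultdict(set)
    for role, location, _app, fields in entitlements:
        reach[(role, location)].update(fields)
    return sorted(key for key, fields in reach.items()
                  if key[1] != "CH" and identifies_client(fields))

# Constructed sample: (role, country of the accessing team, application, fields).
SAMPLE_ENTITLEMENTS = [
    ("ops_offshore", "IN", "core_banking", {"account_number", "balance"}),
    ("ops_offshore", "IN", "crm", {"zip_code", "year_of_birth"}),
    ("advisor_zurich", "CH", "crm", {"first_name", "last_name", "iban"}),
    ("reporting_offshore", "PL", "dwh", {"account_currency", "balance"}),
]

if __name__ == "__main__":
    print(toxic_combinations(SAMPLE_ENTITLEMENTS))  # [('ops_offshore', 'IN')]
```

Neither of the two offshore entitlements is identifying on its own; only their union is, which is why the check has to run over the combined reach of a role rather than per application.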

General High Level Principles When Protecting CID

During the conceptual planning of the implementation of the Finma circular, requirements need to be defined and certain aspects respected.

  1. Clarity concerning the requirements on creation
    • Which CID is stored in which applications?
  2. Need to Know
    • Closer definition of Need to Know under the aspect of roles
    • Closer definition of Need to Know under the aspect of functions
    • Pay attention to Toxic Combinations
  3. Pay attention to other subject matters

The requirements should permeate all levels of hierarchy of a financial institute and should be addressed from the top down.

  1. Management: Attention & Awareness
    • Definition of the CID mission
    • Allocation of needed resources
    • Communication
    • Emphasis on importance of subject
  2. Team members: Attention & Awareness
    • Information
    • Workshops with key personnel
  3. Internal Controlling
    • Assimilation of the requirements in the circular
    • Updating of pre-existing CID processes
    • Design of new CID processes
    • Adaptation of guidelines concerning protection of client data
  4. IT
    • Implementation of the revised need-to-know principle
    • Alignment of standards
    • Alignment of access rights
    • Alignment of access concepts

The following overview is a possible and simplistic structure of the subjects that are to be dealt with:

Summary

The Finma circular demonstrates that bank-client confidentiality will be better protected against external data theft if the circular is observed. It is, however, only a guideline and not a law. Regardless of the circular's legal status, financial institutions need to take more note of these requirements. Although the circulars are not legally binding, financial auditors are required to check banks for adherence to them. Therefore, the circulars have a great impact on the operations of a financial institution, and they can carry decisive weight when court proceedings require a judgment.

Considering where the banking industry currently stands, it seems all the more appropriate that banks change their paradigms to meet the guidelines the circular sets for the protection of CID. It is known that adapting to the guidelines is hard on resources, and so is maintaining them on a day-to-day basis. Unfortunately, we observe that banks often see themselves close to the finish line when they are really only at the start of the race. They often underestimate the complexity and treat this critical topic too lightly.

Here are the special challenges:

However, implementing the circular's guidelines also offers a great many opportunities that will benefit the financial institution greatly.

About the Author

Flavio Gerbino

Flavio Gerbino has been in information security since the late 1990s. His main areas of expertise in cybersecurity are the organizational and conceptual security of a company.
