When investigating fraud
MANILA, Philippines — The Bangko Sentral ng Pilipinas (BSP) said banks and financial institutions can now freely share information for fraud investigations as cybercriminals continue to perpetrate their illegal activities with the massive shift to digital channels due to the pandemic.
BSP Deputy Governor Chuchi Fonacier said the National Privacy Commission (NPC) has allowed the sharing of relevant information for fraud investigation between BSP-supervised financial institutions (BSFIs) even without a court order.
Fonacier said one of the major hurdles in sharing relevant data, particularly those involving sensitive personal information, in pursuit of fraud investigation, is Republic Act 10173 or the Data Privacy Act of 2012.
Under the law, personally identifiable information of data subjects cannot be freely shared without the data subjects’ consent and without legitimate purpose. This covers all financial accounts such as e-money accounts, credit card accounts and other non-deposit accounts.
Based on the NPC advisory, Section 13 (f) of the Data Privacy Act that allows processing of personal information for protection of lawful rights and interests of natural or legal persons shall apply to sharing of relevant information for fraud investigations.
Thus, the processing of information for fraud investigations does not require an existing court proceeding and will not require a court order, it said.
“All BSFIs are therefore advised of the above NPC advisory opinion and to cooperate and share relevant information to third parties, such as other financial institutions, payment gateway providers, third party service providers and law enforcement agencies, among others in the conduct of fraud investigations,” Fonacier said.
The BSP said banks could share the name, home or delivery address, email address, mobile or other contact details as well as bank or financial account information and transaction details, among others.
“In sharing these information, BSFIs should ensure that the basic data privacy principles of transparency, legitimate purpose and proportionality are adhered to. Moreover, an existing court order or proceeding is not a pre-requisite for information sharing to happen,” Fonacier said.
The BSP official pointed out the financial services industry continues to massively shift to digital financial and payment services in response to the COVID-19 pandemic.
“As a result, cyberthreat actors have more avenues and channels to perpetrate cybercriminal activities which exploit vulnerabilities of BSFIs and their clients. The BSP’s ongoing surveillance shows that the impact of cyberattacks and fraudulent schemes increasingly extend over two or more financial institutions, simultaneously,” Fonacier said.
In order to resolve and effectively investigate fraudulent transactions involving two or more BSFIs, the regulator said there is a need to be coordinated and transparent information sharing mechanisms in place.