< Previous standard      ^ Up a level ^      Next standard >

ISO/IEC 27562 — Information technology — Security techniques — Privacy guidelines for fintech services [DRAFT]

Abstract

 “This document provides guidelines on privacy for fintech services. It identifies all relevant business models and roles in consumer-to-business relation as well as in business-to-business relation, privacy risks, and privacy requirements, which are related to fintech services. It provides privacy controls specific to fintech services to address the privacy risks, taking in consideration the legal context of the respective business role. The principles are based on the ones described in ISO/IEC 29100, ISO/IEC 27701 and ISO/IEC 29184, and privacy impact assessment framework described in ISO/IEC 29134 and ISO 31000. It also provides guidelines focusing on a set of privacy requirements for each stakeholder.”

[Source: ISO/IEC JTC 1/SC 27 SD11]

Introduction

“Fintech” refers to the use of information and communications technology within the financial services industry - banking, insurance, investment etc. - in particular, for financial services delivered digitally.  A significant amount of personal information is processed through fintech.

Personal information is subject to an array of privacy laws and regulations as well as corporate privacy policies and ethical considerations, all of which help ensure the trustworthiness necessary to earn the trust of data subjects (customers).

Modern fintech architectures increasingly involve novel technologies such as cloud-based microservices with Application Programming Interfaces, blockchain and Artificial Intelligence/Machine Learning. In addition to the usual data/cyber security risks and controls, privacy concerns must also be identified, evaluated and addressed.

Scope of the standard

The standard addresses the privacy aspects of fintech.

Content of the standard

Main sections:

5. Overview of general privacy concerns and principles
6. Fintech services business model (industry structure, personal information flows)
7. Fintech services actors (financial services suppliers)
8. Privacy risks for industry players
9. Privacy controls for industry players
10. Privacy guidelines for industry players
11. Privacy guidelines for industry regulators

Status

The project started in 2021.

 It is at second Committee Draft stage and is due to be published in 2024.

Personal notes

I am unclear why the financial services technology industry requires specific guidance on privacy that is not already available in other standards, laws and regulations. What makes fintech so special, I wonder?

< Previous standard      ^ Up a level ^      Next standard >