ISO/IEC 27562



ISO/IEC AWI 27562 — Information technology — Security techniques — Privacy guidelines for fintech services [DRAFT]



“This document provides guidelines on privacy for fintech services. It identifies all relevant business models and roles in consumer-to-business relations as well as in business-to-business relations, privacy risks, and privacy requirements, which are related to fintech services. It provides privacy controls specific to fintech services to address the privacy risks, taking into consideration the legal context of the respective business role. The principles are based on the ones described in ISO/IEC 29100 and ISO/IEC 27701 and the privacy impact assessment framework described in ISO/IEC 29134 and ISO 31000. It also provides guidelines focusing on a set of privacy requirements for each stakeholder.”
[Source: SC 27 Standing Document 11 (2021)]


The proposed 1st Working Draft stated:

    “Fintech refers to the use of ICT technologies across all financial service functions, for example, banking, payments and insurance, etc.

    Fintech represents the next wave of innovation for the financial service sector. Strong authentication technologies, emerging decentralized technologies like blockchain, and analytical technologies for fraud detection and anti-money laundering compliance are changing digital financial services. Privacy aspects must be the top priority in order to build trust and confidence in fintech services and applications and to protect financial infrastructure and customers.

    AML (anti-money laundering) rules require the collection, processing and use of personal data as part of customer due diligence (KYC). Fraud detection requires transaction monitoring, behavioral monitoring, internal data sharing (including within a group), external data sharing (including with regulators and other financial institutions), data sharing for outsourced arrangements, and cross-border processing of data (especially for international payments). Consumers want to be able to control access to their information.

    This document should apply the privacy principles described in ISO/IEC 29100:2011 as a starting point. The privacy guideline is to use the existing work on privacy frameworks (including the NIST privacy framework: an enterprise risk management tool) and privacy impact assessment in ISO/IEC 29134:2017 to develop the guidelines.

    It will identify all relevant stakeholders and privacy risks, which are related to fintech services. It also considers regulatory requirements, such as those from anti-money laundering and fraud detection.”


Scope of the standard

Privacy aspects for financial services’ IT.


Content of the standard




The project started in January 2021.

It is at 1st Working Draft stage.


Personal notes

I don’t know what “AWI” in the title of this draft standard means - yet another example of ISO failing to expand obscure abbreviations. Who knows, perhaps it stands for “Acronym Worth Ignoring” or “Abbreviated With Impunity”. Come on SC 27, it’s not that hard to consider the poor reader, is it? They are, after all, your customer.



Copyright © 2022 IsecT Ltd.