< Previous standard      ^ Up a level ^      Next standard >

ISO/IEC 27562:2024 — Information technology —  Security techniques — Privacy guidelines for fintech services (first edition)

Abstract

“[ISO/IEC 27562] provides guidelines on privacy for fintech services. It identifies all relevant business models and roles in consumer-to-business relations and business-to-business relations, as well as privacy risks and privacy requirements, which are related to fintech services. It provides specific privacy controls for fintech services to address privacy risks.  [ISO/IEC 27562] is based on the principles from ISO/IEC 29100, ISO/IEC 27701, and ISO/IEC 29184, the privacy impact assessment framework described in ISO/IEC 29134, and the risk management guideline described in ISO 31000. It also provides guidelines focusing on a set of privacy requirements for each stakeholder.  [ISO/IEC 27562] can be applicable to all kinds of organizations such as regulators, institutions, service providers and product providers in the fintech service environment.”

[Source: ISO/IEC 27562:2024]

Introduction

“Fintech” (a contraction of financial technology, formally defined by the standard as “digital innovations and technology-enabled business model innovations in the financial sector”) refers to the use of information and communications technology within the financial services industry - banking, insurance, investment etc. - in particular, for financial services delivered digitally. A significant amount of personal information is processed by fintech.

Personal information is subject to an array of privacy laws and regulations as well as corporate privacy policies and ethical considerations, all of which help ensure the trustworthiness necessary to earn the trust of data subjects (customers).

Modern fintech architectures increasingly involve novel technologies such as cloud-based microservices with Application Programming Interfaces, blockchain and Artificial Intelligence/Machine Learning. In addition to the usual data/IT/cyber security risks and controls, privacy concerns must also be identified, evaluated and addressed.

Scope of the standard

The standard addresses the privacy aspects of fintech.

Content of the standard

Main sections:

5. Stakeholder, general concerns for fintech services
6. General principles applicable to fintech services
7. Actors in fintech services
8. Privacy risks to actors
9. Privacy controls for actors
10. Privacy guidelines for actors

... plus 6 annexes providing supplementary information about personal information plus privacy regulations, architecture, use cases, risks and AI.

Status

The standard development project started in 2021.

The first edition was published in December 2024.

Personal comments

I am unclear whether/why the financial services technology industry requires specific guidance on privacy that is not already available in other standards, laws and regulations. What makes fintech privacy special, I wonder?  Should we anticipate similar privacy standards for healthtech, govtech, agritech and othertech? Even within fintech, what about safety, information security, security generally and governance, aside from privacy? Where does it all end?

A particular concern for the already heavily-regulated financial services industry is the potential additional compliance burden if regulators start using this standard as a mandatory set of privacy control requirements. There are lots of controls in this standard, some quite complex and costly to design, implement, operate, manage and maintain. The details are devilish.

On the upside, guidance on the application of AI/ML technologies within financial services is timely.

< Previous standard      ^ Up a level ^      Next standard >