< Previous standard      ^ Up a level ^      Next standard >

ISO/IEC 27562 — Information technology — Security techniques — Privacy guidelines for fintech services [DRAFT]

Abstract

“This document provides guidelines on privacy for fintech services. It identifies all relevant business models and roles in consumer-to-business relation as well as in business-to-business relation, privacy risks, and privacy requirements, which are related to fintech services. It provides privacy controls specific to fintech services to address the privacy risks, taking in consideration the legal context of the respective business role. The principles are based on the ones described in ISO/IEC 29100, ISO/IEC 27701 and ISO/IEC 29184, and privacy impact assessment framework described in ISO/IEC 29134 and ISO 31000. It also provides guidelines focusing on a set of privacy requirements for each stakeholder.”

[Source: ISO/IEC JTC 1/SC 27 SD11]

Introduction

“Fintech” refers to the use of information and communications technology within the financial services industry - banking, insurance, investment etc. - in particular, for financial services delivered digitally.  A significant amount of personal information is processed through fintech.

Personal information is subject to an array of privacy laws and regulations as well as corporate privacy policies and ethical considerations, all of which help ensure the trustworthiness necessary to earn the trust of data subjects (customers).

Modern fintech architectures increasingly involve novel technologies such as cloud-based microservices with Application Programming Interfaces, blockchain and Artificial Intelligence/Machine Learning. In addition to the usual data/cyber security risks and controls, privacy concerns must also be identified, evaluated and addressed.

Scope of the standard

The standard addresses the privacy aspects of fintech.

Content of the standard

Main sections:

5. Stakeholder, general concerns for fintech services
6. General principles applicable to fintech services
7. Actors in fintech services
8. Privacy risks to actors
9. Privacy controls for actors
10. Privacy guidelines for actors
11. Privacy guidelines for industry regulators

... plus 6 annexes providing supplementary information about personal information plus privacy regulations, architecture, use cases, risks and AI.

Status

The project started in 2021.

 The standard is at Draft International Standard stage and is due to be published in 2024, hopefully once the numerous language and typographical issues are resolved.

Personal notes

 I am unclear if and why the financial services technology industry requires specific guidance on privacy that is not already available in other standards, laws and regulations. What makes fintech privacy special, I wonder?  Should we anticipate similar privacy standards for healthtech, govtech, agritech and so forth? Even within fintech, what about safety, information security, security generally and governance, aside from privacy? Where does it all end?

 A particular concern for the already heavily-regulated financial services industry is the potential additional compliance burden if regulators start using this standard as a mandatory set of privacy control requirements. There are lots of controls in this standard, some quite complex and costly to design, implement, operate, manage and maintain. The details are devilish.

On the upside, guidance on the application of AI/ML technologies within financial services is timely.

< Previous standard      ^ Up a level ^      Next standard >