SBP asks banks to ensure data privacy

KARACHI: The State Bank of Pakistan (SBP) on Monday asked financial institutions to ensure that customers’ confidential data is not disclosed to unauthorised officials.

“Section 33A of the Banking Companies Ordinance, 1962, inter alia, requires that bank / financial institution shall not divulge any information relating to the affairs of its customers except in circumstances in which it is, in accordance with law, practice and usage customary among bankers, necessary or appropriate for a bank to divulge such information,” the SBP said in a statement.

“It has, however, been observed that the above directives envisaged under the law are not being meticulously followed.” The SBP said the centralisation of core banking systems of banks has now made customers’ data accessible across the banks.

“This access, however, needs to be suitably managed to ensure that only authorised officials access this confidential data for specified purposes,” it added. “Instances of accessing customer related information by irrelevant bank officials and divulging of same to unauthorised persons have been noted. Such practices on part of banks and development finance institutions (DFIs) are not appropriate and have been viewed seriously.”

The SBP asked banks / DFIs to strictly incorporate necessary controls, checks and balances in their policies and procedures to stop such practices and ensure meticulous compliance with Section 33A of the Banking Companies Ordinance, 1962 in letter and spirit. The SBP also advised the banks to reinforce directives for safeguarding customers’ information.

“A proper training should be provided to all staff members for not disclosing confidential information of customers to unauthorised persons,” the SBP said. “The right to access of information pertaining to the customers’ account balance and other important information should only be available to the relevant bank official(s) on need basis, and in accordance with the approved authority, which should be properly documented.”

The SBP further said that in case of a change in the role or responsibilities of a staff member, all IT access rights no longer required for the new role should immediately be deleted, and any additional rights should be assigned through an approved process. In addition, regular reviews of staff IT access rights should also be carried out to ensure that there are no anomalies, it added.