BSP to Banks: Beware of Bots in Handling Customer Data

The Bangko Sentral ng Pilipinas (BSP) underscored the significant risks brought by robotic process automation (RPA) and other data scraping methods which are employed by financial institutions to collect Personally Identifiable Information (PII) and gain access to a financial account or facilitate financial transactions.


RPA, or software robotics, uses intelligent automation technologies to perform repetitive human work such as extracting data, filling in forms, and moving files. Data scraping is a technique in which a computer program extracts data from human-readable output.


While the BSP recognizes the merits of these alternative data-sharing tools as innovative solutions to access and utilize data for market insights and optimize customer service processes, the improper and unauthorized access and handling of customer data, particularly involving financial information, through the use of such tools may expose BSP-supervised financial institutions (BSFIs) to customer complaints, data privacy concerns, and financial crimes such as fraud and identity theft.


The central bank strongly enjoins BSFIs to establish adequate safeguards and risk management systems in handling PII, such as log-in credentials, and other sensitive data to protect customer privacy and maintain the integrity of the financial system.


Moreover, the BSP reminds BSFIs, as personal information controllers of their customers’ data, to comply with relevant laws such as the Data Privacy Act of 2012, the National Privacy Commission’s issuances concerning consumer consent, and BSP regulations on financial consumer protection.


In accordance with the data privacy principles of transparency, legitimate purpose, and proportionality, BSFIs should regularly review and update their policies and practices to reflect the evolving data governance standards.


The full memorandum can be accessed here.
