The processing of data in the financial sector raises particular legal questions and problems, regardless of whether this involves personal data. Financial data are particularly sensitive, often have increased value and entail a significant level of risk. Moreover, financial regulatory provisions lay down far-reaching requirements for the handling of data, compliance with which has been closely monitored by the regulatory authorities, especially in recent years. This article points out the main risks and looks at possible ways of dealing with these.
Background
The financial sector is more dependent on the processing of data than almost any other industry. A modern financial industry is simply inconceivable without intensive data processing. At the same time, several primary and secondary regulatory frameworks overlap here, from financial regulatory law to anti-money laundering law and IT security law to data protection law. For the companies concerned, this also entails special risks of violations punishable by fines and damage to their reputation.
In what follows, we highlight the most important legal challenges facing financial companies today when it comes to dealing with data, including processing, and look at possible ways in which these challenges can be met. The article especially has credit institutions and financial services institutions as defined by the German Banking Act and securities institutions as defined by the German Securities Institutions Act in mind, but the information can essentially also be applied to payment institutions as defined by the German Payment Services Supervision Act, insurance companies as defined by the German Insurance Supervision Act and investment management companies as defined by the German Capital Investment Code. Payment institutions, in particular, are subject to strict principles when it comes to the security of information technology systems (see in particular sections 53, 54 German Payment Services Supervision Act). Given the complexity of the issues involved, this article does not purport to be an exhaustive overview.
Financial regulatory requirements
Why do financial regulatory provisions deal with the handling of data?
Financial regulatory provisions require a bank’s internal risk management to be both appropriate and effective (section 25a(1), sentence 3 German Banking Act), and the proper handling of data is laid down in this context as a means of controlling, monitoring and communicating risks. At the international level, the Basel Committee on Banking Supervision already published a detailed set of rules for this in 2013 with BCBS 239 (Principles for effective risk data aggregation and risk reporting). BaFin’s circular 10/2021 (BA) – Minimum Requirements for Risk Management (“MaRisk”) likewise devotes an entire chapter to data management, data quality and risk data aggregation, which applies at least to significant institutions (at individual and group level). According to this approach, data serve to reduce or mitigate the risk profile of financial companies, provided that they handle the data in accordance with the regulations.
In addition, financial regulatory provisions also consider data (usually referred to as “information” in this context) and the processing thereof as a source of risk. Here, too, preparatory work has been done by international standard setters. Recently, for example, the European Banking Authority (EBA) published comprehensive guidelines on ICT (information and communication technology) and security risk management (EBA/GL/2019/04). BaFin also addresses these information risks in its circular 10/2017 (BA) – Supervisory Requirements for IT in Financial Institutions (“BAIT”). This concerns the risk of possible damage due to inadequate integrity, availability, authenticity or confidentiality of data. Consequently, BaFin requires institutions to have an appropriate and effective information risk management system, which includes, in particular, information security precautions, proper identity and access management as well as data backup concepts. In contrast to the previous paragraph, data are here not a means of risk management, but rather the object or goal of risk management.
How must institutions handle data so that they can be a useful tool for effective risk management?
For data to contribute to effective risk management, the institution’s data structure and data hierarchy must meet high standards. For example, the institution must ensure that data can be unequivocally identified, collated and evaluated and that they are available promptly when needed.
Special requirements apply to so-called risk data, i.e. data that are directly relevant for the identification, assessment and measurement of risks. Such risk data must be accurate and complete, and each institution must lay down internal requirements to ensure that this is the case. Furthermore, the risk data must not only be available in raw form, but must be processed appropriately. For example, institutions must aggregate the data and ensure that the data can be evaluated based on different categories (risk categories, business areas, group companies, etc.). In principle, data aggregation must be automated because aggregated risk data must be available promptly (especially during periods of stress). In BaFin’s opinion, the use of manual processes and interventions must therefore be limited to “the level necessary” (and must also be adequately justified and documented).
Finally, institutions must not rely solely on available risk data, but must reconcile such data with other information available at the institution (e.g. from the accounting or reporting systems) and carry out plausibility checks. This should make it possible, among other things, to identify data errors and weaknesses in data quality.
What aspects must companies in the financial sector consider in order to appropriately and effectively manage the risks associated with data and data processing (information risk management)?
Defined broadly, information risk management as required by regulatory provisions consists of (i) drawing up an IT strategy, (ii) specifying an IT governance structure on the basis of this, (iii) setting up appropriate monitoring and management processes with regard to information risks (information risk management) and (iv) implementing an information security management system.
The IT strategy must include, in particular, the development of the institution’s organisational and operational IT structure (including staffing and budget), the development of the IT architecture as well as principles of IT service continuity management. How detailed the strategies are depends on the scale and complexity of the institution’s business activities as well as the level of risk these entail (cf. MaRisk, AT 4.2, number 4). The strategy must be submitted to the supervisory board and discussed with it (cf. MaRisk, AT 4.2, number 6).
According to the financial regulatory provisions, IT governance means the structure used to manage and monitor the operation and further development of IT systems including the related IT processes (cf. BAIT, number 2.1). Of central importance here is the organisational and operational IT structure, i.e. the definition of tasks and processes (operational structure) as well as the establishment of organisational units (organisational structure) and the allocation of the aforementioned tasks and processes to one or more of the established organisational units. The organisational and operational IT structure includes, in particular, the allocation of access rights to data. These are to be allocated (as in other areas of the organisation of a financial company) on a need-to-know basis and adjusted swiftly if necessary (cf. MaRisk, AT 4.3.1, number 2).
According to BaFin, information risk management requires implementing a system for managing information risks (cf. BAIT, number 3.2). Of particular importance here is the concept of the information domain, which includes business-relevant data and information, business and support processes, IT systems and related IT processes as well as network and building infrastructures. The protection requirements must be determined for each and every information domain and cover the risk (determined by the institution) that the “integrity”, “availability”, “confidentiality” or “authenticity” of the data belonging to the information domain could be compromised. The “integrity”, “availability”, “confidentiality” and “authenticity” of the data are also referred to as the protection objectives of information risk management (cf. BAIT, number 3.4).
This means that the protection requirements analysis is a risk analysis, specifically of the abstract information risk. Using this abstract risk analysis as a basis, the institution concerned must define the measures that are appropriate for meeting the relevant protection requirements (catalogue of target measures). Subsequently, the catalogue of target measures must be compared with the measures actually implemented. To a certain extent, this comparison represents the specific risk analysis and takes into account possible threats, the potential for damage, the frequency of damage and the risk appetite of the institution. The management board must be informed of the results of the analysis on a regular basis, but at least quarterly (cf. BAIT, number 3.11).
According to the financial regulatory provisions, information security management is a continuous process that comprises various phases, namely planning, implementation, success monitoring as well as optimisation and improvement of the security of the institution’s data. An information security policy to be adopted by the institution’s management board constitutes one of the core elements of information security management (cf. BAIT, number 4.2). This policy lays down the strategic requirements for information security. According to BaFin, this includes defining competences, roles and responsibilities so that the security of information can be ensured. Based on the information security policy, the departments must lay down more specific, state-of-the-art information security guidelines and information security processes (including the sub-processes of identification, protection, detection, response and recovery) (cf. BAIT, number 4.3).
However, the financial regulatory requirements not only involve organisational or procedural prerequisites, as BaFin also has equipment and resources in mind. The institution must ensure that appropriate resources, in terms of both quality and quantity, are available for information risk management (in the narrower sense) and information security management (cf. BAIT, number 2.3).
Who is responsible for compliance with these requirements?
According to BaFin, all the members of the management board are responsible for ensuring that the key elements of the institution’s risk management system are appropriate and effective. There is much to suggest that these key elements also include the requirements for data management (as a means of risk management) and information risk management (as a goal or object of risk management).
This is also clear from the MaRisk and the BAIT. Accordingly, data management and data quality are management issues: the corresponding principles must be approved and put into force by the management board of the institution (cf. MaRisk, AT 4.3.4, number 1). The IT strategy, IT governance structure and information security policy must also be adopted by the management board (cf. BAIT, numbers 1.1, 2.2 and 4.2).
The members of the management board of a group parent company are responsible for appropriate and effective risk management at group level too. This also includes the aspects of risk management relevant for data and data processing described in this article (cf. also MaRisk, AT 4.3.4, number 1).
Apart from the management board, however, financial regulatory provisions also explicitly assign responsibility for the proper handling of data to other units in the institution concerned. If such units do not exist, they must be established:
- A unit that is independent of the front office must check whether the institution’s internal rules, procedures, methods and processes for handling and processing data are being followed (MaRisk, AT 4.3.4, number 7).
- The position of information security officer must be established for the purpose of information security management (BAIT, number 4.4). The information security officer must be independent and, in addition to advising the management board, must contribute to appropriate information security management, for example by preparing information security policies, managing information security processes, investigating information security incidents and providing training sessions on information security. The information security officer is also the contact person for BaFin.
What consequences does the institution face if it breaches the financial regulatory requirements for the handling of data?
The financial regulatory requirements are more than just obligations on paper. The German Banking Act (and other applicable laws) give the regulatory authorities a comprehensive set of instruments for enforcing compliance. As a first step, BaFin may order an institution to eliminate deficiencies in its risk management system (including information risk management) (cf. section 25a(2), sentence 2 German Banking Act). Such an order may be issued following a special audit or for another reason (e.g. tips from a whistleblower).
In order to monitor compliance, BaFin may require the institution concerned to submit regular reports on its progress (section 44(1) German Banking Act) or may appoint a special representative who has comprehensive rights of inspection and information vis-à-vis the institution’s management (section 45c(2), no. 6 German Banking Act). If these measures are not effective, BaFin also has the option of ordering the institution in question to increase own funds pursuant to section 6c German Banking Act or restricting the institution’s business activity (section 45b(1) German Banking Act). The latter can also include restrictions on growth (e.g. with regard to new customers), as has happened in the recent past.
Furthermore, the regulator may also take action against the institution’s management board members and give them formal warnings (section 36(2) German Banking Act) or, if such measures are unsuccessful, demand that the management board members concerned be dismissed and ban them from working for other institutions (section 36(1) German Banking Act). Since the members of an institution’s supervisory board must also monitor the management board members’ compliance with the relevant banking regulatory requirements (section 25d(6) German Banking Act), such demands for dismissal and working bans may also be issued with respect to the supervisory board members (section 36(3) German Banking Act).
Finally, the members of the management board (or the supervisory board) may also be held liable under civil law, since non-compliance with financial regulatory obligations usually constitutes a breach of the duty of legality. The details of this are disputed in the case law and legal literature, especially if there is “only” a violation of BaFin’s circulars. The extent to which these are binding (i.e. whether they set out further details of the statutory provisions in a legally permissible manner) has not yet been clarified by the highest courts. Due to the threat of personal liability risks, we would advise treating the requirements as statutory law and observing them accordingly.
Data protection requirements
Which companies in the financial sector are particularly affected by data protection regulations?
Data protection requirements affect all companies in the financial industry. However, they are particularly relevant for banks and payment service providers that process data on transactions carried out by natural persons.
Neobanks and other financial companies with digitalised business models such as robo-advisors, account information providers, etc., where data processing goes beyond simply enabling transactions, also have an increased level of risk. Forums in which customers can discuss investment strategies in a manner similar to social media or dashboards that show customers their payment behaviour – such special services require particularly careful assessment under data protection law.
What are the most important data protection requirements for companies in the financial sector?
The data protection regulations also lay down requirements for data security (Article 32 GDPR). Appropriate protection measures must be put in place to ensure that personal data, especially customer data, are not impaired accidentally or intentionally, and in particular that such data are not lost, unavailable or disclosed without authorisation.
This poses a particular challenge in outsourcing scenarios, where the company engages a service provider and grants it access to the personal data of customers (and possibly also employees). The regulatory requirements are supplemented in this regard by the need for data protection provisions. Typically, the company and the service provider must conclude a data processing agreement (commissioned processing), but in individual cases what is known as a joint controllership agreement may also be required (Articles 28 and 26 GDPR respectively).
When it comes to data security, many companies in the financial sector also have to deal with conflicting objectives under data protection law. On the one hand, the security of customer data requires a certain degree of monitoring of those who handle such data – the employees. Security information and event management (“SIEM”) systems are often used for this. Such systems track who accesses customer data, when, for how long and with what authorisation. On the other hand, the processing of personal data of employees is only permitted to a proportionate extent (Article 6(1)(f) GDPR, section 26(1) Federal Data Protection Act). So companies have to tread a fine line in order to comply with both legal obligations. A data protection impact assessment (Article 35 GDPR) often helps make it clear where this line lies.
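What such access monitoring can look like when proportionality is designed in from the start, as an added example that is neither from the article nor from any particular SIEM product: each access to customer data is checked against a need-to-know matrix, only rule violations are reported with event details, routine statistics are kept per pseudonym, and the pseudonymisation key is assumed to sit with the data protection function rather than with the analysts. The roles, data categories, JSON-lines log format and the log lines themselves are all constructed for the example.

```python
"""Proportionate access monitoring over customer-data access logs.

Added example (not from the article): detection logic that checks each
access to customer data against a need-to-know matrix while keeping
employee identities pseudonymous in the routine output.
"""
import hashlib
import hmac
import json
from collections import Counter
from datetime import datetime, timezone

# Assumption: the key is held by the data protection function, not by the
# SIEM analysts; only a documented incident justifies re-identification.
PSEUDONYM_KEY = b"placeholder-key-held-by-dpo"

# Hypothetical need-to-know matrix: role -> data categories it may read.
NEED_TO_KNOW = {
    "advisor": {"kyc", "portfolio"},
    "compliance": {"kyc", "portfolio", "transactions"},
    "it_support": set(),          # operates systems, never reads customer data
}
EXPORT_ROLES = {"compliance"}     # only compliance may export customer records
BUSINESS_HOURS = range(6, 22)     # UTC hours treated as normal working time


def pseudonymise(user_id: str) -> str:
    """Keyed hash so routine reports never show a raw employee ID."""
    digest = hmac.new(PSEUDONYM_KEY, user_id.encode(), hashlib.sha256)
    return digest.hexdigest()[:12]


def check_event(ev: dict) -> list[str]:
    """Return the names of all rules a single access event violates."""
    violations = []
    allowed = NEED_TO_KNOW.get(ev["role"], set())
    if ev["category"] not in allowed:
        violations.append("outside_need_to_know")
    if ev["action"] == "export" and ev["role"] not in EXPORT_ROLES:
        violations.append("unauthorised_export")
    ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    if ts.astimezone(timezone.utc).hour not in BUSINESS_HOURS:
        violations.append("out_of_hours")
    return violations


def analyse(log_text: str) -> tuple[list[dict], Counter]:
    """Parse JSON lines; return (findings, access counts per pseudonym).

    Only findings carry event details. Everything else is reduced to a
    per-pseudonym count, so the monitoring records no more about
    employees than the security purpose needs (data minimisation).
    """
    findings, counts = [], Counter()
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        who = pseudonymise(ev["user"])
        counts[who] += 1
        for rule in check_event(ev):
            findings.append({
                "user": who, "rule": rule, "ts": ev["ts"],
                "customer": ev["customer"], "category": ev["category"],
            })
    return findings, counts


# Constructed sample log (JSON lines); not real data.
SAMPLE_LOG = """
{"ts":"2023-03-01T09:02:11Z","user":"e1001","role":"advisor","customer":"C-4711","category":"kyc","action":"read"}
{"ts":"2023-03-01T09:02:30Z","user":"e1001","role":"advisor","customer":"C-4711","category":"portfolio","action":"read"}
{"ts":"2023-03-01T09:05:02Z","user":"e2002","role":"it_support","customer":"C-4711","category":"kyc","action":"read"}
{"ts":"2023-03-01T09:05:40Z","user":"e2002","role":"it_support","customer":"C-0815","category":"kyc","action":"export"}
{"ts":"2023-03-01T09:06:01Z","user":"e3003","role":"compliance","customer":"C-0815","category":"transactions","action":"read"}
{"ts":"2023-03-01T02:30:00Z","user":"e1001","role":"advisor","customer":"C-9999","category":"portfolio","action":"read"}
"""

if __name__ == "__main__":
    found, per_user = analyse(SAMPLE_LOG)
    for f in found:
        print(f)
    print(dict(per_user))
```

Run as-is, the block reports four findings (an IT support account reading and exporting KYC data it has no need to know, and an advisor reading a portfolio at 02:30 UTC) and a count of three pseudonymous users. The point is the asymmetry: the detail needed to investigate exists only where a rule fired, and the key needed to turn a pseudonym back into a person is deliberately kept away from the people running the queries.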
But companies need to process data not only securely, but also lawfully. This means that the processing must, in particular, serve a specific legitimate purpose, have a sound legal basis and not go beyond what is necessary. This often means that customers’ consent is required before the company can use their data to personalise the service it offers or for advertising purposes. In addition, forms used for data collection should be carefully checked to ensure that only the necessary data is collected.
There is also a certain tension between the principle of data minimisation and specific regulatory requirements. In principle, the record-keeping obligations laid down in regulatory provisions and the requirements of data protection law should mesh seamlessly: the legally required retention of documents, e.g. records of discussions in which investment advice is provided pursuant to MiFID II, is justified under data protection law (Article 6(1)(c) GDPR), whereas retention not required by law is prohibited unless there are other legitimate grounds for it. In practice, however, different regulatory authorities may interpret the regulations differently, especially if they belong to different states. Companies therefore need to be careful in their communication and when weighing up the various risks, options and requirements in order to meet all the regulatory requirements.
What is currently the biggest data protection problem for financial companies?
European financial companies that have to transfer data to countries outside the EU for legal or operational reasons find themselves in a similarly difficult situation, as European law imposes special restrictions on the transfer of personal data to third countries outside the EU and EEA, in order to ensure that personal data in the third country remains adequately protected.
This is deemed to be the case if the level of data protection in the third country has been officially recognised as adequate by the EU Commission (Article 45 GDPR) – however, such adequacy decisions have only been issued for a small number of countries (including the UK, Switzerland, Canada, Argentina and Japan, but not the U.S., India, Russia, China, Brazil, Turkey or Australia). In the absence of an adequacy decision for the respective country, additional safeguards must be provided, e.g. by concluding a data protection agreement based on the EU standard contractual clauses (Article 46 GDPR).
However, according to a recent ruling of the Court of Justice of the European Union (Schrems II, C-311/18), standard contractual clauses alone are not sufficient if the law of the recipient state allows (official) data access that goes beyond what is proportionate according to European standards. This is because contractual obligations alone cannot provide effective protection against such data access. EU companies that want to transfer personal data to third countries, especially the U.S., must therefore carefully analyse the circumstances and consequences of the transfer (data transfer impact assessment) and take additional protective measures if necessary. However, there are as yet no definitive rules governing the form these protective measures could take, so they must be assessed for each individual case.
Authorities in third countries will not usually be willing to enter into standard contractual clauses with a European company anyway. The company concerned must therefore check whether a data transfer is permissible on the basis of one of the exceptions laid down in Article 49 GDPR, in particular for the establishment, exercise or defence of legal claims (Article 49(1)(e) GDPR). This exception is specifically aimed at the use of personal data in judicial proceedings (e.g. in a subpoena), but may also justify other types of disclosures (e.g. in the context of monitorships).
Outlook
The legal challenges involved in processing data in the financial sector are set to become even greater in the future – increasing in step with the opportunities, as it were. At the same time, it is likely that the legal regulations will be enforced more strictly in the future than in the past. The authors’ experience shows that BaFin, for example, has made data security and information risk management a focus of its regulatory work and has also urged established market operators to make improvements in these areas. For neobanks and fintechs, however, shortcomings in these areas can threaten their very existence, as they may find themselves subject to drastic measures up to and including the withdrawal of their licence.