Financial institutions: launching a privacy compliance program
July 2014 | EXPERT BRIEFING | DATA PRIVACY
Privacy and data protection is one of the hottest compliance topics for most companies in Mexico. Financial institutions are no exception, particularly since the Mexican privacy regulator, the Instituto Federal de Acceso a la Información y Protección de Datos (IFAI) recently imposed several sanctions against financial entities on account of data protection violations. These sanctions have included a couple of important financial institutions in Mexico, including one of the largest banks and financial groups, Banamex, a subsidiary of Citigroup.
On more than one occasion, the IFAI has resolved that Banamex breached the provisions and principles on the Mexican Data Protection Law (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) since it continued processing financial information after the relationship with the data owner had ended and the company ignored several requests from data owners to access and suppress the information that Banamex kept. In particular, one individual whose credit-card application was rejected tried to exercise his access and suppression rights to cancel all information that Banamex had about him. When Banamex refused to process this request, the individual filed a complaint with the regulator. In the end, Banamex was severely sanctioned by the regulator.
The sanctions imposed on Banamex (as a group) are currently the most significant the IFAI has imposed and amount to approximately US$1.4m. Such sanctions were executed against the company’s insurance division, its credit card company and the bank itself. One could argue that the IFAI has used Banamex to set an example and to deter other companies from breaching the Mexican Data Protection Law. Nevertheless, the lesson for all companies (including, most particularly, financial companies) is clear: implement compliance programs and do not underestimate the IFAI or the need to comply with the Mexican Data Protection Law.
In the following paragraphs we will discuss the most important steps and issues that every financial institution needs to consider when launching a program to comply with the Mexican Data Protection Law, its regulations and other rules issued by the regulator or competent authorities.
First of all, every company must have data protection policies that explain what data is collected and processed, for what purposes and with whom such data is shared. The data policies should be consistent and take into account the eight principles stated in the Mexican Data Protection Law for the processing of information: legality, consent, notice, quality, purpose, loyalty, proportionality and accountability. A complete analysis of the personal information that will be collected and processed by financial institutions is essential, since such analysis will be the basis for the preparation of these policies. Several departments within the financial institution shall participate in this assessment and in the drafting of the policies, including front office employees who gather personal information from customers, but also back office employees who process such personal information.
The second step is to design a privacy notice, which financial companies (as any other data controller) are required to deliver to their customers. The privacy notice should be consistent with the data protection policies and with the results of the assessment mentioned in the foregoing paragraph. It will also be used as the mechanism to obtain consent (implied, express or written) from customers. Note that privacy notices will be the key document in any inspection by the regulator since it is the document in which the financial institution discloses to the data owner how his or her information will be processed and for what purposes. The privacy notice needs to be made available to the data owners prior to the collection of their data, and in the case that financial data are collected, it will be necessary to obtain the data owner’s express consent. Sensitive information requires express written consent. When drafting or updating the privacy notice, financial institutions must pay particular attention to the Guidelines to the Privacy Notice (Lineamientos del Aviso de Privacidad), which is a set of rules that include detailed requirements of privacy notice contents.
Any compliance program must include the appointment of a Data Privacy Officer or Department (DPO) that will be in charge of processing the claims made by data owners and of promoting within the financial institution an adequate processing of the personal data collected. The DPO is an important role in every financial institution because all of the requests executed by the data owners and many of the initial verification proceedings by the regulator will be, in the first instance directed and attended by the DPO. It is necessary that the DPO is aware of all of the terms and formal requirements stated on the law; its proactive approach and awareness of the main obligations stated in the law is of utmost importance to prevent complaints and sanctions. Note that in the Banamex cases, most of the violations of the law could have been avoided with a simple and timely reply by the DPO to the data owner’s initial requests.
Another important step is to follow and implement a data privacy security plan and apply measures to protect personal data collected from damage, destruction, theft, loss, alteration or unauthorised processing (especially if processing financial or sensitive data). It is important to bear in mind that the Mexican Data Protection Law contemplates three different categories of security measures: physical, technical and organisational. Unlike the laws in other jurisdictions, the Mexican Data Privacy Law fails to state specific measures to follow. Instead, it only provides that security measures shall be at least the same as those applied inside the company to protect the company’s proprietary information. Note, however, that banking and financial laws do require banks and financial institutions to encrypt and implement certain specific security measures to safeguard certain information, including transactional information. Therefore, financial institutions need to consider not only the general principle and rule under the Mexican Data Privacy Law but also industry-specific requirements when implementing their security measures.
Additionally, the IFAI issued some Recommendations on Security of Personal Data in order to have a frame of reference with respect to the minimum actions considered necessary for the security of personal information. The IFAI has expressed, as a general recommendation, to adopt a Security Management System of Personal Data, which has four cycles with different phases and activities known as ‘Plan-Do-Check-Act’.
Transferring and sharing personal information is also an important issue to consider in any compliance program. As a general rule, any transfer of personal information requires consent from the data owner and disclosure in the privacy notice. From the perspective of the Mexican Data Protection Law, the transfer and sharing of personal information with data processors does not require consent or notice to the data owner. Also, the Mexican Data Protection Law allows the transfer of personal information to parent companies, subsidiaries or affiliates as long as binding corporate rules are implemented. However, other financial laws may not contain data-processor or ‘intercompany’ exceptions.
Any compliance program should emphasise the need to respect the data owner’s decision to not be contacted for purposes different from those strictly related to contract performance. For instance, customers have the right not to be contacted (and consent is required to contact them) for marketing purposes. There is a registry where consumers of financial services may register their email addresses and phone number in order to avoid unwanted advertising and this registry shall be consulted by financial institutions before engaging in any marketing campaign. Note that in one of the cases against Banamex, the situation that triggered the verification by the regulator was an unjustified contact to a person that no longer had any relationship with Banamex.
Last but not least, financial institutions must also consider secrecy and confidentiality obligations stemming from other industry-specific laws, such as the Credit Institutions Law (Ley de Instituciones de Crédito), the Financial Transparency Law (Ley para la Transparencia y Ordenamiento de Servicios Financieros) and others. These industry-specific requirements are very relevant and there is not always consistency between financial secrecy rules and privacy rules.
For some reason, the Mexican regulator has chosen the financial industry to set an example about the negative consequences of breaching the Mexican Data Protection Law. Therefore, financial institutions must concentrate on compliance programs and keep themselves up to date with recent decisions, recommendations and rules issued on this topic. The actions mentioned above are only the first steps that financial institutions must follow to comply with the Mexican Data Protection Law.
Federico De Noriega O. is a partner and Rodrigo Méndez S. is a senior associate at Barrera, Siqueiros y Torres Landa. Mr Noriega can be contacted on +52 55 5091 0154 or by email: firstname.lastname@example.org. Mr Méndez can be contacted on +52 55 5091 0166 or by email: email@example.com.
© Financier Worldwide
Federico De Noriega O. and Rodrigo Méndez S.
Barrera, Siqueiros y Torres Landa