Information security challenges for banking institutions in Mexico
March 2014 | PROFESSIONAL INSIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
As a consequence of the recent entry into force of the Federal Data Privacy Law and its Regulations (the ‘Privacy Laws’), almost all foreign entities doing business in Mexico have had to develop or adjust their privacy and information security standards and policies.
However, for banking entities doing business in the Mexican market, the path to effective compliance on the matter is not fully clear. Although Mexican law is still developing and adapting to international standards, the ball should already be rolling towards specific regulatory requirements.
The fact is that the implementation of the Privacy Laws is one of many initial steps required for Mexico’s legal framework to effectively address the rapidly changing nature of IT systems involved in the processing of information, and the practical issues that arise from such processing.
In the particular case of banking institutions in Mexico, a parallel compliance schedule must be considered. Even before the Privacy Laws came into effect, banks in Mexico were already required to comply with information security guidelines arising from banking secrecy obligations, as set out in the Law for Banking Institutions. On top of this, banks must now also comply with the information security requirements that derive from the Privacy Laws, which aim to protect the privacy and informational self-determination rights of individuals.
Under this scenario, banks in Mexico have to deal with very broad laws and guidelines that do not necessarily match specific issues arising from bank information processing operations.
The main IT requirements for banking entities are set out in the National Banking and Securities Commission (CNBV) Bulletin for Banking Institutions and, in a more general manner, in the Privacy Laws. Nevertheless, these requirements are not specific enough when it comes to the operational aspects of data management, such as rules for maintaining critical data, requirements to develop and update data management policies, and regulatory requirements for risk data aggregation and the related IT infrastructure, among others.
From a long term perspective, Mexican laws and regulations on IT systems and security for banking operations lack specific provisions on business continuity, such as requirements to maintain business continuity plans, to update and test business and technology recovery plans, to conduct business impact analyses, and to run disaster recovery exercises, to name a few.
In practice, the aspects mentioned above are addressed, to some extent, by implementing international IT management and governance best practices such as ITIL (Information Technology Infrastructure Library) and the COBIT controls and guidelines. However, best practices are by nature not legally binding and, as such, cannot be enforced by the authorities.
Thus, even though Mexican legal provisions on information security in banking activities touch on operational aspects, they only scratch the surface; more specific scenarios and guidelines still need to be included for the benefit of both banks and their customers.
To date, only a few matters involving data processing and information security considerations have been brought before the Federal Institute for Information Access and Data Protection (IFAI), the authority in charge of enforcing the Privacy Laws, with diverse and inconclusive outcomes.
Likewise, no court precedents currently exist that would allow banking institutions to narrow the wide scope and compliance effects of these laws; consequently, more precise requirements and guidelines appear to need defining and implementing.
The above becomes relevant when the role of banking services in Mexico is considered from an information value perspective. Such services involve information that is highly valuable, and in some cases sensitive, for customers, for the bank’s operational infrastructure and, from a wider angle, for the Mexican economy. In this sense, banking operations require strong and well defined foundations that allow effective IT security and governance to take place.
The previous Mexican government (under Felipe Calderon Hinojosa) promoted and issued the Privacy Laws with the aim of aligning Mexico’s data privacy provisions with those commonly in force in the countries that are Mexico’s main economic partners.
Under the current administration of Enrique Peña Nieto, the Mexican government has stated that a fundamental element of its development strategy is to strengthen and encourage the implementation and use of information technologies and related platforms. Some amendments have already been approved by Congress, but the scope and effectiveness of Mexico’s current development plan remain unproven, and the plan will certainly require major IT-related input to accomplish its goals in the long run.
A legal framework that addresses the operational aspects of IT systems processing banking information precisely enough will provide legal certainty both for banking institutions, as the entities responsible for information security, and for individuals, as the owners of the information processed.
So what can we expect in the near future? Will best practices suffice in the long term? The answer is currently unknown.
Federico González Peña is a partner at Sánchez DeVanny Esseverri, S.C. He can be contacted on +52 55 5029 8516 or by email: firstname.lastname@example.org.
© Financier Worldwide