Confidentiality of customer information in banking service is among very complicated issues as it concerns interests of customers and obligations of credit institutions as well as third parties that wish to access information. This article gives a brief evaluation of Vietnam’s general legal framework regulating customer information protection and the responsibility of banks and mobile service providers to safeguard customer information in fintech operations.
Tran Linh Huan[1] and Nguyen Mau Thuong[2]
Introduction
Safeguarding customer information is one of the top priority tasks in business operations and in performance of transactions of most organizations and individuals engaged in goods trading and service provision activities. In addition to guaranteeing the rights and interests of customers with regard to their law-protected personal information, the formulation of policies to optimize the efficiency of customer information protection helps businesses win trust of customers and raise their competitiveness, thus earning more positive business outcomes and improving the image and prestige of businesses themselves. Moreover, that customer data are stored systematically and safely might help reduce risks facing both customers and businesses. In the context that there are more and more hi-tech crimes with sophisticated tricks like today, customer information protection in the field of finance-banking not only ensures financial security but also contributes to controlling and preventing and combating transnational crimes.
General legal framework on customer information safeguarding
Basically, legal provisions on confidentiality of customer information in banking service have relatively clarified the rights and obligations of related subjects and their relationships, thus helping promptly protect customer information and limit the infringement upon customer information. However, objectively speaking, those provisions reveal inadequacies that need to be improved, requiring clear definition of responsibilities of banks and mobile service providers in safeguarding customer information.
So far, a general legal framework regulating the issue of customer information protection has been formulated. Specifically, the 2013 Constitution has affirmed that private life and personal secrets are inviolable and shall be protected by law.[3] The provisions on safeguarding of personal information are further concretized in the 2015 Civil Code. Accordingly, the collection and processing of data and use and publicity of information relating to the private life and personal secrets of an individual must be consented by that person, even information that one of the contractual parties has come to know during the establishment and performance of their contract.[4] With more detailed provisions, the 2010 Law on Protection of Consumer Interests has clearly set out the principle that “Consumers will have their information security and secrets guaranteed upon their participation in transactions or use of goods or services”[5]. Businesses may use consumer information only for the notified purposes and with the consent of such consumers. In addition, Article 14 of the 2010 Law on Credit Institutions defines the responsibility for keeping confidentiality of information about accounts, savings deposits, deposited assets, and transactions of customers of credit institutions and foreign bank branches. This requires businesses to make every effort and take appropriate measures to perform such responsibility.
It can be seen that safeguarding customer information in transactions and contracts is a matter of special concern according to law. Nevertheless, unlike laws of some other countries in the world that prohibit banks from disclosing customers’ identity to a third party, even tax authority or central authority,[6] Vietnam’s regulations on protection of customer information by businesses in Vietnam are more open so as to facilitate the flexible performance of state management tasks or other business purposes. Under those regulations, customers are entitled to guarantee of security and secrecy of their personal information, unless competent state agencies request disclosure of such information. As permitted under relevant laws, state agencies like courts, judgment execution agencies and tax offices may request provision of customer information to meet state management requirements and the requested businesses have to provide such information. Civil law and law on protection of consumer interests also allow customers and businesses to reach agreement to let the latter send customer information to a third party to serve other business purposes.
So, Vietnam’s law acknowledges the right to safeguarding of customer information as one of fundamental human rights. Businesses in general are responsible for ensuring information security for their customers in accordance with law.
A transaction office of VietinBank in Hanoi__Photo: Tran Viet/VNA |
Responsibility of banks and mobile service providers to safeguard customer information in fintech operations
Banks and mobile service providers usually have a relatively close relationship that is inevitable for facilitating smooth and effective operation of fintech applications. For financial activities in a digital environment, the requirement to protect customer information is laid out for both banks and mobile service providers. In fact, banks directly collect customer information but, in the course of conducting transactions via fintech applications, find it hard to totally control security of such information when it is transmitted in the cyber environment and accessed by third parties being mobile service providers. This is because fintech applications, no matter how modern and preeminent they are, cannot totally safeguard customer information. In fact, when an information leak occurs, the concerned customer will often request the bank to be accountable therefor even in case it is not clear what the cause of the incident is. Hence, to limit risks to banks and raise responsibility of mobile service providers, it is very important to clearly define responsibilities of these two subjects in safeguarding customer information upon performance of financial transactions on fintech applications.
Responsibility of banks
Customer information in banking service includes information provided by customers, information arising while customers request provision of or are provided by credit institutions or foreign bank branches with licensed banking operations, products and services, including know-your-customer information and information about accounts, savings deposits, deposited assets, transactions, securing parties, and other relevant information.[7] Such information is closely related to personal secrets, finance and assets of customers which, once leaked, may seriously affect their law-protected rights and interests. For that reason, banks should strictly protect customer information on the following principles:
Firstly, banks must adhere to the rules of confidentiality and provision of customer information that require them to keep customer information confidential and allow them to provide it only to competent state agencies or other third parties in accordance with the Law on Credit Institutions, Government Decree 117 of 2018 on confidentiality and provision of customer information by credit institutions and foreign bank branches, and relevant laws and decrees. Particularly, know-your-customer information used by a customer for accessing banking services, including private key, biometrics data, passcode, and other authentication information, may not be provided to any third party, even competent state agencies, without the customer’s consent. In principle, banks have to secure confidentiality of all customer information and may only provide some kinds of information as permitted by law to competent state agencies or third parties when so agreed by customers. Confidentiality of customer information must be included in internal rules of banks as a basis for application within the banking system.
Secondly, it is necessary for banks to optimize technological measures to improve the quality of information confidentiality of fintech applications. Fintech applications are not only convenient and fast but also capable of ensuring customer information confidentiality, thus convincing customers to use the applications and keep their trust in banks. To prevent attacks from hackers, fintech applications should constantly be upgraded while applying strict management methods through programming tips and using more often methods of customer information authentication via their mobile phone numbers, one-time passwords (OTPs), two-factor authentication, biometric identifier codes (fingerprints, face identification, etc.), and coding customer identification numbers. At the same time, it is supposed to apply artificial intelligence for promptly responding to attacks from malware to information confidentiality systems of the applications. Experience of Switzerland shows that bank accounts are numbered with incognito codes; even, names of account holders are not shown in most internal documents, e.g., bank statements. This requires not only a legal framework regulating the issue but also advanced technological measures of banks.[8]
Thirdly, information technology (IT) infrastructure of banks should be upgraded to promptly adapt to changes in fintech applications. The applications with backward technologies are highly vulnerable to attacks. Banks should therefore consider application of cloud computing technologies to store and effectively process customer information, use reliable information networks and install firewalls to ensure security of their information systems.[9] At the same time, they should take appropriate measures to properly manage their IT assets and human resources, and ensure safety for places of installation of IT devices and safety in the operation, access to and use of IT services by third parties. Fintech applications and IT infrastructure facilities of banks should also be simultaneously upgraded to be compatible with each other, thus helping limit technological risks in customer information security and ensure safe banking operations.
Responsibility of mobile service providers
As mentioned above, cyber security and confidentiality in transmission of authentication information and other information from banks to mobile subscribers are also critical for effective protection of customer information. The main responsibility of mobile service providers is to check cyber security for detecting and eliminating malicious codes and malicious hardware and dealing with security vulnerability. Regular checking will help detect and promptly block unauthorized accesses or other threats to cyber security. Additionally, mobile service providers should improve managerial and technical measures to detect and block customer information infringements in the cyber environment.[10] Researchers of a US-based security company found that OTPs are not really secure and may be stolen at any time, thus causing harm to the finance-banking system or online payment services.[11] This requires mobile service providers to upgrade their telecommunications infrastructure facilities and information security systems for preventing threats to consumer information. However, the issue concerning responsibility of mobile service providers for customer information protection in fintech applications is merely provided in the 2018 Law on Cyber Security and no legal document else touches upon this issue. To weather this problem, the author suggests referring to interpretations of Section 501(b) of the Gramm-Leach-Bliley Act of 1999 (or the Financial Services Modernization Act of 1999), and the Inter-Agency Guidelines Establishing Information Security Standards (Security Guidelines) that state: “The Agencies having issued the Security Guidelines require every financial institution to have an information security program designed to protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.”[12] Such guidelines already define the responsibility of service providers in banking activities so that banks and service providers understand their responsibility and coordinate with each other in safeguarding customer information.
Conclusion
It can be said that Vietnam’s law already has provisions aiming to safeguard customer information. This shows the role of law in guaranteeing customers’ right to personal information on digital platforms in banking operations. However, legal provisions on identification of responsibilities of banks and mobile service providers in customer information protection remain not specific and systematic enough to deal with the issue against the backdrop that customer information is so easy to be infringed upon like today. Therefore, it is required to further improve relevant regulations toward clearly defining responsibilities of the stakeholders when there arise incidents threatening confidentiality of customer information.-