BSP warns banks vs use of automated data-scraping tools

The central bank has warned financial institutions against the use of software robotics and other data-scraping tools in handling sensitive customer data. — IMAGO/WESTLIGHT VIA REUTERS CONNECT

THE BANGKO SENTRAL ng Pilipinas (BSP) has warned its supervised institutions against the use of robotic process automation (RPA) and other scraping methods in handling “sensitive” data.

In a memorandum, the BSP said the use of these technologies has “merits as an internal data collection automation tool” but can hurt the integrity of the financial system.

“The use of RPA and other data-scraping methods, specifically to collect personally identifiable information (PII) and use it in gaining access to financial accounts and/or facilitating financial transaction, is seen to pose significant risks that may undermine consumer trust in financial service providers and compromise the integrity of the financial system,” it said in a memorandum.

Also known as software robotics, RPA employs “intelligent automatic technologies” to perform tasks usually done by human workers such as filling in forms and extracting data.

Data scraping involves a computer program extracting data from a human-readable output.

The central bank said that BSP-supervised financial institutions (BSFIs) use customer data to drive competitive advantages and market opportunities.

“However, improper and/or unauthorized access and handling of customer data, particularly involving financial information, may expose BSFIs to customer complaints and data privacy concerns,” it added.

The BSP emphasized the need for responsible data handling in the financial system.

“The proper handling and protection of PII and other sensitive data serve as cornerstones of customer privacy and represent critical components in the prevention of fraud, identity theft, and other financial crimes,” it said.

UK cybersecurity firm NCC Group earlier said that the finance and industrial sectors in the Philippines are among the top targets for cyberattacks in the country.

The BSP said financial institutions, as personal information controllers of their customers’ data, are responsible for compliance with the Data Privacy Act of 2012 (DPA).

It also noted that BSFIs must adhere to requirements set by the National Privacy Commission.

“These requirements may pertain to the right to data portability, the procedures for obtaining and managing consent, data access methods, and data-sharing arrangements.”

The BSP called on its supervised institutions to “employ robust risk management systems and implement adequate safeguards in handling PII and other sensitive data, including those covered under outsourcing arrangements.”

“These include ensuring compliance with relevant laws and pertinent BSP regulations on financial consumer protection, data privacy and data protection, anti-money laundering and combating the financing of terrorism (AML/CFT), cybersecurity, outsourcing, and open finance, among others.”

Moody’s data showed that from 2018 to 2023, the Philippines was among the top five countries in Southeast Asia with money laundering activity events added over the five-year period.

From 2022 to 2023, the number of money laundering events in the country rose by 45%.

“BSFIs should also regularly review and update their policies and practices to reflect the evolving data governance standards and requirements,” the BSP added.

The central bank has been finding ways to improve the banking industry’s cyber resilience against digital attacks, as well as to enhance its monitoring capabilities.

Sought for comment, Economist Intelligence Unit Industry Manager and Lead Analyst for Financial Services Swarup Gupta said that the BSP memorandum is timely given the rise in the adoption of these practices by financial service companies.

“The comments highlight the current lack of public scrutiny as to how organizations collect and preserve data, especially markers of personally identifiable information,” he said in an e-mail.

“Adherence to international standards, such as the ISO norms, regarding the collection and storage of data by corporations is the need of the hour and regulatory bodies need to hold organizations responsible to these norms,” he added.

Mr. Gupta said that the central bank should release specific rules and regulations on these kinds of practices.

“We should see the emergence of a data ombudsman, which adjudicates on data related issues, within fast digitalizing economies across the ASEAN (Association of Southeast Asian Nations) region as well as the passage of laws which define individual data rights in the near future.” — Luisa Maria Jacinta C. Jocson
