Fintech Privacy


Addressing Privacy Risks in Fintech:

Safeguarding Data Security

MPF Symposium 2023


12 December 2023

Ada CHUNG Lai-ling


Privacy Commissioner for Personal Data
Statistics
Customers, including those in HK, trust the financial sector over data

The banking, insurance and financial services sectors rank high in a survey of trust with personal data, with HK ranking 6th among the 18 markets surveyed for banks.

[Chart 1] Which sectors do customers trust most with their personal data? (%, 2023, 18 markets across the world)
Banks / financial services providers: 61
Hotels & airlines: 52
Insurance companies: 47
Online retailers: 44
Tech companies: 41
Automotive companies: 41
Sports organisations: 39
Video game companies: 31
Social media platforms: 24

[Chart 2] Net trust in banks to handle personal data (%, 2023), markets in descending order: Indonesia, India, UAE, Mainland, Singapore, HK (6th), Australia, Canada, Germany, Sweden, Mexico, Britain, Denmark, Poland, US, Spain, Italy, France

Source: YouGov (2023)
Fintech
This "technology-enabled innovation in financial services" lives on data

Financial services: Payments; Lending; Wealth Management; Insurance; Money transfer; Savings accounts

Technology (from those that happened some time ago to those happening now): Mobile; Internet; Cloud; Artificial Intelligence; Blockchain; Robotic Process Automation; Open API; Biometrics; IoT

Fintech use cases: Mobile payments; Peer-to-peer lending; Robo-advisors; InsurTech; Virtual banks; AI chatbots; Regtech; Cryptocurrencies

81% of fintechs identify data issues as their biggest technical challenge

Source: BIS (definition); MIT Management Review (services); Investopedia & McKinsey (services & use cases); MIT Course "FinTech: Shaping the Financial World" (technology); Federal Reserve Bank of St. Louis (use cases); InterSystems (statistic)
Privacy Risks
The reliance on data has privacy implications

1. Excessive collection of personal data
• Technology companies tend to collect and retain as much data as possible for analytics
• The data may include personal data
Fintech example: Virtual banks. Information such as IP addresses, location and online behaviour of users is collected for analytics, delivering personalised services and fraud detection.

2. Collection and use of personal data without notice or users' meaningful consent
• Data is used or disclosed by the providers/operators beyond users' reasonable expectations or meaningful consent
Fintech example: Mobile payment. Phone number, identity card number, location and transaction records may be used for new purposes such as profiling and credit scoring, and this may involve sensitive personal data.

3. Lack of effective means to erase or rectify obsolete or inaccurate personal data
• While fintech may collect and keep as much data as possible, an effective mechanism for correction might not exist
Fintech example: Blockchains, which are immutable by design.

4. Data security
• The wealth of personal data stored may well be a treasure trove for hackers, making individuals susceptible to impersonation, scams, identity theft, etc.
Fintech example: Mobile payment and Open APIs. Transmitting personal data electronically among organisations and end-users increases the risk of data leakage or interception.

5. Obscurity of the identities of data users and data processors
• During use and operation, many parties get involved
• Obscurity as to the identity of data users and processors obstructs the tracing of liabilities
Fintech examples: Open API, where many developers have access to the same individuals' personal data; Blockchain, where there is no central administrator or authority to take responsibility.
Benefits
Imagine that if the risks are contained, the benefits of Fintech can be realised

Increased consumer trust
• Ethical and safe use of technology can enhance consumers' trust and confidence
• Adoption is up, and existing customers may become loyal customers
• Marketability is up and financial performance rises

Greater market penetration
• Fairness and inclusion can be achieved to ensure the underprivileged get access to financial services
• An ethical and privacy-friendly nature serves as a competitive advantage

Regulatory compliance
• Regulatory compliance helps avoid fines and legal issues and helps protect reputation
• Cost savings and efficiency gains

Innovation
• Strong privacy and ethical practices can attract collaboration opportunities with traditional institutions that face stringent regulations

Source: Int. J. Financial Stud. (2023); Tech Ahead; CFA Institute; IMF
Global Data Security Crisis
The bad news is that cyber attacks are rising, with more and more cases reported

Publicly disclosed cyber attacks around the world, 2017 - 2022 (+136%)
2017: 786; 2018: 805; 2019: 1,037; 2020: 994; 2021: 1,477; 2022: 1,854
Source: University of Maryland CISSM Cyber Attacks Database

Cyber attacks in finance in the UK (finance, insurance and credit sector), Jun 2021 - Jun 2023 (+180%)
Jul 21 - Jun 22: 261; Jul 22 - Jun 23: 731
Source: ICO

Overall technology crimes in HK, 2017 - 2022 (+310%)
2017: 5,567; 2018: 7,838; 2019: 8,322; 2020: 12,916; 2021: 16,159; 2022: 22,797
Source: Hong Kong Police
Global Incidents
Financial firms are prime targets for cyber attacks

Medibank (2022)
• Hackers used credentials stolen from an employee account with privileged access to the internal system of the insurer
• Health data of over 9 million customers breached
Source: Reuters (2022)

Nelnet (2022)
• Hackers reportedly exploited a vulnerability in the system of the student loan service provider
• Data of 2.5 million students, including addresses, phone numbers and social security numbers, were breached
Source: Security Magazine (2022)
Local Cyber Security Attacks
Organisations faced a record high incidence of cyber security attacks this year

% of enterprises that encountered cyber security attacks in the past 12 months, Hong Kong, 2019 - 2023
2019: 41%; 2020: 41%; 2021: 39%; 2022: 65%; 2023: 73% (record high)
2023 by enterprise size: SMEs 73% (10%-pt YoY increase); Corporates 71% (7%-pt YoY decrease)
Source: Hong Kong Enterprise Cyber Security Readiness Index
7 Recommended Measures
Taking the below measures enhances the data security of your organisation

1. Data Governance & Organisational Measures
2. Risk Assessments
3. Technical and Operational Security Measures
4. Data Processor Management
5. Remedial Actions in the event of Data Security Accidents
6. Monitoring, Evaluation and Improvement
7. Other Considerations
Inspections and Compliance Checks
PCPD takes proactive actions

Inspections by PCPD in the past three years
Report date   Companies inspected
9 Oct 23      ZA Bank Limited
20 Sep 23     The Registration and Electoral Office
20 Dec 22     TransUnion Limited
18 Aug 21     (1) CLP Power Hong Kong Limited and (2) The Hongkong Electric Company, Limited

Compliance checks initiated by PCPD
2020: 344; 2021: 347; 2022: 377; 2023 (up to Oct): 392

Selected compliance checks launched in 2023
• All credit reference agencies
• Selected organisations that process personal data in the development or use of AI systems
Data Breach Response Plan
Putting a plan in place can help minimise the impact of a data breach

What?
A document setting out how an organisation should respond in a data breach. The plan should outline:
• a set of procedures to be followed in a data breach
• a strategy for identifying, containing, assessing and managing the impact brought about by the incident from start to finish

Why?
Helps ensure a quick response to and effective management of a data breach

Elements
• Description of what makes a data breach
• Internal incident notification procedure
• Contact details of response team members
• Risk assessment workflow
• Containment strategy
• Communication plan
• Investigation procedure
• Record keeping policy
• Post-incident review mechanism
• Training or drill plan
5 Steps for Handling Data Breaches
Proper data breach handling and management shows data users' commitment

1. Gathering essential information immediately
2. Containing the data breach
3. Assessing the risk of harm
4. Considering giving data breach notifications
5. Documenting the breach
Privacy Management Programme (PMP)
Definition and benefits of adoption

What's PMP?
A management framework
• for the responsible collection, holding, processing and use of personal data by the organisation
• to ensure compliance with the Personal Data (Privacy) Ordinance (PDPO)

Why PMP?
• Minimise the risk of data security incidents
• Handle data breaches effectively to minimise damage
• Ensure compliance with the PDPO
• Build trust with employees and customers, and enhance corporate reputation and competitiveness

The "Guide for Independent Non-Executive Directors" published by HKIoD recommends use of PMP as part of ESG management!
1. Privacy Management Programme: A Best Practice Guide (revised in Mar 2019)
2. Guidance Note on Data Security Measures for Information and Communications Technology (Aug 2022)
3. Guidance on Data Breach Handling and Data Breach Notifications (revised in Jun 2023)
4. Guidance on the Ethical Development and Use of Artificial Intelligence (Aug 2021)
Thank you

Tel: 2827 2827
www.pcpd.org.hk
communications@pcpd.org.hk