The Bangko Sentral ng Pilipinas (BSP) has issued a cautionary memorandum to its supervised institutions regarding the utilisation of robotic process automation (RPA) and data scraping methods in handling sensitive data.
While these technologies offer advantages as internal data collection automation tools, the BSP expressed concerns about their potential impact on the integrity of the financial system.
“The use of robotic process automation (RPA) and other similar tools as an alternative data-sharing method raises some issues within the financial services industry.
While these technologies have merits as an internal data collection automation tool, the use of RPA and other data scraping methods, specifically to collect Personally Identifiable Information (PII) (i.e., log-in credentials) and use it in gaining access to financial account and/or facilitating financial transaction, is seen to pose significant risks that may undermine consumer trust in financial service providers and compromise the integrity of the financial system,” the BSP highlighted in the memorandum.
Robotic process automation, or software robotics, uses intelligent automation technologies to perform tasks typically handled by human workers, such as filling in forms and extracting data. Data scraping involves using computer programs to extract data from human-readable output.
The central bank noted that BSP-supervised financial institutions (BSFIs) utilise customer data to gain competitive advantages and explore market opportunities. However, improper or unauthorised access and handling of customer data, especially financial information, can lead to customer complaints and data privacy issues.
The BSP stressed the importance of responsible data handling within the financial system, stating that the proper handling and protection of PII and other sensitive data are essential for maintaining customer privacy and preventing fraud, identity theft, and other financial crimes.
The BSP reiterated that financial institutions, as controllers of their customers’ data, must comply with the Data Privacy Act of 2012 and adhere to requirements set by the National Privacy Commission. These requirements include data portability rights, consent management procedures, data access methods, and data-sharing arrangements.
The BSP urged its supervised institutions to implement robust risk management systems and safeguards when handling PII and other sensitive data, including those involved in outsourcing arrangements.
“These include ensuring compliance with relevant laws and pertinent BSP regulations on financial consumer protection, data privacy and data protection, anti-money laundering and combating the financing of terrorism (AML/CFT), cybersecurity, outsourcing, and open finance, among others.”
The BSP emphasised that BSFIs should regularly review and update their policies and practices to align with evolving data governance standards and requirements.