Article 6: Protection of Consumer Data and Assets

C 8/2020 Effective from 25/12/2020

6.1 Consumer Data Protection

6.1.1 Introduction

Licensed Financial Institutions are required by the Article 120 of the Decretal Federal Law No. (14) 2018 to protect Consumers’ Data and ensure their confidentiality. This Regulation further requires that Licensed Financial Institutions collect the minimal amount of Consumer Data and information needed in respect of their licensed activities and remain in compliance with all other related laws.

6.1.2 Description

6.1.2.1 Licensed Financial Institutions must establish a function in their organization that is responsible for Data Management and Protection including responsibility for maintaining policies, procedures, systems and controls to protect Consumers’ Personal Data and information against misuse, unauthorized access and undue processing and analysis.

6.1.2.2 Licensed Financial Institutions must have policies that specify duration of record keeping and Data retention in accordance with the applicable laws, regulations and business.

6.1.2.3 Licensed Financial Institutions must have appropriate security and monitoring measures in place to detect and track unauthorized internal access or use of Consumer information. Any breach of access, misuse or unauthorized release must be recorded including any harm done by such breach for future reporting to and review by the Central Bank.

6.1.2.4 Licensed Financial Institutions must notify the Central Bank of all significant breaches of Consumer Data and information and notify any Personal Data breach to Consumers where a breach may pose a risk to the financial and personal security of the Consumer without undue delay. Licensed Financial Institutions are liable for reimbursing any direct costs incurred by the consumer for actual harm done as a result of the breach.

6.1.2.5 Licensed Financial Institutions must ensure that Consumers are able to make informed choices with respect to providing expressed consent as to their Data being collected, used and shared with third parties and within the Licensed Financial Institution.

6.1.2.6 Licensed Financial Institutions must prevent the misuse of Consumer information and Data.

6.2 Protection of Consumer Assets, Information and Data against Financial Crimes, Misappropriation and Misuse

6.2.1 Introduction

Financial Crimes, misappropriation and misuse of Consumer assets, Data and information significantly undermine Consumers’ trust and confidence in Financial Services. Licensed Financial Institutions must have sound and effective management and business practices for security within the first line of defence.

Licensed Financial Institutions must continually make appropriate efforts and investments to stay on top of these risks and make use of the latest technology and solutions to protect Consumer assets and Data.

6.2.2 Description

6.2.2.1 Without prejudice to other laws and regulations, Licensed Financial Institutions must treat Consumers’ information relationships and business affairs as private and confidential.

6.2.2.2 Licensed Financial Institutions must put in place strict internal controls to effectively protect Consumers’ deposits, savings, funds held by stored value facilities and other assets as well as Consumer information and Data, against internal frauds.

6.2.2.3 Licensed Financial Institutions must apply sufficient resources to be able to detect both external and internal frauds quickly and ensure they are fully addressed with future prevention measures.

6.2.2.4 Licensed Financial Institutions must compensate Consumers in a timely manner for financial losses and expenses resulting from Financial Crimes, misappropriation, cyber-attacks and misuse of assets and information unless it can be proven that the loss was due to the gross negligence or fraudulent behavior of the Consumers.

6.2.2.5 Licensed Financial Institutions must ensure their security and protection systems are updated and have the capacity to develop and adopt new approaches to cyber security as required.

6.2.2.6 Licensed Financial Institutions must demonstrate they have carried out sufficient Consumer awareness activities related to educating Consumers of the need to protect themselves from Financial Crime.