Data Protection in the Financial Sector and Why it Matters

Like our sister regulator the Financial Services Commission, the Central Bank of Barbados is proud to be associated with this data protection conference, under the theme “Compliance Beyond Borders – Insights from Financial Regulators.” In fact, had we not been legitimately invited we would have engaged in our own version of a data breach and crashed the party anyway. I am pleased however that proper etiquette and decorum prevailed, and it did not come to that. So, thanks very much Warrick and Alicia!

One of the major objectives of the Central Bank of Barbados is to promote financial stability that is conducive of the orderly and sustained economic development of Barbados. We all know that financial stability is inextricably linked to the confidence which the users of a financial system have in its operational resilience. 

Every day, banks, credit unions, insurance providers, and investment firms deal with vast amounts of personal data; some of it being sensitive in nature. 

This data may consist of names, email and physical addresses, telephone numbers, and government-issued identification documents. Categories of sensitive information include financial status, race, religion, sexual orientation, political opinions, religion, criminal records, and involvement in legal proceedings. There is also now in some jurisdictions the question of health data. Due to the possible harm that will otherwise result to an individual, customers’ financial and personal information needs to be protected from theft, unauthorised access, and misuse. 

If then financial consumers come to believe that our system is porous relative to the way that their data is stored and maintained, such a belief could affect financial stability, as in the event of a breach, persons could move their funds away from a particular institution or institutions. It is for this reason that the Central Bank has a vested interest in ensuring that all institutions under its remit, properly comply with the requirements of the Data Protection Act 2019-29 of Barbados and the data protection pillars that underpin it.

These pillars indicate that personal data must be processed lawfully, fairly, and in a transparent manner; is collected for specified, explicit, and legitimate purposes; is adequate, relevant, and limited to what is necessary; is accurate and kept up to date; is kept in a form that permits identification of data subjects for no longer than is necessary; and is processed in a manner that ensures its appropriate security. The consent of customers to the collection and processing of their data must be expressly obtained, as well as an explanation given as to the reason for collecting this data and its ultimate use.

By implementing a stringent and effective data protection policy, banks can mitigate unauthorised access to sensitive data. The Act lays a foundation via which a financial entity adheres to best practices and safeguards the rights of its data subjects. It also ensures that the organisation is transparent about how it handles, maintains, and safeguards personal information, thus building and maintaining trust with its customer base.

The data protection policy will thus be in the vanguard of a bank’s risk management strategy particularly if wedded to (1) a well-trained staff and (2) an appropriate tone from the top, thus forming columns of mutual defence and support. And while I now realise that an analogy of a three-way marriage might not be the most appropriate, I hope you at least agree with my point. 

The presence of your Data Privacy Officer will also be an important element as this resource – which can be a shared resource – is the hub through which issues of data protection may be identified, advised upon and ultimately addressed.

Of course, a well written policy would probably be meaningless without effectively operationalised cybersecurity safeguards relative to electronically stored data. The Central Bank of Barbados is particularly interested in ensuring that financial institutions have appropriate security measures in place to ward off possible cyber breaches. This is of particular importance where the institution is a payments provider and is connected to our domestic payments infrastructure.

In closing let me reiterate the pleasure and interest of the Central Bank of Barbados in being associated with this conference. Compliance for the financial sector is vastly important due to the risks that compliance seek to mitigate against. It therefore behoves all stakeholders to co-operate to the greatest extent possible to secure the best outcomes for our jurisdiction. When it comes to data protection, it is our hope that the energy displayed and exerted in ensuring that this conference is a success, is a strong indicator of the road ahead.