Build a "firewall" and pay close attention to the "money bag"

—Focus on personal financial information protection

【Legal Eye View】

What should you do when a bank discloses your bank transaction records to others without your permission?

Not long ago, talk show actor Chi Zi (whose real name is Wang Yuechi) posted on Weibo that, without his authorization, CITIC Bank Shanghai Hongkou Branch had provided his personal account transaction records to the bank's "big customer", Shanghai Xiaoguo Culture Media Co., Ltd. He sent a letter through a lawyer, asking CITIC Bank and Xiaoguo Culture to compensate for the loss and publicly apologize.

Soon, CITIC Bank issued a letter of apology, saying that the bank had established a set of systems and procedures for customer information protection, but individual employees did not strictly follow them. The bank stated that it had punished employees in accordance with relevant regulations and removed the president of the branch. With that, this high-profile bank leak has come to an end. However, the issue of personal financial information protection raised by the incident is thought-provoking.

  In recent years, China's financial industry has developed rapidly. With the advancement of network technology, the traditional financial industry continues to "touch the Internet", and the number of users of online payment and online lending has grown rapidly. Data show that China has 710 million online shopping users and 768 million online payment users.

  At the same time, personal financial information leaks also occur from time to time. According to a survey report on the protection of the rights and interests of netizens issued by the Internet Society of China, the personal identification information of 78.2% of netizens and the online financial transaction records of 63.4% of netizens have been leaked. In recent years, financial privacy breaches have been increasing at an annual rate of about 35%.

  "Personal information in the financial field is special. Compared with other personal information, it is highly related to personal assets and credit status. Once leaked, it will not only violate personal privacy, but may also pose a great threat to the security of the information subject's property," said Guo Xinming, deputy to the National People's Congress and president of the People's Bank of China Nanjing Branch.

  How to build a strict "firewall" for information security and help people keep a tight hold on their "money bag" has become a major problem in the current financial field.

Painful financial data leaks become industry "stubborn illness"

  "Data is similar to the engine of an aircraft, and user privacy is similar to passengers on an aircraft. If there is a problem with the engine, the safety of passengers will be seriously threatened." This is how Wu Yechao, a 360 financial information security expert, describes the importance of personal financial data.

  Data leakage has become a "stubborn illness" in the financial industry. In addition to breaches of data such as bank transaction records and credit reports, data breaches in the insurance and securities industries are also of concern.

  In 2016, many insurance institutions in Shanghai and other places were involved in the "leak door" incident, and many car owners received fraudulent calls from people posing as insurance company staff shortly after having a traffic accident and reporting it to the insurance company; former employees of a payment platform downloaded 20G of user data for sale over three years; a financial platform was revealed to have leaked a large amount of sensitive information on 600,000 users...

  "Online loan business has become one of the main sources of financial privacy leakage." Lu Tianliang, associate professor of the Collaborative Innovation Center for Cyberspace Security and Rule of Law of the People's Public Security University of China, pointed out that heavy demand for online loan business and an imperfect personal credit reporting system have spawned a large number of non-governmental risk control agencies. In order to carry out risk control business, some companies use illegal crawling, collection, exchange and other methods to obtain, or use fraud to obtain, information such as citizens' identity, location, credit and even communications.

  On the one hand, leaks of information by insiders ("inner ghosts") are difficult to prevent; on the other hand, hackers steal information rampantly. Dr. Yuan Deyu of the People’s Public Security University of China said that the financial sector has become a “heavy disaster area” for the online black market industry, and financial information leakage has become the basic soil in which that industry exists. After information is stolen, victims are often overwhelmed by spam messages and emails and by a succession of harassing and fraudulent phone calls; worse still, accounts are stolen and money goes missing.

Hidden worries behind the popularity of hot financial apps

  On December 4 last year, the National Cybersecurity Notification Center announced that 100 apps that illegally collected personal information had been investigated and ordered to rectify the problems. Well-known financial apps such as Everbright Bank, Bank of Tianjin, Tianjin Rural Commercial Bank and Le Loan were on the list.

  "The application of the mobile Internet in the financial field is represented by various mobile apps, mainly including banking, consumer, payment, financial management, and securities," Lu Tianliang said. Among them, consumer apps aimed at individual users are the most numerous, accounting for nearly 40%. The absence of a privacy agreement, unclear descriptions of the scope of collection and use of personal information, excessive collection of personal information and collection of non-essential personal information have become the main ways in which financial apps infringe personal information.

  According to Feng Cheng, Director of Industry Consulting, Financial Technology Research Center, China Information and Communication Research Institute, in actual business development, financial apps are only one of the channels through which financial institutions reach users. Data collection, transmission, and retention in other channels, such as online application entrances placed on PC-side web pages, applets, and third-party platforms, and WeChat service accounts, add to the hidden dangers for personal information data because of the increase in intermediate links.

  At present, a large number of new technologies such as artificial intelligence, big data, biometrics, and the mobile Internet are being applied in the financial field. While providing users with convenient and high-quality services, they also bring more risks and challenges to the protection of financial privacy. For example, face recognition payment and fingerprint payment face the risk of being counterfeited, and data storage servers that rely on the Internet of Things, big data, and cloud computing technologies are often key targets of hacker attacks.

Focus on accelerating the legislation of financial consumer rights protection

  In 2007, the Central Bank successively adopted documents such as the Management Measures for Customer Identification and Customer Identity Data and Transaction Records of Financial Institutions, and gradually established requirements for the collection scope and utilization principles of personal information, which became the source of personal financial information protection regulations in China.

  At present, the Personality Rights section of China's Civil Code specifically regulates privacy and personal information protection, so the civil protection of personal financial information has a clear higher-level legal basis. At the same time, facing the problems of insufficient protection of personal financial information and inadequate legal investigation mechanisms, the industry has called for strengthening the construction of relevant legal systems.

  At the end of 2019, the Central Bank issued the "Trial Measures for the Protection of Personal Financial Information (Data) (Preliminary Draft)", which covers the improvement of the credit reporting mechanism and system construction, and penalties for illegal collection and use of personal credit information.

  In February this year, the National Financial Standardization Technical Committee issued the "Technical Specifications for the Protection of Personal Financial Information". The standard divides personal financial information into three categories, C3, C2, and C1, according to the degree of sensitivity. Among them, C3 is mainly various account passwords; C2 is mainly account, ID card information, SMS password, address, etc.; C1 is mainly account opening time, payment mark information, etc. The specification stipulates the security protection requirements for personal financial information in collection, transmission, storage, use, deletion, destruction and other stages. It also states that financial institutions should not obtain personal financial information by means such as default authorization or function bundling, nor should they entrust or authorize institutions without relevant qualifications in the financial industry to collect personal information such as ID numbers and mobile phone numbers.

  At this year's National Two Sessions, several representatives proposed to accelerate the legislative process for the protection of financial consumers' rights and interests, and to revise and improve the existing financial supervision regulations.

  Zhou Zhenhai, deputy of the National People’s Congress and Counselor of the People’s Bank of China, proposed formulating regulations on the protection of financial consumer rights. The long-term and fundamental interests of those involved; on the other hand, the regulatory standards in the field of financial consumer rights protection can be unified to avoid regulatory vacuums and regulatory arbitrage.

  Zhou Zhenhai also suggested that certain special institutional arrangements be made at the legislative level, such as establishing a regulatory coordination mechanism, introducing a financial consumer public interest litigation system, and establishing a diversified settlement mechanism for financial consumer disputes.

  Starting from the source, promulgating unified financial information protection regulations will become an important part of the governance and rectification of the financial industry. At the same time, the establishment of internal control mechanisms for personal financial information protection within enterprises must also keep pace.

  "The problem of illegal trading of personal financial information is severe, exposing the problems of inadequate third-party internal control, security loopholes in information systems, long transmission chains of information leakage, and difficulty in traceability." Wu Yechao believes that the protection of user information requires financial technology companies to strengthen internal control and management, do a good job in building data privacy and protection systems and in data security monitoring and cycle control, and build a data security defense system. At the same time, enterprises, public security, scientific research institutions and other departments should work together to improve the overall security and defense status of the industry and build a good financial ecosystem.

(Reporter Jin Hao)