AFI GUIDELINE NOTE ON DATA PRIVACY FOR DIGITAL FINANCIAL SERVICES
PILLAR 5: SUPERVISION AND ENFORCEMENT

This Pillar covers a range of important issues relevant to supervision and enforcement including risk-based supervision; supervisory mandate, powers, capacity and resources; the need for consultation and coordination on an ongoing basis; establishing a credible threat of enforcement and considering data privacy in a regulatory sandbox environment.

5.1 GUIDING PRINCIPLE: TAKE A RISK-BASED AND PROPORTIONATE APPROACH TO SUPERVISION

KEY RECOMMENDATIONS:
> Supervise DP4DFS rules on a firm and market risk basis.
> Develop a methodology for assessing privacy risks in DFS business models from e.g., information sources, information sensitivity, use cases and systems interconnectivity.

5.2 GUIDING PRINCIPLE: ENSURE SUPERVISORS HAVE EFFECTIVE MANDATE, POWERS, CAPACITY, AND RESOURCES

KEY RECOMMENDATIONS:
> Provide supervisors with clear DP4DFS mandate.
> Ensure appropriate powers for supervisor e.g., to supervise, to assess use of FinTech-related technologies or require evidence of how they are used; to issue fines, to grant exemptions, to make orders to ban/suspend DFS processing practices, to register or de-register data controllers and to handle complaints.
> Ensure supervisor has organizational and technological capacity and resources to design, implement and supervise DP4DFS now and in future, taking into account likely FinTech developments.
> Consider current environment and likely future developments, e.g., open banking.

5.3 GUIDING PRINCIPLE: ESTABLISH CLEAR CONSULTATION AND COORDINATION FRAMEWORK

KEY RECOMMENDATIONS:
> Provide for ongoing consultation and coordination with public sector stakeholders on policy and regulatory issues, FinTech innovations and systemic DP4DFS issues.
> Implement consultation mechanism with DFS industry and civil society groups (e.g., privacy advocates and consumer associations). Consider if Industry Advisory Group is desirable.65
> Establish MOUs with key regulators and government agencies.
> Consider regional data privacy initiatives.

5.4 GUIDING PRINCIPLE: CONSIDER DP4DFS ISSUES IN REGULATORY SANDBOX ENVIRONMENTS

KEY RECOMMENDATIONS:
> Consider data privacy issues when testing DFS innovations in regulatory sandboxes.
> Consider thematic regulatory sandboxes specifically for DP4DFS innovations.

5.5 GUIDING PRINCIPLE: ENSURE CREDIBLE THREAT OF ENFORCEMENT

KEY RECOMMENDATIONS:
> Ensure sanctions are significant enough to be effective.
> Consider making provision for fines to be a percentage of profits or turnover and/or a specified flat amount.
> Consider basing fines on severity of breaches.
> Require notice of significant breaches to regulators and data subjects.
> Publicize all enforcement action.
65 See, for example, the Personal Data Protection Advisory Committee in Malaysia.