Pillar 5: Supervision and Enforcement
This Pillar covers a range of important issues relevant to supervision and enforcement including risk-based supervision; supervisory mandate, powers, capacity and resources; the need for consultation and coordination on an ongoing basis; establishing a credible threat of enforcement and considering data privacy in a regulatory sandbox environment.
5.1 GUIDING PRINCIPLE: TAKE A RISK-BASED AND PROPORTIONATE APPROACH TO SUPERVISION
KEY RECOMMENDATIONS:
> Supervise DP4DFS rules on a firm and market risk basis.
> Develop a methodology for assessing privacy risks in DFS business models based on, e.g., information sources, information sensitivity, use cases and systems interconnectivity.
5.2 GUIDING PRINCIPLE: ENSURE SUPERVISORS HAVE EFFECTIVE MANDATE, POWERS, CAPACITY, AND RESOURCES
KEY RECOMMENDATIONS:
> Provide supervisors with a clear DP4DFS mandate.
> Ensure appropriate powers for the supervisor, e.g., to supervise; to assess the use of FinTech-related technologies or require evidence of how they are used; to issue fines; to grant exemptions; to make orders to ban or suspend DFS processing practices; to register or de-register data controllers; and to handle complaints.
> Ensure the supervisor has the organizational and technological capacity and resources to design, implement and supervise DP4DFS now and in the future, taking into account likely FinTech developments.
> Consider the current environment and likely future developments, e.g., open banking.
5.3 GUIDING PRINCIPLE: ESTABLISH CLEAR CONSULTATION AND COORDINATION FRAMEWORK
KEY RECOMMENDATIONS:
> Provide for ongoing consultation and coordination with public sector stakeholders on policy and regulatory issues, FinTech innovations and systemic DP4DFS issues.
> Implement a consultation mechanism with the DFS industry and civil society groups (e.g., privacy advocates and consumer associations).
> Consider whether an Industry Advisory Group is desirable.[65]
> Establish MOUs with key regulators and government agencies.
> Consider regional data privacy initiatives.
5.4 GUIDING PRINCIPLE: CONSIDER DP4DFS ISSUES IN REGULATORY SANDBOX ENVIRONMENTS
KEY RECOMMENDATIONS:
> Consider data privacy issues when testing DFS innovations in regulatory sandboxes.
> Consider thematic regulatory sandboxes specifically for DP4DFS innovations.
5.5 GUIDING PRINCIPLE: ENSURE CREDIBLE THREAT OF ENFORCEMENT
KEY RECOMMENDATIONS:
> Ensure sanctions are significant enough to be effective.
> Publicize all enforcement action.
> Require notice of significant breaches to regulators and to data subjects.
> Consider making provision for fines to be a percentage of profits or turnover and/or a specified flat amount.
> Consider basing fines on severity of breaches.