Pillar 1: DP4DFS Policy and Regulatory Framework
This Pillar is intended to cover the process for establishing the DP4DFS policy and regulatory framework and the related principles.
1.1. GUIDING PRINCIPLE: ESTABLISH GOVERNANCE AND CONSULTATION ARRANGEMENTS
KEY RECOMMENDATIONS:
> Establish Steering Committee with lead DP4DFS regulator and representatives of other financial sector regulators and other relevant government Ministries and agencies (e.g., for finance/telecommunications/competition/consumer protection/innovation), as well as representatives of industry (including traditional financial sector and FinTech entities) and consumers (e.g., consumer associations).
> Ensure Steering Committee representatives have, or have access to, expertise covering DFS, data privacy issues and FinTech innovations in data processing for DFS.
> Engage outside experts as needed, e.g., data scientists or data privacy experts.
> Consult widely on new framework with public/private sector stakeholders and general public.
1.2. GUIDING PRINCIPLE: ASSESS CURRENT DFS LEGAL AND REGULATORY FRAMEWORK AND MARKET
KEY RECOMMENDATIONS:
> Undertake a diagnostic analysis of existing legal and regulatory framework applicable to DP4DFS, including:
- general data privacy and consumer protection laws
- financial consumer protection laws
- sector specific provisions in, e.g., e-money and payments laws
- industry codes of practice
- national strategies (e.g., for DFS or financial sector development or financial inclusion)
- policy and regulatory guidelines
> Assess gaps/overlaps in regulatory framework and related supervisory mandate and powers by reference to Guiding Principles.
> Consider DFS market and related data privacy risks, including types of providers, controllers, and processors of personal data, DFS products, forms of consent, privacy policies, types of data and data analytics techniques used and any FinTech-specific issues.
> Consider needs of vulnerable groups, e.g., women, youth, the elderly, persons with disabilities and displaced persons.
> Assess any systemic complaints issues relating to DP4DFS.
> Document key benefits and risks of current environment for key stakeholders (especially data subjects and data controllers and processors).
1.3. GUIDING PRINCIPLE: ESTABLISH OVERARCHING POLICY AND REGULATORY PRINCIPLES
KEY RECOMMENDATIONS:
> Clarify regulatory principles to guide design of DP4DFS framework.
> Consider especially risk-based and proportionate rules, which provide a balance between privacy, data protection, innovation and competition and are:
- clear and accessible
- principles based
- technology neutral
- outcomes focused
> Require new framework to be activity-based so as to create a level playing field and minimize the risk of regulatory arbitrage (subject to following points).
> Consider whether some obligations should only apply to ‘significant’ data controllers such as obligations concerning:
- Registration
- Appointing a Data Privacy Officer
- Preparing a Privacy Impact Assessment for high-risk processing operations
- Breach reporting to regulators and to data subjects
- Independent assessments of compliance
> If some rules are to apply only to ‘significant’ data controllers, establish criteria for defining them such as:
- Nature of the DFS products or business model.
- Volume and sensitivity of data that is processed.