Bankers criticized the bill regulating the outsourcing of information processing and storage

Bankers criticized the bill regulating the outsourcing of information processing and storage. In their opinion, the document contains provisions that can make the service virtually unavailable to credit institutions. Meanwhile, according to experts, today banks transfer up to half of all collected data to third parties for processing and storage.

As Kommersant learned, the National Financial Market Council (NCFM), having discussed a bill on improving the legal framework for outsourcing information technology and the use of cloud services by financial organizations, sent a response to it. The document was submitted to the State Duma this summer (see Kommersant, July 25). According to bankers, the bill contains a provision that could prevent banks from accessing the ability to outsource information processing. As the head of the National Financial Markets Service Andrey Emelin explained to Kommersant, the document involves a ban on the transfer to a third-party company of information about the measures taken by the bank to combat money laundering and the financing of terrorism (AML/CFT).

“Information about the measures that banks apply within the framework of AML/CFT has not yet been required by any law to be allocated, and therefore it is collected and stored in a common file, from where the bank will not be able to isolate it, moreover, the company to which this information transferred for processing, he will also not be able to separate it from there,” explained Mr. Emelin. In his opinion, this norm is excessive and practically impossible to implement. “It will be cheaper for banks not to outsource the processing and storage of information at all than to rebuild all internal processes to highlight information about measures taken within the framework of AML/CFT,” says the head of the NSFR.

In addition, according to Andrey Emelin, although the text contains a clause stating that insurers are allowed to transfer personal data for processing and storage to third parties without additional consent of clients, other financial organizations are not mentioned in this context. As a result, the NSFR proposes to eliminate the ban on transferring information about AML/CFT measures to third parties, which is already contained in the relevant law, and add a provision that all financial organizations will be able to outsource the processing and storage of data without additional consent.

The head of the board of the Financial Innovations association, Roman Prokhorov, notes that, according to a Central Bank survey conducted last year, more than half of the financial market participants use outsourcing, the main areas being IT and cloud services. “Given the high cost of independent development of these areas for small credit institutions, outsourcing becomes the only option, which is why the Central Bank plans to give priority attention to these areas in terms of regulation,” emphasizes Mr. Prokhorov. The Bank of Russia, according to him, noted the risks of outsourcing associated with insufficient control on the part of credit institutions over the companies involved, while responsibility for compliance with the requirements of the legislation on bank secrecy and personal data is not transferred to outsourcers and remains with credit institutions.

According to the director of the technical department of RTM Group, Fedor Muzalevsky, today the share of outsourced processing and storage of information does not exceed 10%, if you do not take into account outsourcing created from the former IT department of the bank itself, or elements of a holding structure, like large banks. If we take into account “internal outsourcing”, the share can reach up to 50%.

As experts in the field of information security note, the law should encourage companies involved in processing and storing information to pay more attention to the organization of protection. According to Artem Sychev, advisor to the general director of Positive Technologies, the main difficulty of outsourcing is the contractor’s responsibility for the safety of information: “The purpose of the bill is to assign to the outsourcing company the same responsibility for the safety of bank secrecy that financial organizations now have.”

Maxim Builov