The risks of transferring personal data of cellular subscribers to banks are named: fraudsters will win

“The regulator needs customers to be identified as correctly as possible”

The Central Bank of the Russian Federation advocated the transfer of confidential information about subscribers of mobile operators to banks. To do this, it is planned to create a single state system that will act as a large-scale repository, accumulating this information, processing it and sharing it with credit organizations. So far, there are more risks than potential benefits in the project. It seems that it increases the vulnerability of ordinary citizens to all sorts of scammers, experts warn.

The history of the issue goes back to 2018. Then a draft amendment on the exchange of data between telecom operators and banks was submitted to the State Duma by a group of deputies. The initiative did not get past the first reading in 2019, and last year the authorities returned to finalize it – against the backdrop of an explosive growth in Internet fraud and cyberattacks. The current version of the bill deals only with technical information about SIM cards and mobile devices. The regulator proposes to oblige operators to transfer to the EIS PSA system (Unified information system for checking information about the subscriber; under development), including personal data of subscribers.

What is the main purpose of the bill? Among other things, according to the authors, with the help of the EIS PSA, banks will be able to identify users of financial services by phone numbers. This will avoid fraudulent activities using gray SIM cards. The idea is under discussion, and it is highly likely that its consideration in the State Duma will be postponed until the fall. The operators themselves and the FSB are against it, arguing their position with the risks of unauthorized access to important information. According to opponents, it will be easier for hackers to pick up the keys to a single system.

Another important circumstance. Previously, it was assumed that the UIS PSA would become only a gateway through which banks would be able to identify subscribers. However, the new version of the project stipulates that the operator (it is the Main Radio Frequency Center subordinate to Roskomnadzor) will store and process data, which creates an additional threat to their security. The experts interviewed by MK differed in their views on this ambiguous situation.

“The motives of the Central Bank are clear: the regulator needs banks to identify clients as correctly as possible,” said Artem Deev, head of the analytical department at Amarkets. – This is necessary in order to more accurately determine the senders and recipients of transactions. Ideally, all these measures are designed to help the state in the fight against various illegal phenomena, such as money laundering, terrorist financing, and the like. So overall, it’s a good start.”

According to the authors of the bill, technical information about SIM cards and mobile devices is clearly not enough to successfully solve the problems of financial control and monitoring. Moreover, Deev recalls that until now at a number of commuter train stations you can meet people distributing anonymous SIM cards for free. Of course, uploading personal data to the EIS PSA will affect the technical side of the issue: more extensive storages, more advanced protection mechanisms will be needed. And, what is there, the likelihood of a leak will also increase.

“But the truth is that today everyone and sundry collects personal data: from the housing office to online stores. In fact, the only real problem is visible here: such an array of data will allow banks to impose their services on subscribers to an even greater extent than now,” Deev argues.

Since the system is not designed as a gateway, but involves the storage and processing of the received information, it will be necessary to create an expensive, cumbersome, and therefore vulnerable infrastructure. Accordingly, the risks of illegal actions will increase many times over, which will cross out all hypothetical benefits, believes Mikhail Belyaev, candidate of economic sciences, financial analyst. Fraudsters will receive an additional channel of access to personal data. The financial security of citizens will be under threat, and it is precisely the interests of ordinary people, and not commercial structures, that must be observed in this case. As for telecom operators, it is frankly unprofitable for them to share confidential information, and through a new, still untested system, it is also unsafe.

We add that now cellular operators exchange information with banks about registering customers’ SIM cards (or changing a mobile device) on a paid basis. And it is possible that a single operator will want to conduct independent commercial activities, receiving “remuneration” from banks for providing information about subscribers.