Data application compliance scheme of a joint-stock bank
(I) Basic facts and legal service needs
Big data precision marketing is an important way for financial institutions to promote, upgrade and transform their business. It refers to the process of building a set of user portraits on the basis of big data analysis, associating the identification tags in those portraits with the identification information of Internet users, accurately locating users, and pushing information about goods or services to them. However, with the promulgation of the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law, and especially the Measures for the Implementation of the Protection of the Rights and Interests of Financial Consumers promulgated by the People's Bank of China and the China Banking and Insurance Regulatory Commission, higher requirements have been placed on the data compliance of financial institutions from the perspective of industry supervision.
Given the government's strict regulatory stance on data security, a joint-stock bank that was cooperating with Baidu on big data marketing activities engaged the handling lawyer to issue a special legal opinion and to formulate a data application compliance plan tailored to the characteristics of the bank.
(II) Lawyer's work content and process
After accepting the bank's engagement, the handling lawyers mainly carried out the following work:
1. Help banks accurately define business compliance nodes
Through business exchange meetings with the bank and its partners, the five compliance nodes involved in this business were identified: information collection and entrusted processing; data analysis; the link between user portrait and identification information; and marketing information push.
2. Collection and assessment of internal and external legal risk environment information
For the external risk environment, the handling lawyer collected information through investigation, interviews and questionnaires, including but not limited to: the business model and characteristics of the financial industry; the laws and policies of the industry, their changes and current hot issues; the relevant regulatory systems, institutions, policies and their implementation; and the compliance of enterprises in the industry with laws and regulatory requirements.
For the internal risk environment, the handling lawyer collected information relating to the enterprise and the law through investigation, interviews and questionnaires, including but not limited to: relevant legal disputes and legal risk events that have occurred in the enterprise; specific events and background information in the enterprise's internal and external legal environment that may give rise to risk; changes to the laws and regulations corresponding to each risk event; the enterprise's control over risk events; and the causes, consequences and scope of each risk event.
3. Analysis and demonstration of legal risk and compliance risk
Based on the results of the previous stage, the identified legal risks were analyzed qualitatively and quantitatively, covering both the likelihood of each legal risk and the degree of its impact, to support the formulation of the business compliance plan.
4. Drafting the specific compliance plan
(1) Define the protection scope of personal financial information.
(2) Build rules for collecting personal information. The principles governing collection shall be made clear: consumer financial information shall be collected from legal channels in accordance with the principles of legality, legitimacy and necessity, and the principle of informed consent shall be strictly implemented. The handling lawyer shall assist the bank in improving its personal privacy protection policy.
(3) Where a third party is entrusted to process data, the handling lawyer drafts the agreement with the data processor. The agreement specifies the purpose, scope and processing method agreed to by the data receiver and the data security protection measures it will take, sets out the data security responsibilities and obligations of both parties by contract, and provides for supervision of the data receiver's data processing activities.
(4) In accordance with the requirements of the Information Security Technology - Personal Information Security Specification, implemented on October 1, 2020, the handling lawyer suggested that the indirect user portrait scheme be strictly applied to the data analysis and use in this business.
(5) In the big data marketing segment, for personalized advertising push, it is suggested that the bank inform users before any "targeted push", in accordance with the provisions of the E-Commerce Law and the Information Security Technology - Personal Information Security Specification, and provide a convenient way to turn off and reject information push.
(6) The compliance plan also helped the bank further improve its protection measures for personal financial information and financial consumer rights, helping the bank raise its service level while achieving business compliance.
[Summary]: Against a background of strict supervision of finance, data security, anti-unfair competition and other areas, banks seek to balance the convenience and security of financial goods (services) in their operations, and their demand for data compliance and competition compliance is especially evident. Legal service providers should study in depth the legal environment and customer needs of emerging business areas in order to provide accurate and efficient legal services for enterprises.