Establish, implement, and maintain a Customer Information Management program.


CONTROL ID
00084
CONTROL TYPE
Data and Information Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Privacy protection for information and data, CC ID: 00008

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain a customer due diligence program., CC ID: 13618
  • Define and assign the data controller's data quality roles and responsibilities., CC ID: 00085
  • Establish, implement, and maintain customer data authentication procedures., CC ID: 13187
  • Check that restricted data is complete., CC ID: 00090
  • Keep restricted data up-to-date and valid., CC ID: 00091
  • Maintain restricted data in a form that does not permit the identification of data subjects for longer than the processing purpose., CC ID: 00092


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Although the controls in this section only cover consumer data, AIs should consider implementing such controls, where appropriate, to protect customer data other than consumer data. (Annex D. ¶ 4, Hong Kong Monetary Authority Customer Data Protection, 14 October 2014)
  • Based on the strict confidentiality of customer information, financial institutions must define the person responsible for the management, management method, and procedures related to customer data handling, and conduct the appropriate management. (P69.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • implementing classified management of personal information; (Article 51 ¶ 1(2), Personal Information Protection Law of the People's Republic of China)
  • The Data Processing Center is responsible to ensure personal data that is being processed is regularly updated, relevant, and not excessive by reviewing the register of the Criminal Records Office, the register of pending criminal proceedings at the Ministry of Justice, and other police data banks. … (§ 54.3, § 54.4, Italy Personal Data Protection Code)
  • The data controller must ensure that personal data is kept up to date and incomplete, incorrect, and irrelevant personal data is corrected or erased. (Art 16.2, Belgian Law of 8 December 1992 on the protection of privacy in relation to the processing of persona, Unofficial English Translation November 2008)
  • Unless lawfully erased, personal data must be stored in a way that allows the exercise of the right of access. (Art 4.6, ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data)
  • Firms must identify their customers and, where applicable, their beneficial owners, and then verify their identities. Firms must also understand the purpose and intended nature of the customer's relationship with the firm and collect information about the customer and, where relevant, beneficial own… (3.2.4 ¶ 1, Financial Crime Guide: A Firm’s Guide to Countering Financial Crime Risks, Release 11)
  • Firms should note that CDD measures also apply when contacting an existing customer as part of any legal duty in the course of a calendar year for the purpose of reviewing information which is relevant to the risk assessment of the customer, and relates to beneficial ownership of the customer. (3.2.4 ¶ 2, Financial Crime Guide: A Firm’s Guide to Countering Financial Crime Risks, Release 11)
  • CDD measures must also include taking reasonable steps to understand the ownership and control structure of a customer where the customer is a legal person, trust, company, foundation or similar legal arrangement. (3.2.4 ¶ 4, Financial Crime Guide: A Firm’s Guide to Countering Financial Crime Risks, Release 11)
  • An essential part of information assurance is proper control over the availability and integrity of personal information, which must be available when needed and be of sufficient quality. The organization should be able to trace changes to personal information. The organization must maintain proper … (The IAO in Context ¶ 6, Guidance on the DHR Mandatory Role: Information Asset Owner, March 2009)
  • Sensitive data: abiding by COPPA, and handling user data such as financial information, Social Security numbers, and medical information (TC-IM-220a.1. 6.6, Internet Media & Services Sustainability Accounting Standard, Version 2018-10)
  • Sensitive data: abiding by COPPA, and handling user data such as financial information, Social Security numbers, and medical information (TC-SI-220a.1. 6.6, Software & IT Services Sustainability Accounting Standard, Version 2018-10)
  • Sensitive data: abiding by COPPA, and handling customer data such as financial information, Social Security numbers, and medical information (TC-TL-220a.1. 6.6, Telecommunication Services Sustainability Accounting Standard, Version 2018-10)
  • Test, survey, or other data used in marketing communications should be valid and reliable and produced in accepted research practices. Any claims made should not take the data out of context or distort the data. (§ M4.1, Canadian Marketing Association Code of Ethics and Standards of Practice)
  • Personal data that is not included, inaccurate, incomplete, or disagrees with the true situation of the data subject must be included, corrected, updated, supplemented, or cancelled, as appropriate. (Art 40 ¶ 3, Tlaxcala Law on Access to Public Information and Personal Data Protection)
  • Personal data systems in the possession of public entities must be governed by a data quality principle. This means that all collected data must be true, pertinent, and proper, and must not exceed the purpose and environment for which it was collected. Data must be always updated to reflect the data subject'… (Art 5, The Personal Data Protection Law for the Federal District (Mexico City))
  • Ensure additional protection methods for sensitive personal information that is retained. (§ V.B.4, AICPA Red Flag Rule Identity Theft Prevention Program, November 1, 2009)
  • The organization should ensure the privacy policies state that personal information stored by the organization is only as accurate and complete as the information provided by the individual and provide information on how to contact the organization if personal information is incorrect. (ID 9.1.1, AICPA/CICA Privacy Framework)
  • The entity maintains accurate, complete, and relevant personal information for the purposes identified in the privacy notice. (Generally Accepted Privacy Principles and Criteria § 9.0, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should notify individuals that they are responsible for providing accurate and complete personal information. (Table Ref 9.1.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • General rule. A licensee establishes a customer relationship at the time the licensee and the consumer enter into a continuing relationship. (Section 5.C(1), Privacy of Consumer Financial and Health Information Regulation, NAIC MDL-672, Q2 2017)
  • Assesses the sufficiency of policies, procedures, customer information systems and other safeguards in place to control risks. (Section 6 ¶ 1.C., Standards for Safeguarding Customer Information Model Regulation, NAIC MDL-673, April 2002)
  • If a person requests a consumer report and the request has an address substantially different than the address in the consumer's report file, the consumer reporting agency must notify the requester of this discrepancy. (§ 315, Fair and Accurate Credit Transactions Act of 2003 (FACT Act))
  • If a person requests a consumer report and the request has an address substantially different than the address in the consumer's report file, the consumer reporting agency must notify the requester of this discrepancy. If the user of a credit report has an ongoing relationship with the consumer repo… (§ 605(h), Fair Credit Reporting Act (FCRA), July 30, 2004)
  • Federal agencies may not enter into a contract with a data broker in order to access any fee-based database that consists primarily of personally identifiable information about United States persons (other than telephone directories or news reports), unless the head of the agency or department adopt… (§ 403(b)(2)(E), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress)
  • Are there written security procedures for accepting membership applications electronically? (IT - Web Site Review Q 11, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • customer data privacy; (§ 500.03 Cybersecurity Policy (k), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • customer data privacy; (§ 500.3 Cybersecurity Policy (k), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)