Financial Information and Services Security
Comparison of the United States and Taiwan
Author: Jou Ting Wu
Professor: Prof. Andrea Matwyshyn
Timeline
Financial information
USA
- The Glass-Steagall Act
  * passed in 1933
  * by the 1980s, the banking industry had been seeking to repeal it
- The Gramm-Leach-Bliley Act (GLBA)
  * passed in 1999
  * requires companies defined under the law as financial institutions to ensure the security and confidentiality of this type of information
Taiwan
- Protection of Computer Processed Personal Data
  * passed in 1995
  * enacted in order to join the WTO
  * refers to Directive 95/46/EC, the predecessor of the GDPR (General Data Protection Regulation)
  * did not apply to every industry, and plaintiffs almost always lost their lawsuits
- Personal Data Protection Act
  * passed in 2010
  * covers every kind of personal data, including both computer-processed and paper-processed personal data
Personal data in a bank: Collection, Processing, Use
Bank itself:
- Personal Data Protection Act
  * collection: Article 8
  * processing and use: Article 9
Non-government agency:
- collection and processing: Article 19
- use: Article 20
Government agency:
- collection and processing: Article 15
- use: Article 16
Report to the Investigation Bureau of the Ministry of Justice:
Money Laundering Control Act
- transactions equal to or above the applicable designated threshold: Article 9
- economic crimes: Article 10
Key deficiencies:
- Lack of Oversight by the Head Office
- Lack of Compliance Expertise
- Conflicts of Interest
- Poor Internal Controls
- Suspicious Activities Involving Mega Bank’s Panama Branches
- Failure to Conduct Adequate Customer Due Diligence
Conclusion
- fined $180 million for violations of anti-money-laundering laws
- required to establish effective compliance controls
- required to retain an independent monitor for two years
Time:
- 19 August 2016
NYDFS:
- New York State Department of Financial Services
- responsible for regulating financial services and products, including those subject to the New York insurance, banking and financial services laws
Mega Bank:
- Mega International Commercial Bank
- a Taiwan-based international financial institution
Chief Information Security Officer (CISO)
USA
The GLBA Safeguards Rule: Article 314 Paragraph (a)
- 2003
  * the financial institution's information security program
  * the financial institution must also designate an employee or employees to coordinate the information security program
- 2021
  * the designated individual need only be “qualified”; no particular level of education, experience, or certification is prescribed by the Rule
  * financial institutions may designate any qualified individual who is appropriate for their business; only if the complexity or size of their information systems requires the services of an expert do they need one
  * this individual was referenced in the Proposed Rule as a Chief Information Security Officer or “CISO”
Taiwan
Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries: Article 38-1
- 2021
  * banking businesses shall assign a manager ranked vice president or above, or an individual with equivalent powers, to serve concurrently as the chief information security officer
  * the CISO shall oversee the implementation and coordination of the information security policy and resource allocation
  * banking businesses shall set up a dedicated information security office and appoint its chief officer, who shall not be appointed to other information posts or to tasks with a conflict of interest, and shall arrange suitable workforce and equipment
Resources
Professor’s reading materials on syllabus
GLBA:
https://www.ftc.gov/business-guidance/resources/financial-institutions-customer-information-complying-safeguards-rule
CFPB:
https://www.consumerfinance.gov/about-us/newsroom/cfpb-outlines-principles-consumer-authorized-financial-data-sharing-and-aggregation/
Personal Data Protection Act:
https://law.moj.gov.tw/ENG/LawClass/LawAll.aspx?pcode=I0050021
https://www.megabank.com.tw/en-us/english/index/personal-data-protection-act/privacy-statement
Money Laundering Control Act:
https://law.moj.gov.tw/ENG/LawClass/LawAll.aspx?pcode=G0380131
DFS fined Mega Bank $180 Million Case:
https://www.dfs.ny.gov/reports_and_publications/press_releases/pr1608191
Third Party Company in the U.S.:
https://www.ftc.gov/business-guidance/resources/financial-institutions-customer-information-complying-safeguards-rule
CISO:
- in the U.S.:
https://www.federalregister.gov/documents/2021/12/09/2021-25736/standards-for-safeguarding-customer-information
- in Taiwan:
https://law.moj.gov.tw/ENG/LawClass/LawAll.aspx?pcode=G0380218