FINMA: Making Sense of Client Identifying Data (CID)

Data Privacy

In 2013, the Swiss Financial Market Supervisory Authority (FINMA) finalized a version of an Operational Risk at Banks Circular. It sets requirements for managing operational risk and preserving the confidentiality of private clients. In addition, it contains a new Annex 3, with principles around handling electronic client data and the risk involved with banking relationships in or out of Switzerland. The circular was implemented and enforced on January 1, 2015.

Why is Client Identifying Data (CID) Significant?

The Operational Risk Circular focuses on financial institutions in Switzerland responsible for maintaining bank-client confidentiality and data integrity concerning privacy, access limitation, and transfer of specific data.

Regarding client identifying data (CID), the rulings force banks to categorize electronic client data. This first requires organizations to determine client-identifying data which is any data that can show the identification of a client or their relation to a financial institution, like a credit card number or date of birth.

According to the Federal Act on Data Protection, Article 3, there are three kinds of CID:

Direct CID

All identifiers that allow for direct identification include personal identification, company identification, electronic identification, and Physical address.

  • name
  • email
  • social media ID’s
  • company name
  • signature

Indirect CID

Data that allows identification of a client only when combined with other pieces of information, including Customer identifiers, career data, and Personal IDs.

  • Credit Cards numbers
  • Tax ID, SSN
  • Passport ID
  • Account number
  • Safe Deposit number
  • User ID/Passwords
  • IP Address

Potential Indirect Client Identifying Data

Data that allows identification of a client only when combined with other pieces of information and other unique circumstances, including birth details, family details, personal relationship details, and living situations.

  • birth year
  • age
  • gender
  • nationality
  • zip code
  • credit rating
  • club memberships

Organizations are required to take on the practice of classifying client-identifying data at higher levels of confidentiality and protection.

BigID inventories all personal data across the entire IT landscape to achieve these initial data privacy and protection steps. In addition, BigID discovery methods cover several types of data — ranging from the discovery of data assets to the discovery of CID through full detailed scans. BigID’s data discovery capabilities allow organizations to inventory, map, classify, and align data to regulatory policies, specifically FINMA regulatory policy.

The Challenge of CID Compliance

CID compliance comes with stringent requirements and, according to the principles within the regulation, holds c-level management responsible for managing operational privacy risks. The principles require that financial institutions take a standardized approach to data management with IT infrastructure in place to identify, limit and monitor risks correctly.

Here are the specific challenges:

  • Data Discovery & Governance: Identifying, classifying, and cataloging all direct, indirect, and potential CID across all applications and systems.
  • CID Regulatory Risk: Handling indirect CID and potential CID can lead to combinations that could be identifiers, making that data risky.
  • Data Growth & Ownership: There needs to be an established framework for protecting the confidentiality of data, which requires an independent supervisory entity that is tasked with managing the internal and external processing of electronic customer data.
  • Cross-Border Data Transfer: All CIDs from Switzerland must be assigned as Swiss data residency data across files and objects. Which also requires the management of data flows and enforcing data residency requirements.

Taking Access to Zero Trust for CID Compliance

Some of the strictest requirements for data protection relates to the access level of CID’s. Client data needs to be protected during the entire data lifecycle through organizational and technological measures of protection at all times:

  • Raising security requirements for privileged and underprivileged users
  • Access policies, controls and processes to ensure correct access rights
  • Limiting electronic and physical access to client data
  • Deletion of data based on legal prohibition, retention, and minimization
  • Implement confidentiality and data protection standards for external third parties (outsourcing, partnerships) that have access to client data.
  • An organization must also monitor the data usage of third parties and enforce how CID should be managed and protected.

FINMA CID vs. GDPR Personal Data Standards

The specifications of FINMA regulation on CIDs are similar to GDPR data privacy standards on personal and sensitive data – and data considered identifiable data, whether direct or indirect.

Article 9 of GDPR has a unique requirement for “special categories of personal data” that indirectly reveal a consumer, which is prohibited as certain conditions must be met for the data to be processed.

GDPR Personal Data & Identifiers:

  • PII (Personal Identifiable Information): name, phone number, social security numbers, alien registration numbers, or driver’s license numbers, location data, IP Address
  • Special Categories: Genetic data, Biometrics, Religious, Ethnic/Racial, Political Affiliations

Due to similar nuances between FINMA CID & GDPR data, implementing an equivalent data privacy and protection strategy for both regulations will ensure compliance.

How BigID Helps with Client Identifying Data (CID)

BigID enables organizations to meet and manage Client Identifying Data requirements with an automated, scalable approach to discover, classify, and collect personal information that falls within the scope of CID. With BigID, organizations get:

  • Targeted Data Discovery: The FINMA regulates customer identifiers whether direct or indirect. BigID helps to build a comprehensive data inventory to discover, map and classify CID related data to better prepare for regulatory audits.
  • Accurate Classification: With exact value matching, BigID graph based technology can identify and classify CIDs in any data environment like email, shared drives, databases, data lakes, and more.
  • ML-based Data Access Management: For full compliance with FINMA, BigID helps mitigate risk with significant open-access requirements to remediate file access violations on CID’s across all data environments.
  • Validated Data Transfers: Create policies and assign Swiss residency to data sources and individuals data to enforce data residency requirements, monitor and alert on cross border data transfers.
  • Effective Remediation: BigID helps to define the remediation action related to CID data to provide audit records with integration to ticketing systems like Jira for seamless remediation workflows.

Can you meet the expectations of FINMA’s ruling? See how BigID helps organizations find critical customer identifiers, limit or restrict access to CID data, and remediate with audit records to stay compliant with Switzerland’s changing privacy regulations. Get a 1:1 demo with data privacy experts.