The Presidents / Chief Executives
All Banks / DFIs
Dear Sir / Madam
MAINTAINING FIDELITY AND SECRECY OF CUSTOMERS’ INFORMATION
Section 33A of the Banking Companies Ordinance, 1962, inter alia
, requires that bank / financial institution shall not divulge any information relating to the affairs of its customers except in circumstances in which it is, in accordance with law, practice and usage customary among bankers, necessary or appropriate for a bank to divulge such information.
2. It has, however, been observed that the above directives envisaged under the law are not being meticulously followed. The centralization of core banking systems of banks has now made customers’ data accessible across the bank. This access, however, needs to be suitably managed to ensure that only authorized officials access this confidential data for specified purposes. Instances of accessing customer related information by irrelevant bank officials and divulging of same to unauthorized persons have been noted. Such practices on part of banks / DFIs are not appropriate and have been viewed seriously.
3. Accordingly, all banks / DFIs are strictly advised to incorporate necessary controls, checks and balances in their policies and procedures to stop such practices and ensure meticulous compliance of Section 33A of the Banking Companies Ordinance, 1962 in letter and spirit.
4. In addition to above, the banks / DFIs are advised to take following additional measures:
The directives under Section 33A for safeguarding the customers information should be reinforced, and proper training / instructions should be provided to all staff members for not disclosing confidential information of customers to unauthorized persons.
The right to access of information pertaining to the customers account balance and other important information should only be available to the relevant bank official(s) on need basis, and in accordance with the approved authority, which should be properly documented.
In case of change in role or responsibilities of a staff member, all IT access rights no more required for new role should immediately be deleted, and any additional rights should be assigned through approved process. In addition, regular reviews of staff IT access rights should also be carried out to ensure that there are no anomalies.
The complete log of all the activities relating to viewing of account balances and / or account statements should be maintained for a certain period, as decided by the bank. Such logs should be regularly monitored by the senior management and reviewed by the internal audit to point out any irrelevant access to the customers’ information.
5. Any deviation from Section 33A including the above-mentioned instructions shall render the concerned bank / DFI and delinquent officials liable for penal action under the relevant provisions of the Banking Companies Ordinance, 1962.
Please acknowledge receipt.