The Central Bank implemented Resolution No. 6, which addresses data sharing to combat fraud in the financial sector, generating debates about compliance with the Data Protection Law
By Patricia Peck and Leandro Bissoli, DPO, founding partner and partner at Peck Advogados respectively
From November 1st, a new determination by the Central Bank (Bacen) intends to be an ally in the journey towards a culture of greater security in transactions. On this day, BACEN Joint Resolution No. 6, published together with the National Monetary Council (CMN), comes into force. The document establishes criteria for “sharing data and information on signs of fraud to be observed by financial, payment institutions and other institutions authorized to operate by Bacen”.
This sharing must be carried out through an electronic system that includes the recording of data and information on signs of occurrences or attempts of fraud identified by institutions in their activities; the alteration and deletion of recorded data and information; and the consultation of recorded data and information.
“Banks, fintechs, credit and payment companies are one of the main targets of cybercriminals in the country. The manipulation of images to try to impersonate another person, including deepfake, facial identity and document fraud, are some of the tactics used in the application of scams to obtain unauthorized access to banking applications, so at this point Bacen resolution 06 will be beneficial in helping to combat fraud”, says Dr. Patricia Peck, lawyer specializing in Digital Law, CEO and founding partner of Peck Advogados. Last year alone, the estimated losses resulting from fraud were R$2.5 billion in the national financial system.
“As soon as it comes into force, institutions authorized by the BC to carry out financial activities must share information on signs of fraud among themselves, with the aim of increasing the visibility of other players in this market on profiles that indicate a greater propensity for risk in commercial operations”, adds Leandro Bissoli, partner at Peck Advogados.
But for the specialist in Digital Law, “on the issue of Open Banking, for example, if I already have the premise that that customer is a customer of the financial system based on legal obligation and that there would already be exceptions to consent under articles 7 and 11 of the LGPD, why now bring consent to enter the anti-fraud database required by Bacen?”, asks Leandro Bissoli, partner at Peck Advogados.
It is at this point that Dr. Patricia Peck sees how part of the resolution may be in disagreement with the General Data Protection Law (LGPD).
Regarding the use of data, Joint Resolution No. 6 provides for the need to comply with applicable data protection legislation when sharing data and information for the purposes of preventing and combating fraud (art. 2, § 6 and art. 3 of the Resolution). According to the General Personal Data Protection Law, the processing of personal data can be justified by the legal hypotheses of exception to consent (art. 7 and art. 11 of the LGPD). The legal basis for fraud prevention is expressly provided for as justification for the processing of sensitive personal data in processes of identification and authentication of registration in electronic systems (art. 11, II, g of the LGPD).
In this sense, Joint Resolution No. 6 goes against the LGPD, by providing that the sharing of data and information to prevent fraud is justified by prior and general consent. “The ideal would have been harmonization with the LGPD, taking advantage of compliance with the principle of transparency (prior notice, awareness, provided for in article 6, paragraph 6), and the application of the exception of consent to compliance with a legal obligation, without the need for consent, which brings an additional burden, not even foreseen by the LGPD”, highlights the lawyer specializing in Digital Law.
However, given the above purpose, the CEO and founding partner of Peck Advogados envisages, in this context, a hypothesis of exception to the LGPD's own principle of data minimization (art. 6): combating fraud requires a large volume of historical data and qualitative criteria to determine misconduct, requiring continuous and permanent processing of such data and information.
To resolve the incompatibility, Dr. Patricia Peck indicates that institutions must keep at the disposal of Bacen documentation and information related to the electronic sharing system and the shared data, as well as records and information on monitoring and control mechanisms, as they must make every effort to conduct their activities in compliance with current legislation and regulations, safeguarding the duty of secrecy, the protection of personal data and free competition.
“Institutions need to be ready to face new technological challenges and adopt practices that reinforce their internal controls, thus strengthening their cyber resilience as well as ensuring the protection of their assets and the interests of their stakeholders”, he warns.
Source: Gazette of the Week