On May 9, the Consumer Rights Protection Bureau of the China Banking Regulatory Commission issued a notice: in March 2020, CITIC Bank provided a customer's personal bank account transaction details to a third party without the customer's authorization, violating the principle of depositor confidentiality. In accordance with the principle that suspected violations of laws and regulations must be investigated, an investigation procedure against China CITIC Bank will be initiated under the relevant laws and regulations, and the matter will be investigated and dealt with strictly in accordance with the law.

Can someone's bank statements be "pulled" simply by paying for them? What loopholes in personal information protection still exist at financial institutions such as banks, and how should they be closed? Xinhua News Agency reporters launched an investigation.


Reporter experience: paying to "pull bank flow" records is partly real and partly a scam

The reporter's survey found that on some online platforms, personal "bank flow" (transaction record) information is currently on sale at prices ranging from 600 yuan to 5,000 yuan, with query periods from 1 month to 12 months; the longer the period, the higher the price. The buyer needs only to provide the ID number of the person being looked up.

A QQ seller named "Yang Da" told reporters that, among the various kinds of personal information on sale, financial information such as "bank flow" is the most valuable. He said that everyone in this business must have "someone" inside financial institutions such as banks.

A reporter's search of the China Judgment Documents Network found that it is not uncommon for bank "insiders" to take part in reselling personal financial information: Tang Moumou, an employee of the Bank of China Wuxi Branch, took advantage of his position to illegally provide to others by email more than 50,000 pieces of personal information that the bank had obtained in the course of providing services; Shen Moumou, former president of the Yuyao City Construction Sub-branch of CCB, provided a total of 127 pieces of loan customers' property information handled by the bank to others for use in soliciting business.

The reporter also found that, since most sellers demand "payment first, query afterwards", many so-called "detective companies" use this arrangement to swindle money.

A seller calling itself "Yumong Private Detective Company" quoted the reporter a price of 600 yuan, claiming it could look up the records of a customer of a joint-stock bank. After the reporter paid part of the deposit, the seller said the transaction records would be sent in about 40 minutes. About 25 minutes later, the reporter found that the seller had blocked him.


Personal financial information protection loopholes still exist in banks

It is understood that the relevant departments have discovered and reported a large number of information-system and security-supervision vulnerabilities in key industries such as finance, and have caught more than 3,000 suspected violations across various industries. However, the reporter's investigation found that hidden dangers still exist at financial institutions such as banks that deserve vigilance.

—— Retaining user information in order to "pull customers" and "pad performance" has become an "unspoken rule" at some banks. Xiao Zhang, a front-line teller at a rural credit cooperative in Zhejiang, told reporters that only front-line tellers at the bank have the authority to query customer transaction records and similar information; other employees need joint authorization to run a query, and the system automatically records a trace.

"But if a president-level leader asks to query and export a customer's account in the name of business needs, it is often difficult for the teller to refuse. In some banks it is no secret that, to 'court big customers', staff help them privately pull other people's transaction records," Xiao Zhang said.

—— Weaknesses in banks' internal controls have let user information flow into the "black market". Ms. Zhou, who once worked as a front-line teller at a bank in Guangzhou, revealed that tellers at her bank could freely check customers' transaction records for the past six months without any authorization.
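The control Xiao Zhang describes (tellers query alone, everyone else needs joint authorization, every query leaves a trace) and the weakness Ms. Zhou describes (no authorization at all) can be made concrete. The following is an added illustration, not code from the article or from any bank: it enforces the joint-authorization rule, writes an audit trace for every attempt, and runs a simple check over that trace for one employee touching an implausible number of customers' records. All names, roles and the sample trace are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class QueryRequest:
    requester: str          # employee id of the person asking
    role: str               # "teller" or a non-teller role such as "manager"
    customer_id: str        # ID number of the account whose flow is requested
    co_approver: str = ""   # second employee for joint authorization, if any

def authorize_query(req, trace):
    """Decide one transaction-flow query and append a trace entry either way.
    Rule as the article describes it: a first-line teller may query alone;
    any other role needs joint authorization from a *different* employee."""
    if req.role == "teller":
        allowed, reason = True, "teller authority"
    elif req.co_approver and req.co_approver != req.requester:
        allowed, reason = True, "joint authorization by " + req.co_approver
    else:
        allowed, reason = False, "non-teller query without joint authorization"
    trace.append({"requester": req.requester, "role": req.role,
                  "customer": req.customer_id, "allowed": allowed, "reason": reason})
    return allowed

def flag_bulk_access(trace, max_customers=20):
    """Requesters whose allowed queries covered more distinct customers than
    the threshold: the pattern behind the wholesale resale cases above."""
    seen = defaultdict(set)
    for entry in trace:
        if entry["allowed"]:
            seen[entry["requester"]].add(entry["customer"])
    return sorted(r for r, ids in seen.items() if len(ids) > max_customers)

def build_sample_trace():
    """Constructed sample, not real data: a teller serving three customers,
    a manager denied once for lack of a co-approver, then the same manager
    getting 25 accounts rubber-stamped by one teller."""
    trace = []
    for i in range(3):
        authorize_query(QueryRequest("teller-01", "teller", f"ID{i:03d}"), trace)
    authorize_query(QueryRequest("mgr-07", "manager", "ID900"), trace)
    for i in range(25):
        authorize_query(QueryRequest("mgr-07", "manager", f"ID{i:03d}",
                                     co_approver="teller-01"), trace)
    return trace

if __name__ == "__main__":
    print(flag_bulk_access(build_sample_trace()))  # ['mgr-07']
```

The denied attempt is kept in the trace on purpose: repeated refusals from one requester are the record a compliance reviewer would want when a teller is being pressured to export accounts.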

The reporter also learned that some banks currently give insufficient protection to paper materials recording customer information, and failure to destroy them in time, or uncontrolled outflows, sometimes occur. For materials that have been moved "to the cloud", the risk of information leakage has also risen sharply because operating standards are poorly implemented and supervision is inadequate.

A former business manager at a telemarketing center of Shanghai Pudong Development Bank illegally obtained and stored a large amount of customer personal information during his tenure, all of which flowed into the hands of telecom fraud gangs.

—— Some banking apps are suspected of demanding excessive permissions, raising the risk of information leakage. The reporter randomly tested a number of banking apps and found that many of them "induce" users, to varying degrees, to authorize access to phone information, and that users who do not agree to the privacy terms cannot continue using the app. Among them, the apps of China CITIC Bank, Industrial and Commercial Bank of China and others prompt users to agree to read call logs and call management, photos, media content and files, and to obtain location information and other data, or the related functions will be unavailable. Such authorization is "granted once, valid long-term": when the app is used later, the system no longer prompts for authorization.

Zang Lei, a senior researcher at the International Center for the Rule of Law at Beijing Normal University, said that under the relevant national standards, the minimum set of permissions a financial lending app may obtain is storage permission. Institutions should follow the principle of minimal permission requests as far as possible, and should try not to let permissions other than storage affect users' access to the app's key functions.

A staff member in a bank's risk-control department told reporters that most banking apps currently involve technology-outsourcing partners. Although background and security considerations are taken into account when selecting partners, the risk that employees of partner companies leak information is still considerable.

"At present, many bank employees rely on their professional ethics to protect user information," Ms. Zhou said.


Strengthening protection urgently requires both "law + technology"

How can personal-information security loopholes at financial institutions such as banks be plugged? A staff member at a provincial branch of the People's Bank of China suggested that banks with serious problems should be held legally accountable, not merely "handled internally".

Experts said that China currently has some laws, regulations and regulatory documents covering criminal protection, internal-control protection and technical specifications for personal financial information, and that relevant legislation is still in progress.

In February, the central bank and the National Financial Standardization Technical Committee issued a technical specification for the protection of personal financial information, setting out regulatory requirements for how financial institutions protect such information. The "Trial Measures for the Protection of Personal Financial Information (Data)" will also be formally released to the public after the consultation period ends.

The People's Bank of China's Implementation Measures for the Protection of Financial Consumer Rights and Interests (Draft for Comment), released in December 2019, requires financial institutions to establish and improve consumer financial information protection mechanisms.

In May 2017, the "two supremes" (the Supreme People's Court and the Supreme People's Procuratorate) issued a judicial interpretation on handling criminal cases of infringement of citizens' personal information. Illegally obtaining, selling or providing more than 50 pieces of property information constitutes "serious circumstances" in the crime of "infringing citizens' personal information", punishable by up to three years' imprisonment or criminal detention, together with a fine or a fine alone.

Wang Qinghua, director of the Digital Economy and Law Research Center at the Law School of Beijing Normal University, said that the current civil-remedy mechanism for personal information infringement still focuses on compensating actual losses, which makes it hard to impose strong legal constraints on intentional infringers. It is recommended that a minimum compensation amount be set for illegally disclosing others' information and intentionally infringing others' information rights, and that punishment be increased.

Liu Chunquan, a lawyer at Shanghai Duan and Duan Law Firm, suggested that banks be urged to screen for possible leakage points across the whole process of managing personal financial information, from collection, transmission and maintenance to trace-keeping, at both the bank itself and its third-party partner companies; to update security monitoring technologies such as firewalls, identity authentication systems and digital signatures; and to regulate insiders' operations so as to guard against leaks or malicious theft.

(Original title: "Should the 'vulnerability' of personal financial information in these banks be blocked?")