Security, Risk Management, and Data Confidentiality
Note: this document is a reference from the Scheme Business Rules. Please refer to the Mojaloop Business Docs for more information and context.
1.1 Confidentiality and Protection of Personal Information
- Confidential Information of the Scheme that is disclosed to Participants will be held in confidence by Participants and will be used only for the purposes permitted by the Rules. Scheme Confidential Information may include proprietary technology and other matters designated by the Scheme.
- Transaction data will not be owned by the Scheme and will be owned by a Participant as it relates to its Customer's Transactions.
- The confidentiality of Transaction data and any Personal Information processed in the Platform will be protected by the Scheme and Participants according to Applicable Law.
- Statistics or data which identify a Participant, or from which the Participant may be identified, will not be disclosed to other Participants. The Scheme may prepare for internal use, and disclose to third parties for promotional purposes, statistics based on aggregate, anonymized data as permitted by Applicable Law.
- The Scheme will make disclosures of Confidential Information to comply with Applicable Law or the directive of a Regulatory Authority.
- The Scheme will protect Personal Information in its possession or under its control from misuse and otherwise treat such information in accordance with Applicable Law protecting privacy of individuals.
- The Scheme will maintain industry leading security measures to protect information from unauthorized access and use.
- Participants will notify the Scheme, and acknowledge that the Scheme may notify other Participants, of any Security Incident in the systems or premises of the Participant, its affiliated entities or any third-party vendor engaged by the Participant to provide services in support of the Participant's participation in the Scheme.
- The Scheme may conduct investigations into Security Incidents. Participants will cooperate fully and promptly with the investigation. Such investigations will be at the expense of the affected Participant.
- The Scheme may require a Participant to conduct investigations of Security Incidents and may require that such investigations be conducted by qualified independent security auditors acceptable to the Scheme.
- The Scheme may impose conditions of continued participation on the affected Participant regarding remedy of the causes of the Security Incident and ongoing security measures.
- The investigation and report, as well as any remedies that may be required, will be held confidential to the extent permitted by Applicable Law.
1.2 Risk Management Policies
This section assumes that the risk management policies of the Scheme and its Participants will evolve over time. It contemplates that some of these policies will (eventually) be stated in the Rules, while others will not.
- Risk management policies and procedures may be stated in the Rules, in Associated Documents, or in other written policy documents created by the Scheme and distributed to Participants.
- Risk management policies and procedures will cover fiscal soundness, system integrity, compliance with Applicable Law (particularly Anti-Money Laundering/Combatting Terrorism Financing measures), privacy of personal information, and data security.
- Risk management functions include procedures applicable to Participants for the monitoring of risks, including reporting requirements and audits.
1.3 Business Continuity
- Provisions to ensure business continuity on the part of the Scheme, its vendors, and Participants.
Appendix: Risk Management, Security, Privacy, and Service Standards
Schemes may or may not want to specify standards or require that Participants comply with other established standards. Schemes may furthermore specify different standards for different categories of Participants. The list below is given purely as an example.
Participants must adhere to the following practices of service quality, security, data privacy and customer service as they apply to a Participant in connection with the Scheme.
- Participants will establish a risk management framework for identifying, assessing and controlling risks relative to their use of the Scheme.
- Participants will ensure that the systems, applications and network that support the use of the Scheme are designed and developed securely.
- Participants will implement processes to securely manage all systems and operations that support the use of the Scheme.
- Participants will implement processes to ensure that systems used for the Scheme are secure from unauthorized intrusion or misuse.
- Participants will implement processes to ensure the authentication of their customers in creating and approving transactions that use the Scheme.
- Participants will develop effective business continuity and contingency plans.
- Participants will manage technical and business operations to allow timely responses to API calls received from the Scheme Platform or from other Participants via the Scheme Platform.
- Participants will establish written agreements governing their relationship with agents, processors, and other entities providing outsourced services that pertain to the Scheme.
- Participants will develop policies and processes for ongoing management and oversight of staff, agents, processors, and other entities providing outsourced services that pertain to the Scheme.
- Participants will ensure that customers are provided with clear, prominent, and timely information regarding fees and terms and conditions with respect to services using the Scheme.
- Participants will develop and publish customer service policies and procedures with respect to services using the Scheme.
- Participants will provide an appropriate mechanism for customers to address questions and problems. Participants will specify how disputes can be resolved if internal resolution fails.
- Participants will comply with good practices and Applicable Laws governing customer data privacy.
- Participants will ensure that Customers are provided with clear, prominent, and timely information regarding their data privacy practices.