Identity-Centric Bank & Finance Regulations - Asia-Pacific

Aug 8, 2024
Adam Preis, Director, Product & Solution Marketing, Ping Identity

In Asia, Japan, and the Pacific (APJ), the heterogeneity of identity-centric bank and finance regulations distinguishes this region from the rest of the world. Given the many countries and diverse makeup of the region, the regulatory framework is more favorable to innovation, and identity plays a more central role in driving that progress.


Patricia Or and Vicky Cheng, Regulatory Affairs Specialists at Bloomberg, explain the distinctive nature of financial services regulation in the region:

With relatively young and technologically nimble demographics, the APAC financial services sector provides fertile ground for the adoption and testing of new technologies. Regulators across the region are keen to help lead the next phase of digital transformation in financial services through the development of safe but flexible regulatory regimes.

Thus, the regulatory landscape for digital identity and access management (IAM) in financial services varies throughout the APJ region. Whatever form they take, however, these regulations exist to enforce compliance and safeguard consumer data privacy as the industry grows increasingly digital.

Identity-Centric Regulations in Asia-Pacific

Regulations governing the activities of financial services providers in Asia, Japan, and the Pacific stem from national laws, international standards, and frameworks established by regional cooperation bodies. This creates a dynamic environment for providers operating in multiple countries, as they must achieve compliance with the distinct laws of each jurisdiction.

The following are some of the main regulations, frameworks, and government agencies that touch IAM and digital identity in the APJ region.

Consumer Data Right (CDR)

The Consumer Data Right (CDR) is a legislative, regulatory, and standards framework for consumer data portability in Australia.

It allows consumers to securely share their personal information with trusted third-party providers (TPPs) in banking and energy, known as Data Recipients. The purpose of the CDR is to provide convenience and better services for consumers. It gives individuals more control over when and how they share their personal data, helping them receive better offers and services personalized to them.

The Australian Treasury leads CDR policy and program delivery. It also works closely with the Office of the Australian Information Commissioner (OAIC) and the Australian Competition and Consumer Commission (ACCC), which enforce the policy and oversee compliance.

The CDR policy is obligatory for Australian banks and energy retailers with more than 10,000 customers, which are considered Data Holders. Consumers can opt into the framework, and Data Recipients can participate by getting accredited by the ACCC.

When consumers visit an accredited Data Recipient's website or application, they can consent to share their data with that recipient. The consumer is then prompted to verify their identity with their current Data Holder. Upon successful authentication, their data is securely made available to the Data Recipient via Financial-grade API (FAPI) secured interfaces. Data Recipients must offer users a summary of the data they have consented to share and allow them to withdraw that permission at any time.
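The flow above has four security-relevant controls: only accredited recipients can be granted consent, a release is limited to the data clusters the consumer actually agreed to, consents are time-boxed, and withdrawal must stop further sharing immediately. The following Python model, added here as an illustration and not code from the page, the CDR standards, or Ping Identity, shows a Data Holder enforcing all four. The scope names, the DataHolder and Consent classes, and the sample records are constructed for the example.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Data clusters a consumer can agree to share (constructed scope names, not the CDR standards' own).
KNOWN_SCOPES = {"accounts.basic:read", "transactions:read", "customer.basic:read"}


@dataclass
class Consent:
    consent_id: str
    consumer_id: str
    recipient_id: str
    scopes: frozenset[str]          # only these data clusters may be released
    expires_at: datetime            # consent is time-boxed, never open-ended
    withdrawn_at: datetime | None = None

    def active(self, now: datetime) -> bool:
        return self.withdrawn_at is None and now < self.expires_at


class DataHolder:
    """Bank-side consent registry and data-release gate (hypothetical class)."""

    MAX_DURATION = timedelta(days=365)

    def __init__(self, accredited: set[str], records: dict[str, dict[str, object]]):
        self.accredited = set(accredited)   # recipients accredited by the regulator
        self.records = records              # consumer_id -> scope -> data (constructed)
        self.consents: dict[str, Consent] = {}

    def grant(self, consumer_id: str, recipient_id: str, scopes: set[str],
              duration: timedelta, now: datetime) -> Consent:
        """Called only after the consumer has authenticated with the Data Holder."""
        if recipient_id not in self.accredited:
            raise PermissionError("recipient is not accredited")
        unknown = set(scopes) - KNOWN_SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        if not timedelta(0) < duration <= self.MAX_DURATION:
            raise ValueError("consent duration out of range")
        consent = Consent(secrets.token_urlsafe(16), consumer_id, recipient_id,
                          frozenset(scopes), now + duration)
        self.consents[consent.consent_id] = consent
        return consent

    def summary(self, consumer_id: str, now: datetime) -> list[dict[str, object]]:
        """Consumer-facing view: what is currently shared, with whom, and until when."""
        return [{"consent_id": c.consent_id, "recipient": c.recipient_id,
                 "scopes": sorted(c.scopes), "expires_at": c.expires_at.isoformat()}
                for c in self.consents.values()
                if c.consumer_id == consumer_id and c.active(now)]

    def withdraw(self, consumer_id: str, consent_id: str, now: datetime) -> bool:
        c = self.consents.get(consent_id)
        if c is None or c.consumer_id != consumer_id:
            return False    # only the granting consumer may withdraw; don't leak existence
        if c.withdrawn_at is None:
            c.withdrawn_at = now
        return True

    def release(self, consent_id: str, recipient_id: str, scope: str, now: datetime):
        """Every check that must pass before data leaves the Data Holder."""
        c = self.consents.get(consent_id)
        if c is None or c.recipient_id != recipient_id:
            raise PermissionError("no such consent for this recipient")
        if recipient_id not in self.accredited:
            raise PermissionError("recipient accreditation has been revoked")
        if not c.active(now):
            raise PermissionError("consent expired or withdrawn")
        if scope not in c.scopes:
            raise PermissionError(f"scope {scope!r} not covered by consent")
        return self.records[c.consumer_id][scope]


def run_flow() -> dict[str, object]:
    """Walk the consent lifecycle on constructed data and report each outcome."""
    now = datetime(2024, 8, 8, tzinfo=timezone.utc)
    holder = DataHolder(
        accredited={"recipient-A"},
        records={"consumer-1": {"accounts.basic:read": {"accounts": ["acct-0001"]},
                                "transactions:read": [{"id": "tx-1", "amount": "-12.50"}]}})
    consent = holder.grant("consumer-1", "recipient-A", {"accounts.basic:read"},
                           timedelta(days=90), now)
    shared = holder.release(consent.consent_id, "recipient-A", "accounts.basic:read", now)

    def denied(*args) -> bool:
        try:
            holder.release(*args)
            return False
        except PermissionError:
            return True

    out_of_scope = denied(consent.consent_id, "recipient-A", "transactions:read", now)
    active_before = len(holder.summary("consumer-1", now))
    later = now + timedelta(days=1)
    withdrawn = holder.withdraw("consumer-1", consent.consent_id, later)
    after_withdrawal = denied(consent.consent_id, "recipient-A", "accounts.basic:read", later)
    return {"shared": shared, "out_of_scope": out_of_scope, "active_before": active_before,
            "withdrawn": withdrawn, "after_withdrawal": after_withdrawal,
            "active_after": len(holder.summary("consumer-1", later))}


if __name__ == "__main__":
    for step, result in run_flow().items():
        print(f"{step}: {result}")
```

The point to notice is that release() re-checks accreditation, expiry, withdrawal and scope on every call rather than trusting a token issued at grant time; in a FAPI deployment the same checks sit behind the access token the Data Recipient presents, and revoking the consent must invalidate that token too.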

Risk Management in Technology (RMiT)

Risk Management in Technology (RMiT) is a policy released by the Bank Negara Malaysia (BNM), which also oversees its enforcement. The policy went into effect in January 2020. RMiT outlines the minimum regulatory standards financial service providers in Malaysia must meet regarding technology risk management.

The policy aims to encourage public confidence in the country's financial services and mitigate the risk of cybersecurity threats that could allow unauthorized access to consumer data.

RMiT applies to licensed banks, insurers, electronic money issuers, and payment system operators in Malaysia, among others. These providers must take the appropriate measures to keep customer information and IT systems secure, continuously assess their risk profiles, and implement dedicated programs for combating cybersecurity risks.

The BNM released an RMiT policy document in June 2023, providing further guidance and updates to the regulation. The document clarifies requirements and provides recommendations for access controls, password policies, and authentication mechanisms to prevent system vulnerabilities.

Data Transfer Rules

The Asia-Pacific Economic Cooperation (APEC) has a few systems in place relating to privacy protection of data transfers between different countries in the region. This includes the APEC Cross-Border Privacy Rules (CBPR) and the Privacy Recognition for Processors (PRP), which require participating businesses to abide by certain data privacy policies across jurisdictions.

However, an update to this framework is currently underway. Referred to as the Global Cross-Border Privacy Rules (CBPR) Framework, it will include countries outside of the APEC region, such as the United States, Canada, Mexico, and the United Kingdom.

The basis for the new framework is that the Internet has supported unprecedented connectivity between providers and consumers around the world, resulting in the necessary sharing of data across borders. The framework hopes to enable seamless cross-border data transfers to support commerce while upholding consumer data privacy to build trust in digital transactions.

Among other requirements, the Global CBPR Framework requires participating Members to implement reasonable security safeguards to protect data privacy and prevent its misuse. They must also clearly state the type of data they’re collecting and for what purpose and give consumers the choice to opt out of certain data collection and transfers.

National Digital ID (NDI)

The National Digital ID (NDI) in Singapore helps consumers and businesses more easily transact with the federal government and privately owned businesses. 

Singpass is the national digital identity scheme that was released in 2003 as part of the NDI initiative. Today, users can manage their digital identity and securely access online services by logging into the app. Specifically for financial services, the Singpass app supports one-tap access to Internet banking services and managing insurance policies, among other use cases.

To use the app, consumers must verify their identities using biometric authentication, a six-digit PIN, or multi-factor authentication. This helps to keep their private data secure and supports a passwordless environment.

Singpass also makes it more convenient to sign up for new services. Consumers can enter their personal information into the app once. Then, they can provide consent to digital and in-person service providers to retrieve the personal data required to fill out forms or paperwork.

Businesses like financial service providers can also use the app as an authentication gateway for customers. This prevents consumers from needing to remember individual credentials for each service provider, supporting a more seamless customer experience.

Personal Data Protection Act (PDPA)

The Personal Data Protection Act (PDPA) 2012 is a Singapore law that governs the collection and use of consumer information. This is the first piece of legislation of its kind in the country. The Act recognizes providers’ need to access and share personal data while also protecting individuals’ right to privacy.

Under the PDPA, companies must obtain consent from individuals to collect, use, or disclose their data. Consumers have the right to withdraw their consent at any time. Companies should also only collect and use data that a reasonable person would consider appropriate. In addition, providers need to employ security mechanisms to prevent unauthorized access to personal data.

Amendments that took effect in 2021 and 2022 updated the Act's requirements to include mandatory notification of consumers in the event of a data breach and increased financial penalties for noncompliance.

Another amendment surrounding data portability has yet to come into effect. However, it will require organizations to transfer any data specified by the consumer to the appropriate receiving organization.

Regulatory Themes in APJ to Keep in Mind

Despite the varied nature of identity-centric laws in APJ, a few underlying principles tend to influence the regulations in the region. Like the regulatory framework in other areas, such as the European Union, the United States, Canada, and the United Kingdom, laws and guidelines in the APJ region are designed to uphold financial market integrity and protect consumers.

However, the area also has a central focus on encouraging innovation, more so than other regions around the world. Many of the nations in APJ view modern fintech solutions as the key to offering better and fairer financial services to citizens, which many of the regulations in these countries reflect.

Regulations that create national identity schemes, like Singpass in Singapore, make it more convenient for consumers to sign up or log into online services and securely share their information with their chosen providers. Similarly, the CDR in Australia gives consumers more control over how and where their data is stored and transferred.

While these regulations are customer-centric and place digital identity at the center of financial services, providers must meet strict requirements regarding consent management, access controls, authentication mechanisms, and other cybersecurity standards to achieve compliance.

The Role of IAM in Streamlining Compliance

The APJ region is vast, and its flourishing financial services sector and citizens have benefited from its innovation-friendly regulations. However, as the space becomes more digital and consumer identities play a central role in financial services, providers must adhere to identity-centric requirements to ensure customer data remains private and secure.

To comply with such regulations and ensure a seamless customer experience, financial services providers in APJ can adopt a robust IAM solution, like that offered by the Ping Identity Platform.

Ping Identity supports compliance with the CDR, RMiT, the new Global CBPR Framework, NDI, and PDPA with features like consent management, granular access controls, strong user authentication mechanisms, and more.
