Recommendations for banks and NFIs: preventing leakage of customer data via email
The Bank of Russia issued recommendations for banks and non-bank financial institutions (NFIs) advising on how to verify whether an email address belongs to the customer to whom they send an email containing confidential information (e.g. payment data, account statements, OSAGO e-policies, etc.). This is communicated in the regulator’s information letter sent to credit and non-bank financial institutions.
Such checks will help counter fraudulent schemes which use ‘stolen’ or incorrect email addresses of real customers in order to, for instance, forge payment orders or steal important data. Also, it will prevent cases where strangers gain access to confidential data of bank and NFI customers.
Primarily, banks and NFIs are advised to check whether the phone number they have in the database belongs to the customer to whom they intend to send a message, and to make sure that the email address to which they plan to send a letter does not coincide with email addresses of other customers. After that, it is suggested that they send a unique link for verification to the customer’s email and a text message with a password that allows following the link. Additionally, to protect information from an automated password or phone number mining, a graphic code is used.
If they follow the Bank of Russia’s recommendations, credit and non-bank financial institutions will raise protection of personal data of their customers and the security of their money.