Brazil: New data protection regulations for banks
The rules for banks in Brazil are changing, with new rules and regulations for such institutions to abide by. Ana Carolina Ferreira de Melo Brito, Rodrigo da Fonseca Chauvet, and Fabiana Cicchetto, from Trigueiro Fontes Advogados, discuss these developments and their impact.
The Brazilian Federation of Banks ('FEBRABAN') is the main entity representing the country's banking sector. It is a private nonprofit association with the objective of strengthening the financial system by representing its members in all spheres and with regard to the main stakeholders. Its declared missions are:
- improvement of the normative system;
- improvement of banking services; and
- reduction of the risk levels.
According to its website, among the 155 financial institutions operating in Brazil, 119 are members of FEBRABAN, accounting for 98% of the total assets and 97% of the equity of Brazilian banking institutions. These numbers show the relevance of its representation.
Established by FEBRABAN, the Bank Self-Regulation System ('SAB') is composed of the rules established by the banks themselves, for the purpose of creating a more favourable environment for the achievement of the four main principles that underpin the association's actions:
- ethics and legality;
- respect for consumers;
- efficient communication; and
- ongoing improvement of services.
By means of the SAB, banks establish voluntary conduct commitments that, together with other applicable rules, contribute to improving the functioning of the financial market and, more broadly, the nation's economy.
The normative and administrative body of the SAB is the Bank Self-Regulation Council, which is composed of 16 members, eight of them representing Signatory Financial Institutions ('the Sectorial Councilors') and the other eight representing civil society ('the Independent Councilors').
Since the approval of the Code of Ethical Conduct and Bank Self-Regulation ('the Code'), in 2008, there has been a significant expansion of the scope of the SAB, which has established complementary rules on themes related to the 'prevention and combat of money laundering and financing of terrorism' and 'socio-environmental responsibilities', among others. Besides the Code itself, to date 25 Standards have been approved and many decisions have been issued by the Self-Regulation Directorate and Self-Regulation Council, in harmony with governmental legislation.
Because of the high level of regulation, the banking sector has rigorous rules to be observed in banks' activities. The adoption of the Code serves the purpose not only of guiding the conduct of the members, but also of establishing uniform measures regarding effective competition and excellence of services. The observance of the Code is obligatory for all financial institutions associated with FEBRABAN.
The SAB reflects the public commitment to adopt the best practices in the market, including regarding privacy and treatment of customers' data. Inspired by international standards, a sectorial standard has been established with the goals of fostering healthy competition and protecting data subjects.
All the members of FEBRABAN must abide by the Bank Self-Regulation Standard 025/2021 ('SARB Standard 025/2021'), in force since 18 February 2022, which establishes minimum procedures regarding protection of personal data. Among these minimum requirements are the formulation and implementation of a privacy governance program ('the Program'), which specifies the minimum content that must be observed by all Brazilian financial institutions, namely:
- Privacy applies to all personal data treated by institutions. This means safeguarding not only the data of customers, but also the data of all other individuals that interact with the customers.
- Technical and administrative measures must be created to prevent damages resulting from security incidents, both accidental and illicit.
- Concepts of Privacy by Design and Privacy by Default must be followed in all banking services.
- Each banking institution must formally establish a plan for response to and remediation of security incidents.
- Policies must be adopted, maintained, and disclosed regarding compliance with the rules on data protection, including good market practices.
- Among these policies that must be adopted is a Policy on Information Security and Privacy and/or Protection of Personal Data.
- There must be formal adoption of a workflow for complying with the rights of data subjects.
- Educational actions for protection of data and information security must be created, involving not only training or instruction of employees and executives, but also adequate orientation to customers.
It is interesting to note that although as yet there are no regulations from the Brazilian data protection authority ('ANPD'), SARB Standard 25/2022 determines customers' right of portability, with disclosure to customers of all the personal data treated by the bank, upon request of the customer.
Another obligation that banking institutions must satisfy is the adequacy of contracts with their service providers and/or commercial partners that interact or can interact with consumers. This means amending all such contracts to include specific clauses on treatment of personal data, as well as training on serving persons considered vulnerable. This training must cover themes such as protection of data and preparation for fair, equitable, and nondiscriminatory treatment of people considered potentially vulnerable.
On the matter of potentially vulnerable people, Bank Self-Regulation Standards 024/2021 and 023/2021 establish the obligation to classify and manage risks and adopt measures for protection of the elderly and other vulnerable people. Vulnerable consumers are defined as people who, due to their personal condition, have less capacity of comprehension and discernment for analysis and decisions, or are unable to represent their own civil interests. The personal conditions that must be considered when evaluating the vulnerability of consumers are:
- existence of a physical or mental disability;
- existence of a grave disease (as defined in social security legislation);
- low schooling level;
- poor digital skills and/or maturity;
- youth or advanced age; and
- low income level.
The two Standards deal with sensitive data. According to Law No. 13.709 of 14 August 2018, the General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD'), such data can only be treated with the specific and highlighted written consent of the data subject, or for compliance with a legal or regulatory requirement of the bank. There must also be a guarantee against fraud and of the security of the data subjects, to safeguard their fundamental rights. It is therefore important for banking institutions to review their data mapping and their methods for evaluating the impact on data protection, and to update their legal authorisation and the risks involved in treating sensitive data.
With regard to interaction with data subjects, the members of FEBRABAN must appoint a data protection officer ('DPO'), and make available to the public at least one channel for response to data subjects. Until this obligation is regulated by the ANPD, we believe that the DPO can have foreign domicile, since there is no legal prohibition in this respect. However, in light of the functions and duties of the DPO and the rules that govern the theme, the DPO must be able to communicate in Portuguese and be familiar with Brazilian legislation to satisfy the minimum functions set by the LGPD.
Besides the standards set by the SAB described here, it should be noted that the Central Bank of Brazil ('BACEN') is evaluating the impact of the LGPD on its regulation and supervision of the financial and payment system. The BACEN is a federal entity, created in 1964[1] and linked to the Ministry of the Economy, responsible for regulating and overseeing the national financial system. In questions involving the LGPD, the BACEN advises data subjects to seek satisfaction through the response channels of the financial institution or consumer defence agencies. If the matter is not resolved, the BACEN will accept complaints from data subjects. It then forwards them to the relevant financial institutions, which are subject to regulatory sanctions imposed by the BACEN if they do not comply with the requirements for response to complaints. However, the ANPD is now operating, and can help data subjects who have not been treated fairly by data treatment agents (controllers or operators).
Further regarding response to data subjects who are also consumers, two points should be considered. The first is that, besides appointing a DPO, financial institutions must enroll in a platform[2] for interaction with their customers[3]. If they fail to obey this command, the banks can face administrative proceedings, possibly resulting in fines of up to BRL 10 million (approx. €1,892,000). The second is that attention should be paid to the recent Federal Decree 11,034 of April 5, 2022 ('the Decree'), which establishes new obligations for companies regulated by the executive branch, as is the case of banking institutions, and will take effect on October 2, 2022. Regarding the Decree, we highlight:
- obligation to establish a call centre, without prejudice to other interaction channels;
- obligation to maintain recordings of telephone conversations with consumers for at least 90 days;
- time limit for response of seven days to all complaints from consumers; and
- access to the history of the response to the consumer, within five days.
In our view, the self-regulation system of FEBRABAN is efficient and has applied suitable penalties when detecting irregularities[4]. In this sense, SARB Standard 21/2022 reiterates and adds to the requirements contained in the LGPD, prompting financial institutions to achieve, as soon as possible, international standards and better governance regarding data protection.
Nevertheless, banking institutions and firms in other regulated sectors need to pay close attention to the other rules, especially on protection of consumers. In particular, there are federal decrees that impose obligations and shorter time limits for responding to complaints by data subjects when they are considered consumers of products or services. Therefore, until new legislation is enacted or regulations are issued by the ANPD, financial institutions should be prepared to respond to data subjects at least within the time frame established in the LGPD. For this purpose, the institutions need to review their policies and procedures, so that they adequately guide responses to requests from consumers involving protection of personal data.
1. Law 4,595 of December 31, 1964. Only available in Portuguese at: http://www.planalto.gov.br/ccivil_03/leis/l4595.htm
3. GAB-SENACON/SENACON/MJSP Edict 12 of 5 April 2021. Only available in Portuguese at: https://www.in.gov.br/en/web/dou/-/portaria-gab-senacon/senacon/mjsp-n-12-de-5-de-abril-de-2021-312825057
4. The cases of administrative penalties applied to banks for irregularities in offering 'consigned' credit [loans with automatic installment repayment from salary or pension benefits, which have lower interest rates than regular personal loans] more than doubled in 2021 with respect to 2020 (from 247 to 585, an increase of 137%). The number of warnings also increased (from 134 in 2020 to 245 in 2021), as did the number of penalties prohibiting agents from acting in the name of banks (from 9 in 2020 to 26 in 2021). Only available in Portuguese at: https://economia.uol.com.br/noticias/redacao/2022/03/21/febraban-aplica-23-sancoes-por-fraudes-de-ofertas-de-consignados-em-janeiro.htm