Russia: Data Protection in the Financial Sector
1. Governing Texts
Please note that some of the Russian Government's websites are not working, therefore some of the hyperlinks to Government departments and official documents may not be available at the moment.
The core provisions on data protection in the Russian Federation are contained in Articles 23 and 24 of the Constitution of the Russian Federation of 12 December 1993, by virtue of which every individual is entitled to privacy, the inviolability of their personal and family life, and the protection of their honour and reputation. Information on an individual's private life should not be collected, stored, used, or disseminated without their consent. Therefore, it follows that an individual's consent is an implied prerequisite for personal data processing.
Specific laws in the field of personal data include:
- Federal Law of 27 July 2006 No. 152-FZ on Personal Data (as amended) (available in Russian here; an unofficial English version as of 2019 is available here) ('the Law on Personal Data'); and
- the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108').
The Law on Personal Data is the general basis for personal data processing and protection and is applicable to any procedures performed with data in the financial sector. It is the main legislation that should be taken into account by financial sector participants as well as by relevant state authorities.
In the financial sector, disclosure of information related to accounts, transactions, and the deposits of bank clients is expressly prohibited (subject to exceptions set out by law) under Article 26 of the Federal Law of 2 December 1990 No. 395-1 on Banks and Banking Activity ('the Law on Banking Activity').
1.2. Supervisory authorities
The Russian authority in the field of personal data is the Federal Service for Supervision of Communications, Information Technology and Mass Media ('Roskomnadzor'). The authorities involved in data protection in the financial sector are:
- the Government of the Russian Federation ('the Government');
- the Central Bank of the Russian Federation ('the Central Bank'); and
- the Ministry of Digital Development, Communications, and Mass Media ('Minsvyaz').
The Prosecution Service of the Russian Federation, the Russian Ministry of Internal Affairs, the Investigative Committee of the Russian Federation, the Federal Antimonopoly Service, the Federal Financial Monitoring Service ('Rosfinmonitoring'), the Federal Tax Service, and the Federal Customs Service are also involved in data processing in the financial sector to the extent they process personal data to investigate crimes and offences (both committed and contemplated).
2. Personal and Financial Data Management
2.1. Legal basis for processing
Supervising authorities have general access to data processed within the financial sector. This access is premised upon an exemption under Article 6 of the Law on Personal Data. This exemption states that the data subject's consent is not required when the processing of personal data is necessary for the fulfilment of the operator's functions, rights, and duties provided by Russian law. Since most legislation in the financial sector directly (by mentioning personal data) or indirectly (by listing information which cumulatively amounts to personal data) establishes the operator's obligation to liaise with state authorities to provide the latter with client data, there is no need to obtain the data subjects' separate consents for such procedures.
Additionally, the Law on Personal Data stipulates that the data subject's separate consent is not required where there is an agreement between the data operator and the data subject, and the processing of personal data is necessary for the fulfilment of an obligation under such agreement. Accordingly, given that activities in the financial sector are usually governed by contractual relations, data operators are not obliged to obtain additional consent for personal data processing on general grounds. However, it should be noted that there are exceptions with regard to sensitive data, biometric data, and the cross-border transfer of data. Furthermore, there are specific rules related to banking secrecy that take precedence in relation to the banking sector. These rules are established in the Law on Banking Activity and the Civil Code of the Russian Federation of 30 November 1994 No. 51-FZ (as amended) (only available in Russian here) ('the Civil Code') and are mainly focused on the grounds for banking data disclosure, the entities involved, and the circumstances under which the data may be disclosed. Moreover, banking legislation also includes information security standards, as elaborated by the Central Bank, related to technical measures of personal data protection.
Article 18.1 of the Law on Personal Data provides that the operators of personal data must have a policy in relation to the processing of personal data, and procedures aimed at preventing and detecting violations. The operator should publish or otherwise provide unrestricted access to such policy.
Information security requirements are set out under Federal Law of 27 June 2011 No. 161-FZ on the National Payment System (only available in Russian here) ('the Law on National Payment System'), Federal Law of 27 July 2006 No. 149-FZ on Information, Information Technologies, and Protection of Information (as amended) (only available in Russian here) ('the Law on Information') and a number of standards and recommendations of the Central Bank.
Basel III is implemented in Russia by the Central Bank.
No retention period specifically applicable to personal financial data is stipulated in legislation; each type of document is kept for the period prescribed by Decree No. 236 of the Federal Archival Agency of 20 December 2019 (only available in Russian here). Having said that, for the most part, documents that may contain personal financial data shall be retained for a period of five years.
Any anti-money laundering ('AML') activities and those with regard to combating the financing of terrorism ('CFT') are exempt from personal data protection legislation, and data subject consent is not required.
Russian Federal Law of 7 August 2001 No. 115-FZ on Combating the Legalisation (Laundering) of Criminal Proceeds and Financing of Terrorism (only available in Russian here) ('the AML Law') obligates data operators to provide Rosfinmonitoring with any data it demands. The AML Law explicitly states that data disclosure in accordance with the law neither constitutes a breach of labour, banking, tax, commercial secrecy, or communication secrecy law (with regard to monetary transfers), nor a breach of personal data legislation (Article 9 of the AML Law).
Notably, Federal Law of 28 June 2014 No. 173-FZ on Peculiarities of Implementing Financial Operations with Foreign Citizens and Legal Entities, on Introducing Changes to the Russian Federation Administrative Offence Code and Invalidating Certain Provisions of Legal Acts of the Russian Federation (only available in Russian here), became effective on 30 June 2014. In substance, no breach of Russian laws on data protection shall occur as a result of Russian banks' compliance with the US Foreign Account Tax Compliance Act of 2010 ('FATCA') rules.
Information on operations, accounts, and bank deposits of a bank's clients, as well as of clients of other credit organisations, providers of compulsory deposit insurance, and counteragents, constitutes banking secrets (Article 26 of the Law on Banking Activity).
The Civil Code also adds client data to the list of information constituting banking secrets.
Not only are all employees obliged to maintain the secrecy of such data, but also auditors and other entities (including the recently established Banking Sector Consolidation Fund) that come across banking secrets in the course of the performance of their obligations are required to maintain the confidentiality of the data.
The following entities may request disclosure of information on operations and accounts of legal entities/individually owned private businesses:
- legal entities and individual entrepreneurs per se (voluntarily);
- courts and arbitration courts;
- the Accounts Chamber of the Russian Federation;
- tax authorities;
- the Pension Fund of the Russian Federation;
- the Fund of Social Insurance of the Russian Federation;
- enforcement authorities;
- providers of compulsory deposit insurance in the case of an insured event; and
- pre-trial investigative bodies (if approved by the head of the investigative authority).
The list of entities that may request data on the accounts and deposits of individuals is more restricted and includes:
- individuals per se (voluntarily);
- enforcement authorities;
- providers of compulsory deposit insurance in the case of an insured event; and
- pre-trial investigative bodies (if approved by the head of the investigative authority).
The secrets of individual entrepreneurs, as well as the banking secrets of individuals, may also be disclosed to investigative authorities on the basis of a court decision in cases where there is information on crimes being prepared or committed, as well as on the individuals involved, but there is insufficient evidence for an indictment.
Moreover, banking data may also be disclosed in compliance with other legal acts of the Russian Federation, including the Federal Law of 25 December 2008 No. 273-FZ on Combating Corruption (only available in Russian here) (to ascertain the income, expenditure, assets, and material obligations of individuals holding public posts), legislation on currency regulation and control, customs legislation, and the Russian Tax Code (only available in Russian here).
The Central Bank may disclose the banking data that became known to it from reports submitted to corresponding supervising foreign banks in the course of inter-state exchanges.
A breach of banking secrecy entails civil, administrative, and criminal liability. Under the Civil Code, the client may claim damages.
The Code of 30 December 2001 No. 195-FZ on Administrative Offences (as amended) (only available in Russian here) ('the Code of Administrative Offences') establishes administrative liability in the amount of RUB 5,000 to RUB 10,000 (approx. €57 to €115) for individuals; from RUB 40,000 to RUB 50,000 (approx. €460 to €575) or disqualification for up to three years for officials, and from RUB 100,000 to RUB 200,000 (approx. €1,150 to €2,300) for legal entities. The offending party may also face criminal liability, with the form of punishment depending on the type of indicted crime.
There are no industry-specific regulations applicable to personal data processing and protection in the insurance sector. The Civil Code establishes 'insurance secrecy' which covers data related to the health and matrimonial status of an insured person and of any beneficiary.
The activities of payment service providers are regulated by the Law on National Payment System and by-laws adopted by the Central Bank and the Government. The Law on National Payment System regulates the procedure concerning the provision of payment services and determines the requirements for the organisation and functioning of payment systems.
Financial institutions, as well as other parties who operate with personal data or who have access to personal data, shall not disclose to third parties nor distribute personal data without the data subject's consent unless otherwise provided by law.
In this respect, the Law on Personal Data provides several exemptions where the data subject's consent is not necessary:
- the processing of personal data is carried out in connection with the involvement of a person in constitutional, civil, administrative, criminal, or arbitration court proceedings;
- the processing of personal data is necessary for the execution of a judicial act or an act of another body or official;
- the processing of personal data is necessary for the fulfilment of government authorities and operator functions, rights, and duties under Russian law; and
- when the processing of personal data is necessary for the performance of a contract to which the data subject is a party, beneficiary, or surety, as well as for the conclusion of a contract initiated by the data subject or of a contract under which the data subject will be the beneficiary or surety, etc.
In cases of unlawful processing of personal data carried out by the operator, the operator shall stop the unlawful processing of personal data or, if impossible, ensure the legality of the processing of personal data. In addition, the operator, within a period not exceeding ten working days from the date of unlawful processing of personal data, shall delete such personal data.
The operator shall notify the data subject or his/her representative about the elimination of the violations or the deletion of the personal data, and also Roskomnadzor (if Roskomnadzor made a request in relation to the breach).
The main requirements for data protection in the financial technology ('fintech') sector are also prescribed by the Law on Personal Data, the Law on Information, and by-laws adopted by the Central Bank and competent public authorities. These laws set forth that, when collecting personal data through the Internet, the operator is obliged to record, systematise, accumulate, store, clarify (update, change), and extract the personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation (with some exceptions).
A bank (or other parties who are obliged to ensure bank secrecy) shall pay upon the demand of the client all damages arising from the disclosure of bank secrecy.
According to the Code of Administrative Offences and the Criminal Code of the Russian Federation of 13 June 1996 No. 64-FZ (as amended) (only available in Russian here) ('the Criminal Code'), the officials of the party responsible for disclosure may receive an administrative fine ranging from RUB 40,000 to RUB 50,000 (approx. €460 to €575) or a criminal punishment (depending on the type of indicted crime, the penalty may be a fine, deprivation of the right to hold certain positions, correctional or compulsory labour, or imprisonment).
Violation of the AML legislation by institutions engaged in operations with monetary funds or other property may entail a recall (cancellation) of the institution's licence.
Furthermore, depending on the type of violation, the institution or its officials may face administrative liability (fines, suspension of activities, and/or disqualification) or criminal liability (only for officials, in the form of a fine and/or imprisonment).
Personal data protection
The operator of personal data shall pay damages including for moral harm caused to the data subject by the violation of his/her rights, and for the violation of the rules for personal data processing established by law.
Depending on the type of violation the operator of personal data or its officials may face administrative (fines) or criminal liability (only for officials who may be deprived of the right to hold certain positions, or be subjected to correctional or compulsory labour, or imprisonment).
11. Additional Areas of Interest
Assignment and transfer to the National Bureau of Credit Histories
When assigning monetary claims to a third party (e.g. to collectors or to another bank) the assignor may be bound to transfer information containing banking secrecy and/or personal data.
The transfer of personal data to an assignee is explicitly legitimate, but a transfer of information containing banking secrets is not. There is some positive court practice (see, for example, the Presidium of the Supreme Commercial Court ('VAS') Letter No. 146 (only available in Russian here)), which, however, conflicts with the position of the Russian Federal Service for Surveillance on Consumer Rights Protection and Human Wellbeing ('Rospotrebnadzor') that assignees are not explicitly listed in the Civil Code and the Law on Banking Activity as persons to whom such information can be transferred. Article 47 of the Federal Law of 16 July 1998 No. 102-FZ on Mortgages (only available in Russian here), and Article 12 of the Law of 21 December 2013 No. 353-FZ on Retail Credit (only available in Russian here) provide that the assignee shall not disclose information containing banking secrecy which became known to the assignee as a result of the assignment. This implies that such a transfer of information containing banking secrets is legitimate; however, the Civil Code and the Law on Banking Activity still do not list assignees as persons to whom such information may be transferred. Despite this, the risk seems insignificant.
Moreover, credit institutions shall transfer information on the credit performance of Russian consumers, including information on their delinquencies on loans together with their passport details, to the National Bureau of Credit Histories. Such information therefore contains both banking secrets and personal data. Russian law and an explanatory statement provided by the Central Bank provide that such a transfer of restricted information is legitimate, and borrowers cannot revoke their consent to this transfer of personal data.