I believe I know the response to the below but I want to double-check.
Here's the scenario:
Bank A has a subsidiary that has been sold to Bank B. If the information from the subsidiary that has been sold to Bank B is being stored (retained) and is segregated from Bank A's information, and Bank B allows Bank A to store the subsidiary's data:
1) Are there any regulations that would prevent Bank A (located in the US) from storing the data in one of its international databases? In other words, Bank A wants to move the former subsidiary's data (with Bank B's permission) to one of its overseas databases/storage facilities.
2) Are there any regulations that would not allow this?
Regards,
Kelly
Hi Kelly,
Let me paraphrase this back to make sure it's correct. You have "Super Bank", who sells its mortgage division to "Little Bank". Super Bank is retaining mortgage information in their databases, so they need to segregate the mortgage data from their investment banking group, who pools and securitizes mortgages, since they compete with the investment bankers at "Little Bank". Now Little Bank, not having a large IT footprint, asks "Super Bank" if they would mind keeping the mortgage data within their systems; they figure leave well enough alone, they know what they're doing, we'll just pay them a fee to store it for us. Now, to better segregate the mortgage data, Super Bank wants to move the mortgage information across the pond to their London data center.

If this is the scenario, the wonderful answer is "it depends". The crux of the answer lies in "what's the data". The biggest concern that I would raise is every financial institution's legal obligations to protect NPI and PII: Non-Public Information (NPI) and Personally Identifiable Information (PII). If this data contains information appearing on applications for obtaining financial services (credit card or loan applications), or on account histories (bank or credit card), or names, addresses, telephone numbers, Social Security numbers, PINs, passwords, account numbers, salaries, medical information, and account balances, it's regulated. And you have to be careful, as NPI is a very broad brush and covers lots of data. PII is more specific, and applies to any piece of information that can be used to uniquely identify, contact or locate a single person. A single piece of medical information, contained in employee records for example, can fall under HIPAA privacy rules, etc. You read all too often about financial institutions losing a backup tape in transit which contained millions of account numbers.

This should be considered especially if shipping hard drives or tapes, but also, even if transporting the data across a wire, encryption should probably be used to secure the data. Another consideration is that once the data lands in another country it may become subject to more stringent data protection laws; in Europe, for example, the Data Protection Act has a higher level of security standards than most of the world. There are lots of possibilities to be explored, but a lot of it depends on the business aspects of the information.
Good Luck,
Peter
October 2008
