Financial institutions will have to verify the proper identification of borrowers requesting the deposit of pre-approved loans through electronic channels. This measure is aimed at reinforcing security standards. Moreover, banks are required to monitor and control, at a minimum, the main contact details provided by the borrower and check that they have not changed.
Information must then be validated using positive identification techniques, making financial institutions more responsible for detecting social engineering.
Only after verification will the financial institution inform borrowers, through all the means of contact available, that the loan has been pre-approved and that funds will be deposited over the following 48 business hours. The funds may be credited earlier if the financial institution receives the borrower’s acceptance of the loan.
All pre-approved loans carried out through electronic channels—automated teller machines (ATMs), self-service terminals, and mobile and online banking—must also be subject to control.
Bank account penetration reached 91% of the adult population in December 2020. This figure is very positive: more than 31 million people have at least one bank account, which lets them use financial services during the social distancing stage.
This new control is in line with the “Minimum Requirements for the Management, Implementation and Control of Risks Related to Information Technology, Information Systems and Associated Resources for Financial Institutions”.
The regulation lays down practices and requirements for financial institutions related to the control of technology and information security risks. In particular, the security management of electronic channels entails compliance with minimum regulatory requirements as follows:
• Awareness and Training: Process related to dissemination, training and education about security practices for internal and external clients aimed at preventing, detecting, and correcting security incidents in electronic channels.
• Access Control: Process related to the assessment, development, and implementation of security measures for identity protection, authentication mechanisms, segregation of roles and functions, among other characteristics connected with the access to electronic channels by internal and external users.
• Integrity and Registry: Process related to the use of control techniques to ensure the integrity and registry of data and transactions, and to the management of sensitive information in electronic channels, as well as techniques for traceability and verification. This process includes, but is not limited to, transactions, audit trails, and validation schemes.
• Monitoring and Control: Process related to the collection, analysis, and control of events in case of failure, unavailability, intrusion, and other situations that may affect the services provided through electronic channels and potentially damage the infrastructure and information.
• Incident Management: Process related to the treatment, detection, assessment and containment of, and response to, security events and incidents in electronic channels, as well as escalation activities and correction of the technical and operating environment.
July 1, 2021.