

ISO/IEC 27562 — Information technology — Security techniques — Privacy guidelines for fintech services [DRAFT]



“This document provides guidelines on privacy for fintech services. It identifies all relevant business models and roles in consumer-to-business relations as well as in business-to-business relations, privacy risks, and privacy requirements, which are related to fintech services. It provides privacy controls specific to fintech services to address the privacy risks, taking into consideration the legal context of the respective business role. The principles are based on the ones described in ISO/IEC 29100 and ISO/IEC 27701 and the privacy impact assessment framework described in ISO/IEC 29134 and ISO 31000. It also provides guidelines focusing on a set of privacy requirements for each stakeholder.”
[Source: SC27 Standing Document 11 (2021)]


The proposed 1st working draft stated:

    “Fintech refers to the use of ICT technologies across all financial service functions, for example banking, payments, insurance, etc.

    Fintech represents the next wave of innovation for the financial service sector. Strong authentication technologies, emerging decentralized technologies like blockchain, and analytical technologies for fraud detection and anti-money laundering compliance are changing digital financial services. Privacy aspects must be the top priority in order to build trust and confidence in fintech services and applications and to protect financial infrastructure and customers.

    AML (anti-money laundering) rules require the collection, processing and use of personal data as part of customer due diligence (KYC). Fraud detection requires transaction monitoring, behavioural monitoring, internal data sharing (including within a group), external data sharing (including with regulators and other financial institutions), data sharing for outsourced arrangements, and cross-border processing of data (especially for international payments). Consumers want to be able to control access to their information.

    This document should apply the privacy principles described in ISO/IEC 29100:2011 as a starting point. The privacy guideline is to use the existing work on privacy frameworks (including the NIST Privacy Framework, an enterprise risk management tool) and privacy impact assessment in ISO/IEC 29134:2017 to develop the guidelines.

    It will identify all relevant stakeholders and privacy risks which are related to fintech services. It also considers regulatory requirements, such as those from anti-money laundering and fraud detection.”


Scope of the standard

Privacy aspects for financial services’ IT.


Content of the standard


Status of the standard

A New Work Item was proposed and approved in January 2021.

It is at 1st Working Draft stage.


Personal notes

None yet.



Copyright © 2021 IsecT Ltd.