Protecting our customers’ personal data and privacy is a top priority at UOB and essential to maintaining their trust in us. We are committed to meeting industry best practices and complying with the Personal Data Protection Act of Singapore. Banks such as UOB and other financial institutions host important and sensitive information about customers and trust in such institutions can be quickly eroded in the event of a breach. In addition, with the behavioural shift toward digital channels, it is imperative to have robust security controls in place.
How we approach this topic
Data privacy
We have policies and processes in place to ensure the confidentiality and security of our customers’ information, including our Personal Data Protection Policy. In tandem with rising international data privacy standards, we also conduct regular reviews on our policies and processes to ensure that our data processing evolves in line with applicable data privacy laws.
Line data protection officers at functional and business levels in Singapore and locally appointed officers at overseas locations ensure that personal data is safeguarded. These officers report to the Franchise Data Protection Officers in Singapore, who in turn report to the Group Operational Risk Management Committee. Our line data protection officers ensure compliance with local regulations and Group requirements, assisting in the investigation of alleged breaches as and when required. Group Operational Risk Management and the Data Protection Office review any incidents and corresponding action plans are developed by the business and support units. Significant incidents are escalated to relevant senior management committees.
UOB’s Enterprise Data Governance and Data Quality team governs the data life cycle from creation, transformation, consumption to eventual deletion. This function brings together subject-matter experts from across UOB to focus on the continuous improvement of data health, powered by innovations in processes and technology. Data privacy impact assessments are integral to our business and product development process to ensure that data protection is embedded in the services we provide and in every aspect of our operations.
We respect our customers’ preferences regarding the receipt of marketing information and will seek customer consent to receive telemarketing calls. Customers may also withdraw their consent at any time. We facilitate our customers’ requests to access and to correct their personal data through various channels such as mail, email or at our branches.
Information on our approach to privacy and data protection and contact details for our Data Protection Officers are available on our website. Our UOB Privacy Notice is also available online and at all branches in Singapore.
Information security
We use technology to provide a borderless, reliable and efficient service, and are committed to protecting our customers’ and the Bank’s data and assets from cybersecurity threats. The Group Technology Risk Management Framework and IT Security Management Policy outline our cybersecurity policies, guidelines and tools to protect our data and assets. These ensure that cybersecurity risks are identified and managed in a consistent way across the Group.
The Group Technology Risk Management Framework also incorporates comprehensive control requirements set out by key regulators in the Asia Pacific. Our dedicated Security Operations Centre specialists monitor, detect and respond to potential cybersecurity risks and threats. We also continually upgrade our security capabilities to respond to the evolving threat landscape by partnering leading cybersecurity providers and enhancing our security technology. Recognising that everyone plays a role in data protection and cybersecurity defence, we regularly train our people on information security and cybersecurity risks.
Our targets
Protect and secure the Bank’s and customers’ information by continually deepening our cyber security capabilities to counter threats and to address an evolving security landscape.
Create strong cyber and information security awareness with a “security is everyone’s responsibility” mindset and maintain 100 per cent completion rate for employee security training.
Our performance in 2019
In 2019, there were no legal proceedings taken against UOB in respect of any data privacy breach, nor any fine or other sanction imposed on the Bank by the Singapore Personal Data Protection Commission (PDPC). We worked with the PDPC to address concerns about use of personal data raised by our customers. During the year, 11 incidents were referred to us by the PDPC, of which one valid complaint was identified, which was addressed and resolved.
We continue to develop our cybersecurity capabilities and to enhance our operating models to strengthen our defences and to keep pace with the dynamic threat landscape. Through these efforts, we contribute to the security and stability of the financial system and trust in the banking environment. As we advance our digital capabilities, we remain committed to increasing our investments in our cyber resilience and security. In 2019, the Group had no material security incidents to report and 100 per cent of employees completed the security training module.
Partnership for the Goals
UOB, in collaboration with MAS and other financial industry partners, has actively contributed to creating a framework known as Veritas, which aims to promote the responsible adoption of ethical best practices when employing artificial intelligence and data analytics. Further, UOB is one of two banks in Singapore that are working in conjunction with the MAS and an established global artificial intelligence service provider to develop end-to-end methodologies and operating processes around the Veritas framework. On the information security front, UOB collaborates with ABS and participates in the Financial Services Information Sharing and Analysis Center (FS-ISAC) to strengthen the industry’s collective defence against cyber attacks by sharing information on potential threats and best practices with our industry peers.
CONTRIBUTION TO THE UN SDGs
Ethical use of data
The drive for the ethical use of data is quickly gaining momentum; thought-leaders, industry experts and data practitioners have recently produced guidelines and publications highlighting its importance. With the advent of artificial intelligence and data analytics, UOB has embarked on its own journey of responsible and ethical use of data across its businesses. In 2019, a new Enterprise Data Ethics team was formed to ensure the responsible use of data in line with UOB’s values, with advisory and technical support from our customer advocates, data governance specialists, legal officers and data scientists to drive ethical behaviour across our data community. The principles of Fairness, Ethics, Accountability and Transparency (FEAT) as envisioned by MAS – coupled with UOB’s values and Code of Conduct – are embedded in our modelling and analytics processes. We have developed a balanced operating model and operationalised it across the Three Lines of Defence to provide robust challenge as well as assurance in the ethical handling of data and its outcomes.
The importance of data quality for data security
Quality data is critical for efficient decision-making at the highest levels. Our regional data quality initiatives not only provide assurance to the regulators, senior management and risk professionals; they also ensure that accurate and timely data can be obtained for analysis and reporting. Our Data Quality Centre of Excellence, which was formalised in 2019, actively pursues enterprise data quality concerns, dives deep into the associated data management and technical processes, determines the root cause of data quality gaps and collaboratively drives long-term, preventive resolutions across our complex data management landscape.
Secure cross-border data sharing
In 2019, a framework and guidelines were put in place to govern cross-border transfers of personal data between UOB Group companies worldwide. Enabling responsible and secure cross-border data sharing is of key importance to UOB. Our cross-functional group comprising experts from across the data, risk and business domains has developed guidelines, procedures and processes to guide all data users in responsible cross-border data sharing. This has significantly improved the communications and assignment of responsibilities in cross-border data sharing practices, taking into account the complex regional regulatory and data privacy landscape, as well as internal business confidentiality aspects.
Promoting awareness of information security
We keep our people informed of developments and share best practices with them through our intranet. We also conduct activities such as anti-phishing exercises, password strength assessments and internal cybersecurity training to raise awareness and to test our employees’ vigilance and understanding. In 2020, we will broaden our security awareness initiatives to include tailored role-based training programmes for selected high-risk employee groups.
To raise our customers’ awareness of cybersecurity so they can also help protect themselves from cyber attacks, we provide them with regular updates on cybersecurity tips and threats via our website, social media channels, electronic mailers, text messages and mobile apps. In addition, our UOB BIBPlus customers can download security software to improve the security of their online banking experience.
Preventative actions we have taken against phishing
Enhanced monitoring for suspicious access patterns
End-user browser updates to warn of phishing sites
Monitoring of re-directed traffic back to our Personal Internet Banking (PIB) website for potential fraudulent sites
Intelligence gathering and coordination to detect and shut down phishing sites and to block fraudulent transactions
Bolstering e-mail authentication to reduce the ability of spammers to impersonate the Bank
UOB Personal Data Protection Policy Principles
Personal data must only be collected and used for purposes that the customer has been notified of and has consented to, or that are permitted by law
Personal data is used responsibly in accordance with our ethical standards and corporate values
Access and disclosure are strictly on a need-to-know basis
Integrity and security of personal data are paramount
Personal data that is no longer required for legal or business purposes must be securely destroyed, in accordance with document retention policies