NIST RFI on Developing a Privacy Framework: An Enterprise Risk Management Tool

Published on:
January 14, 2019
Submitted to:
NIST
Submitted by:
SIFMA, BPI, and ABA

Summary

SIFMA, the Bank Policy Institute (BPI) through its technology policy division known as “BITS,” and the American Bankers Association (ABA) provide collective comments to the National Institute of Standards and Technology (NIST) on its “Request for Information on Developing a Privacy Framework: An Enterprise Risk Management Tool” (RFI).

The Associations believe it is critical that this Framework and any discussion about the use of technical standards and organizational structures account for the existing and effective functioning of the financial system, which currently has the most robust and comprehensive privacy requirements that exist across all industries today.

Excerpt

January 14, 2019

Via Electronic Mail

National Institute of Standards and Technology (NIST)

Docket No. 181101997-8997-01

Request for Information: “Developing a Privacy Framework”

The Honorable Dr. Walter G. Copan

Under Secretary of Commerce for Standards and Technology and NIST Director

U.S. Department of Commerce

Washington D.C. 20230

Dear Dr. Copan:

The Bank Policy Institute (BPI) through its technology policy division known as “BITS,” the American Bankers Association (ABA), and the Securities Industry and Financial Markets Association (SIFMA) (collectively, the Associations) appreciate the opportunity to provide comments to the National Institute of Standards and Technology (NIST) on its “Request for Information on Developing a Privacy Framework: An Enterprise Risk Management Tool” (RFI).

I. Executive Summary

The NIST effort to create a Privacy Framework (Framework) will help “improve organizations’ management of processes for incorporating privacy protections into products and services” across all sectors of the economy and is a critical effort to improve privacy outcomes for consumers and better protect sensitive data. As the Associations noted recently in a submission to the National Telecommunications and Information Administration (NTIA), the financial services sector is strongly committed to the protection of consumer data, privacy, and security. Privacy protections are embedded in the operations and governance structures of financial services firms, in part due to the long-standing and extensive legal and regulatory requirements they must adhere to. Financial firms must comply with comprehensive federal, state and international standards for the management and protection of customers’ personal information and have created robust internal data governance structures that focus on risk management and govern the collection, use, control, and transparency of customer data.
