World Bank Fast Payments Toolkit
5.2.1. Cyber Resilience and Data Management
Data Management
• RTP Operating Rules include provisions regarding the treatment of confidential information by TCH and participating FIs, including encryption requirements for the storage and transmission of RTP message data
• Participating FIs holding customers' accounts are subject to existing consumer privacy laws regarding the proper use of consumer data and restrictions on disclosure of such information to third parties. Participating FIs are subject to the Gramm-Leach-Bliley Act, which governs the treatment of nonpublic personal information about consumers by financial institutions and requires financial institutions to safeguard the security and confidentiality of customer information
• Additionally, the PSP compliance criteria require PSPs that access the RTP system through banks to develop and implement administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information, as well as to ensure the proper disposal of customer information
Cyber Resilience
• TCH monitors its system and its procedures for security breaches, violations, and suspicious activity, including suspicious external activity (unauthorized probes, scans, or break-in attempts) and suspicious internal activity (unauthorized system administrator access, unauthorized changes to its system or network, system or network misuse, or theft or mishandling of customer information)
• TCH monitors industry-standard information channels for newly identified system vulnerabilities in the technologies and services it uses (including application software, databases, servers, firewalls, routers and switches, hubs, etc.) and fixes or patches any identified security problem as soon as commercially reasonable, based on TCH's determination of the severity level of the security problem
• TCH maintains and implements appropriate plans to assure its continued operation. These plans shall include the following: recovery strategy, documented recovery plans covering all areas of operations necessary to delivering services as required by the RTP Operating Rules, vital records protection, and testing plans
• The plans shall provide for backup of critical data files, customer information, application software, documentation, forms and supplies. The recovery strategy shall provide for recovery after both short- and long-term disruptions in facilities, environmental support, and data processing equipment
• TCH shall continue to provide service to a participant if the participant activates its contingency plan or moves to an interim site to conduct its business, including during tests of the participant's contingency operations plans
• TCH's contingency plans for disruptions in facilities, environmental support, and data processing equipment provide the ability to bring any impacted operations that are necessary to delivering services as required by the RTP Operating Rules up to full capacity at its back-up site within 60 minutes of a declared disaster
As per the RTP Operating Rules and the RTP Customer Information Security Standards and Requirements, TCH has established guiding principles for ensuring cyber resilience and data privacy. It has also obligated participants to follow certain guidelines for safeguarding sensitive information.
Source: RTP Operating Rules | RTP Playbooks