Russian Banks Oppose Bill Granting Security Agencies Access to Client Data

The Association of Russian Banks (ARB), which includes Sberbank, VTB, Gazprombank, Tinkoff, and others, has spoken out against a proposed law that would grant security agencies access to banks’ information systems and client databases. This response comes after the introduction of bill No. 416441-8, submitted by the government to the State Duma in August 2023.

According to the explanatory note, the bill aims to establish a special procedure for processing the personal data of certain categories of individuals, as determined by the President of Russia. Specifically, the Ministry of Defense, Ministry of Internal Affairs, Foreign Intelligence Service, Federal Protective Service, and FSB could be granted the ability to edit or delete information about security service employees who have accounts at various banks.

RBC reports, citing a letter from the ARB to the Ministry of Digital Development and the head of the Information Policy Committee, Alexander Khinshtein, that the ARB sees this bill as a violation of Russians’ constitutional rights and a breach of anti-money laundering laws. The Ministry of Digital Development noted that they have not yet received the letter.

Key Concerns Raised by the ARB

• The bill “creates numerous legal conflicts” and contradicts other laws.
• Its adoption would violate the constitutional rights of Russian citizens by giving security agencies unlimited access to personal data, including data of individuals not classified as security service employees. Banks would be required to provide personal data without client consent or a court order.
• It is unclear how banks would report client transactions to Rosfinmonitoring under anti-money laundering laws if security agencies can edit data without notifying the banks.
• The new requirements would significantly increase labor costs, workload, and expenses.

The banks also raised additional concerns. The ARB believes that unlimited access for security agencies could pose information security risks. They suggest removing the requirement for information system and database operators to provide remote access to security agencies. As an alternative, they propose that interactions with security agencies be conducted through the Federal Tax Service or the Central Bank.

The Ministry of Digital Development responded that law enforcement agencies would interact with banks’ information systems “strictly in accordance with procedures established by the government.” The ministry believes this approach will address all potential risks. They also clarified that access would not be granted to all information systems, but only to those included in a special registry.

The Big Data Association (which includes Yandex, VK, Rostelecom, MegaFon, and others) has also opposed the bill. They argue that its adoption could compromise the integrity of information systems and create risks of violating other laws for businesses.