2021-01-01

Instruction No. 20 of 2021 Regarding Data Confidentiality

The Palestine Monetary Authority issued Instruction No. 20 of 2021 to mandate strict data confidentiality protocols for all licensed Palestinian banks. The regulation requires institutions to implement comprehensive data protection policies, secure systems, and strict internal controls, while prohibiting unauthorized disclosure or misuse of customer information except with written consent, judicial rulings, or specific legal mandates. Additionally, it compels banks to immediately report data breaches and unauthorized disclosures to the Authority and submit monthly compliance reports, subjecting violators to administrative and legal penalties under existing banking and anti-money laundering laws.

Palestine

Palestine Monetary Authority

PALESTINE MONETARY AUTHORITY

Instruction No. (20) of 2021

Regarding Data Confidentiality

Based on the provisions of Legislative Decree No. (9) of 2010 concerning Banks, particularly Articles (32) and (43) thereof, and in accordance with the powers delegated to us, and in pursuit of the public interest, we have issued the following Instructions:


Article (1)

Definitions

The following words and phrases, whenever used in these Instructions, shall have the meanings specified below, unless the context indicates otherwise:

Data
All information, documents, and records pertaining to natural or legal persons, regardless of their form or source, including account transactions, movements, statements, banking and financial dealings, deposits, trusts, obligations, and rented safe deposit boxes that the Bank has accessed or obtained.

Data Confidentiality
Preserving all data obtained by the Bank, as well as financial transactions and movements, and protecting them from unauthorized access and disclosure.


Article (2)

Objective and Scope of Application

  1. These Instructions aim to regulate data confidentiality, enhance the trust of customers and investors, and mitigate risks that the Bank may face.
  2. The provisions of these Instructions apply to all banks licensed by the Palestine Monetary Authority to conduct banking business.

Article (3)

Bank Obligations

  1. The Bank shall comply with the following:
    • Establish a policy and operational procedures to protect data security, and submit a request to obtain the prior approval of the Palestine Monetary Authority for their adoption, provided that the policy includes at a minimum the following:
      a. Mechanisms for protecting personal, financial, and banking data, whether electronic or non-electronic, across all media, including documenting, storing, transferring, destroying, and managing access rights and usage.
      b. Mechanisms and procedures for data breach disclosure.
      c. Mechanisms to identify external entities authorized by law to access or obtain data, and procedures for providing such data to those entities.
      d. Mechanisms to identify authorized employees within the Bank who may access or obtain data, and controls over them.
      e. Mechanisms to document requests received from external entities to access data and the actions taken regarding them.
      f. Standards and controls for administrative and legal accountability against anyone proven to have disclosed data in violation of the law.
  2. Provide the necessary systems, measures, tools, and controls to maintain data confidentiality.
  3. Adopt and authorize a specific mechanism for reporting any violations related to data breach or misuse within the Bank.

Article (4)

Prohibitions and Exceptions

  1. The Bank and its employees are prohibited from disclosing data except based on the customer's written consent or a judicial ruling issued by a Palestinian court. Otherwise, the Palestine Monetary Authority must be immediately notified of any requests from other entities.
  2. The Bank, all current and former board members, senior officials, employees, auditors, consultants, and external retirees of the Bank are prohibited, even after the termination of their employment relationship, from doing the following:
      a. Providing or allowing any unauthorized person or entity to obtain or access data that was accessed or obtained by Bank employees in the course of their duties. This prohibition applies to anyone who gains access to such data directly or indirectly due to their profession, position, or work.
      b. Exploiting accessed data during their employment period at the Bank to achieve personal benefits or for the benefit of other parties.
      c. Sharing any data with unauthorized persons or entities not legally entitled to obtain such data without the customer's consent, unless the sharing is necessary to service the customer.
  3. The Bank may disclose data in accordance with the provisions of Article (32) of Legislative Decree No. (9) of 2010 concerning Banks and its amendments to the entities listed in this paragraph, according to the legal jurisdiction of each such entity.

Article (5)

Disclosure of Financial and Banking Accounts

The Bank is prohibited from providing any entity with the customer's account statement, except as provided in Article (4) paragraph (1) and Article (6) of these Instructions.


Article (6)

Disclosure for Palestine Monetary Authority Requirements

The Bank must disclose data requested by Palestine Monetary Authority employees tasked with performing their duties.


Article (7)

Reporting to the Palestine Monetary Authority

The Bank shall provide the Palestine Monetary Authority with the following:

  1. Any breach or unauthorized access, or any disclosures made to unauthorized parties.
  2. Any disclosures made to exempted entities under these Instructions that exceed their legal jurisdiction.
  3. Administrative and legal measures taken against employees who violate the provisions of these Instructions.
  4. A monthly report detailing requests received from courts and the entities listed in Article (4) paragraph (3) of these Instructions, in accordance with Annex (1).

Article (8)

Penalties

Anyone violating the provisions of these Instructions shall be penalized in accordance with Article (54) of Legislative Decree No. (9) of 2010 concerning Banks, and Article (44) of Legislative Decree No. (20) of 2015 concerning the Prevention of Money Laundering and the Financing of Terrorism and its amendments.


Article (9)

Implementation and Enforcement

All competent authorities shall implement the provisions of these Instructions according to their respective jurisdictions, and they shall apply from the date of issuance.

Issued in Ramallah on: 14/09/2021.

Dr. Firas Malham
Governor
[Signature]


www.pma.ps
Ramallah & Al-Bireh Governorate - Palestine P.O. Box 452
info@pma.ps | Fax: +970 2 2415310 | Tel: +970 2 2415251
Gaza - Palestine P.O. Box 4026
Fax: +970 8 2844487 | Tel: +970 8 2825713