Because one of the key aspects I will discuss in my dissertation is “Framework design by adapting international standards to local needs, including measures such as data protection impact assessments and operational security measures,” I thought—why not take you along on my mini-exploration of which countries already have practical guidelines for PSPs (Payment Service Providers)?

In this blog post, I want to share what I’ve found! This time, I looked into three central banks: the European Central Bank (ECB), Qatar Central Bank (QCB), and the Bank of Thailand (BoT), focusing on their approaches through the lens of “people, process, and technology.” And here it is.

Comparison by central bank, broken down into people, process, technology, and notes:

ECB
People
  • Obligation to obtain explicit consent from users to process personal data
  • Service providers must train staff to recognize and prevent privacy violations
  • Implementation of the principles of privacy by design and by default, involving all internal parties in system operations
Process
  • Compliance with GDPR principles, including data minimization and purpose limitation
  • Obligation to report security incidents to the supervisory authorities (e.g. the competent authority)
  • Internal monitoring and auditing processes for data access by third parties (PISPs, AISPs)
Technology
  • Use of Strong Customer Authentication (SCA) to secure transactions
  • Restriction on storage of sensitive data by third parties such as PISPs and AISPs
  • Implementation of systems and technical controls to protect user data from unauthorized access
Notes
  • The guidelines do not refer to a specific ISO standard, giving PSPs the freedom to use any method that is in line with GDPR.

QATAR (QCB)
People
  • Board and management must include representatives with cybersecurity expertise and form cross-functional committees (IT, HR, Risk, etc.)
  • Employees must be trained and aware of cyber risks and digital fraud
  • End users and customers must be educated about security risks and how to report fraudulent activity
Process
  • Implementation of a technology risk management framework and regular security incident reporting procedures
  • Internal security evaluations, audits, and monitoring of third-party vendors must be conducted periodically
  • Establishment of data privacy policies covering data retention and consent for the use of personal data, in accordance with Qatar law
Technology
  • Use of strong authentication (Strong Customer Authentication) to secure transactions
  • Restriction on storage of sensitive data by third parties such as PISPs and AISPs
  • Implementation of systems and technical controls to protect user data from unauthorized access
Notes
  • If a PSP outsources its system to a third party, the contract must include security standards in line with ISO 27001 and NIST.
  • The use of encryption must follow industry standards such as ISO/IEC 19790, NIST SP 800-57, etc.
  • Although the guidelines do not mandate one specific standard overall, the direction is clearly toward ISO/NIST.
  • Although this is more of a security testing standard, it still shows that QCB emphasizes compliance with international standards.

THAILAND (BoT)
People
  • Financial institutions must have leadership and governance responsible for data protection
  • Increased data literacy and staff training in managing data and protecting consumer privacy
Process
  • Institutions must comply with Thailand’s PDPA in the collection, use, and disclosure of personal data
  • There must be a formal data governance policy, including data classification and data lifecycle management
Technology
  • Implementation of appropriate access controls to protect data from unauthorized parties
  • Use of technology that supports data security, quality, and interoperability
Notes
  • The central bank has issued a data governance policy framework and acknowledged the role of personal data protection, although it has not regulated the technical details in depth.
  • BoT has signalled this direction through the policy, complemented by the “Your Data” initiative and a public consultation on secure, consent-based data-sharing mechanisms.

You might be wondering: why only these three?

Well—I WAS JUST AS SURPRISED! Turns out, many central banks around the world do not have specific frameworks for data governance tailored to PSPs, especially in the context of user personal data. For example:

  • Canada is only planning to start regulating PSPs in 2025.
  • India hasn’t issued derivative regulations yet—it’s still relying on broader government-issued data protection laws.
  • The U.S. doesn’t regulate this via its central bank, but rather through separate authorities.

Among the three I explored, Thailand doesn’t yet have a comprehensive guideline on data protection, but they’re getting there! They’re currently implementing the “Your Data” project, giving consumers the ability to control and modify their data protection preferences. They’ve also released a Consultation Paper on the draft regulation regarding mechanisms that enable customers to exercise their data-sharing rights with financial service providers (within the Your Data Project, under the Bank of Thailand). This will eventually support the development of more structured personal data regulations.

On one hand, I’m proud that Indonesia is acting quickly on this front. On the other hand, it’s a wake-up call—we have to move fast, because our country is often an easy target for cyber threats. Regardless, I believe that the project I’m working on will benefit both my organization and—more importantly—Indonesia.

Let’s keep going. 🚀