.svg)
An investigation has been opened against Brazil’s Banco Banese, after local media reports of a personal data leakage from customers of various financial institutions involving the country’s new instant payments service, PIX.
According to the Ministry of Justice and Public Security, more than 395,000 PIX Keys were registered by users on the bank's platforms and may have been exposed.
“What’s more, other banks could be subject to an investigation,” according to Viviane Giglio, compliance and research lead at VIXIO, who previously worked in compliance for a payments institution in Brazil.
PIX Keys are a stand-in for a customer’s bank account that consumers can register that allows them to make a transaction using a personal identifier, such as mobile number, email address, or tax registration ID, otherwise known as a CPF.
“Essentially, my CPF is my PIX user address which allows me to make PIX transfers from different banks and institutions,” explained Giglio.
Banco Banese, whose largest shareholder is the Brazilian state of Sergipe and is located in the north-east of the country, will now be notified by the Brazilian government to provide clarifications within 15 days.
The bank must clarify whether the data has been leaked from its databases or from operators that process data upon its request. Questions such as how long the data was exposed for; what data would have been accessed; as well as what operational measures have been taken to mitigate the effects of the data leakage; and what actions are being taken to eliminate failures in the provision of the service. It is also unclear whether bank account information linked to the PIX Key has also been exposed.
The 62-year-old bank will also need to show how it will improve privacy security for the data that it stores.
According to the ministry, official letters have also been sent to the Banco Central do Brasil (BCB), as well as the country’s National Data Protection Authority.
PIX was launched at the tail-end of 2020 and is operated by the BCB. In its short existence, it has been a phenomenal success, helping to grow digital payments in the country and supporting financial inclusion. As of the end of August 2021, 321m PIX Keys had been registered, or roughly 1.5 keys per person.
In the first ten months of existence, PIX already boasts 4.9bn transactions. To put this in perspective, the UK’s Faster Payments scheme which launched in 2008, had 2.9bn transactions at the end of 2020. At current rates of growth, PIX could finish its first full year as the third-largest real-time payments system globally, behind India’s UPI, and China’s IBPS.
