The requirements come into force in accordance with the instructions of the Central Bank of the Russian Federation on the basis of Bank of Russia Regulation No. 683-P, "On the establishment of mandatory requirements for credit institutions to ensure the protection of information in the course of banking activities in order to counteract the implementation of money transfers without the consent of the client". In particular, banks are required to identify the device used to conduct banking transactions via remote access.
“Even if criminals lure out passwords and codes for accessing an Internet or mobile bank, they will not be able to enter your personal account from their gadget. As soon as the bank notices the substitution, it will contact you and clarify whether you are logging in from another device,” reports the Financial Culture resource created by the Central Bank of the Russian Federation (quoted from Interfax).
When banking transactions are conducted through mobile applications, banks are required to verify telephone numbers and to analyze the nature and volume of the transactions conducted by the user. However, the document does not specify the methods and terms for confirming numbers and e-mail.
“The frequency of this inspection is not established by the regulations of the Bank of Russia. At the same time, we consider it expedient to initially carry out the specified check when identifying a client in the offices of credit institutions, as well as to ensure subsequent periodic checks in order to maintain the existing subscriber numbers of clients to which notifications about banking operations are sent up to date,” Vadim Uvarov, director of the information security department of the Central Bank, explained in a letter sent to the National Financial Market Council (NSFR).
Appropriate protection measures were previously used in some credit institutions, but since October 1, these requirements have become mandatory for all banks.
In addition, from October 1, banks must report information security incidents to the Central Bank, as well as report on measures to respond to them. Credit institutions must also provide the regulator with data on the websites used in banking activities, as well as on the resources owned by them or administered by them in their own interests.