Information Governance and Compliance
People
An offer of employment is extended contingent upon successful review and completion of employment verification, education verification, and a criminal background check. After the offer is accepted, pre-employment screenings are initiated through a third-party background vendor. Contractors are subject to the screening provisions in their contracts.
All new employees or contractors with access to Finastra’s network must complete mandatory Compliance training, which includes Code of Conduct, Information Security, physical security, privacy and risk, within the first 60 days of employment. Annually, all employees and contractors must complete Compliance training. To complete the training, you must pass the test. Failure to complete training results in management escalation and remediation.
Additionally, developers and those with privileged access must take role-based training to ensure that they understand their responsibilities and the company’s expectations. Training for developers also includes secure coding practices.
Risk Assessments
Any developer who wishes to make a FusionCreator application available on FusionFabric.cloud has to undergo a risk and compliance assessment, in which standard checks for compliance with sanctions, anti-bribery and anti-corruption laws are conducted. Additionally, we request their insurance and financial documentation, their policies, and any other documentation.
Following the approval of the developer, each application must go through a thorough security review to ensure that client data is properly protected and that the appropriate Secure Software Development standards have been met.
Data Management Program
Finastra’s Enterprise Data Management & Governance team is responsible for addressing enterprise risk concerns, maintaining Finastra’s regulatory compliance and supporting the corporate application rationalization program. The team fulfills these responsibilities by focusing on maintaining data quality, developing overall data architecture strategies, implementing data management best practices, data provisioning, and data integration to ensure data is well-managed as an enterprise asset.
The Program has been developed and is maintained in collaboration with IT Architecture and Practices, Global Risk, Privacy, IT Compliance, InfoSec, Product and Data Security (PDS), Legal, and other relevant Finastra teams. The Data Management & Governance team and stakeholders identify where Finastra’s Program stands today, what our requirements are for delivering an Enterprise Data Management and Governance Program, what the future state looks like, and how we will get there. The Finastra Enterprise Data Management & Governance Program is enterprise in scope, encompassing Finastra products (including FusionFabric.cloud), managed services and corporate applications.
Policy and Legal
Our Approach to Privacy
First, a quick word on our philosophy
10,000 financial institutions around the globe run on Finastra’s software systems. We provide those Finastra systems as either on-premise or hosted solutions.
We strongly believe that the future of finance is open. We want to enable our customers to connect their Finastra systems to other tools and solutions provided by other fintech companies. That is why, with FusionFabric.cloud, we offer a platform that allows our financial institution customers to integrate and consume additional solutions, called FusionStore applications. The vast majority of applications are provided and operated by third parties that the financial institution chooses to cooperate with. In addition, Finastra also offers some apps, and financial institutions may build and consume their own private apps. It will always be the financial institution’s choice whether or not to connect its Finastra system to another app. We understand that such a decision will be based on the financial institution’s assessment of the provider of the app and the arrangements and safeguards they agree on.
Our Privacy Practices and Policies
We know that our financial institution customers have to comply with a variety of privacy laws and regulations depending on the data they are processing and their place of business. To help them secure and control the data they are processing:
- We provide the tools and practices set out in the Information Governance & Compliance guide.
- We adhere to the Finastra External Privacy Policy for any data we are processing on our platform.
- We train all of our staff regularly on information security and privacy. This includes:
  - GDPR
  - Issue Reporting
  - Data Sharing and Transfer Limitations
  - Individual Rights
For more details, see the Privacy Policy section.
Third-Party Verifications (Partner Enablement)
Application Validation Program
FusionCreator application developers must pass the processes comprising the Application Validation Program to onboard into the FusionStore. These processes allow Finastra to validate the legal entity of the application developer and its security practices annually or at every release, whichever comes first.
Application Classification
Each application requires a distinct level of access to financial institutions’ data, and thus the validation levels are defined in accordance with the access type (for example, read vs. update) and data classification (for example, financial data vs. PII).
Validation Buckets
Each classified application can be bucketed into one of three options: Standard, Advanced, and Premium. Each FusionCreator application has unique branding in the store, which allows financial institutions to choose it based on its risk profile. For example, a financial institution that desires to innovate may choose a Standard validated application, while for production it may require only Premium validated applications.
For more information, see the App Validation Process section.