When GDPR takes effect in May 2018, financial institutions will feel the impact of the legislation across their entire business model, including how they execute and manage Know Your Customer (KYC) processes.
At the moment, we accept that if we want to open a bank account, or get insurance, we have to submit a passport or birth certificate, and various other bits of personally identifiable information.
But what happens to it then? Under GDPR, that is a question banks will have to answer if a customer asks it, and they will need to be completely transparent about what they do with the data and what they do to protect it.
I’m amazed at how often we still have to hand over highly confidential, personally identifiable data to banks in hard copy, but we have no choice if we want to be a customer of the bank.
The first question is whether banks actually need you to send in, or bring in, physical copies of your ID. It is understandable that banks need to verify you are who you say you are in order to meet their Anti-Money Laundering (AML) obligations and reduce fraud, but there are smarter ways of getting verifiable information to them without physically handing it over. I’ve heard the argument that some banks want to get you into a branch at least once, but with the number of bank branches in rapid decline and digital-only banks on the rise, customer on-boarding processes are already undergoing major change. Whatever the channel, physical or digital, the important question is what they do with the KYC data they receive and how it is safeguarded.
Right now we have no real means of knowing what has happened to that data. Is it securely stored, or securely destroyed once your details are verified? Honestly, who knows. Even GDPR will make it hard to control what a bank employee does with a photocopy of my driver’s licence.
And if it is handled by a third party, what are they doing with it? It now sits somewhere else, outside the bank’s corporate governance, and could be passed on to other third parties.
And if, as a bank’s customer, I don’t want that to happen, what can I do about it? Under GDPR’s ‘right to be forgotten’ (the right to erasure) I should be able to demand that my data is deleted. But if the bank does not hold it in the first place, the reality is that I have little or no chance of understanding where my information is held, or by whom. I don’t know what I don’t know. And yet, under GDPR, I have the right to know.
Many banks are, of course, well into the planning stages of GDPR for the more straightforward, structured data they hold. But they need to be more transparent about how, and why, they hold the KYC data, which is typically unstructured, and what is done with it once they really do know who their customers are. Those customers are becoming more aware of the value of their personal data, and less willing to give it up. The first cases brought against banks under GDPR next year will be interesting to