GDPR and Onboarding

Conforming to GDPR across the Customer Lifecycle

One of the most talked about regulations in recent years has been GDPR (General Data Protection Regulation). This EU law was adopted in April 2016 and came into force on 25th May 2018. As well as providing data protection and privacy rights to EU residents, it has wide-reaching implications globally, as it also covers the export of personal data outside the EU.

This presents a game changer for financial institutions in how they acquire and manage customer data.

Prior to this regulation, customer data was typically stored either in paper or electronic format somewhere in the financial institution’s filing, being dusted down when required to open or maintain an account, or to use in marketing campaigns and sales promotions. Most customers were probably not aware of the information their financial institutions had accumulated over time. GDPR has changed all of this: customers now have the right to access the personal data on file, to amend such data, and even to have information deleted (the “right to be forgotten”).

Given the importance and implications of GDPR, there has been a lot of analysis done on the various Articles within the regulation and there is a wealth of opinion on how financial institutions can evidence compliance. Since its implementation, individuals have been bombarded with consent notifications from lots of companies in all sorts of industries (e.g. Healthcare, Insurance and Financial Services).

Since they gather and manage large volumes of customer data, banks have been working hard to become compliant with GDPR by its effective date, and to do so they have been forced to change their systems and processes in various areas of their activities.

GDPR and Onboarding

One of the areas where banks have had to consider the implications of the regulation is the onboarding process, where by ‘onboarding’ we mean the activities necessary to start a business relationship with new customers. It is, however, undisputed that GDPR also covers other aspects of the whole customer lifecycle management, such as the periodic review of existing customers.

During onboarding, where the initial due diligence on the customer takes place, the data gathered usually serves identification and verification and, for entities, the more demanding task of confirming the beneficial ownership of the natural persons behind what can be multi-layered ownership structures. During this process the banks need to satisfy the requirements of AML and CTF regulations.

This has resulted in a dichotomy between the need to gather and store data on individuals in order to satisfy KYC requirements, on one side, and the comprehensive privacy rights granted to these same individuals by GDPR, on the other.

Historically, banks have tended to accumulate data, at times even before the formal onboarding of the customer, without knowing how they would use it for KYC purposes: a sort of “the more, the merrier” approach, based on the false conviction that more data meant per se more chances to catch the “bad guys”, or at least to prove to regulators that the onboarding process is robust and efficient.

GDPR has now put a stop to this “gold rush” of data, with a framework of six principles for processing personal data. These are:

1) lawfulness, fairness and transparency;
2) purpose limitation;
3) data minimisation;
4) accuracy;
5) storage limitation;
6) integrity and confidentiality.

Prima facie, these principles seem to create a conflict with the collection and processing of information required to combat money laundering and terrorist financing. But, do they?

One key aspect of the regulation is that personal data may not be processed unless one of the legal bases laid out in Article 6 of GDPR applies.

Now, it could be argued that banks are allowed to process customer data because the applicable legal basis is “a legal obligation” or a “legitimate interest”, or even because they carry out “a task … in the exercise of official authority vested in the controller” which justifies the processing of personal data (the latter opinion rests mainly on an industry view that regulators have too often pushed their AML/CTF responsibilities down to banks, practically enlisting banks as another type of police force). Regardless of which legal basis is identified, the argument that the prevention and detection of money laundering and terrorist financing undoubtedly constitute a lawful reason to process customer data is a strong one.

Nevertheless, some banks have played it safe and have relied on the first legal basis in Article 6, i.e. explicit consent, taking the path of sending customers very detailed privacy notices that explicitly mention the KYC identification and verification processes as well as the background screening for PEPs and sanctions.

Whatever approach is taken, in order to satisfy GDPR it is important that banks document the legal basis on which they process personal data.

However, lawfulness does not entirely cover the matter of ‘GDPR and Onboarding’, because before data can be processed it must first be acquired. So, let’s look at another principle: data minimisation.

GDPR asks for data to be “adequate, relevant and limited to what is necessary in relation to the purposes for which” it is processed. This requirement blatantly clashes with the breadth and depth of data collected for AML and CTF purposes.

However, here the risk-based approach taken by the latest AML regulations could indeed be the keystone that bears the weight of the tension between the two regimes. It can be argued, in fact, that the AML checks, and hence the data required to fulfil them, abide by GDPR whenever they are proportionate to the risk profile of the client and to the characteristics of the product or transaction executed. Therefore, as long as the due diligence procedures do not objectively exceed the minimum required by AML rules and are justified by the risk profile of the customer or by the bank’s AML policy and risk appetite, there is no risk that they violate any GDPR article.

We have yet to see rulings from the relevant authorities to know with certainty where and how the balance between the two regimes will be struck, but in the meantime the risk-based approach is a sound one that banks can take and defend in front of regulators.

Onboarding procedures are a powerful AML/CTF tool, but, as the famous and often-quoted saying goes, “power is nothing without control”. GDPR, with its limitations on the ‘why, when, how’ trinity of processing data, constitutes that control. Hence, on the back of the regulation, banks now need to perform due diligence in a more selective way, meaning that the data being processed must really add value to the KYC process.

Of course, in the pursuit of compliance with GDPR, policies and procedures are not enough: banks need to demonstrate that they actually do what they claim to do on paper. Banks should therefore also look for customer lifecycle management solutions that can handle the challenges posed by the regulation.

The chosen solution should support end-to-end onboarding: from the customer’s first request for a product, to gathering the data, to the risk assessment itself, and finally to approval of the relationship. Throughout the various steps (all with an audit trail) it must embed the “privacy by design” principle, so that, for example, only the data truly indispensable to satisfy the legal requirements and those of the company’s AML policy is processed, and access to information is limited to those users entrusted to process such data.


In the customers’ data habitat, AML and GDPR may not be in a situation of perfect symbiosis, but they can definitely co-exist. There is no other choice given that the regulations are now in place and subject to regulatory scrutiny on both sides.

Being compliant with GDPR is not a one-off exercise, satisfied just by producing yet another policy document (which is of little value if it is then not observed in practice), but rather a fundamental, some may say “cultural”, change in the mindset of banks and the way they operate. Because what GDPR protects is not only our data; it is us.

And (almost) all of us, bank employees included, nowadays have a bank account.


Fabio Urso, Director - Industry principal - CLM and KYC

This post is from a series of posts in the group: Financial Services Regulation