Article | 12 Oct 2022

Information security essentials for customer identity verification


Financial services businesses that handle data during know your customer (KYC) checks must protect this data according to specific information security and data protection regulations. KYC and other anti-money laundering (AML) checks are an essential part of customer onboarding and verifying identity, and are legally required in the UK and many other countries.

Whenever a business receives a customer’s personal data, whether it creates a new record about that data subject or adds to an existing one, it must abide by the data protection regime of the country or region concerned. One of the most stringent and far-reaching of these is the UK General Data Protection Regulation (UK GDPR).

In this article, we explore best practice and what financial services businesses can do to navigate complex layers of regulation.

Data protection: the rights of your customer – the data subject – during KYC checks

When a financial business obtains customer and beneficial owner data as part of its KYC identity checks, it must have a lawful basis for doing so before the data is captured, processed and stored. Consent from the data subject is one such basis, but it is not the only one, and for KYC it is rarely the right one.

To comply with data protection laws such as the UK GDPR, financial services businesses must be able to demonstrate a lawful basis for holding customer data, most commonly a legal obligation (the AML regulations that require the checks in the first place) or a legitimate interest. Only where neither applies must the business ask the customer for consent, and that consent must be a genuine opt-in: freely given, specific, informed, and as easy to withdraw as it was to give.

Whichever basis applies, businesses must be open and transparent about the data being collected. You must explain why the data is needed, how it will be used, how long it will be kept and who it will be shared with. In the KYC context, this means explaining the ID and verification practices alongside the background screening procedures.

Holding customer data – what are the rules?

Regulations such as the UK GDPR also require financial services businesses to understand how much personal data they legitimately need for KYC and AML checks (the data minimisation principle). There must always be a documented purpose for acquiring a customer’s personal data, and that purpose should be set out in a published privacy notice.

A second principle is that financial businesses should not keep data that is no longer needed and must not hold inaccurate data. As KYC is an ongoing process rather than a one-off check, financial services businesses have to decide what data can be destroyed after onboarding, what must be retained while the relationship lasts, and what must still be held after a customer has concluded business, where AML record-keeping rules typically mandate a minimum retention period.

Data security: avoiding the growing issue of data breaches

In addition to having policies on lawful basis, purpose and minimisation of the customer data held, banks and other financial businesses must protect stored data from becoming one of the thousands of data breaches that occur each year.

The three main areas of data security are auditing/due diligence, security architecture and staff training.

Firstly, businesses need documented procedures and policies for carrying out due diligence on how customer data is secured. Service providers should maintain a regular inventory of data assets, assess those assets for vulnerabilities with expert help and/or dedicated tooling, and audit their policies against what is actually in place.

Businesses should have a security architecture that supports the three pillars of data security: confidentiality, integrity and availability (CIA). Wherever data is stored, access controls and encryption (in transit and at rest) need to be implemented and audited, and the storage architecture must be regularly assessed for vulnerabilities and remediated where necessary.

Finally, businesses should have a person or team leading and overseeing information security training, so that staff understand how to prevent criminals gaining fraudulent access to customer data through phishing and other social engineering attacks.

Best practice for financial services businesses is to become certified under ISO/IEC 27001, the international standard for managing information security. This requires businesses to examine their information security risks, threats, vulnerabilities and impacts; to put in place a suite of information security controls and/or other forms of risk treatment; and to run a process that keeps those controls maintained on an ongoing basis.

A secure technology platform to simplify onboarding

Using a technology platform lessens the burden of onboarding, KYC and AML checks for customers and companies, allowing financial services firms to devote more time to staying compliant with data protection regulations and keeping data secure.

BONAFiDEE’s digital engagement platform includes a full range of biometric and record checks to verify new customers’ identities in a safe, compliant and fully evidenced way. From the outset, the process is digitally tied to each customer's unique identity, providing evidence that KYC and AML checks have been completed by the same individual. A full audit trail is available of the customer's journey through the consent, identity verification, data capture and document signing stages, all the way through to completion.

Furthermore, to protect our clients’ sensitive data, a dedicated team of highly skilled professionals maintains our Information Security Management System (ISMS). Our database and information infrastructure are rigorously tested against the requirements of ISO 27001 (27001: 72890/B/0002/UK/EN) and ISO 9001 (9001: 72890/A/0002/UK/EN). We continually improve our knowledge, controls and measures to manage potential threats.

The on-demand, shared nature of public cloud introduces additional risk, and the security of cloud computing remains a serious concern. Because cloud service providers share infrastructure, platforms and applications across many tenants, a vulnerability in any of those shared layers can affect every tenant that depends on it. As a result, our security policy dictates that BONAFiDEE does not use cloud computing services.

We own and manage dedicated infrastructure in IL3/4 rated data centres in the UK, and data is not replicated to any other location worldwide. BONAFiDEE clients can be certain that their data is rigorously protected from threats and vulnerabilities 24 hours a day, 365 days a year.

To find out more about our securely hosted, advanced digital signature and customer verification solutions, download our guide, or contact our team.
