In this third and last article of our series, we are going to explore the requirements FinTech companies need to have in mind when managing their KYC data. We want to concentrate on two specific areas you need to be aware of: the retention and deletion of the data, as well as the rights of data subjects.
Data Retention and Deletion of KYC Data
The first element to take into account is to determine how long KYC data will be stored and subsequently when it will be deleted. According to European privacy laws, personal data that is no longer needed for the purposes it was used for should be deleted and thus no longer processed. What this means is that FinTech Companies need to ensure that they only store KYC data that is needed for their operations and for the period strictly needed. This period is dependent on the purpose of the processing but in some case it is set by law. For example, in Germany and Switzerland there are legal retention periods of up to 10 years in what relates to accounting and tax records and the European Anti-money laundering Directive obliges entities to retain a copy of their KYC processes for a period of 5 years after the end of the business relationship or after the date of an occasional transaction. This Directive further obliges entities to keep record of transactions for a period of five years after the end of the business relationship with the customer or after the date of an occasional transaction.
After setting the retention periods, you also need to define a process through which the data is deleted after the set timeframe. There are different methods of deletion, from overwriting, degaussing and physical destruction Especially when you process large amounts of data across multiple systems, automation is one of the best ways to reduce the risk of non-compliance with data protection law, as well as to avoid the possibility of human error. For that reason, you should implement a deletion processes from the beginning into your system, tagging each data set automatically with a future deletion date.
Another possibility companies have is to anonymize the data as data protection laws are not applicable for these data. Sometimes it can make sense to do so as aggregated anonymized data could be needed for statistical purposes. Nevertheless, bear in mind that this is easier said than done as for data to be truly anonymized, there can be no possibility of re-identifying individuals with it by using reasonably available means.
Having this framework in mind, it is advised to have a data retention policy for your KYC data in place, which includes for how long you keep the data as well as the means through which it shall be deleted, considering the period during which the data is necessary for the related operations and the retention periods set out by law.
Rights of Data Subjects
The second important aspect is the rights of data subjects when it comes to their KYC data. According to the GDPR and the FADP, people whose data you process have a set of rights, of which one of the most important is the right to be informed of the data processing (e.g. via a privacy policy).
It is important to make this privacy policy accessible as early as possible in the customer relationship as you need to inform the person at the time you are collection their data. This means that you should make your privacy policy both visible and accessible through your website and app, as well as throughout the client registration process. It is also important for customers to be able to access it whenever they wish.
Also, data subjects have the right to portability in most cases, which means that they may request you to provide their personal data to themselves or to another company in a standard format such as excel. For that reason, it is important for FinTech Companies to implement the necessary technical tools to allow for the extraction of the relevant data in a structured, commonly-used and machine-readable format (e.g. CSV, XML and JSON formats), as well as its safe transfer to the relevant data controller or to the data subject. There are different possibilities of achieving this, namely by directly transmitting the requested data or by providing access to an automated tool that allows the individual to extract the requested data themselves.
Besides the right to be informed and to data portability, data subjects also have various other rights in the KYC process for example the right to access and rectify their data that is stored by you as well as to the erasure of data when it is no longer necessary for the purposes it was collected.
Main Takeaways
As with collecting and following KYC data, managing it also requires special attention from FinTech Companies, mostly when it comes to its storage and complying with data subjects’ requests. With that in mind, it is important to pay attention to:
- Storage periods: personal data can only be stored for as long as it is needed for the purposes it was collected or according to a legal retention period (e.g. Accounting, tax and anti-money laundering laws have various retention periods ranging between 5-10 years). Once that period is over, its processing should be stopped either by deletion or anonymization;
- Data deletion: the deletion of data should be made in such a way as to render it unusable, either by destroying the physical archives or by using automated tools to assist in the deletion of large datasets;
- Retention policy: You should define the retention period for each of the categories of KYC data you process, defining their respective process of deletion and automatically implement it into your systems;
- Data subjects’ rights: You should pay attention to the rights afforded to data subject by data protection laws. In particular, you must inform them of the processing activities their data is subject to (e.g. in you privacy policy). This information should be provided in an accessible and easily-understandable way and in the earliest stage of the KYC process possible. When setting up your processes and systems, you should also implement the necessary technical measures to comply with other rights, such as the right to portability.
