In the previous blog article of this series, we explored the requirements data protection laws put on data collection in regards to KYC procedures. In this one we focus on the standards regarding the means of processing and transfer of personal data, and what FinTech companies need to have in mind when doing so.
Follow the data
Once you know which data you collect from which source, based on which purpose, the next step is to focus on the data processing itself and the tools you use. According to the GDPR and the new Swiss Data Protection Act, FinTech companies are responsible for keeping the integrity of the data they process as well as ensuring privacy by design and by default. This includes especially technical and organisational measures appropriate to ensure the security of the data and compliance when choosing a service provider. Furthermore, companies are subject to inform customers of the processing, a topic we will explore in the next article.
Processing safeguards – the basic principles
Companies must protect their internal data processing activities and ensure that they deploy the necessary measures to protect the KYC data. From a technical perspective, FinTech companies tend to automate their KYC processes in order to create risk-profiles for each customer with the assistance of reliable data sources. By automating the collection, storage, monitoring and management of personal data, you are able to minimize risks to data security, namely due to human error, while also facilitating the exercise of data subject rights (e.g. data portability). This process also gives you the possibility to include workflow and risk-analysis tools to monitor data flows and see potential privacy risks in advance Furthermore, tools such as data discovery and classification technology, and data loss prevention systems can help to better protect personal data from unauthorized access and misuse. Lastly, encryption and the back-up of data plays an essential part too. Following the idea of data protection by design, it pays off to integrate technical safeguards when setting up the companies automated KYC process so you not only keep your data safe but also fulfil your data protection duties.
From an organizational standpoint, a clear distribution of roles and responsibilities is needed. This helps to strengthen trust, a sense of ownership and guaranties the possibility of tracing access and limiting damage in the event of a data protection incident. Furthermore, restricted access to view or edit clients’ data is necessary, especially in what concerns sensitive data. Lastly, having NDAs and regular trainings of your staff in place helps to mitigate potential sources of risk throughout the processing.
Sharing data with third parties
When dealing with KYC procedures, it is frequent for FinTech companies to transfer data to service providers in order to ensure that their operations run smoothly (e.g. specialised external software providers). In most cases, these third parties act in accordance to the instructions provided by your company and process the data according to the purposes and means determined by you. That being the case, the transfer must be governed through a contract – data processing agreement (DPA) – under the GDPR, setting out the specificities of the data transfer. Most service providers offer their own DPAs when you sign the main service agreement. Nevertheless you should check them regularly in regard to their data protection compliance as well as if they fit to your internal companies procedures and needs.
Another important matter to pay attention to when using service providers is related to third country transfers. Data on servers in the EU/EEA or Switzerland can easily be exchanged without any additional transfer requirements. Typically though, service providers either store (some) data in countries outside of this areas or engage sub-processors based in third countries like the US or India. In these cases, data transfers can only be done under certain circumstances. Firstly, when the EU Commission or the Swiss Federal Council have issued an adequacy decision, stating that the third country’s data protection framework is compliant with EU/Swiss standards (e.g. at the moment Israel, Canada, South Korea or the UK). If that is not the case, you need to ensure that the service provider offers sufficient safeguards in regards to the data’s integrity, such as by conducting a Transfer Impact Assessment (meaning, an analysis of the impact and security implications of the transfer by analyzing the third countries legal order), the usage of the EU Commission’s Standard Contractual Clauses (“SCCs”) and other technical means (e.g. encryption) deemed adequate. With this in mind, when transferring data to third countries, it is important for FinTech companies to make a list of all their service providers used and analyse non-EU/Swiss service providers to their compliance with data protection regulations.
Follow the data – the key takeaways
Implementing technical and organizational measures in your KYC data processing set up is not only necessary from a data protection perspective but helps you to manage the data flows in your company and reduce risks for data breaches. These include:
- Automated data management processes with included workflow and risk-analysis tools
- Data discovery and data loss prevention systems
- Encryption and back-ups
- Clear distribution of roles and responsibilities and restricted accesses
- Non disclosure agreements and regular staff trainings
When working with services providers and transferring personal data to KYC solutions contractors, you need to check your cooperating partners also from a data protection point of view. This includes having the right data processing agreements in place and get an overview over data flows to countries outside of the EU/EEA and Switzerland. If personal data is transferred to so called third countries like the US or India, you need to implement safeguards on a contractual and technical basis. Looking into the future, service providers already often use AI to verify identities and analyze data. As the EU is currently planning to regulate AI, it is advised to already have in mind future regulations in this field too when choosing KYC service partners.
In the next blog article of this series, we will take a final look at the KYC process from a “Manage the Data” perspective, where we will analyze methods of ensuring a secure data storage, for how long it should be stored, and the rights customers have in KYC processes.
