Innovative FinTech startups operate in a highly regulated environment. They are required to know and clearly identify their customers. In this context, one comes across the buzzword “KYC” repeatedly. KYC means “Know Your Customer” and refers to the identification and verification of a company’s customers. KYC is an essential part of how fintech companies combat money laundering, and compliance is mandatory for many participants in the financial sector.
KYC consists of several steps – these include identifying the customer’s details, verifying the customer’s information about their identity, and conducting background checks based on proof of identity and other relevant information. On the one hand, many of these checks are required by law, but at the same time, these procedures are often particularly data-intensive and involve categories of data that reach deep into customers’ privacy.
In this context, FinTech companies regularly find themselves in an area of conflict that is not easy to resolve. On the one hand, a large amount of data about customers must be collected for verification and risk minimization, while on the other hand, data protection law requires that as little personal data as possible be processed in the interest of data minimization. In order to meet both financial regulatory requirements and those of data protection law, it is important to take data protection requirements into account from the very beginning. This avoids high costs later on due to complex changes in processes and software systems.
In this blog post series, we discuss the most important data protection points that startups in the FinTech sector must consider in their KYC processes. In doing so, we focus on three main aspects:
- Know the data: What data may be processed in the first place? How do I handle identification documents? How do I avoid collecting categories of data that are not permitted?
- Follow the data: What are the requirements for the processing software and other tools in terms of data integrity? What do I need to consider when selecting service providers? How is data shared and transferred to third parties or abroad in a legally compliant manner?
- Manage the data: How do I properly inform the data subjects? What technical and organizational measures should I take? How and where do I store the data securely and when do I have to delete it? What rights do my customers have in KYC processes?
Know your data
Define the purpose of each KYC data point
The first step is to determine which data is needed for which purpose. The purpose is often specified by the relevant regulatory law. Only information that relates to an identifiable person (personal data) is covered by the GDPR and the new Swiss Data Protection Act. Therefore, the regulations do not apply to the data of legal entities. However, the concept of personal data is relatively broad, so even a business letter from a company, for example, in which the name of the contact person can be derived from the e-mail address, contains personal data.
In accordance with the principle of data minimization and necessity, no more data may be processed than is necessary for that purpose. Thus, if there is an obligation to identify or verify, then necessary personal data may be, for example, name, date of birth, place of birth and nationality. Necessary documents for verification are, for example, ID cards, eIDs or video ID procedures. Furthermore, additional documents such as excerpts from the commercial register, or a power of attorney may sometimes be necessary to verify authorizations. More precise details can be found in the relevant laws, such as the Money Laundering Act, and may vary in detail from company to company.
Minimize KYC by-catch data, and if non-avoidable plan for its handling
Such data may and must be processed regularly for the purpose of identification. A data protection challenge, however, is how to deal with person-related data that is collected as “by-catch”, so to speak. For example, birth names sometimes reveal marital status, or photographs and video recordings reveal health characteristics (e.g., glasses, hearing aids), ethnicity and possibly religion (e.g., in the case of religious head coverings). According to the most recent ruling of the ECJ, such data may even constitute “special categories of personal data” requiring special protection, the processing of which is strictly limited.
The collection of such indirect data as “by-catch” cannot always be avoided, as there is often a legal obligation to store, for example, a copy of an ID card. It is therefore important to establish a process that, on the one hand, excludes the possibility of such data being actively requested or stored as a separate data category. On the other hand, it should also be prevented as far as possible that such data is collected along the way from other sources (registers, service providers, public sources). In this respect, there is great potential in the automation of KYC processes, as certain characteristics which are not necessary for identification can already be anonymized automatically at the time of collection.
Document the data-capturing process for your company and potential authority reviews
It may also be that legal requirements demand further data collection, such as degrees of relationship and personal data from third parties (family members) in the case of politically exposed persons as defined by money laundering laws. In this case, it must be clearly documented and limited from which persons such data is to be collected and on what legal basis this is done. If these data are drawn from databases, a process should also be standardized that avoids “too much” information (e.g., historical information that is not necessary) as well as false positive extracts (e.g., in the case of name matches). Many databases make it possible to minimize such “by-catch” through intelligent report building. This is not only necessary from a data protection point of view but is also advantageous in the context of data quality for the company’s own databases. The same applies to the legal obligation to determine the origin of assets and beneficial owners.
When defining the KYC process for the first time, it should therefore be documented in a comprehensible manner which data is requested and stored for which purpose and under which considerations. This also enables supervisory authorities to determine retrospectively why certain datasets are processed. When selecting sources for identifying a person, preference should be given as far as possible to publicly available data or self-disclosures.
Data Protection by design for KYC processes
As part of the development of a KYC process, data protection aspects should play a role right from the start in order to avoid complicated and expensive subsequent changes to databases and structures. In this way, one also fulfills the requirements of the GDPR and the new Swiss data protection law regarding the principle of “privacy by design”. In terms of defining what data is collected and how, the following points should be considered:
- Define exactly which personal data categories are needed, on which legal basis this is done, and how these categories can be assigned to a clear purpose (“Which data do I absolutely need?”);
- Define appropriate documents for verification of the respective required data categories (“Which documents do I absolutely need to verify the data?”);
- Take the principle of data minimization into account in your considerations, for example, through inspection instead of recording and through automated processes in which data that is not required is anonymized right from the start;
- Limit false data and impermissible, sensitive “by-catch” through clear processes, for example with the help of intelligent report building.
In the next blog article in this series, we will take a further look at the KYC process from a data protection perspective and address the topic “Follow the data”. We will analyze, for example, the means of processing (third-party software tools and databases) and the transfer of data (need-to-know principle, transfer, and storage in third countries).