The impact of GDPR on KYC checks - what you need to know

Are we any closer to understanding the impact of GDPR on KYC? We examine what you need to know, what it means and how it can affect you.

The impact of GDPR on KYC checks

The GDPR (General Data Protection Regulation) came into force in May 2018, and after two years, are we any closer to understanding its impact and how it is affecting businesses, especially when it comes to KYC regulations?

Under GDPR, organisations that carry out identity checks and hold potentially sensitive information about customers have to be completely transparent about what happens to the data after use. At the same time, KYC checks and procedures are powerful risk management tools.

Banks and financial institutions were verifying client and customer data well before GDPR came into force. Banks needed to follow rules on AML (anti-money laundering) and on combating the potential financing of terrorist activities. The rise of cyber-attacks meant that businesses needed some form of KYC to protect their interests, such as performing an online background check on customers, with their consent.

What is a KYC check?

KYC, or Know Your Customer, is the process of identifying and verifying the identity of a client or individual. For example, banks undertake these checks when someone opens a new account. It’s a mandatory process used to identify customers as part of due diligence, and it includes customers providing proof of identity and other relevant documents.

So if companies need to gather large amounts of personal data from individuals to perform the check, doesn’t GDPR and other data protection laws then restrict how they can use this information?

Is there a conflict of interest between consumer data privacy and KYC?

The easy answer is no; there isn’t. At first glance, it might look as though there is a contradiction, but data protection will never stop companies conducting due diligence. Rather, the regulations are in place to offer best practice advice on how to gather data safely.


Who needs to perform KYC checks?

Any firm in a regulated sector, such as a financial institution, is required by law to screen customers and clients as part of its KYC checks. The ultimate aim of screening is in the name – know your customer – it is essential to see whether individuals are linked to activities such as money laundering, bribery or corruption.

These businesses commonly include:

  • Banks and credit institutions.
  • Asset managers.
  • Legal professionals.
  • Estate agents, plus many others.

But we are increasingly seeing different types of checks being done on customers, clients and even candidates applying for roles. There are many kinds of background checks that companies and employers can perform on an individual, including:

Criminal history check

A criminal background check could be used to determine whether a person could create an unsafe work environment, or potentially cause reputational risk to a company.

Previous employment, and education

Typically done by an employer, verification of previous employment will flag up any gaps and reveal insights into a candidate’s job stability.

Reference checks

It’s common practice for employers to ask applicants for references, but reference checks can also be used when someone moves into a new rented home.

Drug screening

Although this is more common in industries like driving or aviation, periodic drug and alcohol testing will determine whether an employee can be trusted to perform.

Credit background check

A credit background check will look into a person’s credit history, and credit agencies like Experian or Equifax can provide reports.

Social media and internet reputation check

These can be useful in obtaining information about a person, or candidate, to help determine any potential reputational risk they may pose. For example, a comprehensive reputation check from companies like Yoono may save time and money in the long run.


The main impact of GDPR on KYC

There are a variety of different types of KYC check, and each has its benefits depending on the situation in which it is needed. Businesses and individuals can see the impact of GDPR on KYC through the stringent security measures that companies have put in place and through the greater control customers now have over their information.

Increased security requirements for KYC data

Under the General Data Protection Regulation (GDPR), financial institutions and businesses have needed to be very clear about their data storage policies, as they are subject to stringent requirements.

Companies are still not being careful enough with their record-keeping. Recently we’ve seen H&M fined over £32 million for violating privacy regulations by keeping excessive records and personal information on employees. This is the second-largest fine a single company has faced since the laws came into force.

More control

After KYC onboarding, customers, clients and individuals have more control over their information. Because customers have a say in what is collected and how it is stored, companies need to keep precise records, and users have the option to delete some or all of their data.

The increased use of automation

The amount of digital data that can be shared has created a problem in terms of GDPR compliance. Automation has helped, and will continue to help, with this process. It automates the gathering, storing, monitoring and management of data and reduces employee error.

Companies need thorough checks to ensure compliance, and they need to invest in technology to protect the data. Automated data collection also helps with data portability, which is another aspect of GDPR compliance.

No matter where a business or organisation is in the world, if it captures data from someone based in the EU, for example during a KYC check, then it has to comply with the regulations.