The KYC Confusion: Where Privacy and Identity Collide

We’re used to providing proof of our identity for things like opening bank accounts and setting up new phone contracts. What we pay less attention to is what businesses do with this evidence once we’ve shared it with them. This has been brought into sharp focus following recent significant data breaches.

Identity verification checks — sometimes referred to as “know your customer” (KYC) — are part of anti-money laundering (AML) controls and are mandatory in some sectors. These checks confirm an individual is who they claim to be. Typically, this includes things like national identity documents, passports, driver’s licences, social security details.

Historically, many organizations have kept copies of individuals’ identity documents as part of this process, storing them for many years. There’s often confusion between retention obligations defined across different legislation that leads organizations to keep hold of information, believing it’s the right thing to do.

The challenge across much privacy and AML legislation is the lack of clear retention standards for KYC and identification information, and whether retention of identification information is necessary at all once someone’s identity is confirmed.

In the case of identification information, Australia’s Attorney General, said the Australian government was considering whether companies “should be permitted to go on keeping data when the purpose of collecting it in the first place might have been no more than establishing someone’s identity.”

The Australian government’s digital ID system allows organizations to refer to it to confirm a registered individual’s identity. This centralized approach for AML and KYC checks greatly reduces the need for businesses to gather and store this information themselves.

The potential losses resulting from data breaches are significant, both for companies and affected individuals. When that information is identification information, the resulting identity fraud adds to those costs. The victims of identity fraud often end up out-of-pocket as a result. It often falls to victims to obtain new identification documents themselves and leaves them fearful and, in some cases, embarrassed.

Globally, legislators and regulators need to provide clarification around KYC, stating exactly how and what organizations need to capture and retain once an individual’s identity is confirmed.

Organizations have a huge responsibility to protect such sensitive data. As a first step, businesses need to identify any KYC data they hold, understand why they have it and ensure it is stored securely. If it isn’t needed any longer, because identification checks are completed and it serves no other purpose or mandatory retention periods have passed, deleting this information is the next step. Data discovery and management solutions, such as Ground Labs’ Enterprise Recon support automating these processes so they can be performed regularly.

Finally, businesses should confirm with local authorities and regulators exactly what they need to capture, record and retain for their KYC checks, and whether other sources such as a government or centralized ID system can be used instead, then modify their processes accordingly.

To find out more about Enterprise Recon and how data discovery can help your business, book a call with one of our experts today.