The digitization of business processes in regulated sectors is growing fast, and regulators throughout Europe have therefore strengthened and clarified their requirements. Companies in these sectors are legally required to know their customers (KYC). Today, online customer onboarding must rely on a trusted solution and trusted authentication means. Identity verification, however, involves the processing of personal and sensitive data. In this context, regulations already require, and will increasingly require, solutions that comply with security and data protection requirements.
What are the challenges for KYC solutions in terms of personal data protection?
Today, more and more companies must implement a KYC (Know Your Customer) process to meet regulatory requirements. This process consists of verifying the identity of customers, most often when they subscribe to a service, whether in person or remotely. To benefit from a service or a product, the customer must create an account, and it is during this account creation that identity verification is required. KYC can be essential in several situations: to comply with regulations such as the anti-money laundering directive, to fight fraud, to verify the age of the subscriber, or to improve the customer experience and simply extract data.
With the explosion of the Internet and remote services, the KYC process has evolved and strengthened significantly. In order to better control a customer's identity, the solutions implemented must collect personal information from an identity document for analysis. In addition, a biometric facial recognition step is often added to ensure that the person is who he or she claims to be. This combination of ID verification and video facial recognition makes the personal data involved highly sensitive.
When implementing a KYC solution, it is therefore critical to ensure that the data received from your customers, whether biometric or non-biometric personal data, is protected and not at risk of leakage. To that end, make sure you choose a provider that meets the regulatory requirements on data protection. But what exactly are these requirements?
GDPR, Cloud Act, eIDAS: what do the regulations currently require in terms of personal data protection?
Today, the question of data collection, management and storage is no longer a detail. The protection of company data must be thought through and follow a plan that is rigorously applied. Since the adoption of the US CLOUD Act in 2018 (a federal law on access to communications data, including personal data, notably when it is processed in the cloud), the issue of data protection has been raised anew. Indeed, a company that hosts its data on an American platform cannot declare itself GDPR compliant today.
Some service providers choose European sovereignty, i.e., storing their data in Europe under the control of companies not established in the United States. However, there is a third option: at ARIADNEXT we are sovereign by design. This means we have complete control over the data we process and avoid the potential risks associated with the sovereign cloud. When a company's core business requires it to handle sensitive and personal data on a daily basis, KYC solution providers can choose to operate their own infrastructures.
The European market is governed by various regulations with which companies must comply, including on data protection and compliance with the GDPR (General Data Protection Regulation). This European regulation governs the processing of personal data on the territory of the European Union and requires companies to protect the personal data they handle and the privacy of EU citizens. The GDPR covers all transactions that take place within Europe and also all entities that process personal data belonging to EU residents. Companies that do not comply with the regulation can face heavy fines: the penalty can be up to 4% of annual turnover.
In the context of a KYC process, the identity data collected (surname, first name, date of birth, etc.) clearly falls into this category of data to be protected. In addition, biometric data, i.e., the physical or biological characteristics that identify a person, is also subject to this regulation; this includes fingerprints, facial features used for recognition, and so on. The KYC solution provider you choose to work with must therefore be in full compliance with the General Data Protection Regulation.
In order to increase confidence in electronic transactions within the internal market, another regulation applies to all trust service providers and Certification Authorities: the eIDAS Regulation. This regulation defines three levels of reliability and assurance for identification processes. The "low" level refers to an electronic identification means that reduces the risk of identity theft but offers a limited level of trust (a login and a password are the only requirements). The "substantial" level refers to an electronic identification means that aims to improve the risk posture: the signatory must hold an identity document issued by a Member State, have demonstrated possession of it, and have provided proof that it belongs to him. Finally, the "high" level requires that the person be in possession of a biometric or photographic identification element recognised by the Member State receiving the application for an electronic identity, and that this element match the claimed identity.
Today, France has drawn on the eIDAS regulation for the transposition of the 5th AML/CFT Directive (Anti-Money Laundering/Combating the Financing of Terrorism). Among other requirements, this directive asks companies to use an identity verification provider at the substantial level in order to fight fraud risks effectively.
If you want to know how reliable your KYC solution provider is, feel free to rely on the three levels defined in the eIDAS regulation.
How do KYC solutions meet the challenges of personal data protection today?
KYC is today the starting point of customer onboarding. Its role is to build the necessary trust between the customer and the solution provider, and it has to respond to several challenges. To be a trusted actor, identity verification solution providers must today fully comply with the requirements on personal data processing. This covers the analysis, storage and archiving of the sensitive data processed as part of a KYC process.
Regarding the analysis, some solution providers today offer verification of an identity document in less than 10 seconds. During this time, the software processes the information, verifies its authenticity and returns a verdict to the customer. The collected data is then destroyed to avoid any risk of leakage. It sometimes happens that, during a remote identification, the user does not have the documents at hand. In this case, the KYC solution provider may decide to store this data temporarily until the customer journey is finally validated.
When the automated verification cannot be completed or is incomplete, a manual verification is performed by experts trained in fraud detection. Whether the document is processed automatically or manually, it is important to know where the customer's data is transmitted and where it is stored. In the case of manual verification, it is also important to ensure that the data collected is processed in a center located in Europe.
It is also important to look at the overall level of trust of the company you choose as a KYC solution provider: its values; its certifications (ISO 27001, for example, or very soon compliance with the ANSSI reference framework for remote identity verification service providers, or FIDO for biometrics); and the audits (penetration tests, GDPR compliance assessments, etc.) to which the company is subject, by obligation or by choice, and which can substantiate its degree of reliability. The purpose of these audits is to test the reliability of information systems and the associated processes in order to find possible vulnerabilities.
At ARIADNEXT, as a KYC solution provider, we ensure compliance with the fundamental principles of the General Data Protection Regulation and the eIDAS Regulation. We are currently working towards PVID (Remote Identity Verification Provider) compliance and aim to be among the first to obtain this certification. We guarantee complete confidentiality and protection of all analyses in order to offer our customers a service that is fully compliant with market requirements.