GDPR and KYC – Living Together in Perfect Harmony?

The General Data Protection Regulation (GDPR) and Know Your Customer (KYC) screening are two regulatory regimes that meet head-on in financial services: one restricts how personal data may be collected and kept, the other obliges firms to collect it. The two can pull in opposite directions, particularly over how much personal data is collected and for how long it is retained. Organizations must nevertheless comply with both, which means documenting the lawful basis and purpose of each KYC processing activity, limiting collection and retention to what those purposes require, and putting appropriate security measures around the data that is kept.

KYC screening is a process used by financial institutions to verify the identity of their customers and assess any potential risks associated with their business relationship. This involves collecting, storing, and processing a significant amount of personal data, including name, address, date of birth, and government-issued identification numbers.

The GDPR, on the other hand, is a comprehensive data protection framework. It applies to organizations established in the EU, and to organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU (Article 3); it protects data subjects who are in the EU regardless of their citizenship. The GDPR places strict requirements on the collection, storage, and processing of personal data, including the requirement to have a lawful basis for every processing activity (Article 6) and to store personal data securely (Article 32). Consent is only one of the six lawful bases; for KYC, the usual basis is not consent but compliance with a legal obligation (Article 6(1)(c)), since a customer cannot meaningfully withdraw consent to a check the institution is legally required to perform.

Challenge: Personal Data Collection

One of the primary conflicts between the GDPR and KYC screening is the collection of personal data. The GDPR's data minimisation principle (Article 5(1)(c)) requires organizations to limit the collection of personal data to what is necessary for the stated purpose, and the purpose limitation principle (Article 5(1)(b)) prohibits processing it in a manner incompatible with that purpose. This is challenging for financial institutions, whose KYC obligations require them to collect a large amount of personal data, some of it (for example copies of identity documents) far richer than the verification itself strictly needs.

Another conflict arises over the storage of personal data. The storage limitation principle (Article 5(1)(e)) requires organizations to keep personal data in identifiable form for no longer than is necessary for the purpose for which it was collected. Financial institutions, however, are often required by other rules to retain KYC records for a fixed period after the business relationship ends, for example the retention periods set by anti-money laundering (AML) and counter-terrorism financing (CTF) legislation. The practical resolution is a documented retention schedule that ties each data category to the specific legal obligation justifying its retention, with deletion or anonymisation once that period expires.

The GDPR also requires organizations to have appropriate technical and organizational measures in place to protect personal data (Article 32), with the level of protection proportionate to the risk. This is challenging for financial institutions that must store large amounts of sensitive personal data for long periods, as they have to invest in robust controls such as encryption, access control and monitoring to protect this data from unauthorized access and breaches, and to maintain those controls for as long as the retention obligation lasts.

As regulations continue to change, the technical and organizational measures that count as "appropriate" will change with them, so these controls need to be reviewed regularly rather than set once.

What does GDPR Say about KYC?

Although KYC is not explicitly mentioned in the GDPR, the GDPR sets out several principles and provisions that apply directly to KYC processes. This may require financial institutions to reassess their current data protection policies and to implement additional security measures, so that personal data is protected at all times and the institution avoids the legal consequences of non-compliance.

These principles have ongoing implications for the way KYC processes evolve within financial institutions:

  • The GDPR requires that personal data be processed in a lawful, fair, and transparent manner (Article 5(1)(a)). For KYC this means identifying the lawful basis for each check (usually a legal obligation) and telling customers, in the privacy notice, what data is collected and why; this sits naturally alongside the customer due diligence that KYC already requires.

  • The GDPR requires that personal data be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes (Article 5(1)(b)).
    • When financial institutions collect personal data to verify customer identity and assess risk, they may not quietly repurpose it, for example for marketing or unrelated profiling, and they must know where the data is held and who can access it in order to enforce that boundary.

  • Personal data must also be adequate, relevant, and limited to what is necessary for the purposes for which it is processed (Article 5(1)(c)), and it must be accurate and, where necessary, kept up to date (Article 5(1)(d)).
    • Many financial institutions have accordingly changed how they collect personal data, and have introduced periodic review and refresh of stored KYC records so that stale or excessive data is corrected or removed.

What does GDPR say about AI and Automation?

The General Data Protection Regulation (GDPR) does not mention Artificial Intelligence (AI) by name, but it sets out specific requirements for automated individual decision-making and profiling (Article 22), together with transparency duties about the logic involved (Articles 13, 14 and 15). These apply to any AI or automation used in the processing of personal data.

These requirements are increasingly important to understand as KYC automation becomes more prevalent in the industry:

  • The GDPR requires that personal data be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage (Article 5(1)(f)).
    • Appropriate technical and organizational measures need to be in place so that personal data fed into, and produced by, automated processes is protected, including the data used to train or tune screening models.

  • The GDPR also requires that personal data be accurate and, where necessary, kept up to date (Article 5(1)(d)).
    • The results of automated decision-making are only as good as their inputs: an inaccurate record can produce a false match or a wrongly cleared customer, so it is more important than ever to ensure data used in AI and automation processes is accurate and current.

  • Under the GDPR, individuals have the right not to be subject to a decision based solely on automated processing that produces legal effects concerning them or similarly significantly affects them (Article 22(1)), unless an exception applies, for example where the decision is authorised by Union or Member State law, as many KYC checks are. Individuals also have the right to meaningful information about the logic involved in such decisions (Articles 13(2)(f), 14(2)(g) and 15(1)(h)), and, where the exception applies, the right to obtain human intervention, express their point of view, and contest the decision (Article 22(3)).
    • Individuals must therefore be able to challenge decisions made by AI and automation processes and obtain human review, which requires organizations to have documented processes, and the ability to explain the decision, for dealing with such challenges.

Businesses should treat automated AI solutions as a tool that supports the analyst, not as the final decision-maker: an automated flag should feed a human review, and declining or exiting a customer should not rest solely on the tool's output.

Discover smartKYC

smartKYC’s adverse media screening software is the world’s most advanced multilingual semantic search engine to machine read all online media content for potential negative news about your clients, improving KYC processes and reducing risks. If you’re interested in learning more about smartKYC’s industry-leading multilingual NLP and how it can transform the efficiency and effectiveness of your KYC operations, book your demo today.
