January 1, 2025

The Impact of GDPR on KYC Procedure: A Closer Look


Belal Mahmoud

KYC Product Consultant

KYC wants more data; GDPR wants less, so where does that leave businesses?

As businesses ramp up Know Your Customer (KYC) processes to combat rising fraud and ensure compliance with AML regulations, they face an uncomfortable reality. These measures often clash with the strict data privacy mandates of GDPR, leaving organizations navigating a precarious balance between security and compliance.

In 2024, the case of JU v. Scalable Capital GmbH changed how multiple stakeholders looked at KYC procedures under GDPR. After data subjects filed lawsuits against Scalable Capital GmbH alleging harm caused by theft of their personal data, the national court referred the matter to the Court of Justice of the EU to clarify whether the compensation should include a punitive element aimed at the company in question or focus solely on the harm suffered.

The court ruled that Article 82(1) of GDPR is meant to compensate victims for the damage they suffered due to a data breach. It is not designed to punish companies for data protection failures. This means that the compensation is about fairness to the victim, not penalizing the data controller, so does that mean companies face no consequences? Absolutely not.

This case reinforces that under GDPR, companies must take data protection very seriously, because even minor breaches could lead to claims for compensation. A company cannot simply escape responsibility by attributing the failure to the negligence of one of its employees.

GDPR vs. KYC: The Central Clash

The General Data Protection Regulation (GDPR) and Know Your Customer (KYC) procedures often find themselves at odds in the context of businesses, especially in financial services.

GDPR, which came into effect in 2018, is a comprehensive data privacy law within the European Union that regulates how personal data is collected, stored, processed, and shared. Its primary aim is to safeguard individuals’ privacy and provide them with more control over their personal information.

On the other hand, KYC procedures are regulatory measures, primarily within the banking and finance sectors. They are designed to verify the identity of customers and prevent money laundering, fraud, and the financing of terrorism. These procedures require businesses to collect sensitive personal information, such as identification documents, addresses, and transaction histories.

The clash arises because KYC mandates extensive data collection and retention to fulfill regulatory requirements, while GDPR imposes strict rules on data storage. It limits how long businesses can retain personal information and under what conditions it can be processed.

To understand the impact of GDPR standards on global KYC Procedures, think of a compass that sets the direction for others to follow. GDPR was introduced in Europe. However, it has impacted the development of data protection laws worldwide.

The USA’s California Consumer Privacy Act (CCPA) and Brazil’s Lei Geral de Proteção de Dados (LGPD) came into effect in 2020 and mirror GDPR by applying stringent rules for data collection and processing.

Similarly, GDPR’s influence extends beyond the West. It has impacted privacy laws, such as the Digital Personal Data Protection Act (DPDP) in India and the Personal Information Protection Law (PIPL) in China.

Balancing GDPR Compliance and KYC: Challenges for Modern Businesses

GDPR emphasizes data privacy and transparency, while Anti-Money Laundering (AML) laws demand detailed customer data retention and sharing for compliance. On the one hand, GDPR limits data storage and requires explicit consent from the user. On the other hand, AML rules require prolonged retention and data sharing with authorities.

This created a challenge for HSBC’s Global KYC processes, as the two regulations often conflicted. Balancing these demands forced HSBC to redesign its KYC framework, ensuring robust data protection measures while meeting AML compliance.

Similar to HSBC, other financial institutions have had to invest in sophisticated systems to ensure due diligence while also fulfilling data minimization principles. GDPR has significantly reshaped KYC processes, particularly in areas like customer consent, consent mechanisms, and data subject rights.

1. Consent of the Customer (Article 4)

Firstly, GDPR has had a massive impact on customer consent. Article 4(11) reads: “Consent must be a clear, affirmative act indicating a freely given, specific, informed, and unambiguous agreement to the processing of personal data.”

This means that businesses need to adopt Know Your Customer measures with opt-in mechanisms that get explicit and informed consent from customers. For example, in 2019, the French regulator CNIL fined Google €50 million for not providing sufficient information about data processing and failing to obtain valid consent for personalized ads.

2. Mechanisms for Asking Consent (Article 13)

Secondly, GDPR emphasizes that companies create user-friendly consent mechanisms that clearly explain to users why their data is being collected and where it will be used. Article 13 of GDPR states, “Customers should be informed about the purpose, legal basis, and duration of data processing.”

Companies often collect user data improperly and violate GDPR’s requirement that consent be recorded in an auditable form. A famous brand, H&M, was fined €35.3 million in Germany for failing to apply robust consent mechanisms while handling sensitive data.

3. Data Rights of the Subject (Articles 15-20)

Articles 15-20 of GDPR emphasize how businesses need to set up systems that can quickly and efficiently handle customer requests about their personal data. For example, if a customer wants to see what data a company has on them or asks for it to be deleted, the company must respond promptly.

However, there is a catch. Before doing this, the company must confirm the customer’s identity to ensure that the request is genuine and not a fraud attempt.

Additionally, KYC processes should make it easy for customers to transfer their personal data to other service providers if they choose to.

Where Privacy Meets Compliance: The Intersection between GDPR and KYC

GDPR operates like a well-designed security system in KYC procedures. It fortifies personal data against misuse while ensuring that rightful owners can access and manage their information.

Under GDPR’s right to erasure, individuals have the ‘right to be forgotten’ and can request that their data be deleted under certain circumstances. Under the ‘right to restrict processing,’ they can limit how their data is used. Both of these rights pose significant challenges to KYC processes that require access to extensive data.

Here is how GDPR requirements intersect with KYC requirements.

1. Data Collection and Consent

Imagine you are entering a global bank like HSBC to open your bank account. When collecting information, the bank must clearly obtain your consent and explain why it is collecting your data and where it will be used. It will need you to explicitly agree before the process continues.

Under GDPR, institutions like HSBC need to ensure customer trust while also adhering to stringent compliance standards. Balancing both often becomes a challenge.

2. Data Retention Requirements

KYC regulations under AML laws often require companies to retain data for extended periods of time, such as five years. However, GDPR’s Article 5 states that data should be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”

To manage this, businesses must implement systems that retain data for exactly as long as a regulatory obligation requires and delete it once no such reason remains.

3. Data Minimization

Here, the clash is between KYC procedures, which require the collection of extensive amounts of data to verify a customer’s identity, analyze financial risks, and detect suspicious activity, and GDPR’s principle of data minimization, which dictates that businesses collect only the bare minimum of data needed for the purpose.

For example, in the FinTech industry, companies must balance GDPR’s push for minimal data collection with KYC’s need for detailed information, such as transaction histories and employment status, to assess money laundering risks.

The High Cost of GDPR Non-Compliance in KYC

On Wednesday, the Dutch Data Protection Authority (DPA) fined Netflix 4.75 million euros because “customers did not receive sufficient information when they asked Netflix which data the company collects about them. These are violations of the General Data Protection Regulation (GDPR)…”

GDPR non-compliance can cost businesses a great deal. Article 83 provides a comprehensive framework for imposing fines and states that these can reach up to €20 million or 4% of total worldwide annual turnover. Additionally, Article 84 allows individual member states to establish additional penalties for non-compliance.

Protecting Privacy and Reducing Risk: KYC in the Age of GDPR

Businesses worldwide are adopting GDPR compliance solutions. Here are some mechanisms that companies are adopting to safeguard their interests.

Mechanism: Details

Implement robust data minimization strategies: Businesses should collect only the essential information required for compliance. Moreover, they must delete the data once it is no longer used.

Establish clear data retention policies: Financial institutions should set clear guidelines on how long customer data is stored, based on legal requirements. Once the data is no longer necessary, businesses should remove it from their systems.

Prioritize customer consent and transparency: By using transparent and easily understandable language, businesses can align their practices with GDPR’s principles.

Leverage secure technology for data protection: Adopting encryption, tokenization, and secure authentication methods is essential for protecting customer data and meeting GDPR and KYC requirements.

Regularly review and update compliance frameworks: To stay ahead of regulatory changes, businesses must continuously assess and update their KYC procedures to reflect any shifts in GDPR or other local data protection laws.

Conclusion

In conclusion, GDPR has transformed KYC into a privacy-first process. However, contrary to what many businesses think, aligning KYC processes with GDPR is not very difficult. You can do it by adopting best practices such as transparent consent processes, data minimization, and secure technologies to navigate the complexities of both frameworks.

In today’s interconnected world, businesses that proactively adapt to and comply with these regulations will not only safeguard themselves from legal risks but also develop trust and sustainability in the long term. Ensuring robust compliance is no longer optional; it is a strategic imperative for the continuity and growth of businesses.

Belal Mahmoud

Belal possesses over 8 years of experience in the KYC identity verification industry. He has consulted on KYC solutions for over 20 new economy companies at DIFC and ADGM, ensuring seamless technical integration, and has helped with jurisdictional compliance audits.