While all businesses collect data about their customers, some did so under stronger oversight than others. Businesses in industries from healthcare to banking have for years collected identification data within a regulatory compliance framework. Now with continuing global alignment of data and privacy laws, companies are facing similar requirements and precise data collection is more important than ever.
Knowing your customer
Banks, accountancies, and other financial services companies must comply with anti-money-laundering (AML) regulations. Among their obligations, these companies must implement, document, and maintain strictly-defined know-your-customer (KYC) rules to ensure their customers are who they say.
The Financial Transactions and Reports and Analysis Centre (FINTRAC) is one of the agencies responsible for enforcing Canada’s AML/KYC regulations. FINTRAC’s guidance spells out the personal data firms must collect as well as firms’ obligation to monitor the accuracy of that information.
A report in The Globe & Mail showed how far beyond the large financial corporations FINTRAC’s regulations extend. An audit of more than 800 small real estate brokers found 60% had significant or very significant AML/KYC compliance problems.
Data rights in Europe
Thanks to the European Union’s General Data Protection Regulation (GDPR), companies big and small must develop similar compliance programs for the personal data they collect. These regulations extend beyond the EU borders.
Elsewhere, the Asia-Pacific economic cooperation (APEC) has rolled out its cross-border privacy rules (CBPR), which ensure effective privacy protections against those who collect, store and process personal information. The key difference being, CBPR members are governed by their own national data protection laws whereas any company in the world that collects the personal data of an EU citizen must comply with the GDPR.
The protection of personal data is a “fundamental right” under the GDPR. That right gives Europeans control over their personal information and places an obligation on companies to protect the data.
Organisations that collect personal information must observe a set of principles that protect those data. The principle of data accuracy, for example, sets the expectation that personal data will be “accurate and, where necessary, kept up to date” and requires companies to ensure inaccurate data is “erased or rectified without delay.”
Of course, data accuracy is important to any business. The GDPR, however, converts data inaccuracy from a business inefficiency into a regulatory compliance risk. A pre-GDPR example shows the consequence of data inaccuracy. IT Governance reported in 2012 that Britain’s Information Commissioner’s Office (ICO) had fined insurance company Prudential £50,000 for confusing two customers’ accounts — and allowing the situation to continue for three years after first being made aware of the problem. In a post-GDPR world, any company may be held to a similar standard.
How much is too much information?
Data accuracy is not the only GDPR principle businesses must adopt. The data minimalisation principle requires collected personal data to be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” An on-going review process must consider whether the purpose is still valid as well as whether the information collected is still adequate and relevant.
These and other processes must be fully documented, reviewed on a regular basis, and communicated to company staff to ensure compliance. The more a company minimises the personal data it collects the less burden the compliance efforts will be, and the less risk the company will face from compliance failures.
The consequences of poor compliance
Even before GDPR went into effect, insurers’ attitudes towards data collection risks were hardening as claims related to personal data breaches drove insurers’ costs. The most recent NetDiligence Cyber Claims Study, for example, found that in the period 2014–2017, companies in the United States and Canada spent an average of $697,000 on regulatory defense costs alone.
In Asia, where regulators are tightening enforcement of data privacy laws, Dell EMC’s Data Risk Management Barometer ranked Singapore as the strictest enforcer. The Strait Times reported “nearly every fine issued by the Personal Data Protection Commission (PDPC) centred around the same type of offence — inadequate security measures for personal data.”
Empowering consumers simplifies compliance
With a digital identity system, individuals control what personal information companies may access. A vineyard, for example, would not need to collect the birthdate of visitors to its website. A query to the person’s identity wallet would confirm the person is older than 18 based on a trusted source.
Another benefit to businesses will be a digital identity wallet’s ability to relay previous identity verifications. Alastria CEO Alex Puig told The Banker how a digital identity can make AML/KYC compliance easier: ”For example, I can prove I am a client of Santander, so BBVA could also accept me as a client without having to go through the KYC process.”
Digital identity accelerates business processes
Today’s verification systems impose significant costs on businesses through inefficiency, fraud and lost sales. A digital identity white paper from Australia Post and The Boston Consulting Group identified billions of dollars in savings and new revenue that a nationwide identity system would generate. Eliminating more than 300 million verification requests every year would save Australian businesses AU$2 billion.
The Japan Times reports that people must wait a week to open a new bank account due to Japan’s current verification system. A blockchain-based identity system under development by Japan’s banks will reduce wait time significantly.
In the future, interacting networks of blockchain-based digital identity systems will replace today’s inefficient verification system. Compliance with digital privacy laws and AML/KYC regulations will happen automatically. And customers will develop a greater trust in the companies they do business with since control of their personal information will be in their hands where it belongs.