By Stuart Richards

There is a great temptation, when getting to know your customer well enough to prevent you – or them – from being defrauded, to learn far more about them than you need to in order to sell to them.

And it’s easily done. Once you’ve acquired the information you need to carry out good anti-money-laundering (AML) and know your customer (KYC) practice, what harm if that data gets leaked to the sales team?

Well, quite a bit of harm. Moral issues aside, it can be financially damaging. Back in 2021 CaixaBank was fined €6 million for doing just that – for improper data processing practices and collection of user data without explicit consent. Most of the time banks don’t get caught and so the temptation to do it continues. We still have an environment where some financial institutions have been reprimanded for not doing enough AML and so they go out and do too much.

Moreover, from a customer’s point of view, if a business is prepared to be secretive about ways it’s exploiting and profiting from its customers’ data, what other corners might it be cutting, and in what other ways might it be placing its own interests ahead of theirs?

So how do you know what’s too much?
The GDPR hangs off seven key principles, including data minimisation and purpose limitation – and it’s perhaps these two principles which are most relevant here. They state that you should only collect the information that is absolutely necessary for the purpose, and that you should strictly limit what you do with that information to the purposes for which it was collected.

When you're identifying necessity, you should be able to tie it back to a specific law and explain why the law makes that information collection necessary. A good example of this is passports. What the guidance originally said was that a financial institution’s authorisation officer needed to see the ID documentation, verify that it was the customer’s, and record the fact that they had done so. However, it became difficult for banks to demonstrate to regulators that they’d done this sufficiently, so they started keeping copies of the passport as evidence. This is problematic from a privacy point of view, and if a bank is hacked, the attacker gains access to a lot of information.

The problem of mis-selling
Banks are now under greater pressure to avoid mis-selling, but these days this is being interpreted as not allowing your customer to make any bad choices. This requires collecting a great deal of information about the customer. Much of this information (what your customer spends their money on, and so on) gets fed into a machine, and this machine then combines lots and lots of data points drawn from all over the place to decide whether or not you get that loan. This is done for reasons of consistency, speed and feasibility. There’s a lot of pressure to ensure banks don’t lend money to people who can't afford to pay it back, and that takes data.

Process is key
If your AML process is too intrusive, a proportion of the people who would have opened accounts with you will be put off. The principal way to ensure you don’t hack off your customers is to have privacy people deeply embedded in AML and KYC processes to hold organisations to account.

Redact documents wherever possible, watermark the copies you keep for your own use, don’t leave them in unlocked folders, don’t ask people to email you documents, don’t use WhatsApp to transmit documents to head office and don’t put them in insecure file transfer services.

Making it easier on the customer
If somebody steals an Amex credit card, they're not going to use it to buy something for the cardholder’s mother-in-law. If an Amex card is used to buy something from the cardholder’s mother-in-law, it's probably a legitimate transaction. Moreover, if you regularly holiday in Spain then you don’t want your card blocked every time you make a Spanish transaction. But you might want this if your card is used in the Bahamas. There is a question here about whether customers should be put in a position where they can provide information about the people with whom they regularly transact. The job of the financial institution is to reassure them that this data is used only to benefit them, which means you can’t sell it or leverage it for marketing purposes. There’s still a lot of failure by banks to sell customers on the value of the bank having a better understanding of their transactional behaviour. Essentially – people pay for things they believe are worth it – and bolt-on services that provide assurances of identity to other parties, securely, could be a big draw for many customers.
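A sketch of the screening logic described above, written as an added illustration rather than code from the article or from any bank: the customer declares counterparties they regularly pay and countries they regularly visit, the bank keeps only keyed one-way tokens of the counterparties (so the stored data serves fraud screening and is useless to a sales team), and a transaction is held only when it matches neither list. The profile, the key, the payee identifiers and the country codes are all constructed sample values.

```python
import hmac
from dataclasses import dataclass
from hashlib import sha256

# Constructed secret for the fraud-screening service only; in practice it lives
# in a key store that other business functions (sales, marketing) cannot read.
SCREENING_KEY = b"constructed-screening-key"


def payee_token(payee_id: str, key: bytes = SCREENING_KEY) -> str:
    """Keyed one-way token: stored instead of the raw counterparty identifier."""
    return hmac.new(key, payee_id.encode(), sha256).hexdigest()


@dataclass(frozen=True)
class CustomerProfile:
    """Only what the screening purpose needs; no raw payee identifiers."""
    home_country: str            # ISO 3166 alpha-2 code
    usual_countries: frozenset   # countries the customer declared they use regularly
    trusted_payee_tokens: frozenset


def build_profile(home: str, countries, payee_ids) -> CustomerProfile:
    """Tokenise the declared payees at ingestion so raw ids are never persisted."""
    return CustomerProfile(
        home_country=home,
        usual_countries=frozenset(countries),
        trusted_payee_tokens=frozenset(payee_token(p) for p in payee_ids),
    )


def assess(profile: CustomerProfile, payee_id: str, country: str) -> str:
    """Return 'allow' for declared payees or declared countries, else 'hold'."""
    if payee_token(payee_id) in profile.trusted_payee_tokens:
        return "allow"          # e.g. the mother-in-law the customer told us about
    if country == profile.home_country or country in profile.usual_countries:
        return "allow"          # e.g. the regular Spanish holiday
    return "hold"               # e.g. an unexplained Bahamas transaction


# Constructed sample: a UK customer who holidays in Spain and pays one relative.
SAMPLE_PROFILE = build_profile("GB", ["ES"], ["payee:mother-in-law-0001"])

if __name__ == "__main__":
    for payee, country in [("payee:mother-in-law-0001", "BS"),
                           ("merchant:cafe-0042", "ES"),
                           ("merchant:cafe-0042", "BS")]:
        print(country, payee, "->", assess(SAMPLE_PROFILE, payee, country))
```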

Currently the regulation isn't constructed to permit this level of data collection, and it would require a primary change in how the regulator manages KYC and AML responsibility. However, if you tell your customer what you're doing, why you're doing it, why it's in their interest and why they should help you, they will usually be on board.