Banks and other financial institutions are increasingly caught between the Wwft (the Dutch anti-money laundering legislation), which requires them to carry out extensive Know-Your-Customer screening, and the GDPR, which requires them to store only the absolute minimum of sensitive customer data. The result: banks must sift through hundreds of thousands of files to ensure that all personal data is stored in accordance with the rules.
A recent ruling appeared to give the banks some respite, but those hopes were soon dashed. The culprit is the Burgerservicenummer (Citizen Service Number, or BSN). This issue has long held the financial sector hostage and is the subject of heated debate. To store data or not – that is the issue. Earlier this year, Kifid, the Dutch Institute for Financial Disputes, issued a binding judgment on the matter. Banks may indeed request, record and store the BSN, but a copy of the ID may not be stored unprocessed. Such muddled legislation is characteristic of the friction between a tightening of the gatekeeper role of financial institutions on the one hand and the increasing privacy protection of consumers on the other.
Jump for joy
Compliance officers who might have jumped for joy after reading the ruling soon had their feet back on the ground. Although banks may continue to process the BSN, the photo on the ID must always be blurred. Likewise, the ID document must always be watermarked. The only ground on which banks are allowed to process the BSN is that they are legally obliged to state the BSN when providing information to the tax authorities. In addition, due to the deposit guarantee scheme, they must share the BSN of their account holders with the Dutch Central Bank.
In many other cases, financial service providers are not allowed to process the BSN at all. Mortgage lenders, for example, are only allowed to process a BSN if the mortgage has been definitively approved. So as long as the mortgage offer has not been accepted by the new customer, the lender is not allowed to process the BSN of that possible future customer under any circumstances, not even if the customer gives permission to do so. In practice, this means that consumers actually have to scratch out the BSN themselves before sharing documents with mortgage lenders. Industry organizations have therefore called on payroll service providers to make documentation available with and without BSN. UWV (the Employee Insurance Agency) and Stichting Pensioenregister (a platform of the joint pension providers) have started doing this.
But that’s only part of the problem. Another part is: what to do with legacy data that is already in a digital archive? Decades of privacy-sensitive customer data are stored in digital archives of financial institutions. But these institutions are no longer allowed to store this data, so it must be made illegible. To manually search all this data would require an average effort of about ten minutes per customer file. If you extrapolate this to the total of just under five million mortgage holders in the Netherlands, manual processing does not seem an option. However, due to the limited availability of the required technology, many banks see manual processing as the only solution. As a result, the Dutch Central Bank estimates that more than 20% of all bank staff are active in the field of compliance.
The solution: Blurrify
Manual processing looks like an unworkable solution. Not only because of the time it takes, but also because of the limited reliability of the routine work and the fraud risks that banks expose customers to when manually going through their most sensitive financial data. For this reason, the financial sector is increasingly looking for automated solutions to comply with laws and regulations. The market for these solutions is now so large that it has a separate name: regulatory technology (regtech).
One of the players in this market is the Dutch fintech Hyarchis. After the introduction of the General Data Protection Regulation (GDPR) in 2018, Hyarchis developed an application that meets the requirements of the recent Kifid ruling. Adriaan Hoogduijn, CEO of Hyarchis, who masterminded the application, says: “Since the introduction of the GDPR, we have closely followed the somewhat surreal discussion about the citizen service number. About 85% of all Dutch mortgages are in our systems. Despite mortgage lenders being very different, we decided, based on our interpretation of the GDPR, to develop a solution for compliance – Hyarchis Blurrify. The European Union has supported this with a substantial subsidy with which we have developed an AI-driven application in collaboration with several European universities that is now being used in the Netherlands, Belgium and Germany to comply with European privacy legislation.”