What are the data protection challenges and regulations for KYC solutions?

As business processes continue to be improved and enhanced through digital transformation efforts, so too do regulations in terms of strength and scope throughout Europe. Companies from regulated sectors, in particular, are legally bound to adhere to many rules and regulations, such as the Know Your Customer (KYC) check. Today, online customer onboarding, and KYC, must be done via a trusted provider, with solutions that comply with security, data protection and regulatory requirements. 

What are personal data protection challenges for KYC solutions?

A crucial component of the KYC process is to verify the identity of customers, when, for example, subscribing to a service or opening an account. KYC can be done in person or remotely. It is an essential part of the Anti-Money Laundering Directive, and is used to verify the age of subscribers, to improve the customer experience, or to simply extract data.

With the increasing popularity of digital services, the KYC process has had to evolve and adapt alongside technological developments. When implementing a KYC solution, it is therefore critical to ensure that the data received from your customers, whether biometric or non-biometric personal data, is protected and not at risk of leakage. To avoid this, make sure you choose a provider that meets the regulatory requirements on data protection. But what exactly are these requirements? 

GDPR, CLOUD Act, eIDAS: what regulations currently require for personal data protection.

The question of data collection, management and storage is no longer just a consideration, a rigorous and well-thought out strategy for company data storage is now a legal requirement. Following the launch of the CLOUD Act in 2018 – a federal law in the United States regarding access to communication data (personal data), particularly operated in the cloud – the issue of data protection has been front of mind for global businesses.

The European market is governed by various regulations to which companies must comply, including issues related to data protection and General Data Protection Regulation (GDPR). This regulation aims to regulate how personal data is processed in the European Union and requires companies to protect the personal data they handle and the privacy of EU citizens. GDPR requirements concerns all transactions that take place within Europe as well as entities that process personal data belonging to EU residents. Under these conditions, companies that do not comply with the regulation can face heavy fines. Indeed, the penalty can be up to 4% of annual turnover.

In the context of a KYC process, all collected data (name, date of birth etc of applicant) clearly needs to be protected. In addition, biometric data, which can be physical or biological characteristics (fingerprints, facial recognition etc) that identify a person, are also subject to GDPR. In this context, the KYC solution provider you choose to work with must be in full compliance with GDPR. 

In order to increase confidence in electronic transactions, another regulation – eIDAS – is imposed on all trust service providers or Certification Authorities. eIDAS defines three levels for identification processes.

The “low” level refers to an electronic identification process with a low risk of identity theft. In these cases, just a login and password are the only requirements. The “substantial” level aims to improve the risk posture. The signatory must have an identity document issued by a member state and prove that it belongs to him. The “high” level requires the person to be in possession of a biometric or photographic identification recognized by the country that is processing the application.

How do KYC solutions meet the challenges of personal data protection?

KYC is the starting point of every customer onboarding and solution provider. To be a trusted identity verification solution provider, you must comply with all requirements on personal data processing. This includes the analysis, storage and archiving of the personal data processed as part of the KYC process. 

Some solution providers can verify identity documents within a minute or two. During this time, the software processes the information, verifies its authenticity and returns a verdict to the customer. The collected data is then deleted to avoid any risk of leakage. However, if the user does not possess the necessary documents, the KYC solution provider may temporarily store this data until the customer journey is validated.

Sometimes, in high assurance cases, manual verification performed by experts trained in fraud detection complete the process. Whether the document is processed automatically or manually, it is important to know where the customer’s data is being transmitted and where it is stored. In the case of manual verification, it is also important to ensure collected data is processed in a center in Europe. 

It is also important to look at the overall level of trust of the company you choose as a KYC solution provider: its values, its certifications (ISO 27001 for example, PVID, or FIDO for biometrics), as well as the audits (penetration tests, GDPR, etc.) that the company may be subject to. The purpose of these different audits is to test the reliability of information systems and associated processes in order to find possible vulnerabilities. 

At IDnow, as a KYC solution provider, we ensure compliance with the fundamental principles of the GDPR and eIDAS. We are currently working toward PVID compliance and aim to be among the first identity verification providers to obtain this certification.

Paperless. Seamless. Limitless.

Download to discover the hard and soft benefits of implementing electronic signatures.
Get your free copy
Expert guide to digital signatures


Rayissa Armata is Head Of Regulatory Affairs at IDnow

Rayissa Armata
Senior Head of Regulatory Affairs at IDnow
Connect with Rayissa on LinkedIn


Let's talk!