How Private is Your KYC Beneficial Ownership Data?
23 March 2017
As I’ve written in previous blogs (see Regulatory Risk Exposures of New Beneficial Ownership Rules and Are You Stuck in the KYC Beneficial Ownership Quagmire?), evolving Know Your Customer (KYC) beneficial ownership standards and regulations require collecting, maintaining and reporting large volumes personally identifiable information (PII). This raises the specter of ensuring your program complies with regional data protection and privacy laws.
Data protection and privacy regulations
Regulations increasingly limit transferring data between jurisdictions, especially in the European Union (EU). The EU General Data Protection Regulation (GDPR) has defined stringent regulations for the collection, use and storage of information of EU residents. GDPR puts the onus on data collectors (banks) to inform individuals (beneficial owners) when their personal information is going to be collected and/or processed, and for what specific purpose(s).
Under the GDPR, a bank cannot rely on implied consent but must instead receive explicit consent given for each purpose for which the bank intends to use the beneficial owner’s personal data. Further, the GDPR mandates that the request for consent must be clear and concise and cannot be presented in an unusual context.
In the United States there are federal requirements such as Graham-Leach-Bliley Act, but there are also individual state regulations for data privacy. For example, California is a leading proponent of data protection; the state has some of the most stringent data privacy rules in the country. The bottom line is, it is important to consider data privacy laws of the jurisdictions where you are collecting beneficial ownership data.
Technology to the rescue
Managing beneficial ownership data raises a host of information security concerns, as it contains PII. In addition to your ongoing Know Your Customer / Customer Due Diligence programs, beneficial ownership data must be shared for other purposes such as suspicious activity reporting, intelligence gathering, investigations and legal proceedings.
It is likely beneficial ownership data is now being, or is planned to be, collected, used and stored across a wide variety of information systems. The present is a good time to review your technology plan to protect privacy of beneficial owners. It is in your best interest to gain consensus on a very limited number of platform(s) (ideally one) for your program. Ease of use should be top of mind to ensure adoption across all three lines of defense.
How are you controlling, or planning to control, access to your beneficial ownership data? All too often banks rely on ineffective and/or inefficient operational controls such as hard copies, email, disks or thumb drives. The problem with these methods is they do not effectively control opportunities for data leakage.
Banks need to prevent data leaking not only to external parties such as regulators, auditors and other banks but also to employees. All of these stakeholders require proper and compliant access to your data, and you have a responsibility to provide data access in compliance with all applicable data privacy laws.
Even when banks have well-documented information security training programs and procedures, those protocols may not always be followed. When a data leak does occur, you need to notify impacted parties and in some cases make public disclosure. There are often very clear and stringent timelines in which these notifications must be made. So it is best to secure files that contain sensitive data with encryption during all stages of transport, storage and use.
The time to act is now!
A platform that can provide these features will be most helpful in meeting the collaboration needs of the team assigned to support beneficial ownership discovery and verification. For information on how Intralinks can help, please visit Intralinks for Regulatory Risk Management.
Read our white paper: Beneficial Ownership? Not if You’re a Bank!
Watch the webinar “Operationalizing Compliance: Improve Effectiveness While Reducing Cost."
Todd Partridge is Vice President, Product Marketing at Intralinks. He has broad industry experience in the enterprise information management (EIM) space, with deep expertise in all trends and technologies related to information governance, enterprise content management, document management, web content management, business intelligence, team collaboration, e-mail management, and enterprise records management practices. In his previous role at OpenText, Todd held several global positions ranging from sales, marketing, product management, positioning and strategy.