Privacy First calls on De Nederlandsche Bank and finance minister to adjust identification practices of financial institutions
Due to digital developments, including in the field of artificial intelligence, the risks around identity fraud are increasing significantly. In recent years, Privacy First Foundation has regularly received signals from citizens concerned about the way financial institutions, such as banks, verify identities.
Identity fraud risks
These signals prompted Privacy First to investigate the background. In the process, we came across much that concerns us, including in case law and decisions by dispute resolution body Kifid.
Invoking the Anti-Money Laundering Act Wwft [*], financial institutions require copies of identity documents to be made without allowing the photo and BSN to be covered, and sometimes require customers to take photos or videos of themselves. Financial institutions keep the copies and images for a very long time and sometimes ask for identification again during an existing relationship. This poses major data protection risks to citizens and violates the Wwft and the AVG (GDPR).
Request to DNB and the Minister of Finance
Privacy First today sent a detailed reasoned request to banking regulator De Nederlandsche Bank and the Minister of Finance to take action to improve financial institutions' compliance with the Wwft and the AVG and reduce the risk of identity fraud.
Our conclusions and recommendations in this request include the following:
- The Wwft provides no basis for long-term retention of copies of identity documents.
- Taking selfies and video recordings is also not prescribed by the Wwft, nor is there any basis for their retention. Their use is allowed only if there is adequate substantiation.
- Long-term retention of copies of identity documents, selfies and video recordings leads to increased risks of identity misuse. If there were a demonstrable need for retention, it should be as short as possible, in order to comply with the data minimisation principle of the AVG. The copies of identity documents and the images should then be deleted as soon as possible.
- Under the Wwft and the AVG, the identification measures of Wwft-regulated companies must be demonstrably proportionate and not go beyond what is necessary for the intended purpose. This means that the risks of identity abuse must be mitigated as much as possible and financial institutions must also be able to demonstrate this to citizens.
- Financial institutions perform a socially essential function and have become digital businesses without physical offices. This has encouraged risky identification practices. We believe that financial institutions should be expected to provide low-threshold physical identification options to prevent risky digital operations.
- There is a need to radically adjust the approach to identity verification under the Wwft to prevent other Wwft-compliant companies from following the bad example set by the financial sector.
Our entire request to DNB and the Minister of Finance can be downloaded HERE (pdf).
Our wish is for a movement to improve data protection of citizens by financial institutions.
We have informed the standing committees for Finance, Digital Affairs and Justice and Security of the House of Representatives about this, as well as a number of other relevant parties.
[*] The Prevention of Money Laundering and Terrorist Financing Act (Wwft).
This article was also published at PONT Data & Privacy, see Privacy First calls on De Nederlandsche Bank and Minister of Finance to adjust identification practices of financial institutions - PONT Data&Privacy (privacy-web.nl).