Kifid's Disputes Committee recently ruled again on how a bank should implement the identification requirement. In this complaint case, the Disputes Committee distinguished between having to identify and verify the customer's identity on the one hand, and recording and storing the customer's data on the other. To (re)identify and verify the identity of the consumer, the bank may request a photo or scan of an unprocessed ID proof. However, to capture and retain a copy of this ID proof, the bank must shield the passport photo and apply a watermark to prevent misuse. If the bank fails to do so, it is in violation of the General Data Protection Regulation (AVG), according to the ruling published today.
A consumer with a checking account at ABN AMRO will be asked by the bank in September 2020 to provide her identity document again. This will allow the bank to comply with the tightened requirements of European anti-money laundering rules. The consumer provides the bank with a photo of her ID proof, with the Citizen Service Number taped off and the front and back of the ID proof with adhesive tape bearing the text 'ABN AMRO'. The bank informs that the photo of its redacted ID proof is not satisfactory. The bank demands a scan or copy of an unedited ID proof. The consumer does not agree and states that a photo or scan of her edited ID should be sufficient as long as all her personal data are visible. She then complains about this to Kifid.
The main question before the Disputes Committee is whether the bank may request, record and retain a photograph or scan of an unprocessed ID card for customer research purposes. To answer this, both the Money Laundering and Terrorist Financing Act (Wwft) and the AVG are relevant. According to the AVG, data processing must be limited to that which is necessary for the purpose of data processing. To answer the question "whether an unprocessed ID proof is necessary to comply with the anti-money laundering rules," the Disputes Committee distinguishes between, on the one hand, the identification and verification obligation and, on the other hand, the obligation to record and retain customer survey data.
Financial service providers are required by law to verify the identity of new and existing customers. The bank must be sure that the customer is who he says he is. The bank does this by automatically checking the authenticity characteristics of the ID proof. This requires an unprocessed ID proof; with a processed ID proof, the authenticity features are not easily readable. This leads the Disputes Committee to the conclusion that the bank may request a photo or scan of an unprocessed ID proof for the purpose of identifying and verifying the consumer's identity. Only then can the bank comply with the legal obligation of identification and verification.
The Disputes Committee is not convinced of this necessity when it comes to capturing and retaining the unprocessed ID evidence. What purpose is served by this? A financial service provider must record and retain data from the customer survey in order to be able to report unusual transactions to the central reporting point. And the data must be kept to comply with an order from an investigative organization when necessary. Article 33 of the Wwft states what data must be recorded and kept for this purpose. Given the premise of minimal data processing in the AVG, data not mentioned in article 33 of the Wwft may only be processed if the financial service provider motivates why this is necessary, according to the Disputes Committee. It does not follow from the Wwft that it is necessary to record and keep the passport photo on the ID proof. And in this complaint case, the bank has not made sufficiently clear why it should process more data.
The Disputes Committee ruled that before capturing and storing a copy of the ID proof used, the bank must shield the passport photo on it. The bank must also prevent misuse of the captured copy of the ID proof, for example by applying a watermark.
The final conclusion is that for the purpose of identifying and verifying a customer's identity, the bank may require an unprocessed copy of the ID proof. However, the bank may not capture and retain an unprocessed copy of a consumer's ID proof; if the bank does, it violates the minimum data processing requirements under the AVG.
According to the AVG, processing of the Citizen Service Number is only allowed when required by law. Banks are required by law to provide the Citizen Service Number when providing information to the tax authorities. And because of the deposit guarantee scheme, banks must share the Citizen Service Number of their account holders with De Nederlandsche Bank. This leads to the conclusion that the bank may request, record and retain the consumer's Citizen Service Number. The bank does not have to shield the Burgerservicenummer for recording and keeping the copy of the ID-card. However, the bank is obliged to inform the consumer that the Citizen Service Number is only processed for the aforementioned legal obligations.
The ruling GC 2022-0013 in this complaint by a consumer against ABN AMRO is binding.
