Because of digital developments, including artificial intelligence, the risks surrounding identity fraud are increasing significantly. In recent years, Privacy First Foundation has regularly received signals from citizens concerned about the way financial institutions, such as banks, verify identities.
These signals prompted Privacy First to investigate the background. In the process, we came across much that concerns us, including in case law and decisions by dispute resolution body Kifid.
Invoking the Anti-Money Laundering Act Wwft [*], financial institutions require copies of identity documents to be made without the photograph and BSN being allowed to be taped and sometimes require customers to take photographs or videos of themselves. Financial institutions keep the copies and images for very long periods of time and sometimes ask for identification again during an existing relationship. This poses significant data protection risks to citizens and violates the Wwft and AVG.
Privacy First today sent a detailed reasoned request to banking regulator De Nederlandsche Bank and the Minister of Finance to take action to improve financial institutions' compliance with the Wwft and the AVG and reduce the risk of identity fraud.
Our conclusions and recommendations in this request include the following:
The Wwft provides no basis for long-term retention of copies of identity documents.
The taking of selfies and video recordings is also not prescribed by the Wwft, nor is there any basis for their retention. Their use is allowed only if there is adequate substantiation.
Long-term retention of copies of identity documents, selfies and video recordings leads to increased risks of identity misuse. If there would be a demonstrable need for retention, it should be as short as possible in order to comply with the data minimization principle of the AVG. The copies of identity documents and images should then be deleted as soon as possible.
Pursuant to the Wwft and the AVG, the identification measures of companies subject to Wwft must be demonstrably proportionate and not go beyond what is necessary for the intended purpose. This means that the risks of identity abuse must be mitigated as much as possible and financial institutions must also be able to demonstrate this to citizens.
Financial institutions perform a socially essential function and have become digital enterprises without physical offices. This has encouraged risky identification practices. We believe that financial institutions should be expected to provide low-threshold physical identification options to prevent risky digital operations.
There is a need to radically adjust the approach to identity verification under the Wwft to prevent other Wwft-compliant companies from following the financial sector's bad example.
Our entire request to DNB and the Minister of Finance can be found HERE (pdf).
Our desire is for a movement to improve the data protection of citizens by financial institutions.
We have informed the standing committees on Finance, Digital Affairs and Justice and Security of the House of Representatives about this, as well as a number of other relevant parties.
[*] The Prevention of Money Laundering and Financing of Terrorism Act ( Wwft).
