Handling of PII regarding ID verification


#1

When performing the current account upgrade in-app, I am asked to upload ID and a video. The app does not make clear how you store this information or who you share it with. I was not able to find this in the Monzo terms or privacy statement either.

This post on Android verification from @tristan was the most detail I could find so far. There was also a press release regarding a third party provider but not published by Monzo.

I’ve asked questions to in-app support and while they were helpful, phrases such as “it’s a mixture”, “it’s done through our systems” and “I can assure you we look after it” are vague and did not provide the level of confidence I was looking for.

Please can a Monzo rep/leader/staff member who is able to talk in specific facts (Not assumptions or generalisations) about ID verification and PII explain the account ID verification process, specifically covering but not limited to these points:

Once video and ID is captured

  • Where is it stored and in what form (file/blob/hashed/together/separated/emailed in a zip file to the fraud team mailing list)
  • What parts of this are shared outside of Monzo control (Or stored in a 3rd party ID verification SaaS product) and with whom?
  • How do those third parties store/retain above data and for how long?
  • Do you have agreements with said 3rd parties that restrict their use of and retention of [my|our] PII data?

Then, after verification, what from the above is stored and how long is it retained for:

  • If a successful ID verification is completed
  • If a verification is failed

I am aware of enhanced KYC regulation in the UK and Europe. I understand why you are asking for ID, I understand the convenience it provides digitally. What I would like to know is if/after I give you a package of my video/voice and ID (fraud-in-a-box :thinking:) in digital form - which is much more concerning to me than my high street banking provider taking a scan of my ID in-person - how you are handling my PII and how you are setting controls for the providers you select to share my PII with.

Thank you.


#2

I’d really like to see a level of explanation as per this excellent breakdown regarding contact sharing: “The nitty gritty details” which inspired me to opt in to that feature. The context is different but the explanation of detail is a good example.

(This is a separate comment because “Sorry, new users can only put two links in a post” :roll_eyes: )


(Harry) #3

Fantastic, well thought out question. Interested to hear Monzo’s response.


(Jeremy) #4

Personally I would like to see all PII destroyed after verification. With GDPR looming in 2018 only the foolhardy or very rich would want to keep PII.


#5

Hm… how will they verify you then? Restore access to an account, for example?


(Jeremy) #6

A very good question and one that really reflects upon the design of their system security. What is their strategy for breach remediation etc.


#7

If there are suitable, sufficient and audited controls around the process, it ought to be possible to record that “ID was verified” and “what was provided”, perhaps keeping non identifiable parts or slices of scans, and use that to confirm that the check was done. It reduces the toxic liability of having to protect that information.


(Rika Raybould) #8

Just to let you know that we aren’t totally ignoring this.

Given the depth of information you’ve requested, I’d like to get the right person in the company to answer your questions. :slightly_smiling_face:


(Tom Chambers) #9

Great question - also would really like to know this and I think Monzo should do its best to explain what happens to all of our data.


#10

Thanks for the acknowledgement Richard.

I appreciate the not-insignificant effort it may take to build an answer to the same granularity of the question and also that I asked it at the dog-end of the week.


(Daniel Chatfield) #11

Hi,

I’ll try to add as much detail as I can, let me know if I can clarify anything. This matches the current implementation of the in-app flow but naturally this might change over time.

Where is it stored and in what form (file/blob/hashed/together/separated/emailed in a zip file to the fraud team mailing list)

The app is given a signed S3 URL to upload the video directly to. The video is then downloaded and processed within our infrastructure when submitted.

What parts of this are shared outside of Monzo control (Or stored in a 3rd party ID verification SaaS product) and with whom?
How do those third parties store/retain above data and for how long?

We use a mixture of in house tooling and third party suppliers. Any individual identity submission may be sent to no third party suppliers, one third party supplier, or multiple third party suppliers depending on a variety of factors.

We have data retention policies set with these third parties that require them to delete data after a time period has elapsed. I believe this is 3 months but I have not double checked this. The retention policy is a trade off between reducing the impact of a data breach and being able to investigate operational issues with the provider. Now that our integrations have been running successfully for a while we may look at reducing the retention policies.

Do you have agreements with said 3rd parties that restrict their use of and retention of [my|our] PII data?

Yes. They are only allowed to process the data in ways stipulated in our contract.

Then, after verification, what from the above is stored and how long is it retained for:
If a successful ID verification is completed
If a verification is failed

Once the process is complete (whether successful or not) we retain the document + selfie as per UK regulation. We will usually keep this data for 6 years from when an individual leaves the bank but if they have been investigated then we are required to keep it for 20 years.


(Hugh) #12

Does this imply that you are keeping the video selfies on the same S3 infrastructure as the payment receipts? (ie. with the same URL structure)


(Daniel Chatfield) #13

They are in an entirely separate bucket.

Every time an internal tool needs to display one of them it has to obtain a short lived signed URL to read it.
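The two mechanisms Daniel describes in #11 and #13 (a signed S3 URL the app uploads to, and a short-lived signed URL an internal tool must obtain before it can read a video) are both AWS Signature Version 4 query-string presigning. The following is an added illustration, not Monzo's code and not the AWS SDK: it derives the SigV4 presigned URL with only the Python standard library and then performs the check S3 itself does on receipt, so the properties that matter for PII (the URL is bound to one method, one object key and a fixed expiry window, and none of those can be edited without the signing secret) can be tested offline. The bucket name, region, key pair (the AWS documentation's example pair) and object key are constructed placeholders.

```python
"""AWS SigV4 presigned S3 URLs: issue and verify, standard library only.

Added example, not Monzo's code. Credentials, bucket, region and keys are
constructed placeholders; nothing here talks to AWS.
"""
import calendar
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Constructed placeholders (the AWS documentation's example key pair), not
# real credentials and not Monzo's bucket or region.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "eu-west-1"
BUCKET = "example-idv-uploads"   # hypothetical bucket holding only ID videos
MAX_EXPIRES = 7 * 24 * 3600      # S3 refuses presigned URLs valid for more than 7 days


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, day: str, region: str) -> bytes:
    # AWS4 key derivation chain: secret -> date -> region -> service -> terminator
    k = _hmac(("AWS4" + secret).encode(), day)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def _canonical_query(params: dict) -> str:
    # Sorted by name, every name and value URI-encoded; the signature itself is never part of it.
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))


def _sign(method: str, host: str, key: str, params: dict, secret: str, region: str) -> str:
    canonical_request = "\n".join([
        method,
        "/" + quote(key, safe="/"),   # object key, URI-encoded once
        _canonical_query(params),
        f"host:{host}\n",              # canonical headers block ends with a blank line
        "host",                        # signed headers
        "UNSIGNED-PAYLOAD",            # presigned S3 URLs do not bind the body hash
    ])
    amz_date = params["X-Amz-Date"]
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    return hmac.new(_signing_key(secret, amz_date[:8], region),
                    string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign(method: str, key: str, expires: int, now: int,
            bucket: str = BUCKET, region: str = REGION,
            access_key: str = ACCESS_KEY, secret: str = SECRET_KEY) -> str:
    """Return a presigned URL for `method` on `key`, valid `expires` seconds from `now` (epoch, UTC)."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("X-Amz-Expires must be between 1 second and 7 days")
    amz_date = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now))
    host = f"{bucket}.s3.{region}.amazonaws.com"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    params["X-Amz-Signature"] = _sign(method, host, key, params, secret, region)
    return f"https://{host}/{quote(key, safe='/')}?{_canonical_query(params)}"


def verify(url: str, method: str, now: int,
           secret: str = SECRET_KEY, access_key: str = ACCESS_KEY) -> bool:
    """The check S3 performs on receipt: rebuild the signature and enforce the expiry window."""
    parts = urlsplit(url)
    qs = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    supplied = qs.pop("X-Amz-Signature", "")
    try:
        host = parts.hostname
        region = host.split(".")[2]          # <bucket>.s3.<region>.amazonaws.com (no dots in bucket name)
        amz_date = qs["X-Amz-Date"]
        expires = int(qs["X-Amz-Expires"])
        issued = calendar.timegm(time.strptime(amz_date, "%Y%m%dT%H%M%SZ"))
    except (KeyError, ValueError, IndexError, AttributeError):
        return False
    if qs.get("X-Amz-Credential") != f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request":
        return False
    if not 1 <= expires <= MAX_EXPIRES or now > issued + expires:
        return False
    # Date and expiry are inside the signed query, so stretching the window in the URL
    # simply produces a signature mismatch below.
    key = unquote(parts.path[1:])
    expected = _sign(method, host, key, qs, secret, region)
    return hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    issued_at = 1508500800  # constructed: 2017-10-20T12:00:00Z
    upload = presign("PUT", "videos/user-123/selfie.mp4", 900, issued_at)
    print(upload)
    print("valid at +5 min:", verify(upload, "PUT", issued_at + 300))
    print("valid at +16 min:", verify(upload, "PUT", issued_at + 960))
```

Two things worth noticing against the thread's concerns: the 15-minute upload URL and the "short lived" read URL are the same primitive with different methods and expiries, and because the window is covered by the signature, a leaked URL is only useful until it lapses. What presigning does not control is who else can read the bucket directly, which is the separate bucket-policy question raised later in the thread.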


#14

Thanks for the answers Daniel. Some interesting positives and some further concerns.

‘The app is given a signed S3 URL to upload the video directly to.’

Nice touch.

Could Monzo explain what safeguards are in place to
(1a). Restrict and audit access to this data store (In this case, bucket).
(1b). Restrict the ability for someone to change the access methods on the data store?
(1c). Does anyone/an automated process review the audit log for discrepancy patterns?

Context: if Monzo are storing our “fraud-in-a-box” in an S3 bucket, one S3 action or IAM policy by a Monzo admin or an unwitting Amazon S3/support team member changing one setting on the bucket could consequently make all of that PII anonymously world-readable. What mitigates this?

Any individual identity submission may be sent to no third party suppliers, one third party suppliers, or multiple third party suppliers depending on a variety of factors.

This is where I most wish for detail.

Could Monzo please elaborate on;
(2a). The original question - “What parts of this are shared outside of Monzo control (Or stored in a 3rd party ID verification SaaS product) and with whom?” - I feel this is as-yet unanswered.
(2b). Which suppliers depending on which variety of factors?

Context: I have already established a solid level of trust in Monzo but I (Potentially?) do not have a relationship with your third parties. I wish to know which suppliers my PII may be transferred through, so that I can research these suppliers. I understand you have placed controls upon them but I would like to decide for myself whether their data handling professionalism (A sensational example here but still an example) meets my interpretation as a competent standard.

We have data retention policies set with these third parties that require them to delete data after a time period has elapsed.

:+1: Fantastic – and – a great clear answer. Monzo_reputation++

Yes. They are only allowed to process the data in ways stipulated in our contract.

:+1: Fantastic again. Monzo_reputation++ again.

Once the process is complete (whether successful or not) we retain the document + selfie as per UK regulation.

The dreaded “as per < insert offload here >”

I understand retention of the identity document is required by legislation. However, I dispute your assertion that the selfie (Video and audio) is also required. Please can you back this up with a documented reference.

(3). What piece of legislation are Monzo interpreting in what manner that leads to this position. Please could you specify the precise document and numbered terms within it so I can read further, ideally via http://www.legislation.gov.uk

Context. My high street banking provider does not keep me in branch after they have verified my identity. I leave and continue my daily whereabouts. The identity document is retained but my in-person presence is not.

I have an additional question that arises from this.

(4). Please can you provide a detailed technical explanation of where this information is stored for X years/indefinitely. If it lives in the original S3 bucket then we have probably addressed this already, otherwise, please could you elaborate on how it is stored and re-apply questions 2a/2b above as well.

Thank you for your answers so far. I appreciate these are not quick questions and that the answers are probably distributed across multiple individuals.
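Questions 1a to 1c above describe a concrete control set: restrict who can read the bucket, restrict who can change the bucket's access configuration, and have something review the audit trail for the one-setting-away-from-public scenario. As an added illustration (not Monzo's code, and nothing the thread says Monzo runs), here is a small CloudTrail reviewer that does the third of those over a handful of constructed events: it flags any change to the ID bucket's policy, ACL, encryption, logging or public access block, inspects a submitted bucket policy for an unconditional grant to everyone, and flags object reads by any principal other than the review tool's role, or unusually many reads by one principal. Bucket name, role ARNs, account number and the event records are all made up; the simplified event shape follows CloudTrail's, and note that `GetObject` only appears in CloudTrail at all if S3 data-event logging is switched on for the bucket.

```python
"""CloudTrail review for a bucket holding ID videos. Added example, not Monzo's code.

Events below are constructed in a simplified CloudTrail shape; ARNs, account
number and bucket name are placeholders.
"""
from collections import Counter

ID_BUCKET = "example-idv-uploads"                       # hypothetical
# Only the internal review tool's role is expected to read objects (via short-lived signed URLs).
ALLOWED_READ_ROLES = {"arn:aws:sts::123456789012:assumed-role/idv-review-tool/app"}
READ_THRESHOLD = 50                                     # reads per principal per reviewed window
CONFIG_EVENTS = {
    "PutBucketPolicy", "DeleteBucketPolicy", "PutBucketAcl", "PutObjectAcl",
    "PutBucketPublicAccessBlock", "DeleteBucketPublicAccessBlock",
    "PutBucketEncryption", "DeleteBucketEncryption", "PutBucketLogging",
}


def policy_allows_public(policy: dict) -> bool:
    """Heuristic: an Allow statement whose Principal is everyone and which carries no Condition."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        everyone = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        if everyone and not st.get("Condition"):
            return True
    return False


def review(events) -> list:
    """Return (severity, message) findings for events touching ID_BUCKET."""
    findings = []
    reads = Counter()
    for ev in events:
        params = ev.get("requestParameters") or {}
        if params.get("bucketName") != ID_BUCKET:
            continue
        name = ev.get("eventName")
        who = (ev.get("userIdentity") or {}).get("arn", "<unknown>")
        if name in CONFIG_EVENTS:
            # Any change to how the bucket can be reached is worth a human look (1b).
            severity, detail = "HIGH", ""
            if name == "PutBucketPolicy" and policy_allows_public(params.get("bucketPolicy") or {}):
                severity, detail = "CRITICAL", " (new policy grants access to everyone)"
            findings.append((severity, f"{name} on {ID_BUCKET} by {who}{detail}"))
        elif name == "GetObject":
            # Reads should only come from the tool that minted the signed URL (1a).
            if who not in ALLOWED_READ_ROLES:
                findings.append(("HIGH", f"GetObject of {params.get('key')} by unexpected principal {who}"))
            reads[who] += 1
    for who, n in reads.items():
        if n > READ_THRESHOLD:
            findings.append(("MEDIUM", f"{n} object reads by {who} in one window (bulk export?)"))
    return findings


def _event(name, arn, bucket=ID_BUCKET, **extra):
    return {"eventName": name, "userIdentity": {"arn": arn},
            "requestParameters": {"bucketName": bucket, **extra}}


TOOL = "arn:aws:sts::123456789012:assumed-role/idv-review-tool/app"
ADMIN = "arn:aws:iam::123456789012:user/admin"

# Constructed sample: one normal read, one read by a human IAM user, a policy change that
# opens the bucket, removal of the public access block, a read of an unrelated bucket, and
# a burst of reads by the tool role.
SAMPLE_EVENTS = [
    _event("GetObject", TOOL, key="videos/user-123/selfie.mp4"),
    _event("GetObject", "arn:aws:iam::123456789012:user/alice", key="videos/user-123/selfie.mp4"),
    _event("PutBucketPolicy", ADMIN, bucketPolicy={"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{ID_BUCKET}/*"}]}),
    _event("DeleteBucketPublicAccessBlock", ADMIN),
    _event("GetObject", "arn:aws:iam::123456789012:user/alice", bucket="example-receipts", key="r/1.png"),
] + [_event("GetObject", TOOL, key=f"videos/user-{i}/selfie.mp4") for i in range(60)]


if __name__ == "__main__":
    for severity, message in review(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

The policy heuristic is deliberately narrow: it only catches the plain "Principal: *" grant, and a real review would also consider `aws:PrincipalOrgID` and VPC-endpoint conditions, cross-account principals and object ACLs. The preventive controls the questions also ask about (S3 Block Public Access at account level and a service control policy denying `s3:PutBucketPolicy` and `s3:DeletePublicAccessBlock` on this bucket to everyone but a break-glass role) live outside the log reviewer, which is why it exists only as the backstop.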


#15

I understand retention of the identity document is required by legislation. However, I dispute your assertion that the selfie (Video and audio) is also required. Please can you back this up with a documented reference.

I would also love to know the answer to this.

I would question Monzo’s need for this in the first place.

Ignoring the fact that sending you a video of myself saying that I want a Monzo account is weird in the first place, hearing that you will keep it for at least 6 years is even more worrying, which unfortunately has prevented me from upgrading to a current account so far.


(Allie) #16

That’s pretty obviously legitimate. They can see a real human saying something almost impossible to get someone to accidentally say and they can match up that real human with the photo on the ID shown. It serves a clear, necessary ID verification purpose.

That said, I’m not sure it needs to be retained as long as the ID copy itself does, just like a bank doesn’t retain a video of you signing up, they only have to see you signing up, and retain a copy of the ID. I’m also not as worried as some (I’m not at all worried), the whole idea behind the video is that it should be something very unique. No other bank will verify you with ‘My name is --------- and I want a Monzo account’.


#17

That’s pretty obviously legitimate. They can see a real human saying something almost impossible to get someone to accidentally say and they can match up that real human with the photo on the ID shown. It serves a clear, necessary ID verification purpose.

Why just say it? Wouldn’t it be better to sing it, maybe with a provided music track in the background?
There are more standard ID verification methods, which seem to work just fine for other financial institutions.


(Allie) #18

Yes, it would be (more unique), but then you start to increase potential accessibility issues.

But they don’t work just fine for all people, for example asking questions from a credit report is tricky for people with thin files. This is an easy process that works well.


#20

But they don’t work just fine for all people, for example asking questions from a credit report is tricky for people with thin files. This is an easy process that works well.

Seems like it doesn’t work well for everyone, otherwise I would have already upgraded.


(Allie) #21

Why did it not work well for you? My impression from your post was that you just didn’t want to do it, which isn’t the same as it not working well for you.

If you do have a need that makes it physically difficult, why not contact Monzo? One, they seem really responsive. Two, under the Equality Act 2010 they have to figure out a way to accommodate you if you have a disability that makes this impossible and there is a reasonable accommodation possible.