Handling of PII regarding ID verification

A very good question and one that really reflects upon the design of their system security. What is their strategy for breach remediation, etc.?

1 Like

If there are suitable, sufficient and audited controls around the process, it ought to be possible to record that “ID was verified” and “what was provided”, perhaps keeping non identifiable parts or slices of scans, and use that to confirm that the check was done. It reduces the toxic liability of having to protect that information.

Just to let you know that we aren’t totally ignoring this.

Given the depth of information you’ve requested, I’d like to get the right person in the company to answer your questions. :slightly_smiling_face:

15 Likes

Great question - also would really like to know this and I think Monzo should do its best to explain what happens to all of our data.

Thanks for the acknowledgement Richard.

I appreciate the not-insignificant effort it may take to build an answer to the same granularity of the question and also that I asked it at the dog-end of the week.

1 Like

Hi,

I’ll try to add as much detail as I can, let me know if I can clarify anything. This matches the current implementation of the in-app flow but naturally this might change over time.

Where is it stored and in what form (file/blob/hashed/together/separated/emailed in a zip file to the fraud team mailing list)

The app is given a signed S3 URL to upload the video directly to. The video is then downloaded and processed within our infrastructure when submitted.

What parts of this are shared outside of Monzo control (Or stored in a 3rd party ID verification SaaS product) and with whom?
How do those third parties store/retain above data and for how long?

We use a mixture of in house tooling and third party suppliers. Any individual identity submission may be sent to no third party supplier, one third party supplier, or multiple third party suppliers depending on a variety of factors.

We have data retention policies set with these third parties that require them to delete data after a time period has elapsed. I believe this is 3 months but I have not double checked this. The retention policy is a trade off between reducing the impact of a data breach and being able to investigate operational issues with the provider. Now that our integrations have been running successfully for a while we may look at reducing the retention policies.

Do you have agreements with said 3rd parties that restrict their use of and retention of [my|our] PII data?

Yes. They are only allowed to process the data in ways stipulated in our contract.

Then, after verification, what from the above is stored and how long is it retained for:
If a successful ID verification is completed
If a verification is failed

Once the process is complete (whether successful or not) we retain the document + selfie as per UK regulation. We will usually keep this data for 6 years from when an individual leaves the bank but if they have been investigated then we are required to keep it for 20 years.

5 Likes

Does this imply that you are keeping the video selfies on the same S3 infrastructure as the payment receipts? (i.e. with the same URL structure)

They are in an entirely separate bucket.

Every time an internal tool needs to display one of them it has to obtain a short lived signed URL to read it.

6 Likes

Thanks for the answers Daniel. Some interesting positives and some further concerns.

‘The app is given a signed S3 URL to upload the video directly to.’

Nice touch.

Could Monzo explain what safeguards are in place to
(1a). Restrict and audit access to this data store (In this case, bucket).
(1b). Restrict the ability for someone to change the access methods on the data store?
(1c). Does anyone/an automated process review the audit log for discrepancy patterns?

Context: if Monzo are storing our “fraud-in-a-box” in an S3 bucket, one S3 action or IAM policy by a Monzo admin or an unwitting Amazon S3/support team member changing one setting on the bucket could consequently make all of that PII anonymously world-readable. What mitigates this?

Any individual identity submission may be sent to no third party suppliers, one third party suppliers, or multiple third party suppliers depending on a variety of factors.

This is where I most wish for detail.

Could Monzo please elaborate on;
(2a). The original question - “What parts of this are shared outside of Monzo control (Or stored in a 3rd party ID verification SaaS product) and with whom?” - I feel this is as-yet unanswered.
(2b). Which suppliers depending on which variety of factors?

Context: I have already established a solid level of trust in Monzo but I (Potentially?) do not have a relationship with your third parties. I wish to know which suppliers my PII may be transferred through, so that I can research these suppliers. I understand you have placed controls upon them but I would like to decide for myself whether their data handling professionalism (A sensational example here but still an example) meets my interpretation as a competent standard.

We have data retention policies set with these third parties that require them to delete data after a time period has elapsed.

:+1: Fantastic – and – a great clear answer. Monzo_reputation++

Yes. They are only allowed to process the data in ways stipulated in our contract.

:+1: Fantastic again. Monzo_reputation++ again.

Once the process is complete (whether successful or not) we retain the document + selfie as per UK regulation.

The dreaded “as per < insert offload here >”

I understand retention of the identity document is required by legislation. However, I dispute your assertion that the selfie (Video and audio) is also required. Please can you back this up with a documented reference.

(3). What piece of legislation are Monzo interpreting in what manner that leads to this position. Please could you specify the precise document and numbered terms within it so I can read further, ideally via http://www.legislation.gov.uk

Context: My high street banking provider does not keep me in branch after they have verified my identity. I leave and continue my daily whereabouts. The identity document is retained, but my in-person presence is not.

I have an additional question that arises from this.

(4). Please can you provide a detailed technical explanation of where this information is stored for X years/indefinitely. If it lives in the original S3 bucket then we have probably addressed this already, otherwise, please could you elaborate on how it is stored and re-apply questions 2a/2b above as well.

Thank you for your answers so far. I appreciate these are not quick questions and that the answers are probably distributed across multiple individuals.

12 Likes
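As an added example (not from this thread and not Monzo's code), here is a small check for the concern in question 1b above, run over a constructed bucket policy and Block Public Access settings: it flags any policy statement that grants anonymous reads, and any Block Public Access setting that is switched off. The bucket name, account id and role name are made up.

```python
import json

# Constructed sample bucket policy, for illustration only (not Monzo's policy).
# The second statement is the one-line mistake the thread worries about: it
# grants anonymous s3:GetObject on every object in the bucket.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "InternalToolsRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/kyc-viewer"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::kyc-videos-example/*"},
    {"Sid": "OopsPublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::kyc-videos-example/*"},
]})

# Constructed S3 Block Public Access settings; all four must be True for the
# bucket to ignore public ACLs and public policies like the one above.
SAMPLE_PUBLIC_ACCESS_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
PAB_KEYS = tuple(SAMPLE_PUBLIC_ACCESS_BLOCK)  # the four settings
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}  # compared lower-cased

def _as_list(value):
    """Policy JSON allows a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def principal_is_anonymous(principal):
    """True when a statement's Principal matches anyone ('*' or {'AWS': '*'})."""
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))

def public_read_statements(policy_json):
    """Sids of Allow statements that let an anonymous caller read objects; ones
    carrying a Condition are still reported, marked '(conditional)', because
    only a human can judge whether the condition really restricts access."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not principal_is_anonymous(stmt.get("Principal")):
            continue
        if not {a.lower() for a in _as_list(stmt.get("Action", []))} & READ_ACTIONS:
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        findings.append(sid + " (conditional)" if stmt.get("Condition") else sid)
    return findings

def audit_bucket(policy_json, public_access_block):
    """Both checks together: the list of findings an access review would raise."""
    problems = [f"anonymous read grant: {sid}" for sid in public_read_statements(policy_json)]
    problems += [f"Block Public Access setting {k} is off" for k in PAB_KEYS
                 if public_access_block.get(k) is not True]
    return problems
```

Run periodically against the real policy and settings pulled from the account, this is the kind of automated review question 1c asks about; a clean result is an empty list.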

I understand retention of the identity document is required by legislation. However, I dispute your assertion that the selfie (Video and audio) is also required. Please can you back this up with a documented reference.

I would also love to know the answer to this.

I would question Monzo’s need for this in the first place.

Ignoring the fact that sending you a video of myself saying that I want a Monzo account is weird in the first place, hearing that you will keep it for at least 6 years is even more worrying, which unfortunately has prevented me from upgrading to a current account so far.

That’s pretty obviously legitimate. They can see a real human saying something almost impossible to get someone to accidentally say and they can match up that real human with the photo on the ID shown. It serves a clear, necessary ID verification purpose.

That said, I’m not sure it needs to be retained as long as the ID copy itself does, just like a bank doesn’t retain a video of you signing up, they only have to see you signing up, and retain a copy of the ID. I’m also not as worried as some (I’m not at all worried), the whole idea behind the video is that it should be something very unique. No other bank will verify you with ‘My name is --------- and I want a Monzo account’.

4 Likes

That’s pretty obviously legitimate. They can see a real human saying something almost impossible to get someone to accidentally say and they can match up that real human with the photo on the ID shown. It serves a clear, necessary ID verification purpose.

Why just say it? Wouldn’t it be better to sing it, maybe with a provided music track in the background?
There are more standard ID verification methods, which seem to work just fine for other financial institutions.

Yes, it would be (more unique), but then you start to increase potential accessibility issues.

But they don’t work just fine for all people, for example asking questions from a credit report is tricky for people with thin files. This is an easy process that works well.

2 Likes

But they don’t work just fine for all people, for example asking questions from a credit report is tricky for people with thin files. This is an easy process that works well.

Seems like it doesn’t work well for everyone, otherwise I would have already upgraded.

Why did it not work well for you? My impression from your post was that you just didn’t want to do it, which isn’t the same as it not working well for you.

If you do have a need that makes it physically difficult, why not contact Monzo? One, they seem really responsive. Two, under the Equality Act 2010 they have to figure out a way to accommodate you if you have a disability that makes this impossible and there is a reasonable accommodation possible.

2 Likes

These ID checks have to be run under new legislation - you may notice legacy banks ask you to come into branch and show ID even if you have an account already.
I’m not sure why Monzo run the checks they do (and I probably won’t be allowed to tell you when I find out!), but legacy banks have branches you must present ID at in order to open an account. Monzo don’t have branches, so to check you’re an alive human being who matches the photo on your ID they ask you to record a video.

Regarding length of time the video is kept, I think this is again a legal requirement for anti-money laundering purposes. Legacy banks probably keep ID on file for similar lengths of time - the only difference being Monzo is very transparent about what they do.

2 Likes

Just to let you know a bit about myself: I’m an expert and speaker on cyber and privacy insurance, and amongst these things is legislation. Under current regulations Video ID isn’t classed as PII; in fact not many things in the UK are! GDPR changes that slightly, but more heavily amends the use of data on individuals and the reporting. Feel free to message me about it if you would like.

2 Likes

I am not sure this is completely accurate. I am not an expert but I believe the bank can choose what checks they perform and be confident those checks meet current legislation. So if another bank that uses credit reports/data feels this is enough they do not need to start asking for videos etc. Where they may ask for this additional info is if the standard process provides insufficient data and ‘additional’ verification checks are deemed necessary.

So mandating ID and a video upload is a business decision based on risk appetite of the business. As is relying on credit report data.

But that’s my point, I’m not sure credit report data is legally enough now.

1 Like

There are no overarching rules around this. Financial institutions are required to comply with legislation, such as the 4th EU Money Laundering Directive.

Whilst the directive itself gives guidance, it doesn’t tell institutions how they must conduct their on-boarding checks. Guidance is just that… a guide!

It will all come down to the risk appetite of the individual institution, in particular, their Money Laundering Reporting Officer, who is legally responsible for ensuring compliance. This is one of the reasons there does not appear to be a common ground in the market, and what is acceptable for one institution may not be for another.

3 Likes