Handling of PII regarding ID verification

Hi,

I’ll try to add as much detail as I can, let me know if I can clarify anything. This matches the current implementation of the in-app flow but naturally this might change over time.

Where is it stored and in what form (file/blob/hashed/together/separated/emailed in a zip file to the fraud team mailing list)

The app is given a signed S3 URL to upload the video directly to. The video is then downloaded and processed within our infrastructure when submitted.

What parts of this are shared outside of Monzo control (Or stored in a 3rd party ID verification SaaS product) and with whom?
How do those third parties store/retain above data and for how long?

We use a mixture of in house tooling and third party suppliers. Any individual identity submission may be sent to no third party suppliers, one third party supplier, or multiple third party suppliers depending on a variety of factors.

We have data retention policies set with these third parties that require them to delete data after a time period has elapsed. I believe this is 3 months but I have not double checked this. The retention policy is a trade-off between reducing the impact of a data breach and being able to investigate operational issues with the provider. Now that our integrations have been running successfully for a while we may look at reducing the retention policies.

Do you have agreements with said 3rd parties that restrict their use of and retention of [my|our] PII data?

Yes. They are only allowed to process the data in ways stipulated in our contract.

Then, after verification, what from the above is stored and how long is it retained for:
If a successful ID verification is completed
If a verification is failed

Once the process is complete (whether successful or not) we retain the document + selfie as per UK regulation. We will usually keep this data for 6 years from when an individual leaves the bank but if they have been investigated then we are required to keep it for 20 years.