Thanks for the answers Daniel. Some interesting positives and some further concerns.
‘The app is given a signed S3 URL to upload the video directly to.’
Nice touch.
Could Monzo explain what safeguards are in place to
(1a). Restrict and audit access to this data store (In this case, bucket).
(1b). Restrict the ability for someone to change the access methods on the data store?
(1c). Does anyone/an automated process review the audit log for discrepancy patterns?
Context: if Monzo are storing our “fraud-in-a-box” in an S3 bucket, one S3 action or IAM policy by a Monzo admin or an unwitting Amazon S3/support team member changing one setting on the bucket could consequently make all of that PII anonymously world-readable. What mitigates this?
Any individual identity submission may be sent to no third party suppliers, one third party suppliers, or multiple third party suppliers depending on a variety of factors.
This is where I most wish for detail.
Could Monzo please elaborate on;
(2a). The original question - “What parts of this are shared outside of Monzo control (Or stored in a 3rd party ID verification SaaS product) and with whom?” - I feel this is as-yet unanswered.
(2b). Which suppliers depending on which variety of factors?
Context: I have already established a solid level of trust in Monzo but I (Potentially?) do not have a relationship with your third parties. I wish to know which suppliers my PII may be transferred through, so that I can research these suppliers. I understand you have placed controls upon them but I would like to decide for myself whether their data handling professionalism (A sensational example here but still an example) meets my interpretation as a competent standard.
We have data retention policies set with these third parties that require them to delete data after a time period has elapsed.
Fantastic – and – a great clear answer. Monzo_reputation++
Yes. They are only allowed to process the data in ways stipulated in our contract.
Fantastic again. Monzo_reputation++ again.
Once the process is complete (whether successful or not) we retain the document + selfie as per UK regulation.
The dreaded “as per < insert offload here >”
I understand retention of the identity document is required by legislation. However, I dispute your assertion that the selfie (Video and audio) is also required. Please can you back this up with a documented reference.
(3). What piece of legislation are Monzo interpreting in what manner that leads to this position. Please could you specify the precise document and numbered terms within it so I can read further, ideally via http://www.legislation.gov.uk
Context. My high street banking provider do not keep me in branch after they have verified my identity. I leave and continue my daily whereabouts. The identity document is retained but my in-person presence is not.
I have an additional question that arises from this.
(4). Please can you provide a detailed technical explanation of where this information is stored for X years/indefinitely. If it lives in the original S3 bucket then we have probably addressed this already, otherwise, please could you elaborate on how it is stored and re-apply questions 2a/2b above as well.
Thank you for your answers so far. I appreciate these are not quick questions and that the answers are probably distributed across multiple individuals.