Handling of PII regarding ID verification

These ID checks have to be run under new legislation - you may notice legacy banks ask you to come into branch and show ID even if you have an account already.
I’m not sure why Monzo run the checks they do (and I probably won’t be allowed to tell you when I find out!) but legacy banks have branches you must present ID at in order to open an account, Monzo don’t have branches but to check you’re an alive human being who matches the photo on your ID they ask you to record a video.

Regarding length of time the video is kept, I think this is again a legal requirement for anti-money laundering purposes. Legacy banks probably keep ID on file for similar lengths of time - the only difference being Monzo is very transparent about what they do.

2 Likes

Just to let you know a bit about myself: I’m an expert and speaker on cyber and privacy insurance, amongst these things is legislation. Under current regulations Video ID isn’t classed as PII, in fact not many things in the UK are! GDPR changes that slightly, but more heavily amends the use of data on individuals and the reporting. Feel free to message me about it if you would like.

2 Likes

I am not sure this is completely accurate. I am not an expert but I believe the bank can choose what checks they perform and be confident those checks meet current legislation. So if another bank that uses credit reports/data feels this is enough they do not need to start asking for videos etc. Where they may ask for this additional info is if the standard process provides insufficient data and ‘additional’ verification checks are deemed necessary.

So mandating ID and a video upload is a business decision based on risk appetite of the business. As is relying on credit report data.

But that’s my point, I’m not sure credit report data is legally enough now.

1 Like

There are no overarching rules around this. Financial institutions are required to comply with legislation, such as the 4th EU Money Laundering Directive.

Whilst the directive itself gives guidance, it doesn’t tell institutions how they must conduct their on-boarding checks. Guidance is just that… a guide!

It will all come down to the risk appetite of the individual institution, in particular, their Money Laundering Reporting Officer, who is legally responsible for ensuring compliance. This is one of the reasons there does not appear to be a common ground in the market, and what is acceptable for one institution may not be for another.

3 Likes

Either accept they take your ID and store it somewhere so you can get a MONZO account, or just don’t get an account at all…

One way or another all information provided by people is always traceable no matter how many laws and procedures.

and more to the point their insurers, as many institutions adapt their approach to risk depending on insurances they hold and what the underwriters are prepared to cover and the level of premium they are willing to pay

Yeah this is pretty much the point I was trying to make. It is down to the company to decide. And then should they be brought up on it, evidence why they chose the steps they did.

Unfortunately, the 4th EU AML Directive doesn’t allow for this. When it comes to AML compliance, the institution is solely liable, they can’t insure against it. This is one thing the directive is clear on.

The directive even states:

“the appointment of a compliance officer at management level” - source (Article 8, subsection 4(a)) http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:JOL_2015_141_R_0003&from=EN

This puts joint liability on both the institution and their Compliance Officer. One reason why MLROs tend to be very risk averse!

Yes the institution is solely liable but they have often insured themselves to cover any costs incurred, be it errors by the MLRO or other staff. Where institutions have high levels of cover v lower levels of cover this made them less inclined to self impose tighter documentary requirements for applicants.

Really sorry for the delay responding to this thread. Things are pretty hectic at Monzo Towers right now :sweat_smile:

There are very valid questions in this thread regarding storage, retention, and deletion of data, but we don’t think that this is the best place for us to respond to them all. We’ve decided to publish a blog post early next year that goes into detail about how we handle your data, under what conditions you can request that it is deleted, and how to go about that. :writing_hand: Hopefully that will make everything clear.

To respond to this specifically, the relevant legislation is The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, which states that we must retain the relevant documentation for a period of at least five years after our relationship with a customer comes to an end.

As @daniel mentioned above, our internal Data Collection and Retention Policy was to keep this information for six years after a customer leaves the bank, providing the customer has not been investigated. This was a typo in the policy :male_detective:, which was always meant to align with what the regulation compels us to do. We’re going to amend the policy to five years, as was always intended. I think this is a great example of transparency being beneficial to everyone; we probably wouldn’t have noticed this error for much longer if it weren’t for this thread :raised_hands:

8 Likes

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.

Continuing the discussion from Handling of PII regarding ID verification:

Did this ever happen?
I can’t find such a blog post.

2 Likes

Hi @o99. I’ve merged your thread with the original thread and reopened it. I’ve not seen any such blog posts; hopefully @oliver or @bea can find out what’s happened!

2 Likes

FWIW, as the original creator of this thread, I was unsatisfied with the responses provided by Monzo and as a result I searched for and signed up with a competitor who were open about their PII process (*In fairness, they were not storing video and audio recordings of customers, so it was easier for them to qualify a similar topic of questions/answers). Consequently I let my account close when Monzo performed the switchover and stopped recommending Monzo to friends and colleagues until such a time the information was available.

For a provider that were emphasising being open with their customers, it seemed the opposite: “Your call is important to us” but actually it wasn’t. The two weeks(?) of daily promotional marketing email to upgrade my account sent from no-reply email addresses that could not receive feedback about why I was not “upgrading” the account irritated me more each day. A metaphorical PR nail in the coffin. As a customer that message seemed like the 21st century business standard - “conform to our expectations of our one and only customer profile, or we have no time/process for this”.

It was disappointing.

(* edit in italics)