Banks and GDPR, regulations incompatible with banking practices
As mentioned in the previous articles in our dossier on banks and the GDPR, the financial sector has always been very advanced in terms of security and data protection. In addition to the GDPR, multiple regulations govern it: the TRACFIN anti-money laundering and anti-terrorist measures, and more recently IFRS 9, MIFID II, DSP 2, KYC, the Sapin 2 law, the Eckert law, and the decree of April 18, 2018 reinforcing France’s anti-money laundering and anti-terrorist financing system.
Some of the banking sector’s own operations, as well as some aspects of this complex legislation, may conflict with the requirements of the GDPR or make it difficult to implement.
Intense data collection in conflict with some GDPR regulations
The Know Your Customer Directive aims to collect a range of information about customers in order to prevent identity theft, money laundering, fraud, and financial crime. The data collected includes expenses, their amount, their nature, and their justification, the origins and destinations of the banking operations carried out by the persons concerned, and many other types of personal data.
This rather substantial collection may appear to contradict the principle of data minimisation imposed by the GDPR… The Eckert law, which aims to prevent bank accounts and savings products from becoming dormant, requires banks to keep certain data for a long time. In the same way, deleting personal data about financial transactions and the individuals involved in them, whether because their legal retention dates have expired or in response to a request for deletion, may constitute non-compliance with AML and ATL (Anti-Money Laundering and Anti-Terrorism) provisions.
Banking sector standards, processes or operations that are not easily compatible with the GDPR regulation
This is the case for certain tools and systems in use that make it impossible to erase certain data. Credit scoring is a method of assessing customer risk: it aims to determine the creditworthiness and repayment capacity of a loan applicant by means of an analysis tool based on certain criteria, via the allocation of a “function score”. It has been a widespread practice in financial institutions for several decades.
It is one of the profiling and automated decision-making activities using artificial intelligence that are strongly regulated by the GDPR. To be authorised, it now requires the implementation of certain measures: explaining the profiling to the applicant, obtaining his or her consent under the General Data Protection Regulation (GDPR), and giving him or her the possibility of reviewing certain automated decisions with a human being.
Digitalisation and the use of personal data have led to an improvement in customer knowledge and the customer experience. Paradoxically, however, that customer experience has tended to become more complex and extensive following the implementation of all the regulatory texts: data collection for security purposes, collection of consents, GDPR regulations, and obligations to provide a certain amount of information… Banks must therefore rethink their approach in order to overcome this problem.