Handling of PII regarding ID verification


#1

Please can a Revolut rep/leader/staff member who is able to talk in specific facts (not assumptions or generalisations) about ID verification and PII explain the account ID verification process, specifically covering but not limited to these points:

Once photo and ID is captured

Where is it stored and in what form (file/blob/hashed/together/separated/emailed in a zip file to the fraud team mailing list)
What parts of this are shared outside of Revolut control (Or stored in a 3rd party ID verification SaaS product) and with whom?
How do those third parties store/retain above data and for how long?
Do you have agreements with said 3rd parties that restrict their use of and retention of PII data?

Then, after verification, what from the above is stored and how long is it retained for:

If a successful ID verification is completed
If a verification is failed

I am aware of enhanced KYC regulation in the UK and Europe. I understand why you are asking for ID, I understand the convenience it provides digitally. What I would like to know is if/after I give you a package of my photo and ID (fraud-in-a-box) in digital form - which is much more concerning to me than my high street banking provider taking a scan of my ID in-person - how you are handling my PII and how you are setting controls for the providers you select to share my PII with.

Thank you.


#2

I also would like to know this.


#3

This is also covered by the new GDPR law that gets enforced from May 25th in the EU. They have a legal obligation to tell you how your PII is used and stored and have to give it to you upon request and also delete it on request too, so they should already have the ability to answer these questions.

Maybe not to specific details such as “it’s stored on this specific server” or “we print it out and post it on the office walls” but reassurance that it’s encrypted and stored as safely as other banks would be good. Which I don’t doubt, given that they are regulated the same as physical banks who also take copies of your ID and tbh, I wouldn’t be surprised if traditional banks don’t store it very securely at all given most of their track records :smiley:


#4

I think you’ll find under your country’s laws (for example the UK) financial services have to retain your data for 6 years after your account is closed. This overrides your GDPR ability in order to prevent fraud and money laundering.

I don’t believe it covers how it’s being stored at all. GDPR just states that there is a requirement to ensure personal data is properly protected using reasonable means, but yes, they do indeed have to tell you how it is being processed and what legal basis they have for doing so.

I’m not sure if this would be worth any salt; if you asked a guy selling snake oil if it was any good, he’d say yes. Regardless, Revolut is regulated by the FCA under e-money guidelines and your money is stored in ring-fenced accounts with Lloyds or Barclays last I checked. This doesn’t include the pooled accounts that are addressed to Revolut Ltd.