Skip to main content

What consumers need to know about KYC and the protection of personal data in the new digital environment

ECC-Spain commemorates World Consumer Rights Day by calling for a safer and more transparent digital environment.
What consumers need to know about KYC and the protection of personal data in the new digital environment

Online shops, banking and digital services have become an essential part of our daily lives. However, it should be noted that - in this new digital environment - there are certain risks such as identity theft, personal data theft or payment fraud. To counter these threats, many companies are implementing Know Your Customer (KYC) procedures and policies to verify the identity of consumers before completing a service or making an online purchase. Among the most commonly used techniques are two-factor authentication, electronic identification procedures and digital signatures. And while these checks can help protect both consumers and businesses, they also raise questions about data protection and consumer rights.

 

On the occasion of World Consumer Rights Day, the European Consumer Centre in Spain (ECC-Spain) calls for a safer and more transparent digital environment to meet these challenges, and addresses everything consumers should know about checking their identity and their rights under EU data protection legislation.

 

What is ‘Know Your Customer’ and why is it used?

‘Know Your Customer (KYC) is a policy widely adopted by companies to verify the identity of their customers to comply with regulations. It is an increasingly important and evolving process, especially in today's digital context. Its aim is to be able to apply a series of controls to prevent criminal activities such as theft of personal data, fraudulent payments, or money laundering; and to make it easier for consumers to prove their identity in a secure way. In this way, the company must make sure that the customer's identity is real, understand the nature of the operations to be carried out and -when necessary- share this information with the Administration.

 

Personal data typically collected by merchants and service providers include:
- Name and postal address.
- Email address and telephone number.
- IP address and device type (PC, smartphone, operating system).
- Payment card or bank account details. 

 

With this information, many companies use scoring systems to assess the creditworthiness and reliability of customers.

 

This is a common practice in the financial sector and is increasingly used by e-commerce companies and telecommunications providers. And while the main purpose is to verify consumer identity and prevent criminal activity, it is also used to assess the creditworthiness and reliability of customers and, in the marketing sector, to segment consumers. In this way, based on their purchasing behaviour, companies can send personalised offers to consumers, deny them access to certain payment methods or even restrict their accounts. As a result of these practices, the European Consumer Centres Network (ECC-Net) has detected an increasing number of complaints about companies ‘blocking’ users accounts, without clear justification, just because the consumer exercises their right to complain or their right to return a product.

 

On the other hand, the procedure for performing this KYC check may vary depending on the Member State concerned. For example, in Spain, it is compulsory in the financial sector where most of its customers have carried out the KYC check in person. In other words, the data and documents submitted are checked in person by a representative of the institution. However, the option of performing KYC identity verification online has also been made available. For example, by means of a video call in which the user shows his or her identity documents and verifies their authenticity with a facial check. In the same way, technological advances also make it possible to incorporate other biometric tests, such as fingerprint identification or facial recognition tests. It should be noted that, currently, any industry can benefit from and support its protocols in this type of verification, which provides added value compared to other identification systems where the information is not contrasted.

 

Recommendations from ECC-Spain

  • Watermarking. If an identity document is to be provided to a company, it is recommended to use watermarking tools to superimpose a text to indicate its purpose. For example, ‘this copy is only to verify my order no. x with seller x’ or a date delimiting the period of validity. This helps to prevent unauthorised use of personal data.
  • Processing of personal data. Attention should be paid to the type of company and the purpose for which personal data are requested. According to EU data protection law, personal data can only be processed in certain situations and under certain conditions, so not all companies are legally allowed to request copies of identity documents. Furthermore, the collection and processing of data must be necessary, proportionate and transparent. It is therefore important to know why we are being asked for personal data and how it will be processed. And if personal data are being processed unlawfully, it is necessary to complain to the data controller (the person or body processing the data). In any case, consumers have the right of access to data, the right to rectification and erasure, the right to restriction of processing, as well as the right to data portability.


What's new: European digital identity wallets
The upcoming European digital identity wallet will enable secure mobile phone-based identification and access to public and private services, as well as the storage and display of digital documents such as driving licences and educational credentials. It will also enhance privacy by sharing only the exact information agreed. Consumers will also be able to easily sign documents electronically, or control how much information is shared and with whom. This new personal digital wallet will be available to EU residents and businesses who want it and can be used to access services both online and offline, throughout the EU.


About World Consumer Rights Day
On 15 March 1962, President Kennedy, before the United States Congress, enunciated for the first time in the world the rights of citizens as consumers. Since then, this event has been regarded as the starting point for the protection of consumer and user rights at the international level, so that this date was adopted to commemorate World Consumer Rights Day.

Related documents

Help us to improve