Additional Benefit from Using RegTechs for KYC – GDPR Compliance

Regulators Encourage RegTech Adoption

Regulators worldwide are strong advocates of RegTech solutions for the simple reason that these solutions provide both wider compliance as well as better compliance.

Wider compliance – because RegTech solutions significantly reduce the cost of compliance; they make it possible for financial institutions to comply with the abundance of regulations which apply to them.

Better Compliance – technology not only makes it easier for financial institutions to comply; it also enables firms to acquire better data from external sources and facilitates better data sharing internally. In addition to reducing human errors caused by repetitive tasks, RegTech solutions free up time for people to focus on judgement calls and the more complex aspects of compliance.

In November 2024, the Hong Kong Securities and Futures Commission (SFC) published a comprehensive “Report on the Adoption of Regtech for Anti-Money Laundering and Counter-Financing of Terrorism”.

The report is part of a campaign by the regulator to boost RegTech adoption in its jurisdiction.

RegTech and Data Protection

An interesting aspect of the report was that it included the results of a survey of 50 financial institutions, who were asked, among other things, what concerns they had regarding the adoption of RegTech solutions.

Around 35% of the respondents mentioned data privacy and security concerns; and rightly so, as data privacy and security are vital parts of the governance framework of any financial institution.

However, the adoption of RegTech solutions should not damage an institution’s data protection framework. In fact, it can significantly improve it. Here’s how.

Security < Protection > Privacy

Before we continue any further, it’s worth noting that, generally speaking, data privacy revolves around how people who have a right in relation to the data should treat it (for example, deciding what data is collected, where it is stored, how it is used, etc.); information security revolves around making sure that people who do not have a right in relation to the data are not able to access it, alter it, delete it, etc.

This article deals specifically with how the adoption of RegTech solutions can help with data privacy. However, it is worth noting that it can also improve your information security in several ways, the simplest being that if you manage your data on your provider’s system, it will be the provider who takes on the operational burden of a SOC 2 attestation or ISO 27001 certification, and the controls these attest to overlap substantially with what DORA expects of ICT third-party providers. In terms of information security, therefore, one should always look for these attestations as a sign of commitment to information security. Two caveats apply: check that the scope of the SOC 2 report or ISO 27001 certificate actually covers the service and the environment in which your data will be held (a certificate for the provider’s corporate office network says nothing about its hosted platform), and remember that the institution remains accountable for its own ICT third-party risk management under DORA regardless of what the provider has certified.

Another key point relates to the term “GDPR”.

The EU’s General Data Protection Regulation (GDPR) is the most influential data privacy framework globally. As such, it has influenced countless similar legal frameworks worldwide, and in many places “GDPR” is used as a colloquial name for data privacy laws in general.

We will therefore refer here to the GDPR, as we know it from EU legislation; however, much of what is said here will also be generally true in relation to any data privacy legal framework.

GDPR Compliance as a By-product of Compliance with Other Regulatory Requirements

“RegTechs” are companies that help firms manage their regulatory compliance obligations. In the context of financial and other institutions RegTechs are often used for the fulfilment of regulatory tasks in the following verticals:

A selection of RegTechs can help firms fulfil their regulatory obligations whilst also offering other “accompanying” benefits relating to regulatory requirements, such as privacy requirements.

For example, KYC solutions (or client onboarding solutions, KYC/AML/CFT solutions, Client Lifecycle Management solutions, and other similar names) will often store personal data of their clients’ customers. As this is the case, a GDPR-compliant framework of data management will need to be established between the institution and the RegTech – in GDPR terms, a controller-to-processor arrangement governed by a data processing agreement under Article 28 – and the RegTech will of course have such a framework “ready-made”, saving the institution the need to create one itself, often “from scratch”.

Here are four specific areas in which the adoption of a RegTech solution – especially KYC/AML-related solutions, as they handle large volumes of personal data – can also have the positive “side effect” of improving your GDPR compliance.

1. RegTechs Help You Keep Your Data Up to Date (GDPR Article 5(1)(d))

Almost 70% of the respondents in the survey by the Hong Kong SFC stated that the adoption of RegTech solutions has “reinforced the auditability and governance of their compliance processes”, as well as “improved the standard and quality of data maintained within the firms”.

In other words, RegTechs help firms handle their data in a more organised, methodical, and easily retrievable manner. This has an immense positive impact on data management as a whole. GDPR Article 5(1)(d), for example, requires firms to make sure data is “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)”.

If, for example, a financial institution contracts with a RegTech for KYC services, the client will be monitored on an ongoing basis (periodic re-screening against sanctions and PEP lists, and scheduled re-verification of identity data), which helps considerably with fulfilling this obligation. Note that screening alone keeps the risk picture current; keeping identity attributes such as addresses accurate still depends on the solution’s periodic review cycle, so check how that cycle is configured.

2. RegTechs Help You Minimise Your Data (GDPR Article 5(1)(c))

GDPR Article 5(1)(c) requires firms to make sure data is “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)”.

RegTech solutions provide any organisation with a double opportunity to comply with the minimisation requirement:

  1. First, the implementation of a RegTech solution provides the perfect opportunity to re-organise the data-related processes, making sure they are adequate and relevant and limited to what is necessary.
  2. Second, the right RegTech solution should excel in data organisation, in a way that will allow you to gather and/or keep only the relevant data.

The right RegTech solution, therefore, should be one that not only provides you with a workable framework for re-organising your processes, but also with a data structure that allows you to collect and retain only the personal data you actually need.

3. RegTechs Help You Manage Audit Trail and Consent

Maintaining a full audit trail of all the actions that were performed in relation to the data is a significant operational burden. The correct RegTech solution will have a built-in audit trail, which will be both client-facing AND backend-facing. To be worth anything to an auditor it must record who did what, to which record, and when, and it must be tamper-evident: an audit trail that can be silently edited demonstrates nothing.

This will allow you to easily demonstrate to any data privacy auditor that “Controller” is not just your legal title – you are actually in control of the data and how it is handled, both internally and externally.

4. Data Subject Rights Made Easier (GDPR, Ch. III)

Chapter III GDPR, “Rights of the data subject”, specifies the rights data subjects have in relation to their personal data. Among those rights are the right to be informed about the processing and to access the data (Articles 13 to 15; Article 14 is the relevant one when, as is common in KYC, data is obtained from sources other than the data subject), the right to erasure, known as the “right to be forgotten” (Article 17), and the right to data portability (Article 20).

If a RegTech holds a good portion of your client data, it is advisable – and, in fact, required – to make sure the RegTech is capable of providing you with the means to uphold these obligations. That should not be a problem: most established RegTechs are built to handle data this way, and you can therefore benefit from their existing processes and infrastructure for this purpose, without needing to set up your own. One caveat specific to KYC data: the right to erasure is not absolute. Article 17(3)(b) disapplies it where processing is necessary to comply with a legal obligation, and anti-money laundering rules require institutions to retain customer due diligence records for a number of years after the business relationship ends. The RegTech’s erasure process should therefore respect those retention periods rather than deleting on demand, and its audit trail should show that it did.

Data is King – And RegTechs Rule the Kingdom

If data is correctly gathered, classified and stored from the start, everything else in the data lifecycle becomes easier, including GDPR compliance. Financial institutions are, in many ways, data companies – but the data they are built to process is not PII (Personally Identifiable Information, or “personal data” in GDPR terms), but rather financial transactions and countless technical parameters.

RegTechs, on the other hand, are built to handle PII. They are built to gather it, classify it, process it systematically and store it safely. Therefore, adopting RegTech solutions to handle various regulatory compliance tasks can have a positive impact on the GDPR compliance of financial institutions as well.

By ensuring your RegTech solution addresses these aspects, your financial institution can not only improve its GDPR compliance but also build a solid foundation of trust and security with customers, maintaining competitiveness in a dynamic and heavily regulated market.

Contact us to find out more.