Customers who pay bills for utility services or children’s groups do not understand why the company needs to know about their and their relatives’ party affiliation and earned income.
I was surprised by the questionnaire
Customers of the company “One account” applied to “Kaunas day”. They were outraged that the company required them to fill out a customer identification form. Otherwise, it will not be possible to use the services and pay all the bills with a few clicks.
Readers of the daily wondered why the company needs data on how much a person earns, whether he belongs to which political force, or whether he holds the position of a civil servant. In other words, are they politically vulnerable? Not only that, the questionnaire also asks to reveal the names, surnames and dates of birth of relatives if they work in the civil service.
“Why does a company need such data?” This is not a bank. We simply pay official service providers for the services they provide. I have a few utility bills, kids’ club bills, and a phone and internet bill in my cart. After all, you will not transfer money to terrorists through “One Account”. Therefore, the requirement to disclose information both about yourself and about your family members is really inappropriate.
In my opinion, One Account collects redundant data about its customers by asking them to fill out a know-your-customer form. The company really does not need to know so much data about people who only pay bills and do not make any serious financial transfers,” Mindaugas, a client of “Vienas konto” told “Kauno dienas”.
The man wondered whether such a questionnaire violates the General Data Protection Regulation (GDPR), because the customer-knowing questionnaire also contains very sensitive questions related to family income. According to the client, revealing the name, surname and date of birth of close wives just to pay the bills is incomprehensible and baseless.
Infuriating: residents are convinced that it is not necessary to indicate the income received and whether they are not a civil servant in the profile of the “One Account” client. / “Kauna dienos” readers’ photo.
Questionnaires may vary
In our country, the supervision of financial institutions is carried out by the Bank of Lithuania. Its representatives confirmed to “Kauno diena” that “One Account” has a payment institution license, and the requirements for the prevention of money laundering and terrorist financing, including knowing the customer, apply to all payment service providers.
However, the Bank of Lithuania noted that each financial institution decides on its own which questions to submit in the customer familiarization questionnaire.
“Financial market participants are obliged by law to properly know their client and monitor business relations (operations, transactions performed by the client). Legislation specifies certain data that all financial market participants must obtain when establishing a business relationship with a client (for example, identifying the client, whether he is a politically vulnerable person, etc.), but there is no exhaustive list of this information.
What information to request from customers is decided by the financial institutions that assess the risk themselves. As a result, the amount and nature of the information may differ in individual cases”, said Giedrius Šniukas, the spokesperson of the Bank of Lithuania.
He indicated that the Bank of Lithuania has drawn the attention of financial institutions that financial institutions should request as much information as is sufficient in a specific case to manage the risk of money laundering and terrorist financing.
“It is important for financial institutions to ensure that their customers do not use the financial system for illegal purposes, but they should not create obstacles for customers to use services. Information protection requirements are applied to data received for the purposes of preventing money laundering and terrorist financing, so financial institutions cannot use the received confidential information for other purposes. Financial institutions have the right to disclose this information only to third parties established by legal acts and only in the cases and procedures provided for in them”, G. Šniukas commented on the fact that institutions must handle customer data responsibly.
Data protection
Karolina Grobovaitė, head specialist of the Legal Department of the State Data Protection Inspectorate (VDAI), also provided an explanation to “Kauno diena” about the data collected in the client profile and whether the collection of such information violates the GDPR.
“The GDPR does not prohibit the processing (as well as the collection) of personal data, but the most important thing is to comply with the principles related to the processing of personal data, established in Article 5 of the GDPR, and when such processing of personal data can be justified by at least one condition of legal personal data processing, provided for in GDPR 6 and 9 articles, taking into account the category of personal data being processed”, said the specialist.
The requirement to reveal such information about yourself and your family members is really inappropriate.
She taught that Article 6, Paragraph 1, Clause 1 of the GDPR stipulates that data processing is lawful in the event that data processing is necessary to fulfill the legal obligation applicable to the data controller, i.e. the obligations provided for in legal acts. The VDAI lawyer noted that the Law on the Prevention of Money Laundering and Terrorist Financing determines the entities subject to the obligation to collect personal data on the basis of this law: financial institutions and obligated entities. According to the Bank of Lithuania, the company “One account” is a payment institution, therefore the provisions of the law apply to it.
“For example, financial institutions and other obliged entities must identify the client and beneficiary, carry out continuous monitoring of the client’s business relationship and, in order to ensure that the documents, data or information provided during the identification of the client and beneficiary are appropriate and relevant, they of financial institutions and other obliged entities must be constantly reviewed and updated.
Pursuant to this law, financial institutions and other obligated entities must collect not only customer and beneficiary data such as name, surname, personal identification number, but also other information that would allow determining, for example, whether there are circumstances to apply enhanced customer identification. The purpose of all these duties is to ensure prevention, preventing the use of the financial system for the purposes of money laundering and terrorist financing.
Thus, taking into account the above, UAB “One account” has the right to request the submission of personal data of its customers and beneficiaries to the extent necessary to fulfill the obligations set out in the law”, stated K. Grobovaitė, chief specialist of the Legal Department of VDAI.
Just the information you need?
Aušra Čiuplienė, general director of the company “One Account”, told the newspaper that such questions are not the first time, but she noted that only those data that are necessary for financial institutions are collected.
“It’s good to see that the public is critical and cares about the security of their personal data. While monitoring this, we pay special attention to data security, encryption, and storage, and we can responsibly say that we collect only the information that is necessary to fulfill the requirements of the financial institution.
I want to reassure you that any request for personal data does not mean that the customer is suspected of something. “One Account”, like other financial institutions, does not collect customer data on its own initiative, but because it is obliged by law. This is a standard process for all financial institutions required to comply with the Money Laundering and Terrorist Financing Prevention Act. “One account”, acting as a payment institution, is also not an exception”, commented A. Čiuplienė.
She explained that even if the client can only pay the bills of service providers on the “One Account” platform, in compliance with the requirements of legal acts, the company must prevent money laundering and terrorist financing and apply the “Know your client” principle in its activities.
I want to reassure you that any request for personal data does not mean that the customer is suspected of something.
“This principle obliges us to collect the necessary information about customers (such as data on the sources of income, their size) so that we can properly respond to unusual activities related to their transactions. The aforementioned law states that politically vulnerable (affected) persons are natural persons who are or have been entrusted with important public duties, as well as their close family members or close assistants.
Current legal acts oblige us as a financial institution to ask for information about politically vulnerable (affected) persons, therefore we aim to determine whether the client and his relatives are politically vulnerable persons (ie whether they hold important public positions). If we determine that a person is politically vulnerable, we must comply with other additional obligations, as such clients are considered high risk in the context of money laundering. All this is done in order to limit any possibility of making payments for a purpose other than that intended for our platform,” said the head of “One Account”.
Unusual operations
According to the interlocutor, all financial institutions, including “One Account”, in order to prevent money laundering, use various technical and organizational measures to stop and unaccount unusual transactions.
“Delivery of money, its separation and legalization are common stages of money laundering, during which criminally acquired funds are integrated into circulation, and any financial institution can become a participant in this process without even suspecting it. Naturally, Single Account takes the necessary measures to avoid becoming part of such a scheme.
The information provided is encrypted and stored in our system. For the customer, every time he makes payments, this available data allows him to properly monitor the operations performed by the customer and assess whether they are typical for him, whether the amount of payments is similar to what the person indicated in the questionnaire, or whether it corresponds to other personal information provided. In case of suspicions or inaccuracies with the data held by the financial institution, “One account” has the right to demand the provision of more detailed information so that the money can be credited, therefore it is very important to indicate relevant and accurate information in the client’s information form”, said A. Čiuplienė.
According to her, legal acts, establishing strict customer identification requirements, also provide for enforcement measures that “One Account” can apply if the customer avoids or refuses to submit a completed customer identification questionnaire at the request of “One Account” and within the set deadlines.
“If the client does not fill out the client identification form on time, “One Account” may refuse to provide part or all of the services. The customer will be able to use the services again when he submits a completed customer identification form. At the moment, there are no plans to narrow the scope of collected data, as the collected data is necessary to ensure compliance with the obligations established by legislation,” noted the manager of the “One Account” company.
A. Čiuplienė noted that the “One Account” platform is not an electronic store, but a financial institution that has a payments license and is supervised by the Bank of Lithuania. “Therefore, we are obliged to comply with strict legal requirements, and our clients can feel safe that we will ensure a smooth process of collecting and distributing contributions,” the interviewer added.
“Kaunas dienos” readers’ photo.
