The General Data Protection Regulation (GDPR) requires that organisations must secure personal data but also enable data subjects to see what information is held about them such as a Subject Access Request.
How can businesses authenticate that it really is their client who is making a Subject Access Request under GDPR? The ramifications of this are significant for all organisations that store customer’s data digitally.
Within Financial Services there is already a definition of authentication that is referred to as “Strong Customer Authentication” (SCA) defined under the Revised Payments Services Directive (PSD2). This definition will be the authentication basis across GDPR for the Financial services sector.
The clarification of SCA has been outlined by the MIDAS Alliance, who in conjunction with the British Standards Institute have published the code of practice PAS499 on “Digital identification and authentication”. This PAS descirbes the suggested workflows required in order to meet the requirements of PSD2 and therefore Subject Access Requests under GDPR.
Jonathan Williams, Director of Strategy at the MIDAS Alliance suggests, “the problem for businesses is that they have little guidance on how to ensure it is their customer who is making the Subject access request to access customer data. What is clear is that under current regulations when banks need to ensure it is their customer accessing their data, strong customer authentication meets that requirement, as stated under PSD2. What is not so clear is if this would apply for a telecoms or recruitment company that are not governed by PSD2? This is why the MIDAS Alliance was formed, and in particular why we support the British Standards Institution’s Digital Identification and Authentication Code of Practice (Publicly Available Specification (PAS) 499).”
Rif Kapadi, Associate in the Privacy and Information Law Team of Eversheds Sutherland (International) LLP notes, “GDPR applies across private and public sectors beyond the financial services space and will bite retailers, telecoms providers, gaming sector players and many others. Preventing data security incidents and maintaining confidentiality is a fundamental GDPR principle and requirement. Implementing ‘appropriate’ security standards will be an evolving issue for businesses and requires consideration of the state of available technology, risks to the rights and freedoms of data subjects and cost factors; adherence to GDPR certified codes can be a key element to demonstrate compliance.”
Andrew Churchill, lead author of PAS499 states, “Whilst PAS499 is initially aimed at meeting the needs of PSD2, it should have general applicability. By giving clear guidelines on identity and authentication capabilities that can be implemented in a Financial Services scenario, we are also offering other businesses guidance on how they can start solving some challenges created by identity and authentication under GDPR. After all, if a level of security is being applied in one sector to protect a 30 euro transaction, surely this should be a baseline for protecting other sensitive data sets as well”.
Facebanx recognise that if organisations get the customer on-boarding right then everything else falls into place.
This is why Facebanx have spent the last two years developing a unique solution for customer on-boarding that utilises live streaming, biometrics and document image capture in order to create customer accounts that meet the onerous requirements of “Strong Customer Authentication” as defined in PSD2 (Payments Service Directive 2) and the MIDAS Alliance’s definition under PAS499 of “Digital Identification and Authentication”.
By integrating Facebanx’s solution it additionally prevents companies being fined 4% of their global turnover for failing to properly identify customers when they make a “Subject Access Request” under the General Data protection regulation (GDPR).
Onboarding new customers and re-onboarding existing customers using Live video streaming, single or multiple biometrics and Identity Document image capture (OCR).
By linking the SCAuth24 onboarding process to a national database for ID documents it is possible to additionally verify the customer by comparing the data on ID document the customer is presenting to the data held when the ID document was initially created.
Once additional biometric data has been added to existing accounts or used in the process for onboarding new account holders, it is then possible to add a host of new processes for the customer that will allow Strong customer Authentication to take place.
Customers login will become more secure by utilising the additional biometric data from the account onboarding.
Customers will be able to use a single biometric or multiple biometric in order to make a payment or access their account.
Customers will be able to pre-authenticate themselves when in communication with a call centre before being put through to a customer service agent. This increases the security of the call and also prevents the need of the customer to repeat information on themselves such as name and address.
Facebanx has spent the last five years developing technical solutions for
As a consequence Facebanx are uniquely placed to advise organisations on the suite of products and technology that will be necessary in order to meet an organisations regulatory requirements.
Facebanx also work very closely with the regulators to understand how PSD2, GDPR and eIDAS are all interlinked and can offer consultancy on the technology solutions that are necessary to prevent potential fines for any breach of the regulations.
The Facebanx solution will augment a businesses existing customer database that can then be utilised by different business processes and delivered through a variety of channels/devices. The Facebanx solution enables an incremental approach to the onboarding of existing customers whilst ensuring all new customers go through the Strong Customer Authentication process. Existing customers can be onboarded and re-onboarded when they visit the business or invited to register via an onboarding campaign.
The cost of Facebanx’s suite of products can be matched to your requirements. However as a general rule the standard service is:
The costs is very much dependent on the amount of customers that will use the service.