“Subject Access Requests” for GDPR require strong customer authentication

FACEBANX’s Solution:

Subject Access Request (SAR)

The General Data Protection Regulation (GDPR) requires that organisations secure personal data but also enable data subjects to see what information is held about them, for example by making a Subject Access Request.

How can businesses authenticate that it really is their client who is making a Subject Access Request under GDPR? The ramifications of this are significant for all organisations that store customers’ data digitally.

Within financial services there is already a definition of authentication, referred to as “Strong Customer Authentication” (SCA), defined under the Revised Payment Services Directive (PSD2). This definition will be the authentication basis across GDPR for the financial services sector.

The clarification of SCA has been outlined by the MIDAS Alliance, who in conjunction with the British Standards Institution have published the code of practice PAS499 on “Digital identification and authentication”. This PAS describes the suggested workflows required in order to meet the requirements of PSD2 and therefore of Subject Access Requests under GDPR.

Jonathan Williams, Director of Strategy at the MIDAS Alliance, suggests, “the problem for businesses is that they have little guidance on how to ensure it is their customer who is making the Subject Access Request to access customer data. What is clear is that under current regulations when banks need to ensure it is their customer accessing their data, strong customer authentication meets that requirement, as stated under PSD2. What is not so clear is whether this would apply to a telecoms or recruitment company that is not governed by PSD2. This is why the MIDAS Alliance was formed, and in particular why we support the British Standards Institution’s Digital Identification and Authentication Code of Practice (Publicly Available Specification (PAS) 499).”

Rif Kapadi, Associate in the Privacy and Information Law Team of Eversheds Sutherland (International) LLP, notes, “GDPR applies across private and public sectors beyond the financial services space and will bite retailers, telecoms providers, gaming sector players and many others. Preventing data security incidents and maintaining confidentiality is a fundamental GDPR principle and requirement. Implementing ‘appropriate’ security standards will be an evolving issue for businesses and requires consideration of the state of available technology, risks to the rights and freedoms of data subjects and cost factors; adherence to GDPR-certified codes can be a key element to demonstrate compliance.”

Andrew Churchill, lead author of PAS499, states, “Whilst PAS499 is initially aimed at meeting the needs of PSD2, it should have general applicability. By giving clear guidelines on identity and authentication capabilities that can be implemented in a Financial Services scenario, we are also offering other businesses guidance on how they can start solving some challenges created by identity and authentication under GDPR. After all, if a level of security is being applied in one sector to protect a 30 euro transaction, surely this should be a baseline for protecting other sensitive data sets as well.”

Facebanx recognise that if organisations get customer on-boarding right, everything else falls into place.

This is why Facebanx have spent the last two years developing a unique solution for customer on-boarding that utilises live streaming, biometrics and document image capture in order to create customer accounts that meet the onerous requirements of “Strong Customer Authentication” as defined in PSD2 (Payment Services Directive 2) and the MIDAS Alliance’s definition of “Digital Identification and Authentication” under PAS499.

Integrating Facebanx’s solution additionally prevents companies from being fined 4% of their global turnover for failing to properly identify customers when they make a “Subject Access Request” under the General Data Protection Regulation (GDPR).

Facebanx’s product suite:

Facebanx’s IDAuth.me onboarding

Onboarding new customers and re-onboarding existing customers using live video streaming, single or multiple biometrics and identity document image capture (OCR).

Facebanx’s IDAuth.me Verification

By linking the IDAuth.me onboarding process to a national database for ID documents, it is possible to additionally verify the customer by comparing the data on the ID document the customer presents with the data held from when the ID document was initially created.

Facebanx’s IDAuth.me Authentication

Once additional biometric data has been added to existing accounts, or captured in the process of onboarding new account holders, it is then possible to add a host of new processes for the customer that allow Strong Customer Authentication to take place.

Customer logins will become more secure by utilising the additional biometric data captured during account onboarding.

Customers will be able to use a single biometric or multiple biometrics in order to make a payment or access their account.

Customers will be able to pre-authenticate themselves when in communication with a call centre, before being put through to a customer service agent. This increases the security of the call and also removes the need for the customer to repeat personal details such as name and address.

Why use Facebanx?

Facebanx has spent the last five years developing technical solutions for:

  • Video chat
  • Live streaming
  • Single biometrics
  • Multiple biometrics
  • Server set-ups
  • Digital payments solution
  • Flash player to RTMP transitioning
  • OCR data capture
  • Liveness detection

As a consequence, Facebanx are uniquely placed to advise organisations on the suite of products and technology that will be necessary in order to meet an organisation’s regulatory requirements.

Facebanx also work very closely with the regulators to understand how PSD2, GDPR and eIDAS are all interlinked and can offer consultancy on the technology solutions that are necessary to prevent potential fines for any breach of the regulations.

Benefits to the financial services industries of using Facebanx’s solutions:

  • Compliant for Strong Customer Authentication under PSD2
  • Compliant for Subject Access Request under GDPR
  • Compliant for eIDAS
  • Compliant to prevent any accusation of not protecting customers’ data under GDPR
  • Allows banks to easily bank the unbanked
  • Provides the ability to sell strongly authenticated accounts to third parties if given customer agreement
  • The ability to generate huge NEW revenue streams from selling customer data to merchants who need to know that the customer is in fact who they say they are.
  • Easily allow customers to increase credit limits
  • Mortgage and loan applications processes streamlined
  • Quickly and efficiently re-onboard millions of customers
  • Enriches existing customer databases across existing business
  • Reduces fraud
  • Increases security
  • Prevents CEO fraud
  • Reduces ID theft
  • Prevents multiple account fraud
  • Data cleansing

Benefits to non-financial organisations

  • Compliant for Subject Access Request under GDPR
  • Compliant for eIDAS
  • Compliant to prevent any accusation of not protecting customers’ data under GDPR
  • Offers strong KYC and AML
  • Quickly and efficiently re-onboard millions of customers
  • Enriches existing customer databases across existing business
  • Reduces fraud
  • Increases security
  • Prevents CEO fraud
  • Reduces ID theft
  • Prevents multiple account fraud
  • Data cleansing
The Facebanx solution will augment a business’s existing customer database, which can then be utilised by different business processes and delivered through a variety of channels and devices. The Facebanx solution enables an incremental approach to the onboarding of existing customers whilst ensuring all new customers go through the Strong Customer Authentication process. Existing customers can be onboarded and re-onboarded when they visit the business, or can be invited to register via an onboarding campaign.

The Facebanx solution can be provided as:

  • A hosted service
  • Integrated into existing infrastructure
  • Mobile or web-based

How much will it cost?

The cost of Facebanx’s suite of products can be matched to your requirements. However, as a general rule, the standard service comprises:

  • Yearly licence fee
  • Fee per user per year
  • Volume based fees
  • Maintenance and support fee

The cost is very much dependent on the number of customers that will use the service.