
To shield or not to shield copies of identity documents?

In February 2023, the Dutch Institute for Financial Disputes (Kifid) ruled that banks are allowed to process a clean and unshielded copy of an identity document to fulfil their identification obligations under the Dutch anti-money laundering or terrorist financing regulation. This so-called Wwft regulation is the Dutch implementation of the European AML directive. Though the justification of Kifid's ruling was based on articles 3 and 33 of the Wwft, one may wonder if Kifid made the right decision. Shouldn't Kifid have taken a better look into the technical aspects of identity verification and, consequently, have taken into account the basic principles of the General Data Protection Regulation?

"Shouldn't Kifid have taken into account the basic principles of GDPR?"

Kifid concluded that an unedited copy of an identity document is necessary to verify the authenticity of the document. With an edited (i.e., shielded) copy, the security features are not legible according to Kifid. Moreover, it also concluded that the retention of the unprocessed identity document by the bank is necessary because it enables the financial supervisory authorities to determine whether the bank has complied with its legal obligations in the context of customer due diligence. In addition, the retained data is unavoidable for that purpose: preventing, detecting or investigating possible cases of money laundering or terrorist financing. This also provides a sufficient basis for the bank to keep an unprocessed identity document, i.e., it allows the supervising authority to verify the authenticity of the identity document via the retained copy of it.

As far as I am concerned, this entire statement is based on quicksand because it assumes that a photocopy of the identity document can be used to determine its authenticity and validity in order to comply with Wwft article 11 and more specifically the Guideline for the Wwft and Sanctions Act (version December 2020, page 49), as provided by the national supervising authority for banks, the Dutch Central Bank (DNB). However, in our opinion, it is impossible to determine the authenticity on the basis of a copy. With current photo manipulation solutions available, it is a piece of cake to ‘alter’ a copy of an identity document by, e.g., swapping the face image, replacing the name or changing the date of birth. The figure below shows several manipulated copies of identity documents that we created at Inverid and that are hard to label as being fake with optical verification technology.

"It is impossible to determine the authenticity on the basis of a copy."

Original vs manipulated copies of identity documents. Top row: In the manipulated copy all data fields were erased and re-inserted. Several data fields were changed such as surname and date of birth. Bottom row: The face image has been swapped without any manipulation of other personal data. This is a common identity fraud method.

As the actual checking of the authenticity and validity of the identity document is impossible with a photocopy of the document, the collection of it and the processing of the personal data thereof do not serve a valid purpose under GDPR. Moreover, the data being processed, including sensitive biometric face image data, is irrelevant for achieving this purpose and consequently violates the data minimisation/proportionality principle. As a result, the processing of a copy of an identity document does not comply with two basic principles of article 5 of GDPR: purpose limitation and proportionality.

Given the above and considering the subsidiarity principle as well, one may wonder why Kifid did not take a closer look at the technical particularities of the identification solution and recommend that the bank adopt other solutions that can actually determine the authenticity of the identity document and are far less privacy intrusive.

This can be done using ReadID identity verification technology. ReadID enables the bank to verify the authenticity of the personal data in the chip of the identity document and of the chip itself (i.e. clone detection) via cryptographic technology in an irrefutable and justifiable manner.

In this case, there is no need to store a copy of the identity document whether shielded or unshielded. I hope that banks, dispute commissions, judges, DNB and Data Protection Authorities will take this into account when they are assessing remote identification solutions to be compliant with Wwft and GDPR.

Try it yourself for free

Interested in NFC-based identity verification? Our free personal app ReadID Me is available in the App and Play stores. No personal information is shared with Inverid or other parties; it is a client-only verification.
