You might already know that the data you hand over when verifying your identity for financial services is the most sensitive data you ever give away. You give away your full name, national identity, tax ID, social credit information, place of residence and even information on your next of kin.
These Know Your Customer (KYC) requirements are meant to validate customers' identities, but this collection is often involuntary, and it carries significant ramifications for your privacy.
The best way to know how much KYC affects your privacy is to ask: What could happen to your KYC data behind closed doors?
A little digging reveals that a lot more goes on with your data, some of which you would never willingly consent to. Among other things:
- Your KYC data is shared with other parties
- Your KYC data enables the monitoring of your behavior
- Your KYC data is sometimes leaked in data breaches
Why The Name KYC Is Misleading
By definition, the KYC process exists to identify you as a customer. But the name makes it easy to overlook what happens after the customer is known. How?
Traditional KYC processes involve the following three steps:
- Identification - You offer personally identifiable information to the service provider, such as name, date of birth, address, or even government-issued tax ID numbers
- Verification - The information is checked for validity
- Monitoring and due diligence - Activity tied to the identity is tracked for any misconduct
Clearly, the name KYC barely hints at the existence of the third step, where your activity on the service is tracked alongside your verified identity. It is this third step that has the greatest implications for your privacy, in the following ways:
1. KYC Makes Money The Perfect Surveillance Tool
Before money became all bits, having an identity was a necessary part of enabling banks to function. It was only in this way that money could be accounted for. Without an identity, chances are that money could often end up in the wrong hands. Furthermore, only having a verifiable identity would allow for responsible action in the case of liabilities or misconduct.
Although all money existed in the form of paper, and balance books were large physical books, financial institutions could still know financial information about their customers. But unlike today, tracing users' transactions was greatly limited for one key reason: it was an extremely labor-intensive task. This meant that tracking users' transactions was only viable when there were strong motivations to do so.
Fast forward to today and even the weakest motivation to trace and track user activity is backed by computers that can store huge amounts of data and retrieve it quickly. The result is that encroaching on users' privacy is easier than ever before.
With a mouse click, one person can have an entire list of all your transactions throughout your lifetime, down to a single cent. Further still, your transactions can be tracked in real time as you make them.
How Much Data Do You Give Away?
Using the data tied to your KYC, a lot more information can be gleaned from your transactions. For example, a coffee charge on your card lets someone know your addictions, or your donation to a cause reveals your political standing.
Furthermore, the use of KYC means that users end up being categorized based on their identities and activities in the real world. These categories are created based on your activities within the service you signed up for or on opinions you are perceived to hold.
For example, frequent travel overseas can put you on a travel risk list, or close association with a government faction can get you labeled as a politically exposed person. It is for these reasons that KYC is the easiest way for someone to encroach upon your private life.
2. Your Data Is Shared And Sold
When it comes to KYC, the personally identifiable information fetches a higher price, creating a stronger incentive to sell your data for profit.
The data is used in marketing campaigns, promotions, and even more recently, to train commercial AI models. This reinforces the paradigm that data is the new oil and users are the new oil wells.
Additionally, users' information is shared with other parties to satisfy the compliance mechanisms in place. For example, data relating to your trading activities is shared with tax authorities, or data from your medical facility is shared with insurers.
The net result is that the user's KYC information ends up in more hands than would be acceptable, leading to a situation where users' privacy is habitually out of their control.
3. Your KYC Data is a Hacker’s Dream
The personally identifiable information held in KYC is the most valuable information a hacker could get their hands on.
What aggravates this further is the fact that KYC information is handled by third parties. These third parties act as verifiers and also tend to keep the data for much longer than they are obligated to.
Understandably, keeping a huge amount of sensitive data puts a target on their backs for hackers. What’s more, providing KYC data to multiple services results in your data being exposed across multiple locations. Recent data breaches reveal that even the biggest companies get hacked.
When cyber attacks are successful, hackers get away with valuable user information. The private information collected is the biggest catalyst for identity theft and encourages other cyber threats such as phishing.
And while measures are often put in place to protect user data, the best solution would often have been never to collect such personally revealing information in the first place.
The KYC Dilemma: Trust or Privacy
The idea behind KYC is that for you to be trusted, you need to reveal as much personally identifiable information as possible. This is the only way you can be accountable as a user.
From a regulatory point of view, tracking and invading the privacy of all is taken as the right way to prevent the misdoings of a few bad actors.
But how much privacy should be traded away for trust to exist?
The solution lies in applying more privacy-focused trust technologies or, better yet, switching to trustless systems, like Bitcoin. Trust doesn’t always have to be dependent on vulnerability, especially when the vulnerability predisposes you to manipulation.