KYC vs KYB: addressing key challenges for AML regulated businesses
Anti-Money Laundering (AML) compliance presents ongoing challenges for regulated businesses: verifying clients, managing risk, and meeting regulatory requirements without overwhelming paperwork or operational slowdowns. Two key approaches are used to address these issues: Know Your Customer (KYC) and Know Your Business (KYB). Which of these two you employ depends on the nature of your business and your client base. Many organisations need to implement both KYC and KYB processes to fully meet their compliance obligations.
Common pain points in AML compliance
AML regulated businesses often face these key challenges:
- Slow onboarding: Client due diligence can delay business operations.
- Resource intensive: Compliance tasks often require significant staff time, diverting resources from core business activities.
- Changing regulations: Keeping up with AML regulations across different jurisdictions requires constant attention.
- Non-compliance risks: Failing to meet AML requirements can result in large fines and reputational damage.
- Excessive flagging: Over-cautious screening can delay legitimate clients unnecessarily.
- Information gaps: Traditional checks may miss key information, especially for complex business structures.
- Human error: Manual processes can lead to mistakes that compromise compliance efforts.
Understanding KYC: Know Your Customer
KYC verifies the identity of individual customers. It's a key part of customer due diligence (CDD) used across many industries, especially in financial services.
Key aspects of KYC:
- Individual focus: KYC deals with personal customers.
- Identity verification: Confirms a person's identity using documents like passports or driver's licenses.
- Personal background checks: May include credit history, employment verification, and sanctions list screening.
- Ongoing monitoring: Requires continuous tracking of customer activities and transactions.
Common KYC users:
- Banks and financial institutions
- Insurance companies
- Cryptocurrency exchanges
- Online gambling platforms
- Some retail and e-commerce businesses
Understanding KYB: Know Your Business
KYB verifies and analyses the businesses you work with. It's crucial for B2B relationships and AML regulated entities dealing with corporate clients.
Key aspects of KYB:
- Business entity focus: KYB examines companies, partnerships, and other business structures.
- Company verification: Confirms a business's legal existence, registration details, and operational status.
- Ownership structure analysis: Investigates who owns and controls the business, including ultimate beneficial owners (UBOs).
- Business activity assessment: Examines the business's operations, industry, and typical transaction patterns.
- Risk profiling: Evaluates potential risks associated with the business, including jurisdictional and industry-specific factors.
- Ongoing monitoring: Tracks changes in ownership, business activities, or risk profiles over time.
Common KYB users:
- Law firms
- Accounting firms
- Corporate banking
- Business lending institutions
- Payment service providers
- Professional services firms
- Commercial real estate agencies
How automated KYB addresses AML compliance pain points
Streamlined onboarding for complex clients: Business clients often have intricate structures that can slow down the onboarding process. KYB employs streamlined verification processes specifically designed for business entities. This can significantly reduce onboarding times, sometimes from weeks to days, without compromising on thoroughness.
Enhanced risk assessment: Traditional checks might miss crucial information about business clients. KYB provides a more complete picture by analysing business structures, activities, and associations in detail. This thorough approach leads to more accurate risk assessments, helping businesses make informed decisions.
Reduction in false positives: Overzealous screening often flags legitimate clients, causing unnecessary delays. KYB's nuanced understanding of business clients enables more accurate risk scoring. This precision helps reduce false alarms, allowing businesses to focus on genuine risks while processing legitimate clients more efficiently.
Alignment with evolving regulations: AML regulations are constantly changing, and recent trends emphasise understanding business clients and their ownership structures. KYB naturally aligns with these regulatory directions, helping businesses stay compliant with current and emerging requirements.
Optimised resource allocation: Compliance tasks can drain significant staff time from core business activities. KYB leverages automated processes for business verification and monitoring. This automation frees up staff to focus on higher-value work, improving overall operational efficiency.
Effective ongoing monitoring: Tracking changes in client status over time can be challenging. KYB systems typically include automated alerts for changes in business status, ownership, or risk profile. This ongoing monitoring helps businesses stay on top of changes without constant manual checks.
Clarity on complex ownership structures: Identifying ultimate beneficial owners (UBOs) in complex business structures is often difficult. KYB provides tools for mapping and analysing these structures, making UBO identification more straightforward and accurate.
Core needs of AML regulated businesses
AML regulated businesses aim to:
- Verify clients efficiently and thoroughly
- Assess and manage risks accurately
- Maintain compliance without excessive resource use
- Quickly adapt to regulatory changes
- Minimise compliance-related business disruptions
- Build trust with regulators and clients
KYB helps regulated entities meet these needs by providing a thorough and efficient approach to business client due diligence. This enables AML regulated businesses to fulfill compliance obligations without sacrificing efficiency or growth opportunities.
The value of knowing your business
Understanding clients deeply is essential in today's business environment. KYC remains valuable for individual customer relationships, but KYB provides a more thorough solution for AML regulated businesses primarily dealing with corporate clients.
By tackling key pain points and helping businesses meet their core compliance needs, KYB allows regulated entities to:
- Onboard clients faster and more confidently
- Make decisions based on thorough risk assessments
- Use resources more efficiently
- Anticipate and meet regulatory requirements
- Develop stronger, more trusted business client relationships
As AML regulations and business structures become more complex, the ability to truly "know your business" grows increasingly important. KYB approaches and technologies can help AML regulated businesses turn compliance into a competitive advantage, supporting growth while upholding high standards of integrity and risk management.
Exploring automated KYB solutions could help you tackle your key pain points and meet your compliance goals more effectively.
Measuring compliance effectiveness in AML-regulated industries
Organisations in AML-regulated industries need to gauge how well they're building a culture of compliance. This matters for meeting regulations, managing risks, and keeping clients' trust.
To assess the effectiveness of a compliance culture, a combination of quantitative and qualitative metrics can be used:
Quantitative metrics
- Mean time to issue discovery (MTTD): measures how quickly compliance issues are identified within the organisation.
- Mean time to issue resolution (MTTR): tracks how long it takes to resolve compliance issues once discovered.
- Compliance expense per issue: calculated by dividing the total fines received for compliance violations by the number of issues handled by the compliance department.
- Average cost of compliance-related lawsuits: helps assess the financial impact of compliance failures.
- Regulatory compliance rate: measures adherence to applicable laws and regulations.
- Training completion rates: tracks employee participation in compliance training programs.
- Number of whistleblower reports: monitors the frequency of internal reporting of potential compliance issues.
- Cost of compliance: assesses the financial resources allocated to compliance activities.
- KYC accuracy rate: measures the percentage of KYC checks completed without errors or omissions.
- Time to complete KYC processes: tracks the average time taken to complete KYC checks and how it changes with the automated system.
- System adoption rate: monitors how quickly and thoroughly employees adopt new automated KYC systems.
- Client onboarding time: measures changes in client onboarding time as compliance processes improve.
Qualitative metrics
- Ethics and integrity index: measures employee perceptions of the organisation's ethical culture and leadership behaviour.
- Compliance risk assessment results: evaluate the firm's ability to identify and mitigate compliance risks.
- Employee knowledge and understanding: surveys that measure employees' comprehension of compliance policies and procedures.
- Cultural beliefs and values: surveys focusing on the overall compliance culture and employee attitudes.
- Leadership assessments: evaluate how well leaders model and communicate compliance expectations.
- Client feedback: gathers client opinions on the organisation's compliance practices and their perception of the firm's commitment to integrity.
- Case studies: analyse specific instances where a strong compliance culture prevented issues or led to positive outcomes.
Survey-based metrics
Many organisations use compliance culture surveys to gather data on:
- Employee attitudes and perceptions regarding compliance
- Workforce understanding of compliance policies
- Effectiveness of compliance communication and training
- Leadership commitment to compliance as perceived by employees
These metrics provide a comprehensive view of a firm's compliance culture, allowing for benchmarking against internal historical data, industry peers, and national averages. Regular measurement and analysis of these indicators can help organisations identify areas for improvement and demonstrate the effectiveness of their compliance programs.
Better compliance with automated KYC systems
By combining automated KYC systems with these metrics, AML-regulated businesses can:
- Track improvements in compliance processes over time
- Identify areas where additional training or resources may be needed
- Demonstrate the value of compliance initiatives to leadership and stakeholders
- Create a data-driven approach to enhancing compliance culture
Regular review and analysis of these metrics can guide the organisation's efforts to strengthen its compliance culture and ensure that automated KYC systems are delivering the intended benefits.
_____________________
Sign up here to get more news, updates and event invitations from Meo!
Self-evaluation: Does it make sense for you to invest in a KYC system?
Both the legal and financial industries are experiencing a significant shift in how Know Your Customer (KYC) processes are managed.
Manual methods, once a standard, are being replaced by automated systems. This change comes from increased global business, more regulations, and complex financial crime.
Clients want faster service.
Regulators impose large fines for mistakes.
Automated KYC systems offer a way to address these issues.
Considering the shift from manual to automated KYC processes? This guide helps you evaluate your current methods against the potential of automation.
Estimate how much time you spend:
When you get a new client
How long does it take for one of you to:
- Write an email or ring and ask for information?
- Follow up (if the client doesn't reply)?
- Check ID?
- Check PEP status?
- Check for sanctions/adverse media?
- Make the matter and client risk assessment?
- Store the information in the correct location?
What is the salary of the person who executes these tasks?
If it's a corporate client:
- Do everything mentioned above to verify the beneficial owners?
- Make sure that you know all the beneficial owners?
- Verify the company information in official registers?
- Check the company for sanctions/adverse media?
And what does it require from your clients?
Consider the client's perspective:
- Multiple requests for information, often redundant
- Lengthy wait times during the onboarding process
- Frustration with repeated follow-ups
- Potential loss of business opportunities due to delays
- Confusion about the extent of information required
- Concerns about data privacy and security
To ensure that these steps are being followed:
- Ongoing monitoring of your clients?
- That the manual procedures are updated on a regular basis?
- Ongoing control of the manual procedures?
- Correct documentation of risk assessments when the relationship is initiated and if it changes?
- That verification of data can be documented?
- An overview of all your clients' risk profiles?
- An overview of the number of clients that are PEPs?
- That all client relations have been approved?
- That you know and remember when you need to re-verify your clients' data?
- That there isn't any personal information on clients saved in emails?
- That all client data is archived and deleted in a timely manner?
- That you know exactly who has access to what information and can document who has or has had access?
- That you can tell your clients which data you handle and why?
How likely is it that you'll make a mistake or forget a step when you are busy?
When there is an audit
- How much time do you need to prepare for an audit when you have to document what you do and the evidence is lying in emails and folders of various colleagues?
- Can you pull a list with the client overview that the authorities require at an audit? List of high, medium and low risk, different jurisdictions etc.
- Can you provide that data on the clients that are selected for control?
While we are at it, have you remembered to make your firm-wide risk assessment and document your policies and procedures? If it isn't written down and reviewed annually, it doesn't count.
What tasks could you spend your time on instead?
Consider the consequences
If your clients aren't satisfied
- How many will choose another firm where the client onboarding is easier?
If you don't pass an audit
- What will it mean for your reputation if you receive a sanction or a fine and it becomes publicly known?
- A sanction can also result in your company being put on public risk lists, after which your business partners will require enhanced AML controls on your company before they can work with you.
If it goes all wrong
- What will it mean if criminals exploit your firm and you unknowingly participate in money laundering and/or terrorist financing?
- How big a fine will you get?
- What will it mean to your reputation?
- Which of you would, in the worst case, risk going to jail if your policies, procedures and controls aren't good enough?
The benefits of an automated KYC system
✓ Increase onboarding conversion rates by 60%
✓ Reduce the costs of running AML compliance operations by 75%
✓ Improve your compliance team productivity 3-4 times on average
✓ Give your clients a good first impression with a professional onboarding
✓ Stop the criminals, avoid fines and stay GDPR and AML compliant
Automated systems cut time spent on repetitive tasks. This frees your team to focus on complex risk assessments and strategic compliance planning. KYC policies are applied consistently, with real-time updates and comprehensive audit trails.
These systems boost your defence against financial crime. They generate audit trails for regulatory inspections and detect suspicious activities faster through real-time monitoring. This limits criminal exploitation, protects your reputation, and helps avoid regulatory penalties.
Your team can concentrate on high-risk cases and compliance planning. KYC policies are applied uniformly across all clients, reducing human error—a common audit issue. As regulatory scrutiny and fines increase, automated KYC strengthens risk management and maintains smooth operations.
Consider how automation could enhance your workflows, improve accuracy, and boost your team's ability to meet growing regulatory demands.
Not sure if an automated KYC system is right for you? Contact us. We're here to advise based on your specific needs.
Building a culture of compliance: How automated KYC supports firm-wide integrity
For law firms, a strong compliance culture means ethical behaviour becomes standard practice in all operations. Automated know your customer (KYC) systems play a key role in developing this culture, helping to ensure integrity across the firm's activities.
The compliance culture challenge
Many law firms find it difficult to create a widespread compliance mindset. This frequently stems from several common obstacles:
- Perceiving compliance as a burden rather than a core value
- Inconsistent application of KYC procedures across departments
- Limited understanding about the importance of thorough client due diligence
- Resistance to change from traditional manual processes (“but we’ve always done it this way”)
How automated KYC enhances compliance culture
- Standardisation across the firm: Automated KYC systems enforce consistent procedures for all clients, regardless of which solicitor or department handles the case. This uniformity reinforces the idea that compliance is a firm-wide responsibility, not just the job of a dedicated compliance team.
- Increased transparency: With centralised data and clear audit trails, automated KYC makes compliance efforts visible throughout the organisation. This transparency helps emphasise the importance of these processes to all staff.
- Empowering employees: User-friendly automated systems give employees the tools to perform KYC tasks efficiently and accurately. This empowerment can increase engagement with compliance processes and reduce the perception of KYC as a difficult task.
- Facilitating ongoing education: Many automated KYC systems include built-in guidance and updates on regulatory requirements. This feature supports continuous learning about compliance, keeping it at the forefront of employees' minds.
- Demonstrating firm commitment: Investment in advanced KYC technology communicates the firm's dedication to compliance. This visible commitment can help change attitudes throughout the organisation.
Implementing a compliance-focused culture
- Leadership buy-in: Managing partners must champion the importance of compliance and the role of automated KYC in achieving it. Regular communications from leadership about compliance successes and challenges can reinforce its priority.
- Comprehensive training: Beyond teaching the mechanics of the KYC system, training should emphasise why compliance matters. Include real-world scenarios and consequences of non-compliance to reinforce its importance.
- Performance metrics: Include compliance-related goals in employee performance reviews. This could involve metrics on KYC accuracy, timeliness, or participation in training sessions.
- Open dialogue: Create channels for staff to discuss compliance challenges and suggest improvements. This collaborative approach can increase buy-in and identify practical ways to enhance processes.
- Celebrating successes: Recognise and reward employees who excel in compliance-related tasks or who suggest valuable improvements to KYC processes.
The wider impact of strong compliance culture
A robust compliance culture, supported by automated KYC, extends beyond regulatory adherence:
- Client trust: clients appreciate firms that take their compliance obligations seriously, viewing it as a sign of overall professionalism and reliability.
- Risk reduction: a compliance-focused culture helps identify and address potential issues before they become serious problems.
- Mitigating financial crime risks: strong compliance practices minimise the risk of the firm unwittingly participating in money laundering and terror financing, or failing an audit.
- Competitive edge: firms known for strong compliance cultures may attract clients who prioritise ethical business practices.
- Employee satisfaction: clear processes and the right tools can reduce stress associated with compliance tasks, improving job satisfaction.
Automated KYC: driving cultural change
Implementing an automated KYC system can serve as a catalyst for broader cultural change within a law firm. By improving processes, ensuring consistency, and providing data-driven insights, these systems make compliance more tangible and manageable for all staff.
The move to automated KYC isn't just a technological upgrade—it's a step towards a more integrity-driven organisational culture.
In today's regulatory environment, this cultural shift is becoming essential for law firms aiming to succeed and maintain their reputation in the long term.
Creating a culture of compliance requires time and effort, but with the support of automated KYC systems, law firms can build an environment where integrity and regulatory adherence guide every action and decision.
Meo accelerates European expansion with launch in Austria
Today, we're thrilled to announce that Meo is expanding into the Austrian market through a partnership with Compass-Gruppe. This move marks a significant milestone as we continue our mission to help our customers set new standards in compliance operations globally.
We're also excited to welcome Steffen Bilde, our former Chief Product & Technical Officer, as Meo’s new CEO. Steffen’s leadership will usher in a new phase of growth as we prepare to introduce even more advanced digital compliance solutions across markets.
Partnership with Compass-Gruppe
Our partnership with Compass-Gruppe is a key highlight of this expansion. Compass-Gruppe is the leading provider of business information in Austria and has been supplying companies and institutions with reliable and up-to-date data for 157 years.
"This partnership allows us to offer unique Austrian company and ownership data, streamlining operations for compliance teams and enhancing their efficiency," says Steffen Bilde, CEO at Meo.
Why Austria?
Austria is a natural fit for our growth ambitions due to its strong adherence to EU AML regulations and proactive adoption of digital compliance solutions. This market presents a robust opportunity for Meo to demonstrate our capabilities and expand our footprint.
With our entry into Austria, Meo now operates in five EU countries, reinforcing our dedication to providing tailored compliance solutions internationally.
Welcoming Steffen Bilde as our new CEO
Steffen Bilde brings a wealth of expertise from his previous roles at Dixa and Coinify, where he led product and customer-driven growth. We are excited to embark on this next chapter of our journey under his leadership.
"Steffen’s extensive experience is invaluable as we continue to innovate and enhance our platform for compliance teams," says Lars Jensen, Chairperson of the Board at Meo. "His ability to balance perfecting products with timely delivery, along with his deep customer focus and leadership across all organizational levels, will drive our next phase of growth."
About us
Meo is a modern operating system for compliance teams in AML-regulated businesses. Our end-to-end platform for KYC and KYB enhances compliance capabilities for B2B clients in the legal and financial services sectors. Founded in 2017, our mission is to simplify complex regulatory landscapes into manageable, user-friendly solutions, fostering safer business operations.
Stay tuned for more updates as we continue to grow and innovate!
NewBanking is now Meo
Today marks a pivotal moment in our journey. NewBanking, a name you've known and trusted, is evolving. We're thrilled to announce our rebranding to Meo – a name that resonates with our core mission and vision. Meo, meaning ‘My’ or ‘Mine’ in Latin, is more than just a name. It's a declaration of our unwavering commitment to individual data ownership and privacy.
Why Meo?
In an era where digital footprints are expanding rapidly, the importance of data privacy can't be overstated. Meo is our answer to the growing need for control over digital identities and personal data. This new name embodies our belief that everyone should have the power to manage their digital presence securely and effortlessly. "Meo is uniquely built with Privacy by Design at its core, placing individuals firmly in control of their data, simplifying GDPR and CCPA compliance and acting as a responsible custodian of identities," states Christian Visti, our CEO. Meo is not just a service; it's a promise to uphold the highest standards of data privacy and give back control where it belongs – in the hands of individuals, accessible by you with their consent.
Simplicity in complexity
The digital world, with all its opportunities, brings a complexity that can be daunting. Our role at Meo is to cut through this complexity, offering a platform that simplifies and streamlines everything related to compliance and data management. Whether it's onboarding and managing digital identities or ensuring regulatory compliance, we're here to make these tasks as seamless as possible. Our goal is to take the burden off your shoulders, letting you focus on what you do best, while we handle the intricacies of data privacy and compliance.
Meo: Empowering compliance professionals
To our dedicated compliance professionals, we understand the challenges you face daily. With Meo, we're not just offering a tool; we're providing a partnership. Our platform is designed to enhance your capabilities, making you more efficient and effective in your role. "Our renewed product vision focuses on supporting the complex nature of business verification, case management, custom risk modelling and automated scoring, rule-based AML checks, and superior UBO clarification - all while elevating the user experience to unprecedented heights," says Steffen Bilde, our Chief Product and Technology Officer. The transition to Meo means access to more advanced features, more robust support, and a community committed to excellence in AML compliance. In short, Meo is your superpower in the complex world of data privacy and regulatory compliance.
What stays the same?
While our name changes, our foundational principles remain steadfast. We continue to offer top-notch tools to onboard and manage digital identities (businesses and individuals), reduce risk, and ensure regulatory compliance. What changes is our enhanced focus on trust, transparency, and security – without any compromises.
What's next?
As we step into this new chapter as Meo, we're excited about the possibilities ahead. For our existing customers, this transition is a step up in the services and value you will receive. For those considering joining us, welcome to a new era of onboarding and managing digital identities and personal data with unmatched ease and security.
Keep an eye out for more exciting updates as we continue to evolve and enhance our offerings. Together, let's embrace the future with Meo – where your digital identity and data privacy are in safe hands.
An easy integrative platform
“Meo integrated perfectly with our existing systems”
KommuneKredit’s goal is to offer leasing and loans to Danish municipalities, regions and joint municipal companies. Previously, only the leasing part required identification from the owners, but it has also become a requirement for the loans. Therefore, KommuneKredit had to find a system to handle the safe-keeping of personal information.
“It is a significant task to store and manage personal data in the correct manner. Our goal was to outsource the safe-keeping of data because we believe in “best-of-breed”, meaning that we all do what we are best at. Therefore, we have not for one second considered developing a solution on our own”, says Christian Jeppesen, customer director and AML manager, who was responsible for finding the best, suitable platform for KommuneKredit.
When you deal with companies, it is simple to identify who the CEO is and who owns the company. But it is different for a municipality: who is the ultimate beneficial owner whose identity needs to be verified?
Today, the definition states that the mayor and the municipality director must be considered the municipality's ultimate beneficial owners. KommuneKredit therefore keeps the sensitive data of all Danish mayors and municipality directors under lock and key on the NewBanking Identity platform. Only a few designated employees of KommuneKredit have access to this information.
Difficult to develop on our own
“If we had to develop a platform, we would need a lot of governance to determine who should gain access and under which conditions. Aside from the fact that the actual development of the platform would be very complex, it would also involve far too much administrative work with too many unknown factors”, says Christian Jeppesen and continues:
“Today, everything is automated in Meo, where we carry out spot checks on all identity documentation in the system. The platform is easy to work with, and every time we are in dialogue with the Meo founders, they have proved to have an extensive knowledge regarding KYC and GDPR procedures, which gives us a high sense of security.”
Integration with our customer management system
For KommuneKredit, however, a few other factors came into play in choosing a platform to manage their KYC and GDPR compliance. They needed to integrate the KYC system directly with their current customer management system. By integrating Meo with KommuneKredit’s customer management system, it becomes easy for the employees to email their customers, for example, when they must update their identification documents.
Moreover, KommuneKredit was facing a replacement of their current CSR system with a new one, and thus, it was essential to find an easy integrative platform.
“The entire process of implementing Meo in the daily routines has been very agile, and Meo has been very responsive to help to integrate with our customer management system. They are super skilled at integrating the platform with the other systems we use, which is pivotal. The platform works impeccably and has high operational stability. By all means, we have acquired a great solution that meets the full range of our needs”, says Christian Jeppesen.
What is a PEP (Politically Exposed Person)?
Learn what a Politically Exposed Person list is.
PEPs, or Politically Exposed Persons, are individuals who are involved in politics or hold high office in governments, just to mention a few examples.
If your business is subject to Anti-Money Laundering (AML) laws and regulations, it's important that you can determine whether you're involved with PEPs, as they often come with a higher risk of money laundering and financing of terrorism.
On this page we answer 'what is a PEP' and other questions regarding the Politically Exposed Person list:
- What is a PEP (Politically Exposed Person meaning)?
- How does a PEP list work?
- What do you need to do as a business if you have a client who is a PEP?
- How the Meo platform can help you check your clients' identity and do PEP screenings.
- Fight financial crime with thorough PEP screenings
- Recent changes in PEP legislation
- Identification of PEPs
What is a PEP?
What does PEP mean? A PEP (Politically Exposed Person) is an individual who holds, or has held, a prominent public function, such as a high-ranking job in a government or another political position. In other words, it is a person who possesses a certain form of political and institutional power.
Because of that power they are considered high risk in relation to money laundering, blackmail, bribery and other forms of corruption, whether they take part willingly or are pressured into it. Spouses, close family members and close business partners must be treated as PEPs as well, because the relationship can be exploited by criminals to put pressure on the person in power.
Examples of PEP typically include:
- Politicians
- Leaders of government or state
- Judges and members of the court
- High-ranking members of the Central Bank
- Ambassadors
- High-ranking officers in the armed forces
- Spouses and children of the people above (treated as PEPs)
- Close business partners and connections of the people above (treated as PEPs)
The Anti-Money Laundering Directive requires all businesses subject to the directive to apply enhanced due diligence when a client or customer is a PEP, since such relationships constitute an elevated risk.
It can be difficult for a business to evaluate on its own whether a current or potential client is a PEP. For that reason some EU governments, Denmark among them, publish lists of present and former PEPs, the so-called PEP lists.
What is a PEP list?
A PEP list is an overview of persons who currently hold, or have formerly held, a function that classifies them as a Politically Exposed Person under EU anti-money laundering rules.
The purpose of the Politically Exposed Person list is to make it easier for businesses to assess whether a client is subject to enhanced due diligence. Each list is maintained by the national authority that publishes it; not every European country publishes one, and the lists that exist differ in scope.
It is important to note that the lists are not sufficient evidence of PEP status. A person can be a PEP without appearing on a list, for example because they have not yet been added.
Because the lists are incomplete, and because spouses, close business partners and others must be treated as PEPs as well, it is difficult for businesses to meet the PEP requirement without external data sources that specialise in maintaining updated lists of everyone who falls under the PEP definition.
In these cases a platform like Meo can help. With our AML solution you can quickly and easily perform PEP checks of clients and customers by screening a number of PEP lists from across Europe.
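The screening logic described above, as an added example that is not part of Meo's platform or code: a constructed PEP list (fictional names) that also carries family members and close associates, name normalisation so that "Jensen, Anna Marie" still matches "Anna Jensen", a birth-year check to avoid flagging namesakes, and the rule that a former PEP stays subject to enhanced due diligence for at least 12 months after leaving office (the EU minimum; the threshold, weights and sample data are assumptions for this example).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional, Tuple
import unicodedata


@dataclass(frozen=True)
class PepEntry:
    name: str
    category: str                        # "pep", "family" or "associate"
    function: str                        # public function, or relationship to the PEP
    birth_year: Optional[int] = None
    linked_to: Optional[str] = None      # the PEP a family member or associate relates to
    left_office: Optional[date] = None   # set for former PEPs


# Constructed sample list for this example; not real persons and not a real PEP list.
SAMPLE_PEP_DATA: List[PepEntry] = [
    PepEntry("Anna Jensen", "pep", "Member of Parliament", 1970),
    PepEntry("Peter Jensen", "family", "spouse", 1968, linked_to="Anna Jensen"),
    PepEntry("Henrik Madsen", "associate", "co-owner of a company", 1975, linked_to="Anna Jensen"),
    PepEntry("Lars Nielsen", "pep", "Ambassador", 1955, left_office=date(2021, 3, 31)),
]

# Danish letters do not decompose under NFKD, so map them explicitly.
_DANISH = str.maketrans({"ø": "o", "æ": "ae", "å": "a", "Ø": "o", "Æ": "ae", "Å": "a"})


def normalize(name: str) -> FrozenSet[str]:
    """Lower-case, strip diacritics and punctuation, and return the set of name tokens.
    Comparing token sets makes "Jensen, Anna" and "Anna Jensen" equal."""
    text = unicodedata.normalize("NFKD", name.translate(_DANISH))
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return frozenset(text.lower().replace(",", " ").replace("-", " ").split())


def similarity(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """Jaccard similarity of token sets; tolerates a missing middle name."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


@dataclass
class ScreeningResult:
    decision: str                          # "EDD_REQUIRED", "RISK_BASED" or "NO_MATCH"
    matches: List[Tuple[float, PepEntry]]  # best match first


def screen(client_name: str, birth_year: Optional[int], entries: List[PepEntry],
           today: date, threshold: float = 0.66,
           cooling_off: timedelta = timedelta(days=365)) -> ScreeningResult:
    query = normalize(client_name)
    matches: List[Tuple[float, PepEntry]] = []
    for entry in entries:
        # A known, different birth year rules out a namesake and avoids over-flagging.
        if birth_year and entry.birth_year and birth_year != entry.birth_year:
            continue
        score = similarity(query, normalize(entry.name))
        if score >= threshold:
            matches.append((score, entry))
    if not matches:
        return ScreeningResult("NO_MATCH", [])
    matches.sort(key=lambda m: m[0], reverse=True)
    # Family members and close associates carry the PEP's status. A former PEP
    # still requires enhanced due diligence for at least 12 months after leaving
    # office (EU minimum; national rules may be longer), then a risk-based decision.
    still_exposed = [e for _, e in matches
                     if e.left_office is None or today - e.left_office < cooling_off]
    return ScreeningResult("EDD_REQUIRED" if still_exposed else "RISK_BASED", matches)


if __name__ == "__main__":
    result = screen("Jensen, Anna Marie", None, SAMPLE_PEP_DATA, date(2024, 1, 1))
    print(result.decision, [(round(s, 2), e.name, e.category) for s, e in result.matches])
```

A match on a family member or associate should be recorded with the PEP it links to (the `linked_to` field), since that is what the reviewer needs when deciding on enhanced due diligence.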
What do you need to do as a business if your client is a PEP?
If you take on a PEP client, you must conduct enhanced due diligence (EDD) as part of your KYC (Know Your Customer) process: obtain senior management approval for the relationship, establish the source of the client's wealth and funds, and monitor the relationship more closely.
How to conduct an enhanced KYC check is described in our article about KYC (Know Your Customer).
The enhanced monitoring can, among other things, consist of examining the client's financial transactions more closely and re-evaluating the client relationship against its current risk assessment.
Meo makes it easy to perform a security check and cross-reference with PEP lists
With Meo’s platform you can easily verify your clients’ identity and cross-reference with a number of well-established Politically Exposed Person lists.
Furthermore, our platform ensures that your clients’ personal data is handled responsibly and in accordance with GDPR.
See all features
Fight financial crime with thorough PEP screenings
If you want to fight financial crime, you need to be aware of PEP lists. Employees and management must be able to identify PEPs and handle them correctly and safely.
Bribery and corruption are major problems worldwide, and there are many documented attempts to target PEPs in this way, which is why common international standards have been established to combat them. The definition of a PEP and the requirements for handling PEP relationships are based on these standards (the FATF Recommendations) and on experience gathered over many years by authorities around the world.
Recent changes in PEP legislations
An important element of the new anti-money laundering rules is that companies must adopt a risk-based approach and conduct risk assessments of each individual customer relationship. This also applies to the rules on PEPs.
In addition, the knowledge and monitoring must be based on a risk assessment, meaning that companies must strengthen their efforts and monitoring of PEPs that are known to have a greater risk of exposure to money laundering, including bribery, etc.
Additional customer due diligence procedures and additional monitoring must be carried out as deemed necessary by the individual firm to ensure full compliance with the legislations.
Identification of PEPs
Rules on identification of PEPs are put in place as a preventive procedure and should therefore not be interpreted as stigmatizing PEPs as people engaging in criminal activities. Thus, companies have no grounds for refusing to proceed with a customer relationship or closing existing customer relationships solely on the fact that a person is a PEP or a close associate or business partner of a PEP.
PEPs should always be aware that they and their close associates and business partners may at any time be asked to explain or document their finances or other transactions.
Related parties and close collaborators
Related parties and close partners are not considered PEPs solely on the basis of their relationship with a PEP. However, they need to be identified because they may benefit from or be taken advantage of in relation to money laundering, corruption or bribery.
Related parties
The definition of a close relative of a PEP includes:
- Parents
- Spouse, cohabitant or registered partner
- Children and their spouses, cohabitants and/or registered partners
The term therefore does not cover siblings, step-children or step-parents.
Close partners
The definition of close business partners of a PEP includes:
- A person who is the owner of a business or other legal entity together with one or more PEPs.
- A person who has a close business relationship with one or more PEPs. For example, a trading partner.
- A person who is the owner of a company or other legal entity established solely for the benefit of a PEP. This means that the person controls all the ownership interests or voting rights, etc. directly or indirectly.
Merely sitting on a board together with a PEP does not, by itself, make a person a close business partner.
Customer Due Diligence - What is CDD and its connection to AML?
Introduction to CDD
CDD, or Customer Due Diligence, is an important concept to know, especially for businesses that are subject to anti-money laundering laws, regulations and directives. What, for example, is CDD in banking?
Following the EU's fifth Anti-Money Laundering Directive (AMLD5), which member states had to transpose by January 2020, there have been a number of changes to money laundering laws in Europe. The biggest change is that businesses are obliged to follow the risk-based anti-money laundering (AML) model that the fourth directive introduced and the fifth tightened, which demands more of their ability to assess customers and client relationships correctly. This is where CDD comes into the picture.
In this article we comprehensively explain what CDD is – and answer the most frequently asked questions about the subject.
What is CDD?
CDD is an acronym for ‘Customer Due Diligence’.
The term applies to all procedures that a business uses to verify the identity of their customers or clients, as well as assess their background information and risk level. A number of these activities need to be completed before the potential client actually signs a legal contract and becomes a client.
Both individuals and other businesses can be subject to a CDD investigation.
Why is Customer Due Diligence important?
There are quite a few good reasons for businesses to have proper Customer Due Diligence procedures and checklists in place for assessing potential clients:
- To protect your business against potential risks.
- To make the best possible decisions as a business.
- To comply with current laws and regulations.
- To guard the business against fraud, such as identity theft.
- To help the business identify unusual behavior with the business’ clients.
For these reasons, a procedure regarding Customer Due Diligence is a necessary tool for many businesses, in particular businesses subject to anti-money laundering laws and regulations.
Read more about the Danish Anti-Money Laundering Act (Hvidvaskloven).
Customer Due Diligence checklist
What is CDD, and how do you handle this process? CDD data consists of information regarding a customer or client that makes it possible to assess to what extent the client might put the business at risk of being misused for money laundering or the financing of terrorism.
This data can – among other things – consist of:
1. The client’s identity
Names, photos, addresses, and birth certificates can all be used to identify a client.
2. Background check
Part of the initial CDD is a PEP screening, which assesses whether the client is a so-called PEP (Politically Exposed Person). The background check also covers adverse media screening: investigating whether the client has been, or is, involved in scandals or other troubling activities, using information that is typically publicly available.
3. Ownership
If your client is a company or organisation, it is important to establish the ownership of the business: who owns it, and if ownership is shared, how large is each owner's share?
4. Customer relationship
It is equally important to understand the professional relationship between you and your potential client. What is the nature of the relationship, and what is the purpose of the partnership?
Enhanced Due Diligence (EDD) for high-risk clients
Certain clients – for example, PEPs – have a higher risk profile than others. In these cases, it’s important to implement procedures defined as Enhanced Due Diligence (EDD).
With Enhanced Due Diligence you investigate the potential client’s:
Legal matters
Has the person or business previously been convicted of, or involved in, a crime? Are there contractual relations that need to be accounted for? Questions like these illustrate the importance of Customer Due Diligence and Enhanced Due Diligence.
Finances and taxes
What do their financial statements look like? Are there obvious tell-tale signs of illegal activity?
Assets
Does everything add up when it comes to the person's or business's assets, including offices and production facilities?
Ongoing control and assessment
You can implement enhanced, ongoing monitoring of the client's business.
Who can benefit from a Customer Due Diligence checklist?
There are different types of companies and organizations that can benefit from using Customer Due Diligence checklists as part of their KYC processes. These include, among others:
- Companies dealing with customers in general: such companies can benefit from a CDD checklist to help them avoid the legal or financial problems that may arise from not conducting thorough due diligence on customers. By following the steps in the checklist above, the company can ensure that the necessary precautions are taken to avoid potential risks.
- Businesses obliged to comply with AML rules: anti-money laundering (AML) regulations require businesses to put in place additional measures to prevent the financing of criminal activities. Part of these regulatory requirements is the completion of CDD. By using a checklist, businesses can make sure they remain compliant with AML rules on an ongoing basis.
- Any organisation or financial institution that wants to protect itself from the financial risks associated with customers: documentation that helps a company identify and assess potential threats from its customers can be very beneficial. By putting proper risk-mitigating measures in place, businesses can protect themselves from the financial losses that might otherwise arise.
What are the risks of not completing a Customer Due Diligence checklist?
First of all, your company could end up being liable for any losses incurred by the other party as a result of your company's negligence.
Secondly, your business may be subject to civil or criminal sanctions if it is discovered that you have participated in money laundering or other financial crime, even if unknowingly.
Thirdly, your company may miss important information about the other party that could be crucial to a decision-making process.
Finally, your company may be blacklisted for non-compliance with regulatory requirements or by financial institutions if it turns out that business has been conducted with individuals or entities in high-risk categories.
Customer Due Diligence in connection to money laundering
CDD procedures are invaluable for businesses that are subject to Anti-Money Laundering (AML) laws and regulations, as they’re necessary to conduct the individual clients’ risk assessments.
In many cases both CDD (Customer Due Diligence) and KYC (Know Your Customer) information is needed to get a proper overview of the client's risk profile and at the same time verify their identity. The business's KYC procedure describes which tasks must be performed before the business can credibly say that it knows its client.
For example, CDD and KYC procedures are necessary for:
1. New clients
Before a potential new client becomes an actual client, their identity needs to be verified and undergo a risk assessment.
2. Individual transactions
Businesses in the financial sector, including banks, are required to investigate and evaluate whether clients are demonstrating suspicious behaviour, for example when making a substantial transaction or when dealing with high-risk countries.
3. Suspicion of money laundering
A thorough background check of the client is also necessary if you suspect that they might be involved in criminal activities, such as money laundering.
4. Faulty or lacking documentation
If a client is unable to provide valid or approved identity documents, the business cannot complete its CDD. In that case it must not establish the relationship or carry out the transaction, and it should consider whether the situation gives grounds for a suspicious activity report.
Streamline your Customer Due Diligence procedure with Meo
Meo is a software platform developed to handle information and data about your clients in a secure and centralized fashion.
With Meo you get:
A safe and automated onboarding
You can define and obtain the required information from your clients – directly in the platform.
A comprehensive overview
All relevant information about your clients is stored in one easy-to-use platform. It gives you a complete overview and ensures that you are compliant with GDPR. You can also tag clients for easy organisation.
Automated processes
With Meo it is possible to integrate processes that automatically screen your clients against PEP lists.
What are some of the warning flags when it comes to CDD?
Warning flags that appear during a Know Your Customer (KYC) check should be carefully examined before deciding whether to initiate or continue the business relationship. These warning flags vary from company to company and industry to industry, but common warning flags to look out for during a CDD check include, for example:
- The customer information provided does not match the documentation available in the check
- The ownership structure is unclear or includes foreign companies and/or persons
- No beneficial owner is registered
- One or more of the company's representatives are on PEP or sanctions lists
- The company's representatives are involved in other companies that are assessed as high risk
- The industry in which the business operates is particularly exposed to money laundering, such as cryptocurrency trading or bookmaking and betting
- The company's activities include cash handling
The list goes on. The most important thing is to be aware of and responsive to customer information and behaviour in order to avoid unnecessary risk.
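The warning flags listed above expressed as a rule set, as an added example that is not Meo's code or any firm's actual risk model: each flag is a predicate over a constructed onboarding record, the weights and rating thresholds are assumptions for this example, and a sanctions-list hit is treated as a prohibition rather than as one more risk factor, because a firm may not deal with a sanctioned party at all.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Industries the text above names as particularly exposed to money laundering.
HIGH_RISK_INDUSTRIES = {"cryptocurrency trading", "bookmaking", "betting"}


@dataclass
class Representative:
    name: str
    on_pep_list: bool = False
    on_sanctions_list: bool = False
    high_risk_company_links: int = 0     # other companies assessed as high risk


@dataclass
class ClientRecord:
    """Constructed onboarding record for a corporate client (example data only)."""
    declared_name: str
    registry_name: str                   # name as found in the company registry
    declared_address: str
    registry_address: str
    ownership_structure_clear: bool
    foreign_owners: bool
    beneficial_owner_registered: bool
    industry: str
    handles_cash: bool
    representatives: List[Representative] = field(default_factory=list)


def _norm(s: str) -> str:
    return " ".join(s.lower().split())


# (flag name, weight, predicate). Weights are an assumption for this example.
RULES: List[Tuple[str, int, Callable[[ClientRecord], bool]]] = [
    ("information_mismatch", 2, lambda c: _norm(c.declared_name) != _norm(c.registry_name)
                                          or _norm(c.declared_address) != _norm(c.registry_address)),
    ("unclear_ownership", 2, lambda c: not c.ownership_structure_clear),
    ("foreign_ownership", 1, lambda c: c.foreign_owners),
    ("no_beneficial_owner", 3, lambda c: not c.beneficial_owner_registered),
    ("pep_representative", 3, lambda c: any(r.on_pep_list for r in c.representatives)),
    ("high_risk_company_links", 2, lambda c: any(r.high_risk_company_links > 0
                                                 for r in c.representatives)),
    ("high_risk_industry", 2, lambda c: _norm(c.industry) in HIGH_RISK_INDUSTRIES),
    ("cash_handling", 1, lambda c: c.handles_cash),
]


@dataclass
class Assessment:
    rating: str          # "BLOCKED", "HIGH", "MEDIUM" or "LOW"
    score: int
    flags: List[str]


def assess(client: ClientRecord) -> Assessment:
    # A sanctions hit is a prohibition, not a risk factor: stop and escalate.
    if any(r.on_sanctions_list for r in client.representatives):
        return Assessment("BLOCKED", 0, ["sanctioned_representative"])
    flags = [name for name, _, test in RULES if test(client)]
    score = sum(weight for name, weight, _ in RULES if name in flags)
    if "pep_representative" in flags or score >= 5:
        rating = "HIGH"          # enhanced due diligence required
    elif score >= 2:
        rating = "MEDIUM"
    else:
        rating = "LOW"
    return Assessment(rating, score, flags)


# Constructed sample clients (fictional).
CLEAN_CLIENT = ClientRecord("Nordic Widgets ApS", "Nordic Widgets ApS", "Havnegade 1, Copenhagen",
                            "Havnegade 1, Copenhagen", True, False, True, "manufacturing", False,
                            [Representative("Ole Hansen")])
HIGH_RISK_CLIENT = ClientRecord("CoinSwap ApS", "CoinSwap ApS", "Vestergade 9, Aarhus",
                                "Vestergade 9, Aarhus", False, True, True, "cryptocurrency trading",
                                True, [Representative("Jon Berg")])
SANCTIONED_CLIENT = ClientRecord("Baltic Trade ApS", "Baltic Trade ApS", "Kajgade 4, Odense",
                                 "Kajgade 4, Odense", True, False, True, "shipping", False,
                                 [Representative("Ivan Petrov", on_sanctions_list=True)])

if __name__ == "__main__":
    for c in (CLEAN_CLIENT, HIGH_RISK_CLIENT, SANCTIONED_CLIENT):
        print(c.declared_name, assess(c))
```

Keeping the flags as named rules, rather than burying them in one large condition, means the reviewer sees which indicators fired, which is what the firm needs to document the risk assessment behind its decision.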
Who is Meo?
Who are we at Meo and why do we help with CDD in banking and other organisations and fields?
At Meo we work with KYC procedures and Customer Due Diligence across several types of institutions and organisations. Our software-as-a-service platform helps to streamline these processes and to handle data and exchanges correctly and securely, in compliance with GDPR.
We have worked for many years with many kinds of organisations on everything from AML, data security and compliance checks to PEP lists and general knowledge sharing within RegTech. Our digital solution supports efficient CDD by checking PEP lists and performing thorough background checks.
You are very welcome to contact us to learn more about our software, our digital solutions and our onboarding. Sign up for our newsletter, where we regularly share information and knowledge on everything from what CDD is to how to stay alert to money laundering.
What is KYC (Know Your Customer)?
KYC (Know Your Customer)
KYC is about knowing your customers and clients so your business can avoid getting involved with organizations that commit crimes, launder money or fund terrorism.
In this article we explain:
- What is KYC (Know Your Customer)?
- What type of businesses are subject to Anti-Money Laundering (AML) laws and regulations, as well as KYC?
- What requirements does international law – including the EU Anti-Money Laundering directive – have regarding KYC?
- How can your business make sure you know your customers & clients?
With Meo you get a thorough and easy-to-use Know Your Customer platform that, from first contact with your client until the customer relationship ends, can verify and document your clients’ identity and perform a KYC check in real time.
Read more about the platform here or contact us to hear more about how we can help your company with KYC compliance.
What is KYC?
KYC is an abbreviation for “Know Your Customer.”
The term is used especially in finance because banks, accounting firms, lawyers and private equity funds all have to document their clients’ identity so that the authorities can trace where money comes from and where it goes.
This is meant to prevent money laundering and the circulation of money obtained by criminal means. If the flow of money cannot be supervised or audited, it undermines confidence and trust in financial organisations and in companies whose business depends on stocks, investments and the wider financial market.
If you do not fulfill the demands of KYC, it can result in fines, penalties, sanctions, and even prison sentences. The exact amount or extent depends on local laws and regulations. A 2020 Financial Times article found that: “[...] AML fines in the initial six months of 2020 reached a total of $706m, compared with last year’s aggregate of $444m.”
What businesses and organizations are subject to the Anti-Money Laundering (AML) directive and KYC?
Many different types of businesses, including all companies and organizations involved in finance and the financial sector, are subject to anti-money laundering laws and regulations – and therefore KYC.
This applies to, but is not limited to:
- Banks, financial institutions and investment banks
- Credit, currency exchange and securities businesses
- Investment funds and stockbrokers
- Lending firms
- Providers of financial leasing
- Insurance companies
- Accountants and accountancy firms
- Company formation agents and trust or company service providers
- Lawyers and attorneys
- Real estate agents
- Dealers in goods who accept cash payments of €10,000 or more (the threshold in the EU directive; national rules may be stricter)
What requirements does the law and regulations have in regards to KYC?
The overall requirements for knowing your customer are best exemplified in European law by the Anti-Money Laundering (AML) Directive. Among other things, it states that businesses must perform risk assessments, verify the identity of their clients or customers, and report suspicions of money laundering or terrorist financing.
Risk assessments are structured procedures, wherein you evaluate the risk as objectively as possible and approach each client individually, instead of treating them uniformly.
That means you are required to have clear guidelines and policies in place regarding the risk of being involuntarily involved in money laundering and financial crime. You must also support your employees with guidance and well-established procedures for when and how to report money laundering if a suspicion cannot be refuted.
In addition, you need to be able to document your vetting and verification of, among other things, your clients’ identity. It is futile to perform a check if you cannot document your findings afterwards. A typical error in this respect is manually assessing copies of passports and driver’s licences: it is necessary not only to vet the documents to ascertain their legitimacy, but also to document that you performed the verification.
With a KYC Platform such as Meo you can automate much of the process, while simultaneously documenting that you are complying with GDPR and other data protection laws while handling personal data.
How do you perform an audit or check of your client’s identity?
Your vetting and verification of your clients’ identity is built on your risk assessment and the risk identified. Based on that, you conduct the check under a strict (enhanced) or a relaxed (simplified) procedure.
Strict procedures for natural persons can, among other things, involve requesting a copy of their passport, holding a physical meeting, or making further demands regarding the terms of your expected business relationship.
For a legal entity, you can request founding documents and articles of association and require a more comprehensive description of the business scope.
A KYC check requires obtaining personal data that documents the client’s identity. As a starting point this includes the name and national identification number (in Denmark the CPR number) for a person, or the business registration number (in Denmark the CVR number) or Legal Entity Identifier (LEI) for a legal entity. With this information you can verify your client’s identity and thereby comply with KYC standards.
This identifying information needs to be vetted via an independent and credible source. That means the documents need to be verified and compared with other registries or sources that can validate addresses, passports or names.
For both persons and legal entities you need, where relevant, to obtain information about the purpose of the business relationship and its intended extent.
How often do you need to check your client’s identity?
You need to verify your client’s identity at the start of every business relationship, whenever there are changes in the client’s circumstances, and otherwise at appropriate intervals.
For high-risk clients the check is typically repeated every year, whereas for low-risk clients a check every five years can suffice.
The extent of the KYC check depends on the client’s risk assessment. Where you assess that the risk of money laundering is low, you can apply simplified due diligence. You could, for example, choose not to obtain updated documentation, provided that the identification documents you received originally are still valid.
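The review cadence described above, as an added example that is not Meo's code: a scheduler that decides, for each KYC file, whether re-verification is due now and why. The yearly and five-yearly intervals are the ones the text gives; the three-year interval for medium risk, the trigger ordering, and the sample files are assumptions for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

# Review interval by risk rating. "high" and "low" follow the text above;
# the "medium" interval is an assumption for this example.
REVIEW_INTERVAL = {
    "high": timedelta(days=365),
    "medium": timedelta(days=3 * 365),
    "low": timedelta(days=5 * 365),
}


@dataclass
class KycFile:
    client: str
    risk: str                              # "high", "medium" or "low"
    last_verified: date
    id_expiry: date                        # validity of the ID document on file
    circumstances_changed: bool = False    # new address, new owners, PEP status, ...


@dataclass
class ReviewAction:
    client: str
    due: bool
    reason: str
    due_date: date


def next_review(f: KycFile, today: date) -> ReviewAction:
    """Decide whether a file needs re-verification now, and when the next check falls."""
    periodic_due = f.last_verified + REVIEW_INTERVAL[f.risk]
    # A change in circumstances overrides the periodic schedule.
    if f.circumstances_changed:
        return ReviewAction(f.client, True, "change in circumstances", today)
    # Reusing the original ID (simplified due diligence) is only allowed while it is valid.
    if f.id_expiry <= today:
        return ReviewAction(f.client, True, "identification document expired", f.id_expiry)
    if periodic_due <= today:
        return ReviewAction(f.client, True, "periodic review", periodic_due)
    return ReviewAction(f.client, False, "not due", min(periodic_due, f.id_expiry))


def overdue(files: List[KycFile], today: date) -> List[ReviewAction]:
    """All files needing action, most overdue first."""
    actions = (next_review(f, today) for f in files)
    return sorted((a for a in actions if a.due), key=lambda a: a.due_date)


# Constructed sample portfolio (fictional clients).
SAMPLE_FILES = [
    KycFile("Alpha Holding", "high", date(2022, 6, 1), date(2030, 1, 1)),
    KycFile("Beta Consulting", "low", date(2021, 1, 1), date(2026, 1, 1)),
    KycFile("Gamma Trading", "low", date(2023, 1, 1), date(2023, 12, 31)),
    KycFile("Delta Estates", "medium", date(2023, 5, 1), date(2029, 1, 1), circumstances_changed=True),
]

if __name__ == "__main__":
    for action in overdue(SAMPLE_FILES, date(2024, 1, 1)):
        print(f"{action.client}: {action.reason} (due {action.due_date})")
```

Running the sweep on a fixed date, rather than on the wall clock, keeps the decisions reproducible, which matters when you later have to document to an auditor why a particular client was or was not re-verified.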
Remember to check for PEP (Politically Exposed Person)
Under the EU Anti-Money Laundering Directive you are also required to determine whether the person is a PEP (Politically Exposed Person).
Politically exposed persons are individuals whose political position or relationships make them a high-risk target for money laundering, because they are more likely to be exposed to blackmail or bribery, or to be involved in financial crime in some other way, whether voluntarily or under coercion.
This can be done by cross-referencing publicly available information and databases, also known as PEP lists.
It is important to be aware that these lists are not sufficient to determine whether a person is a PEP: they only contain the people that the publishing authority has explicitly reported as politically exposed.
Spouses, close business partners etc. of people on the PEP lists must be treated as PEPs as well. That makes it especially difficult for businesses to comply with the PEP requirements without external data sources that specialise in maintaining updated lists of all persons who fall under the PEP definition.
Meo works with a number of external data vendors that specialise in maintaining updated PEP lists covering a wide variety of nationalities and sectors.
Data processing and GDPR
Data Processing & Compliance
GDPR (General Data Protection Regulation) sets a high standard for the processing of personal data and for how you document your actions. For that reason it is important that you know what personal data is and how it must be processed correctly.
In this article we dive deep into data processing and explain:
- What is data processing and what is considered sensitive data?
- What requirements does GDPR set for your data processing?
- How do you process personal data correctly?
- What’s in a data processing agreement?
- What’s the difference between a data processor and a data controller?
What is data processing and what is sensitive data?
Data processing is any activity in which personal data is collected, registered, stored, analyzed, transmitted, deleted, sold etc. The term is defined so broadly that any contact with personal information is basically considered as data processing.
Data, in this case, is defined as formalized information that is typically handled by a machine or a computer.
Most businesses and organizations will, in one form or another, handle or process some type of data, most often personal data. The GDPR defines personal data as: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Personal data is typically divided into two categories. Some countries also use a third category, while others treat “confidential personal data” as sensitive data.
- General or ordinary personal data: names, e-mail addresses, place of residence, place of employment and other ordinary factual information.
- Sensitive personal data (‘special categories of personal data’): health records and information about a person’s ethnicity, religion or sexual orientation. This data is more intimate and must therefore be handled with greater care.
- Confidential personal data: national identification numbers (in Denmark the CPR number), criminal records and other information that is regulated separately.
What requirements does GDPR set for your data processing?
According to the GDPR, all personal data must be processed with care and in accordance with the data protection principles. The more private the information, the more rules you have to uphold while processing it.
If you want to know more about how you should protect your clients’ personal data, you can read our article about data security.
Here is a concrete example on what the GDPR demands of you when you process data: A business needs to verify whether a given name actually belongs to the client. This is a requirement under KYC as defined in the Anti-Money Laundering Directive. Here you are required to use authoritative data sources that verify the credibility of the information. You could for example do this by seeing a copy of their passport or driver’s license. You are then required to document that you’ve verified their identity. All of this data processing needs to happen in accordance with the GDPR.
Is there a difference between data handling and data processing?
Data handling and data processing is often used interchangeably.
However, you could say that data processing is the overall term covering both data handling and data utilisation.
Data handling can be seen as almost passive, non-transformative processing of data, whereas with data utilisation you do something with the data, such as analysing, deleting or changing it.
How do you process personal data correctly?
In order to process personal data correctly, you need:
- A legal basis and a legitimate purpose
- Where consent is the legal basis, valid consent from the person whose personal data you’re processing
- A data processing agreement with any processor that handles the data on your behalf
A legal basis and a legitimate purpose are prerequisites whenever you process personal data. Which bases are available depends on whether you are processing general or sensitive personal data; sensitive data may only be processed under the narrower exceptions in Article 9 of the GDPR.
Consent is one legal basis, but not the only one. When you rely on it, the consent must be freely given, specific, informed and unambiguous, and you must be able to document that it was obtained correctly.
For KYC and AML checks, consent is normally the wrong basis: the processing is required by law, so the legal basis is compliance with a legal obligation. Other bases include the performance of a contract with the person and a legitimate interest of the controller that is not overridden by the person’s own interests and rights.
You can read more about consent on GDPR.eu.
Thirdly, businesses need a data processing agreement whenever another party processes personal data on their behalf. This is a contract between the data controller and the data processor containing the controller’s instructions for how the information is to be processed.
What’s in a data processing agreement?
A data processing agreement must give the data processor clear instructions on how the information is to be handled and processed. It is a legally binding document that must be in writing, which includes electronic form.
The purpose of the agreement is to ensure that the personal data is treated and processed responsibly and securely. It must also state how and when the data controller is to be contacted if a security breach or misuse is suspected. If your business is the data processor, it is your responsibility to inform the data controller of suspected misuse or data breaches.
As part of the instructions, the controller will typically also require the processor to document, yearly or as otherwise agreed, that it follows the instructions and current law, for example through an independent audit or assurance report. The GDPR itself requires the processor to make available the information needed to demonstrate compliance and to allow audits (Article 28(3)(h)).
You can find a template for a data processing agreement on GDPR.eu.
What’s the difference between a data processor and a data controller?
The data processor and the data controller are not the same party.
The data controller is the party that determines which data to process, for what purpose, and by which means. The controller defines the ground rules for how the data is to be processed.
The data processor, on the other hand, is the party that performs the actual processing on behalf of the controller.
It is important to separate the two, because they have different obligations. The data controller is responsible for the processing being GDPR compliant, whereas the data processor is responsible for acting in accordance with the controller’s instructions.
Easier data processing with Meo
With Meo you can easily find the information you need about your clients using a simple search, and personal data is deleted or properly archived whenever a business relationship ends.
The platform makes sure that you comply with GDPR and makes it easy to handle data for:
Onboarding
Onboard your clients using secure channels.
Validation
Determine your requirements for validation of information.
Documentation
Full log and tracking of actions and access.
Guarding sensitive and personal data
Compliant management of clients’ personal data is highly significant
DANDERS & MORE was the first Danish law firm to implement the Meo platform. As for many other companies, new legislation on the processing of personal data and anti-money laundering was the trigger. Since then, DANDERS & MORE has found the platform useful beyond its initial need.
“It is of utmost importance to us that we at all times are ready to undergo an audit without any remarks. Therefore, our primary motivation in searching for a platform has been to ensure compliance with personal data and money laundering legislation, which are continuously developing and becoming increasingly strict. Meo was the obvious choice for us as the only suitable platform to meet our different needs,” says Majken Korsgaard, lawyer, partner and co-owner of Danders & More.
Today, many companies receive emails with unsolicited applications containing sensitive personal data. In some cases, applicants even attach a copy of their passport or driver’s license, unaware that the companies risk breaking the law if they do not delete these emails. That is one problem with receiving emails containing sensitive or confidential personal information. Another is that the company cannot ensure that applicants and clients send sensitive information over a secure, encrypted email connection.
Uncovering the chain of ownership
All this was – and still is – of immense significance to DANDERS & MORE. For this reason, the choice of Meo’s platform helps the partners to sleep peacefully at night. With the implementation of Meo’s platform, DANDERS & MORE now has a straightforward KYC procedure. If a client should send sensitive or confidential information by email, it will be erased immediately. Instead, the Compliance Officer will send the client a link to the system, which will guide the new user to upload ID and other relevant documentation – all of this without involvement from the law firm. But once the client has completed uploading documents to Meo’s secure platform, the designated persons at DANDERS & MORE will receive a notification.
“The platform is also helpful to obtain and categorise all necessary documentation to uncover the ownership and control structure (chain of ownership) of corporate clients, which gives us the certainty that we are not inadvertently violating the AML and GDPR legislation. This certainty is crucial in our industry. We cannot underestimate the significance of sending a message to the customers that we are vigilantly guarding their sensitive personal data, and we are doing so with reliable procedures”, says Majken Korsgaard.
A better relationship with the clients
At DANDERS & MORE, the partners have appointed a compliance officer responsible for customer contact when KYC documentation is to be collected. Although this is not strictly necessary, since the platform is simple to navigate, it has its advantages.
“The advantage of having a Compliance Officer and a system like Meo is that my colleagues and I can focus on counselling our clients. We do not have to spend time pushing and reminding clients to upload any missing documentation. Now that the Meo platform and my compliance colleague take care of this, I can build a good client relationship without interruptions due to KYC procedures”, says Majken Korsgaard.
Responsive to amendments
At the beginning of the partnership with Meo, DANDERS & MORE had a couple of wishes for the platform’s development to ease the lawyers’ daily operation.
“We have had the opportunity to leave our mark on the platform, and Meo has always been very accommodating to our wishes. They are easy to work with, and they have proved highly skilled and tech-savvy when solving all our issues to meet our needs”, says Majken Korsgaard.
Some companies might question whether they want to collaborate with a new company in such an important area, but Majken Korsgaard was quickly convinced.
Deep insight at Meo
“I had a long meeting with Christian Visti Larsen, who explained about his background. It is compelling to work with people who are as knowledgeable about the GDPR framework as he is. He has been working with it for years, which convinced the partners and me about the platform. In Meo, we deal with very skilled people who know the demands for a platform and recognise the challenges it poses. They are 100% knowledgeable about all relevant issues, which makes an excellent collaboration”, says Majken Korsgaard.
Since DANDERS & MORE started using the platform, it has become a focal point for working with clients. As a result, the law firm has expanded its use to manage funding applications and to receive job applications.
“We were the first law firm to start using the platform, and we have not regretted it for a second”, says Majken Korsgaard.
Data protection: How to protect your clients’ personal data and comply with GDPR
A Business Obligation
Businesses that process personal data and information are obligated to protect that data. Data security is a foundational premise if you work in the financial sector – but it’s also a necessity if you handle or process any form of data.
In this article we explain:
- What is data protection?
- Technical data protection
- Organizational data protection
- How to manage breach of data protection
With Meo you can simplify the process of protecting your clients’ personal data – from first contact till the end of your business relationship. Our solution ensures that you comply with GDPR and Anti-Money Laundering (AML) laws and regulations in all of the EU.
Read more on holistic profiles
What is data protection?
Data protection is a catch-all term for all security measures and safeguards that protect your own – and your clients’ – data.
All businesses in the EU are obligated under GDPR (General Data Protection Regulation) to protect their customers’, employees’ and other partners’ data – including their personal data. This applies to both internal (people in the organization) and external (for example, hackers) parties.
It’s up to the business itself to implement sufficient safety measures that protect data. These safeguards are usually categorized as either:
- Technical security measures or precautions
- Organizational security measures or precautions
The appropriate degree or extent of such measures for your business is up to you. This requires, among other things, that you make a Data Protection Impact Assessment (DPIA) and a consequence analysis of your data protection. You can find a template for a Data Protection Impact Assessment (DPIA) on GDPR.EU.
Furthermore, it’s important that you can document that you’ve installed or implemented the necessary measures, and that you subsequently and regularly evaluate whether they’re sufficient in order to protect the personal information you process.
There are a number of internationally recognized standards for data protection, such as:
- ISO 29151
- ISO 29134
- ISO 27001
They can be read in full on the International Organization for Standardization’s website.
As a data manager and as a data processor, it’s important to understand that following these standards and guidelines is not synonymous with complying with GDPR. For that reason it’s important that you have a systematic, professional, and structured approach to the job. If you process sensitive personal data (‘special categories of personal data’) it can be necessary to add further protection measures on top.
Technical data protection
Technical data protection and safeguards are all forms of security measures that rely on digital tools and IT infrastructure. They exist predominantly on computers and servers.
This could, for example, be:
- Firewalls
- Passwords
- 2-factor authentication
- Encryption
- Logging of data handling
- Different administrative roles
- Storing data in levels (so a breach doesn’t give access to all data)
- Anti-virus
- Backup
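Three of the measures listed above (storing data in levels, different administrative roles, and logging of data handling) fit together naturally, and the list alone does not show how. The following is an added example, not Meo’s code and not from the original article, that keeps personal data in one store per sensitivity level, checks a role’s clearance before every read or write, and appends every attempt, granted or refused, to an access log. The tiers, roles, client records and account names are all hypothetical, constructed for the example.

```python
"""Tiered personal-data storage with role checks and an access log (added example, not Meo's code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from enum import IntEnum


class Tier(IntEnum):
    """Storage level, ordered by sensitivity (hypothetical classification)."""
    GENERAL = 1    # names, e-mail addresses, place of employment
    SENSITIVE = 2  # health, ethnicity and other 'special categories'
    IDENTITY = 3   # national ID numbers, passport copies, criminal record


# Role model: which tiers each role may read or write. Assumed roles, not Meo's.
ROLE_CLEARANCE = {
    "support": {Tier.GENERAL},
    "compliance_officer": {Tier.GENERAL, Tier.SENSITIVE, Tier.IDENTITY},
    "marketing": set(),  # may not touch client records at all
}


@dataclass(frozen=True)
class LogEntry:
    when: str        # ISO-8601 UTC timestamp
    actor: str       # user account performing the action
    role: str
    action: str      # "read" or "write"
    client_id: str
    tier: Tier
    field: str
    granted: bool


class TieredStore:
    """Personal data kept in one store per tier, behind a role check, with every access logged."""

    def __init__(self) -> None:
        # Separate store per level: a leak of the GENERAL store alone does not expose IDENTITY data.
        self._levels: dict[Tier, dict[str, dict[str, str]]] = {t: {} for t in Tier}
        self.log: list[LogEntry] = []

    def _authorise(self, actor: str, role: str, action: str,
                   client_id: str, tier: Tier, field: str) -> None:
        """Record the attempt first, then refuse it if the role lacks clearance for the tier."""
        granted = tier in ROLE_CLEARANCE.get(role, set())
        self.log.append(LogEntry(datetime.now(timezone.utc).isoformat(), actor, role,
                                 action, client_id, tier, field, granted))
        if not granted:
            raise PermissionError(f"{actor} ({role}) may not {action} {tier.name} data")

    def write(self, actor: str, role: str, client_id: str, tier: Tier, field: str, value: str) -> None:
        self._authorise(actor, role, "write", client_id, tier, field)
        self._levels[tier].setdefault(client_id, {})[field] = value

    def read(self, actor: str, role: str, client_id: str, tier: Tier, field: str) -> str:
        self._authorise(actor, role, "read", client_id, tier, field)
        return self._levels[tier][client_id][field]

    def denied(self) -> list[LogEntry]:
        """The entries a reviewer or auditor looks at first: refused attempts."""
        return [e for e in self.log if not e.granted]


def demo() -> dict:
    """Constructed scenario: a compliance officer onboards a client; support may read only general data."""
    store = TieredStore()
    store.write("anna", "compliance_officer", "client-001", Tier.GENERAL, "name", "Example Client ApS")
    store.write("anna", "compliance_officer", "client-001", Tier.IDENTITY, "passport_no", "P-CONSTRUCTED-123")
    name = store.read("bo", "support", "client-001", Tier.GENERAL, "name")
    try:
        store.read("bo", "support", "client-001", Tier.IDENTITY, "passport_no")
        leaked = True
    except PermissionError:
        leaked = False
    return {"name": name, "identity_leaked_to_support": leaked,
            "log_entries": len(store.log), "denied": len(store.denied())}


if __name__ == "__main__":
    print(demo())
```

The point of logging before the permission check is that a refused attempt is itself the signal worth keeping: `denied()` is what an internal review or an auditor would look at, and repeated refusals from one account are a reason to check whether that account has been misused.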
Organizational data protection
Organizational data protection and safeguards are the type of data protection that involves people and processes. Data is secured by training employees and following guidelines that prevent accidental errors or intentional breaches of personal data.
This term applies to:
- Procedures for data processing
- Clear distribution of roles and access
- Security courses
- Education of employees
- Risk and consequence assessments
- Action plans for breaches of personal data
How to manage breaches of data protection
No data protection is fail-safe and fool-proof.
This is also acknowledged by the GDPR itself and by most of the regulatory agencies responsible for enforcing it in the EU.
In order to minimize the damage of a breach, it’s important that you have a clear action plan for when you might suspect that there’s been a breach of your security. This encompasses, but is not limited to, a clear division of responsibilities between data manager and data processor, how you report potential breaches to clients, and clear guidelines for how you report breaches to the relevant regulatory authorities.
With Meo you get AML and GDPR compliant data protection
With Meo, you get a software platform that protects your clients’ data and ensures you comply with Anti-Money Laundering (AML) laws and regulations.
Furthermore, the platform helps you verify your clients’ identity so you comply with KYC and CDD. Get more information about our security by reading our Security Whitepaper.
Overview: How to comply with GDPR
What is good GDPR handling?
Does your business have a good handle on GDPR and on how you process personal data?
Virtually all businesses that come into contact with personal data are subject to local laws and regulations. In the EU and EEA that means GDPR. For this reason it’s important that you know the requirements for how you correctly process personal data.
Below you can read about the EU directive and how it applies to personal data – as well as get a few tips on best practice for processing personal data:
- What is the General Data Protection Regulation (GDPR)?
- What businesses are subject to GDPR?
- What is a Data Manager and a Data Processor?
- What is a DPO (Data Protection Officer)?
- How to comply with GDPR
- Storing personal data – when and for how long?
- Rights of private individuals
- Ongoing audits and the principles of accuracy
What is the General Data Protection Regulation (GDPR)?
GDPR, or General Data Protection Regulation, is a regulatory framework and directive in EU law on data protection and privacy in the European Union and the European Economic Area.
The regulation applies to all personal data, as well as the transfer of personal data outside the EU and EEA. It was implemented in 2018.
Its official name is:
“Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)”
As an EU regulation and directive it is, strictly speaking, not an actual law. Instead it’s a legally binding agreement between all EU and EEA countries, which they are required to then interpret and implement in their local law.
That means that, while GDPR is binding and sets out to give specific directions regarding personal data, there can be variations and minor differences from country to country. It often acts as a basic framework that is then expanded upon by the individual country.
Oversight: Different countries in the EU and EEA have different supervisory or regulatory agencies. These ensure that GDPR is upheld and guide local governments, businesses and organizations in how to be GDPR-compliant.
Which businesses are subject to GDPR?
GDPR applies to virtually all processing of personal data i.e. all information that can be connected with or identify a specific person.
Read more about personal data and the different categories.
As the regulation is geographically specific to the EU and EEA, it only applies:
- When the data manager or data processor is in the EU, regardless of whether the actual processing is conducted in or outside the EU.
- When the person whose personal data is processed is in the EU, regardless of the data manager’s or data processor’s location.
- When the processing of personal data pertains to a product or business in the EU, or involves surveilling behavior inside the EU.
To be concise: almost all businesses with an affiliation to the EU, whether through themselves or their clients/customers, are subject to GDPR.
What is a Data Manager and Data Processor?
And what’s the difference?
According to the GDPR, it’s important to fundamentally separate the two specific roles that both process personal data.
You can either be a data manager or a data processor.
There are different requirements for the two roles. That’s why it’s important to know which is which and who is who, before you start to process personal data.
Data Manager
The data manager defines the purpose and procedure for how personal information is processed. As data manager you are obligated to ensure that:
- You have a legal right to process specific personal data
- You’re able to give the registered parties access to their data, at their request
- You report breaches of personal data security to the relevant oversight, supervisory or regulatory agency.
Data Processor
As a data processor you solely process the personal data on behalf of the data manager. You do not have any influence on the purpose or procedure you operate under.
A data processor can, for example, be a software provider whose service is used to store data on its servers, or another type of provider of automated processing of personal data, where you as the data manager do not directly access the data yourself.
Because the relation between data manager and data processor involves the exchange of personal data, it’s important that there is a data processing agreement in place that clearly defines the exact relation between the two. A template for this can be found on GDPR.eu.
What is a Data Protection Officer (DPO)?
There can also be a third role: DPO or Data Protection Officer. You might have come across this term before, but what does it mean? And should your business have a DPO?
The role of DPO is to advise on the requirements of GDPR and guide the data manager in how they can fulfill these requirements. It’s important to note that the DPO is not responsible for whether or not the business is compliant with GDPR or local law.
Governmental agencies are required to – regardless of whether they’re data managers or data processors – appoint a DPO. Private companies are only obligated if all of the following three conditions apply:
- Processing of personal data is a core work activity
- Personal information is processed in vast quantities
- Processing consists of regular and systematic surveillance or contains sensitive personal data (‘special categories of personal data’)
When is processing of personal data a ‘core work activity’?
Most organizations perform some type of processing of personal data but GDPR differentiates between non-core work activities and core work activities.
Non-core work activities can generally be said to be activities that support core work activities. For example, most businesses come in contact with a certain amount of personal data in regards to employee data and personal data related to sales and different types of support. These are considered to be non-core work activities.
According to GDPR, the processing of personal data is a core work activity, if what a business is looking to sell is irrefutably connected to personal data. This could, for example, be:
- Insurance companies whose product is tailored on the basis of personal data
- Providers of market research
- Search engines
- Businesses related to headhunting of new employees
These are all examples of business activities that are centered around processing personal data, and where the output depends on the information obtained and processed.
How to comply with GDPR
GDPR necessitates a risk-based approach similar to, for example, anti-money laundering initiatives.
A risk-based approach means that, whether the business is a data processor or a data manager, you are obligated to perform an assessment of the types of data that are stored or processed by the business. Then you need to make sure that there are organizational and technical security measures or safeguards in place that correspond to the assessed risks.
Technical security measures
Examples include strong firewalls, ongoing updates of code and systems, encryption and a strong IT infrastructure.
Organizational security measures
Examples include documented procedures, clear policies for personal data, access control, courses in correct data processing, and the further education of employees.
To comply with GDPR, businesses need to have:
- Risk assessments
- Policies and procedures
- Audits and documentation
How do you perform a risk assessment?
Risk assessments will typically evaluate, or assess:
- What types of data are stored by the business (there are, for example, differences in sensitivity between storing e-mail addresses and copies of passports)
- Consequences for data leaks (for example, phishing, hacking or accidental internal leaks of material pertaining to personal data)
- The security measures in place to minimize the above risks
On the basis of these factors you can assess whether the risk is acceptable, or if you need to implement new safeguards to minimize the risk of data being stolen or leaked.
There are also requirements for documentation of your considerations regarding the procedures.
Policies
Most businesses have set procedures and policies in place that streamline and systematize work activities. In the same way, it’s a good idea to define policies and procedures for the processing of personal data.
Typically you’ll divide personal data policies into whether they pertain to personal data about employees or clients/customers. A personal data policy for clients could, for example, contain the following:
- A clarification of whether you’re acting as data manager or data processor.
- Where the personal data is stored – on internal or external servers or storage units? If it’s stored outside of the EU/EEA then what did you do to ensure a sufficient level of security?
- Whether you have a DPO, and if so, what the DPO’s assignment is and how you’ve secured the DPO’s position in the organization.
- What the stated purpose is for storing data, specifically your legal rights and the legitimacy of the purpose.
- What your policy for deleting or erasing personal data is, and for how long you store data after the termination of a client/customer relationship.
- Optionally, which technical and organizational security measures you’ve implemented to protect against data leaks, and how you’re planning to react in the case of a leak.
Business procedures
The business procedures should be in an internally accessible document written to support the workflow and procedures you’ve agreed upon. A business procedure is often a relatively detailed description of how you handle personal data, with specific procedures for how your business – in its day-to-day activities – ensures that unnecessary data is deleted, and how you share data with others, whether colleagues or external data processors.
Audits and documentation
Simultaneously you need to be able to document that your processing of personal data is in accordance with GDPR and local law. You, for example, need to document how you delete personal data after the end of a business relationship.
A business can have multiple procedures regarding how and how often they delete data. But according to GDPR it’s essential that it’s written down or somehow documented, so that the proper regulatory agencies can audit your actions and thus ensure that you’re complying with GDPR.
The documentation requirement can be supported by IT solutions that can even automate some of the necessary processes.
Storing of personal data – when and for how long?
Businesses can store personal data as long as they:
- Have a legal right to it.
- Have a legitimate purpose for storing the data.
The legal right regarding storage of personal data is defined as:
- The business has obtained consent from the person whose personal data is being stored.
- It’s written in the law that the data must be stored.
- It’s necessary in order to uphold an agreement or contract.
- The business has a legitimate interest in storing the personal data, and this interest outweighs the person’s own interest in having it deleted.
Normally, the business or governmental agency has sufficient legal right if just one of the above criteria has been met.
A legitimate purpose is basically defined by common sense.
Ask yourself: What is the purpose of storing the given personal data?
If you don’t have a legitimate purpose then the data needs to be deleted.
Example
Six months ago the company had a job posting looking for a legal aid. They had many applicants but have since closed the entire department and do not plan to hire legal aids ever again.
Does the business still have a legitimate purpose for saving resumés and applications? Here, the answer is no.
As long as a business has the legal right and a legitimate purpose, then the business can continue to store data. As soon as this is no longer the case, the data should be deleted.
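The two-part test above (a legal right and a legitimate purpose, with deletion as soon as either is gone) and the documentation requirement from the audits section are the kind of thing the article says an IT solution can automate. The following is an added example, not Meo’s code and not from the original article: a retention check that applies that test to a set of constructed records, including the job-application case from the example, and writes an audit line for every deletion decision. The record fields, the five records, the review date and the 1825-day statutory retention period are all constructed assumptions for the example; the period is not a statement of what any law requires.

```python
"""Retention review: legal right + legitimate purpose, with an audit log (added example, not Meo's code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# The four legal grounds listed in the article for storing personal data.
LEGAL_BASES = {"consent", "statutory", "contract", "legitimate_interest"}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str                          # e.g. "job_application", "client_id_copy"
    legal_basis: str | None                # None: no ground (e.g. consent withdrawn)
    purpose_active: bool                   # does a legitimate purpose still exist?
    relationship_ended: date | None        # when the business relation ended, if it has
    statutory_retention_days: int | None   # only for "statutory": how long the law says to keep it


def retention_decision(rec: Record, today: date) -> tuple[str, str]:
    """Return ("keep" | "delete", reason) for one record as of `today`."""
    if rec.legal_basis not in LEGAL_BASES:
        return "delete", "no legal right to store the data"
    if rec.legal_basis == "statutory":
        # A statutory duty is its own purpose, but only for the period the law prescribes.
        if rec.statutory_retention_days is None or rec.relationship_ended is None:
            return "keep", "statutory duty to store; retention clock has not started"
        expiry = rec.relationship_ended + timedelta(days=rec.statutory_retention_days)
        if today < expiry:
            return "keep", f"statutory retention until {expiry.isoformat()}"
        return "delete", "statutory retention period has expired"
    if not rec.purpose_active:
        return "delete", "no legitimate purpose remains"
    return "keep", "legal right and legitimate purpose both present"


def review_retention(records: list[Record], today: date) -> dict:
    """Decide every record and produce the deletion log that documents the decisions for an audit."""
    decisions: dict[str, str] = {}
    deletion_log: list[str] = []
    for rec in records:
        action, reason = retention_decision(rec, today)
        decisions[rec.record_id] = action
        if action == "delete":
            deletion_log.append(f"{today.isoformat()} delete {rec.record_id} ({rec.category}): {reason}")
    return {"decisions": decisions, "deletion_log": deletion_log}


# Constructed sample data; none of it describes a real person or a real retention rule.
REVIEW_DATE = date(2024, 6, 1)
SAMPLE_RECORDS = [
    # The article's example: applications for a job in a department that has since closed.
    Record("app-17", "job_application", "legitimate_interest", False, date(2023, 12, 1), None),
    # ID copy kept under an assumed statutory duty of 1825 days after the relation ended.
    Record("kyc-42", "client_id_copy", "statutory", False, date(2023, 1, 15), 1825),
    # Same duty, but the relation ended long enough ago that the period has run out.
    Record("kyc-07", "client_id_copy", "statutory", False, date(2018, 3, 1), 1825),
    # Contact details needed to perform a current contract.
    Record("crm-03", "client_contact", "contract", True, None, None),
    # Newsletter address whose only ground, consent, has been withdrawn.
    Record("news-9", "newsletter_email", None, True, None, None),
]


if __name__ == "__main__":
    result = review_retention(SAMPLE_RECORDS, REVIEW_DATE)
    for record_id, action in result["decisions"].items():
        print(record_id, action)
    print("\n".join(result["deletion_log"]))
```

The deletion log is the part that answers the audits section: it records not only that a record was deleted but on which ground, which is what a regulator asks to see. Running the review on a schedule, rather than when someone remembers, is what turns the policy into a procedure.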
Rights of private individuals
With the implementation of GDPR, private individuals gain the right to access the data businesses store about them. This is often called access rights or subject right:
- In principle, you have the right to access all personal data about yourself that the data manager is responsible for.
- A data processor cannot grant access, because they are not responsible for the registered data.
The data and information you can request includes:
- How your personal data is processed
- What purpose there is for the processing
- Who the information is shared with
- For how long the data is stored
- Where the personal data originates from
This is to ensure that the data is verifiable, accurate and that the processing is performed on the basis of sound legal authority.
Ongoing audit and the principle of accuracy
As a business you are obligated to make sure that the stored personal data is accurate and that wrong or false information is deleted.
This is also called the principle of accuracy.
The principle does not only revolve around the duty of deleting or correcting information that you’ve been informed is wrong. You also have an obligation to actively seek out and verify the accuracy of your data.
This could, for example, be done by continuously comparing the data you obtain against registries and databases of publicly available information, or by periodically asking the individual the information is about to confirm it.
How thoroughly you need to verify the information’s accuracy and authenticity, and how often you need to repeat the process, depends on the data you are processing. The more sensitive the information – and therefore the more it matters to its owner – the more procedures and fail-safes you need to implement to protect against inaccurate data.
Cases at Meo
Meo has also collaborated with a lot of different companies that have benefited greatly from the Danish software platform, Meo. Among them is the law firm Bech-Bruun, which recently commented on whether the platform has provided clarity on the secure handling of information and data from new clients in accordance with the GDPR law.
This focus is something that is reflected in the opinions of our various partners and customers, who all believe that our software platform has created security for them in connection with the exchange of data and information with clients or partners.
We at Meo therefore help to create clarity over administrative tasks as well as the security of your business and the exchange of data.
Meo – Processing personal data easily and securely
If you’ve read along from the top, and have lost your breath over the challenges of working with GDPR and personal data, then you’re not alone.
Luckily, there are a number of good solutions for the business challenges of processing data.
Meo is a software platform that since 2015 has made it possible for businesses and individuals to exchange information in a transparent and secure way.
For businesses there are a number of benefits from using Meo:
Onboarding
Onboard your clients digitally on secure channels.
Validation
Setup your own requirements for validation of information.
Documentation
A full audit trail and overview of the performed actions and consent for processing.
Processing
With Meo you comply with all legal requirements, both GDPR and AML.
What is personal data? Ownership, processing and security
Everything you need to know about personal data
In this digital age, and with the enactment of General Data Protection Regulation (GDPR), there has been an intensified focus on personal data and the way businesses handle their clients’ information. Personal data is shared by citizens and clients all the time – with both businesses and governments. And organizations that don’t have a proper handle on personal data risk major fines and penalties.
Because this is such an important topic for businesses, we’ve written this extensive guide and FAQ so you can better understand what personal data is – and how you’re required to handle it under GDPR. We’ll answer:
- What is personal data?
- What is the GDPR (General Data Protection Regulation)?
- Personal data in a business perspective
- When are businesses considered to be processing personal data?
- Who owns personal data?
- Secure processing of personal data
- How Meo helps companies collect, verify and store personal data in a secure and easy way that is also 100% GDPR compliant.
Read more about the platform here or book a demo to hear more about how we can help your company with KYC compliance.
What is personal data?
In order to understand what personal data is, let’s start with a definition. Personal data is defined by the EU in the General Data Protection Regulation as:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
– Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
In other words, personal data is all information that can be used to identify an individual. According to this definition, personal data spans a wide variety of information, including:
- A name
- A photo
- E-mail address
- Information about a person’s ethnicity
- A sound file
- IP address
- Criminal record
- Social Security Number
The list of personal data is therefore potentially inexhaustible.
Any information related to an identified or identifiable individual is personal data. Information such as data about congenital diseases of an individual’s grandparents is also personal data.
The GDPR does, however, differentiate between types of personal data, which must be processed or handled under more or less restrictive conditions:
General personal data
These include personal data such as names, e-mails, addresses, place of employment etc. This is factual information that is often publicly available.
Sensitive personal data (‘special categories of personal data’)
Such as health data, ethnicity and sexual identity. These types of data are very personal and need to be processed with extra care.
Social security numbers and criminal record (‘special categories of personal data’)
Governmental information such as social security numbers and criminal records are also a part of special categories of personal data. By some EU countries these are considered a separate category, as they involve classified or protected information that need to be more guarded than even traditional sensitive personal data.
What is the GDPR (General Data Protection Regulation)?
The GDPR, or General Data Protection Regulation, is a regulatory framework and directive in EU law on data protection and privacy in the European Union and the European Economic Area. It applies to all personal data, as well as the transfer of personal data outside the EU and EEA. It was implemented in 2018.
Its official name is:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Read more about the General Data Protection Regulation (GDPR).
What is personal data in a business perspective?
Personal data is ultimately the most valuable information that businesses collect and process. Without this data it’s not possible to run a business in such a digitalized world.
On a consumer level, people would not be able to use today’s digital options, such as setting up a bank account, getting a package delivered or buying vital digital services, without releasing some form of personal data. There are, of course, certain providers of services and products that don’t need personal data – for example, if you buy a hotdog at a vendor and pay in cash.
With the exception of examples as above, the majority of interactions between individuals and businesses are based on some sharing or exchange and processing of personal data. The increasing digitalization of society and the use of personalized data also gives rise to better and more targeted services. For that reason the exchange of personal data can be considered necessary, or even essential, for both consumers and businesses.
The rules for how businesses process personal information are quite extensive and cover, among other things, the secure storage of personal data.
Read more about the rules here.
What is processing of personal data?
The processing of personal data refers to activities such as the collection, storage, use, transfer, security and disclosure of personal data. Any activities relating to personal data, from the planning of the processing to the removal of personal data, constitute processing of personal data.
When a company processes data, there will always be a need for a data processor and a data controller. These two roles are not the same, but are both necessary to have. In the following you can find a definition of each role and what it entails.
A data controller is a person or an organization that determines the purposes and means of processing personal data. A data controller can be an association that collects information about its members, a hospital that processes patient records, an online shop or a social media service.
A data processor is a person or an organization that processes personal data on behalf of a controller. A data processor could be an agency that handles some processes of another company, or an IT service provider that has access to the personal data collected by the data controller.
When can businesses process personal data under GDPR?
The GDPR – and subsequent local laws – applies the moment businesses ‘process’ personal information. But, as mentioned earlier, the processing of personal data can take many forms. Because the definition is so broad, it in reality occurs the moment a business comes into contact with personal information.
According to the definition of GDPR, processing of personal data applies to all the ways in which you handle personal information. This includes collecting, recording, organizing, systematizing, storing, editing, altering, searching, using, sharing, transmitting, securing, disseminating, deleting – and much more.
Verification of information
A specific example is when a business needs to verify that a given name actually belongs to a person. The business obtains verification data from a service the person already uses, or from additional data sources with the authority to confirm that the information is correct. This is especially relevant to businesses subject to the Anti-Money Laundering (AML) Directive.
If just one type of the above actions occurs, it’s considered processing under GDPR. In order to live up to EU law, all businesses should consider it data processing the moment they come into contact with personal data.
Read more about the General Data Protection Regulation (GDPR).
Who owns personal data?
Who owns personal data after collection?
GDPR marked a foundational shift in how society views data ownership. Before, it was not always clear who controlled the data after it had been exchanged between two parties, and the right of users to gain insight into what personal data businesses store about them was often unclear.
GDPR helped to clarify these issues and principles. Strictly speaking the regulation does not speak of ownership but of the rights of the data subject, yet the effect is the same: the rights over personal data belong to the person the information describes. Businesses are allowed to process and use the data on a lawful basis, but the rights always remain with the registered party.
Data belongs to the person represented by the information.
The rights of private individuals
What rights do private individuals have in relation to their personal data?
The shift created by GDPR, which clarified the rights of the data subject, means that registered persons have a right of access (subject access) to the data businesses store about them. This right is, of course, also important for businesses to understand, as they are required to comply with it.
With the exception of certain outlier cases, private individuals have the right to contact businesses that they believe are processing or storing their personal data and gain insight into what data the business holds, the purpose and legal basis for processing it, and, where the processing rests on consent, when that consent was given.
Read more about the Right of Access (Subject Access).
This understanding of data rights leads us to the six principles for how businesses should process personal data. First, a definition of what securing personal data means.
Secure processing of personal data
Fundamentally, GDPR requires businesses to protect both internal personal data (e.g. on employees) and external personal data (e.g. on clients, business partners, or criminals who appear in screening data) using sufficient security measures.
It is up to each business to assess which safeguards apply in a given situation.
Businesses typically divide these security measures into two categories:
Technical security measures: among other things firewalls, timely patching of code and systems, access control, encryption of data at rest and in transit, and a robust IT infrastructure.
Organizational security measures: clear policies for handling personal data, rules for who may access which data, training in correct data processing, and continued education of employees.
If you’re handling sensitive personal data (as defined above), you need to implement more strict security measures. The chosen measures are based on the risk assessment, which is a part of the GDPR’s risk-based approach to data protection.
Read more about data protection here.
Here’s how to get started with personal data under GDPR (The 6 Principles)
If you are interested in the underlying principles of GDPR, you can read Chapter 2, Article 5 of the General Data Protection Regulation.
This outlines the six founding principles for how businesses need to approach personal data. We’re going to explain each one here:
1. ‘Lawfulness, fairness and transparency’
Your business needs to be transparent with clients and customers about how you process their personal data. For example, the language in written communication such as e-mails needs to be clear and easy to understand. Clients need to know what is happening, and why. Avoid obscure language and excessive technical jargon, and set time aside to develop good, legible templates to reuse.
All processing of personal data needs to be fair, secure and based on best practice (for example, by using the best available technology).
Lastly, your processing of personal data needs to be lawful, in both the spirit and the letter of the law. That means having a valid legal basis for every processing activity. Consent from the client or customer is one such basis, but not the only one: AML due diligence, for example, is processed under a legal obligation, so the client cannot stop it by withdrawing consent.
2. ‘Purpose limitation’
You can only collect personal data for specific, explicitly stated purposes, and you must inform your clients of those purposes when you collect the data. You may not later use the data for something incompatible with the purpose the client was informed of.
3. ‘Data minimisation’
‘Need to have’ is central to data minimisation. Fundamentally, you may only collect the personal data actually needed to fulfil your stated purpose.
4. ‘Accuracy’
Ensuring the accuracy of personal information is an ongoing process, so you need to keep the data up to date. Furthermore, you need to correct or delete data that is inaccurate or unusable for the specific purpose it is held for.
5. ‘Storage limitation’
You can only store personal data for as long as necessary. Therefore you need to keep asking: do we still have a purpose for storing this data? A half-yearly or yearly review of stored data is a good habit. Note that other legislation can set a minimum: the AML Directive, for example, requires due diligence records to be kept for five years after the end of the client relationship.
6. ‘Integrity and confidentiality’
The integrity of the data needs to be maintained. That means ensuring that the data stays accurate and unaltered over time, and that you can detect if it has been tampered with.
At the same time you need to handle the data confidentially. No one without a legitimate need may gain access to it. That applies to people outside your organization (for example, attackers), but also to people within it (for example, colleagues who have no role in the processing).
To ensure this, you need sufficient and adequate security measures. The level of security can vary from business to business. As mentioned previously, technical and organizational measures are the two categories of protection.
If you have a handle on the six principles, you’ve come a long way towards processing personal data correctly. And it pays off to work within the rules. Violations of the GDPR can result in fines and penalties.
Enforcement Tracker can give you an overview of fines and penalties for violating GDPR in the EU and EEA.
What can be done in the process of securing personal data?
Data can be protected in different ways, so there is no single manual for exactly how to do it. Some methods are, however, better than others.
You achieve the best protection of personal data through data protection by design and by default, which GDPR Article 25 requires.
Data protection by design means that your company takes data protection into account early, when planning new ways of processing personal data. Here the controller can and should take all the technical and organizational decisions needed to implement the data protection principles and protect the rights of individuals. This may include, for example, pseudonymization, so that records used for analysis or testing no longer point directly at a person.
Data protection by default means that the company always uses the most protective setting as the default. For example, if there are two privacy settings available and one of them ensures that the personal data cannot be accessed by others, that setting should be the default; the user should have to opt in to wider sharing, not opt out of it.
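As an added example (not Meo's code and not a description of the Meo platform), the following Python shows what pseudonymization buys you and where the common shortcut fails. Direct identifiers are replaced with keyed HMAC tokens, so records about one person stay linkable for analysis while the key, stored separately, is needed to recompute or match them. The sample record and the CPR-style number are constructed; the 128-bit token length and the key handling are assumptions, not requirements stated on the page. The second half demonstrates why an unkeyed hash is not pseudonymization: when the birthdate part of a Danish CPR number is known, only 10,000 suffixes remain and the hash is inverted instantly.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample record for illustration; not a real person or CPR number.
SAMPLE_RECORD = {
    "name": "Jens Hansen",
    "national_id": "010190-1234",
    "email": "jens.hansen@example.com",
    "country": "DK",
    "risk_score": 3,
}

# Fields that identify the person directly; everything else stays usable for analysis.
DIRECT_IDENTIFIERS = ("name", "national_id", "email")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised value, truncated to 128 bits.

    The same value under the same key always gives the same token, so records about
    one person can still be linked. Without the key the token can neither be reversed
    nor recomputed from a guessed identifier.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def pseudonymise(record: dict, key: bytes) -> dict:
    """Return a copy of the record with direct identifiers replaced by keyed pseudonyms."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = pseudonym(str(out[field]), key)
    return out


def weak_hash(value: str) -> str:
    """The common mistake: an unkeyed SHA-256 of the identifier."""
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()


def recover_unkeyed_id(token: str, birthdate_prefix: str) -> Optional[str]:
    """Show why weak_hash is not pseudonymisation.

    A Danish CPR number has the form DDMMYY-XXXX. If the birthdate is known or guessed,
    only 10,000 candidates remain, so an unkeyed hash is inverted in milliseconds.
    The same loop against a keyed pseudonym returns None: the attacker cannot compute
    the HMAC without the key, so no candidate ever matches.
    """
    for suffix in range(10_000):
        candidate = f"{birthdate_prefix}-{suffix:04d}"
        if weak_hash(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    # Assumption: in production the key comes from a KMS/HSM, never from source code.
    key = b"\x01" * 32
    safe = pseudonymise(SAMPLE_RECORD, key)
    print(safe)
    print(recover_unkeyed_id(weak_hash("010190-1234"), "010190"))  # identifier recovered
    print(recover_unkeyed_id(safe["national_id"], "010190"))        # None
```

The pseudonymised record is still personal data under GDPR, because the controller holding the key can re-identify it; the gain is that a leaked analytics copy without the key is far less damaging, and that the key can be destroyed when the retention period ends.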
Who is Meo?
Meo is a Danish RegTech company that owns, develops and operates Meo, an identity management platform for handling customer data. Our goal is to enable companies to share data securely, prevent risks such as money laundering and corruption, and ensure compliance with the law.
Read more about Meo in our About section. Find out more about Meo below.
Meo – processing personal data easily and securely
If you’ve read along from the top, and have lost your breath over the challenges of working with GDPR and personal data, then you’re not alone. Luckily, there are a number of good solutions for the business challenges of processing data.
Meo is a software platform that since 2015 has made it possible for businesses and individuals to exchange information in a transparent and secure way.
For businesses there are a number of benefits from using Meo:
Onboarding
Onboard your clients digitally – using secure channels.
Validation
Setup your own requirements for validation of information.
Documentation
A full trail and overview of the performed actions and consent for processing.
Processing
Meo supports your compliance with legal requirements from both GDPR and AML.
What Is Anti-Money Laundering?
Here is what you as a company need to know about money laundering
Is your business subject to the Anti-Money Laundering (AML) Directive? Then it’s important to know the fundamentals of money laundering, and why it’s necessary to have local and international anti-money laundering laws and regulations.
In this article you can learn more about money laundering, including:
- What is money laundering?
- How is money laundering committed?
- What does international and european law say about money laundering?
- 4 important terms when it comes to money laundering
- Guide to anti-money laundering checks
- How the Meo platform helps keep your company AML-compliant.
What is money laundering?
Money laundering is predominantly about making illegal means – black money – legal. That means cloaking the financial gains from criminal activities and using it with legal vendors and in broader society. The origins of the black money can, for example, come from dealing illegal substances or weapons, tax evasion and much more.
White washing
All activities that help criminals obfuscate, conceal or transform black money into legal tender (money that can be documented and used legally) are called money laundering, or in Danish usage "white washing" (hvidvask).
How is money laundering committed?
There are many ways to launder money. Below is an example of how it could transpire:
- A drug dealer has sold illegal substances for 25,000 EUR and now has a lot of black money in his possession.
- The drug dealer finds a used car that is privately for sale for 75,000 EUR. He offers to pay the full asking price, on the condition that part of it is paid in cash.
- The drug dealer goes to the bank and gets a loan, explaining that he is buying a car for 50,000 EUR.
- The bank grants the loan and transfers 50,000 EUR directly to the seller; the drug dealer pays the seller the remaining 25,000 EUR in cash.
- The drug dealer now sells the car to a third party for 75,000 EUR, which is transferred directly to his bank account. He can now document that the money originates from the sale of the car, and he pays off his loan to the bank.
- The 25,000 EUR have now been laundered, as they appear to be the proceeds of a simple car sale.
- In principle, money laundering can also be carried out through registered car dealers as go-betweens. The drug dealer can have straw men buy and sell cars, boats, art, property and other physical assets to launder the black money.
What does the law and regulations say about money laundering?
In the EU all financial businesses are subject to and regulated by the Anti-Money Laundering (AML) Directive.
Its full official title is: "Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing" (read it in full here). The directive exists to hinder criminals from being able to earn money from illegal activities which can then be used legally or to finance terrorism.
It’s important to combat money laundering because this type of crime makes it difficult for law enforcement to discover criminal acts. By stopping the laundering of illegal money you simultaneously prevent other forms of financial crime as the perpetrators will have a more difficult time spending or storing their ill-gotten gains. Furthermore, the Anti-Money Laundering Directive also exists to prevent opportunities for financing terror acts and organizations. Most European countries have local laws and regulations based on the EU-directive, which is continuously being formed and developed by the European Parliament. At the present time, the EU has developed six different directives (AML1-6) for the prevention of money laundering.
A number of different business fields and sectors are legally obliged to conduct themselves in accordance with anti-money laundering regulations. Here’s a brief overview:
- Lawyers
- Auditors and external accountants
- Real estate agents
- Landlords
- Financial companies
- Service providers
Read more about the Danish Anti-Money Laundering Act (Hvidvaskloven).
4 important terms when it comes to money laundering
There are quite a few technical, legal and other terms or abbreviations regarding money laundering. The four most important ones to know are:
1. CDD - Customer Due Diligence
Customer Due Diligence (CDD) is a cornerstone of businesses’ anti-money laundering initiatives and procedures. The term covers all actions undertaken by companies to verify the identity of their clients or customers, as well as perform background checks and risk evaluations. Companies and organizations subject to anti-money laundering laws and regulations are required to perform risk assessments, wherein they – on a client-to-client basis – assess the risk of the client being used or using the business for money laundering or the financing of terrorism. Read more about CDD and risk assessment.
2. KYC - Know Your Customer
There are many reasons why it is important for businesses to "know their customers". One of them, in relation to CDD, is evaluating whether a customer poses a risk to the business. KYC screening or verification is the process in which the business identifies and verifies the identity of its customers and clients: in other words, it gets to know its customer. This is achieved by gathering personal information and identification data about the customer or client, which then has to be verified.
3. PEP - Politically Exposed Person
A PEP, or Politically Exposed Person, is a strictly defined category of people who, on the basis of their political position or power, are considered customers at greater risk of being involved in money laundering or other criminal activity. The concern is that they, because of their position, can be exposed to blackmail or bribery, or otherwise, willingly or under coercion, become embroiled in money laundering. Read more about PEP and PEP lists.
4. AML - Anti-Money Laundering
AML is an abbreviation for “anti-money laundering”. The term refers to a broad swath of laws, regulations, directives and procedures that exist to prohibit or stop the laundering of illegal money.
Guide to anti-money laundering checks
Businesses in the affected sectors have to constantly adapt to a plethora of laws, directives and regulations. Most of these require or encourage specific forms of anti-money laundering checks.
With AML 5, transposed into national law by January 2020, a number of changes were introduced and the risk-based approach to anti-money laundering precautions was strengthened further. This approach demands more of the businesses' ability to assess their customers and client relationships.
Roughly speaking, businesses need to assess the risk that they’re being misused for money laundering or the financing of terrorism. One of the central and foundational concepts is the creation of the risk assessments, policies and business procedures, as well as the underlying control and evaluation that ensures that overall compliance.
Read more about the Danish Anti-Money Laundering Act (Hvidvaskloven - Download PDF).
Meo – steer clear of money laundering with our intelligent platform
We hope you now have a more clear understanding of money laundering – and have given you an insight into what your business needs to be aware of to be AML-compliant. Do you have a clear standard for your processes, data handling and the verification of new clients?
If not, Meo can help.
Meo is a Danish company and software platform that helps businesses with their data security, onboarding and overall compliance.
With Meo you can:
- Automatically screen clients via PEP-lists.
- Verify clients’ ID
- Collect data from official sources regarding businesses and individuals
With Meo you don’t need to worry when it comes to anti-money laundering measures.
The Anti-Money Laundering (AML) Directive - guide to businesses
Is your business subject to the Anti-Money Laundering (AML) Directive and the subsequent laws and regulations in all EU and EEA countries? Then it’s important that you know your obligations regarding the law, and why it’s even necessary to have a European standard for anti-money laundering initiatives and regulations.
On this page we answer the most frequently asked questions about AML and the Anti-Money Laundering Directive, such as:
- Why do we need Anti-Money Laundering (AML) laws and regulations?
- Which businesses are subject to the Anti-Money Laundering Directive?
- How do EU directives and national laws interact?
- The various regulatory agencies
- What happens if businesses don’t uphold the law?
- Guide to the Anti-Money Laundering Directive
- AML 5: the risk-based approach
- Risk assessment
- Policies
- Business procedures
- Audits and verification
- KYC procedure
- AML 6: New requirements coming
Why do we need Anti-Money Laundering (AML) laws and regulations?
Anti-money laundering laws and regulations exist to prevent money being made from criminal activities being used in the rest of society. Fundamentally, the law exists in order to make it more difficult to commit crimes, such as tax avoidance and financial fraud. The law is also intended to prevent the financing of terrorism.
All EU and EEA countries have their own anti-money laundering laws and regulations. However, they’re all formed by EU directives which are formed and approved by the European Parliament. The EU has, at the current moment, created six different directives regarding money laundering. In technical terminology they’re referred to as AML 1-6. AML is an abbreviation for ‘anti-money laundering.’
EU directive
A directive is a legal act decreed by the European Union. The directives are binding for member states and members of the European Economic Area (EEA). However, the countries themselves decide on how to implement the directive in national laws and regulations.
Which businesses are subject to the Anti-Money Laundering Directive?
Different businesses are subject to the Anti-Money Laundering Directive, among others:
- Law firms
- Accountants
- Real estate managers
- Landlords
- Financial companies
- Service providers
How do EU directives and national laws interact?
Whenever the EU adopts a directive, the member states have a period in which they are required to implement it in national legislation. This typically happens by adjusting existing laws and/or issuing new executive orders.
The work involved in implementation typically stretches over a longer period, and not all countries implement the law concurrently or similarly. This creates some debate between countries, as it leads to situations arising where it might be more beneficial to set up a financial license in one place and then delivering your products to the remaining countries.
EU’s expert groups
The development of AML-directives involves a number of different professions, interest groups, legal experts as well as local regulatory agencies.
Meo has since 2015 been represented in one of the EU’s payment systems market expert groups (PSMEG) by our CEO, Christian Visti Larsen, who has assisted in developing AML 5.
Different regulatory agencies
The supervisory or regulatory agency that originally issued a business license will often be the party responsible for ensuring proper supervision and enforcement.
But from country to country, there can be a degree of difference between how regulations are enforced. This makes it more enticing for certain businesses to focus their activities in one country where the supervision is more lax – and thereafter selling their wares or services to the rest of the countries in the European inner market.
What happens if businesses don’t uphold the law?
There’s a difference between how the individual regulatory agencies communicate the activities and issues they might uncover when supervising businesses.
At times these can be in the form of regulatory AML reports that specify criticisms, injunctions and even reports to the police. These reports are typically publicly available on their websites, and it’s often required that the reports are displayed on the businesses’ own websites.
If a business is caught not living up to their obligations, it doesn’t necessarily result in a fine. However, the business will rarely be able to avoid penalties or a trip to the metaphorical pillory. For businesses that depend on their good name and reputation, this can be much worse than a fine.
Penalties
The regulatory agencies can rarely issue fines but they are able to report the company in violation of AML laws to the local police department for criminal financial activities. This then results in a police investigation that can lead to a public trial. However, it’s possible for the agency to issue administrative fines in simple cases where the business admits to wrongdoing.
AML 5: The risk-based approach
The fifth directive, AML 5 (Directive (EU) 2018/843), was adopted in 2018 and had to be transposed by January 2020. With this directive the risk-based approach to anti-money laundering (AML) precautions was reinforced, an approach that requires more from businesses' assessment of their client relationships.
Businesses now need to assess the individual risk, from each client, of being used for money laundering or financing of terrorism. Some of the central and fundamental elements in the new AML directive is:
- Risk assessments
- Policies
- Business procedures
It’s all up to the business to develop and implement these requirements. Below, we explain what each element entails. Furthermore, you need to create a description of how you audit and supervise each activity, so you’re certain the law is being upheld.
The risk-based approach results in a much greater focus on verification of identity and ongoing KYC checks.
Risk assessment
Businesses subject to the Anti-Money Laundering Directive have to create risk assessments that identify and evaluate every perceived risk associated with individual clients, products, delivery channels and business activities.
To create a risk assessment, the business needs to:
- Consider the risk, from client to client, of being exploited for money laundering or the financing of terrorism. This is also called CDD (Customer Due Diligence).
- Be able to explain and justify the assessment and precautions to the relevant regulatory agency.
- Make a Risk Assessment that includes the business’ precautions and safeguards in relation to the prevention of money laundering.
You could, for example, conclude that there is an elevated risk connected with clients living abroad, depending on the country in which the client resides. Based on this you can evaluate whether you need further documentation from the client, for instance a copy of their passport or birth certificate. If your services allow people or entities to become clients without a physical meeting, you can likewise decide that this calls for further documentation.
Risk assessment
Risk assessments are structured approaches wherein you attempt to, objectively and fairly, assess clients individually. That requires differential treatment.
Policies
A business’ policies describe their overall appetite for risk. This policy will often include descriptions of:
- Which types of clients you want to do business with
- Which types of clients you don’t want to do business with
It is typically management who outline and develop these policies, which are then approved by the board of directors. One of the primary reasons for this is that it forces leaders to acknowledge and actively decide on the risks associated with running the business. In this way no one in the business can abdicate their responsibilities or wash their hands of wrongdoing if problems arise.
Policies also define the area within which the employees operate without needing constant approval from upper management.
A business’ policies describe their overall approach and capacity for risk. Policies are created by upper management and approved by the board of directors.
Business procedures
Briefly, a business procedure is a written process for how you, as an employee or business, need to conduct yourself in specific, well-defined situations.
A business procedure:
- gives you an overview of the risks you consider to be present with different groups of clients or customers.
- describes the actions you have taken to mitigate this risk.
Example
If you have a client residing abroad, you can use the risk assessment to evaluate whether this constitutes an elevated risk that your business is being misused for money laundering or the financing of terrorism.
This is the perceived risk the business incurs if they take on the client. To be able to accept said risk the business procedure needs to demand a more thorough verification of the client. In addition to a standard KYC check, you can demand notarized copies of passports, or request additional information regarding the business venture.
Furthermore, a business procedure will also contain information regarding when and how you report misconduct to a regulatory agency, such as when you suspect financial malfeasance.
Audits and verification
Audits and verification always have to be documented. It’s useless to perform verification if you can’t subsequently prove it took place.
A typical mistake in this process involves manual verification of copies of passports or driver’s licenses. To counter this, a business procedure could prescribe that the employee has to go through the documents and ensure that the ID is valid and of such a quality that they can subsequently identify the client. But if there’s no documentation that this has happened, the audit is not considered to have transpired regardless of whether or not the employee actually looked through the documents.
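One way to make that documentation tamper-evident, as an added example and not Meo's own method: each verification event (who checked what, for which client, with what result, and a content hash of the evidence file) is written as a hash-chained log entry, so a later edit to any entry breaks the chain from that point on. The client IDs, employee names, check names and scan bytes below are constructed, and the field names are assumptions. The example also shows what the chain does not catch on its own: silently dropping the newest entries.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS_HASH = "0" * 64


def _canonical_hash(entry: dict) -> str:
    """SHA-256 over canonical JSON, so identical content always hashes identically."""
    data = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def evidence_ref(document: bytes) -> str:
    """Reference the stored evidence (e.g. the passport scan) by content hash, so the log
    proves which file was inspected without copying the ID document into the log."""
    return hashlib.sha256(document).hexdigest()


class VerificationLog:
    """Append-only, hash-chained record of KYC verification events."""

    def __init__(self) -> None:
        self.entries = []

    def record(self, client_id: str, checked_by: str, check: str, result: str,
               evidence: Optional[str], at: Optional[str] = None) -> str:
        """Append one event and return its hash. Each entry commits to the previous one."""
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {
            "seq": len(self.entries),
            "at": at or datetime.now(timezone.utc).isoformat(),
            "client_id": client_id,
            "checked_by": checked_by,
            "check": check,          # e.g. "passport_validity", "pep_screening"
            "result": result,        # e.g. "valid", "no_match", "escalated"
            "evidence": evidence,    # content hash of the inspected document, or None
            "prev_hash": prev_hash,
        }
        entry["hash"] = _canonical_hash(entry)  # hash covers every field above
        self.entries.append(entry)
        return entry["hash"]

    def head(self) -> str:
        """Latest hash. Store it outside the log (e.g. in the periodic compliance report):
        the chain alone cannot reveal that the newest entries were deleted."""
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH

    def verify(self) -> Optional[int]:
        """Return the index of the first broken entry, or None if the chain is intact."""
        prev_hash = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if (entry["seq"] != i or body["prev_hash"] != prev_hash
                    or _canonical_hash(body) != entry["hash"]):
                return i
            prev_hash = entry["hash"]
        return None


if __name__ == "__main__":
    log = VerificationLog()
    log.record("client-42", "anna", "passport_validity", "valid",
               evidence_ref(b"constructed passport scan bytes"))
    log.record("client-42", "anna", "pep_screening", "no_match", None)
    print("intact:", log.verify() is None, "head:", log.head())
    log.entries[0]["result"] = "not_checked"   # someone edits the record afterwards
    print("first broken entry:", log.verify())  # 0
```

Because the log stores only the hash of the scanned document, it can be retained as proof that the check took place even after the ID copy itself is deleted under storage limitation; the chain then still shows that the recorded result was not changed after the fact.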
KYC check
A KYC check, "Know Your Customer", is also performed on the basis of the risk assessment and the identified risks.
Depending on the perceived risk, you perform either a regular or an enhanced check. KYC requires obtaining identifying personal data about the client. Typically this includes:
- Name and national identity number (e.g. the Danish CPR number) for an individual, or Legal Entity Identifier (LEI) for a business or organization.
This identifying information needs to be verified via a reliable independent source. That means you need to verify documents and compare them to publicly available information and databases that can validate addresses, passports or names.
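Before the lookup against an independent source, a cheap structural check catches typos and malformed input at intake. The following added example (not the page's or Meo's code) validates a Legal Entity Identifier: an LEI is 20 alphanumeric characters whose last two are ISO 7064 MOD 97-10 check digits (ISO 17442), verified by mapping letters to 10..35 and checking that the resulting number is congruent to 1 modulo 97. The 18-character prefix used in the demo is constructed, not an issued LEI. Passing this check proves only that the string is well-formed; the LEI still has to be looked up in the GLEIF registry and matched against the client's legal name and address.

```python
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _to_numeric(s: str) -> int:
    """ISO 7064 mapping: digits stay as they are, letters become 10..35 (A=10 ... Z=35)."""
    return int("".join(str(ALPHABET.index(c)) for c in s))


def lei_is_well_formed(lei: str) -> bool:
    """Structural check of a 20-character LEI including its MOD 97-10 check digits.

    Accepts lower case and surrounding whitespace (typical form input), rejects anything
    outside 0-9/A-Z, wrong length, non-numeric check digits or a failed checksum.
    """
    lei = lei.strip().upper()
    if len(lei) != 20 or any(c not in ALPHABET for c in lei):
        return False
    if not lei[18:].isdigit():
        return False
    return _to_numeric(lei) % 97 == 1


def lei_check_digits(first18: str) -> str:
    """Compute the two check digits for an 18-character LEI prefix (ISO 7064 MOD 97-10)."""
    first18 = first18.strip().upper()
    if len(first18) != 18 or any(c not in ALPHABET for c in first18):
        raise ValueError("LEI prefix must be 18 alphanumeric characters")
    return f"{98 - _to_numeric(first18 + '00') % 97:02d}"


def intake_lei(raw: str) -> str:
    """Normalise an LEI from a form field; raise if it is not worth sending to the registry."""
    if not lei_is_well_formed(raw):
        raise ValueError("malformed LEI; do not attempt registry lookup")
    return raw.strip().upper()


if __name__ == "__main__":
    prefix = "5493001KJTIIGC8Y1R"            # constructed prefix, not an issued LEI
    lei = prefix + lei_check_digits(prefix)
    print(lei, lei_is_well_formed(lei))       # True
    print(lei_is_well_formed("6" + lei[1:]))  # False: single-character error detected
```

MOD 97-10 detects every single-character substitution and every adjacent transposition, which is the class of errors a manual intake produces; it says nothing about whether the entity exists or matches the client in front of you, which is exactly what the independent-source verification described above is for.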
KYC Check
Describes how the business conducts itself in order to get to know their customers/clients. KYC is an abbreviation for “Know Your Customer.”
AML 6: New requirements coming
All the previous requirements have a common denominator: they require established procedures and verification processes on each individual client. A secure procedure and verification of client relations can only be ensured if there’s sufficient documentation that it took place.
If you don’t follow the rules it can have grave repercussions for your business. Aside from the already comprehensive demands, you can be subject to increased supervision and thus further requirements. This is a field with a massive political and societal interest and scrutiny, which is why it’s just good business to know the rules and be at the forefront.
The latest edition, AML 6, is scheduled to be implemented in all member states by December 3rd 2020 and go into effect for business by June 3rd 2021. With AML 6 multiple elements will be expanded upon with an emphasis on fines and sanctions.
Meo – steer clear of money laundering with our easy and safe AML solution
As you’ve probably noticed, there are a lot of requirements for businesses when it comes to AML and anti-money laundering laws and regulations. Are you on top of your AML procedures and approaches?
If not, Meo can help.
Meo is a software platform that can help you with AML compliance in addition to a number of other services.
With Meo you can:
- Automatically screen clients via PEP-lists
- Verify clients’ ID
- Collect data from official sources regarding businesses and individuals
Information security - Protect your company's data the right way
Importance of Information Security and GDPR Compliance
In general, information security is about properly protecting a company's data, including customer data, personal data and finance. It is important to handle personal data correctly in accordance with the GDPR. Breaches of this can result in severe penalties.
It is essential to secure sensitive data against misuse and other leakage of information. At NewBanking, we have developed a software and digital data management platform that automates compliance with guidelines, rules and legislation, helping you avoid money laundering and GDPR breaches.
We can contribute with risk assessments, examine your KYC status and identify critical points as well as possible optimisation opportunities for this. Our admin tool, NewBanking Identity, helps to digitally verify, monitor and check customers as well as make reports to regulators and risk assessments.
Learn more about what GDPR is on our page and more about information security on GDPR.dk.
Minimize resources spent in your business
With the help of a platform like NewBanking Identity, you can free up resources, as you avoid spending time and staff on handling information security in your company, and can spend your time on more efficient and rewarding areas for your particular industry.
We can also help you with a digital onboarding flow that allows you to easily and securely exchange data across the organisation - safely and securely. This reduces the manual errors that often occur in information security.
In this context, we can tailor exactly the platform and data sources that are necessary and essential for your customer type. This platform can be integrated directly into your website, improving and optimising the user experience for your customers.
Much more than an information security check
At NewBanking, we value being able to offer a complete solution that assists you in everything from the information security mentioned above, but you can also get help with compliance checks, as well as insights into money laundering and handling in these types of cases.
We are a sparring partner on everything that involves the handling of personal data, customer data and the protected exchange of the same.
We work with everything from small companies without KYC management to large companies with greater needs for sparring and additional system integrations. Contact us for a no-obligation conversation about your needs and options.
This is what your business needs to know about anti-money laundering
Here is what you as a company need to know about money laundering
Is your business subject to the Anti-Money Laundering (AML) Directive? Then it’s important to know the fundamentals of money laundering, and why it’s necessary to have local and international anti-money laundering laws and regulations.
In this article you can learn more about money laundering, including:
- What is money laundering?
- How is money laundering committed?
- What does international and European law say about money laundering?
- 4 important terms when it comes to money laundering
- Guide to anti-money laundering checks
- How the NewBanking platform ensures that your company is 100% AML-compliant at all times.
Read more about the platform here or contact us to hear more about how we can help your company with KYC compliance.
What is money laundering?
Money laundering is predominantly about making illegal means – black money – legal. That means cloaking the financial gains from criminal activities and using them with legal vendors and in broader society. The black money can, for example, originate from dealing illegal substances or weapons, tax evasion and much more.
White washing
All activities that help criminals obfuscate, conceal, or transform black money into legal tender (which can be documented and used legally) are called white washing or money laundering.
How is money laundering committed?
There are many ways to launder money. Below is an example of how it could transpire:
- A drug dealer has sold illegal substances for 25,000 EUR and now has a lot of black money in his possession.
- The drug dealer finds a used car that’s privately for sale for 75,000 EUR. He offers to buy the car for the full amount – in exchange for paying partially in cash.
- The drug dealer goes to the bank and gets a loan, where he explains he’s buying a car for the price of 50,000 EUR.
- The bank grants the loan and transfers 50,000 EUR directly to the seller, but the drug dealer pays him 25,000 EUR in cash.
- The drug dealer now sells the car to a third party for 75,000 EUR, which is transferred directly to his bank account. He can now document that the money originates from the sale of the car. He pays off his loan to the bank.
- Now the 25,000 EUR have been laundered, as they seem to be payment for a simple car sale.
In principle, money laundering can also be achieved through registered car dealers as a go-between. The drug dealer can have straw men buy and sell cars, boats, art, property, and other physical items to white wash the black money.
What does the law and regulations say about money laundering?
In the EU all financial businesses are subject to and regulated by the Anti-Money Laundering (AML) Directive.
Its full official title is: "Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing" (read it in full here). The directive exists to hinder criminals from being able to earn money from illegal activities which can then be used legally or to finance terrorism.
It’s important to combat money laundering because this type of crime makes it difficult for law enforcement to discover criminal acts. By stopping the laundering of illegal money you simultaneously prevent other forms of financial crime, as the perpetrators will have a more difficult time spending or storing their ill-gotten gains. Furthermore, the Anti-Money Laundering Directive also exists to prevent opportunities for financing terror acts and organizations. Most European countries have local laws and regulations based on the EU directive, which is continuously being formed and developed by the European Parliament. At the present time, the EU has developed six different directives (AML1-6) for the prevention of money laundering.
A number of different business fields and sectors are legally obliged to conduct themselves in accordance with anti-money laundering regulations. Here’s a brief overview:
- Lawyers
- Auditors and external accountants
- Real estate agents
- Landlords
- Financial companies
- Service providers
Read more about the Danish Anti-Money Laundering Directive (Hvidvaskloven).
4 important terms when it comes to money laundering
There are quite a few technical, legal and other terms or abbreviations regarding money laundering. The four most important ones to know are:
1. CDD - Customer Due Diligence
Customer Due Diligence (CDD) is a cornerstone of businesses’ anti-money laundering initiatives and procedures. The term covers all actions undertaken by companies to verify the identity of their clients or customers, as well as perform background checks and risk evaluations. Companies and organizations subject to anti-money laundering laws and regulations are required to perform risk assessments, wherein they – on a client-to-client basis – assess the risk of the client being used or using the business for money laundering or the financing of terrorism. Read more about CDD and risk assessment.
2. KYC - Know Your Customer
There are many reasons for why it’s important for businesses to “know their customers.” Among them is – in relation to CDD – evaluating whether or not they are a risk for the business. KYC-screening or verification is a process in which the business identifies or verifies the identity of their customers and clients. In other words, they get to know their customer. This can be achieved by gathering personal information and identification data about the customer or client, which needs to be verified. Read more about KYC (Know Your Customer).
3. PEP - Politically Exposed Person
A PEP, or Politically Exposed Person, is a strictly defined category of people, who – on the basis of their political position or power – are considered to be customers that are at greater risk of being subject to money laundering or other criminal activities. The concern is that they - because of their position - can be exposed to blackmail, bribes or otherwise (both willingly and coerced) can be embroiled in money laundering. Read more about PEP and PEP-lists.
4. AML - Anti-Money Laundering
AML is an abbreviation for “anti-money laundering”. The term refers to a broad swath of laws, regulations, directives and procedures that exist to prohibit or stop the laundering of illegal money.
Guide to anti-money laundering checks
Businesses in the affected sectors have to constantly adapt to a plethora of laws, directives and regulations. Most of these require or encourage specific forms of anti-money laundering checks.
With AML 5, which was implemented in January of 2020, a number of changes were introduced, including a transition to a risk-dependent approach to precautionary measures regarding anti-money laundering. The new approach demands more of the businesses’ ability to assess their customers or client relationships.
Roughly speaking, businesses need to assess the risk that they’re being misused for money laundering or the financing of terrorism. One of the central and foundational concepts is the creation of risk assessments, policies and business procedures, as well as the underlying control and evaluation that ensures overall compliance.
Read more about the Danish Anti-Money Laundering Directive (Hvidvaskloven - Download PDF).
Meo – steer clear of money laundering with our intelligent platform
We hope you now have a clearer understanding of money laundering, and that we have given you an insight into what your business needs to be aware of to be AML-compliant. Do you have a clear standard for your processes, data handling and the verification of new clients?
If not, Meo can help.
Meo is a Danish company and software platform that helps businesses with their data security, onboarding and overall compliance.
With Meo you can:
- Automatically screen clients via PEP lists
- Verify clients’ ID
- Collect data from official sources regarding businesses and individuals
Sensitive personal information - Get the right tools to handle it
Understanding Sensitive Personal Information and its Pitfalls
What is sensitive personal information and how do you become aware of pitfalls in this area? When dealing with this type of information and the handling of the same, it is first important to know the difference between general personal data and personal sensitive information.
The former is information that can be traced back to a specific person, which can be any information that can identify him or her in context. This can be anything from a picture, name, address, medical records, social security number, fingerprints, age, education, etc.
In contrast, sensitive personal data is data that a company, according to data protection law, must be extremely careful about handling. This information includes the following:
- Political beliefs
- Ethnicity and race
- Religious beliefs
- Trade union membership
- Genetic data
- Data of a biometric nature for identification purposes
- Health information
- Sexual orientation or relationship
If you would like further information and clarification, you can read more about this on Datatilsynet.dk. Here you can also find information on legislation and paragraphs related to the subject.
Get help for correct handling from Meo
At Meo, we help with efficient handling of sensitive personal information. Our primary task is to ensure that your company and associated customers can exchange and work with sensitive personal information confidentially and legally.
We help ensure control over this information and store it in a protected and central location so that there is full control over its handling. We can help with risk assessments, ongoing monitoring, follow-ups, reports and much more.
Meo is a Danish RegTech company whose identity platform and software, also called Meo, covers customer data management.
You are always welcome to contact us regarding questions on what is personal data or our platform and services in relation to compliance and KYC processes. We are available to have a no-obligation chat about how you can streamline processes and thus free up time and resources in your daily KYC work.
3 insights to why your onboarding is not performing
Too long, too personal
According to recent research, 68% of consumers abandoned an application for a financial service in 2021, a 3% rise since 2020 and a huge missed business opportunity. Not surprisingly, the two key reasons were the longer-than-expected application process and the amount of personal information requested.
Bad UX in onboarding is still a major pain
While a bit of friction is necessary in industries providing services where consumers have personal finances or delicate information at stake, too much friction is detrimental to successful onboarding.
Meo partners with e-Boks
Our new partnership with e-Boks results in a safer and more seamless user experience than ever seen before within KYC.
The solution meets companies’ growing need for access to data, now requested through the most trusted digital postbox, allowing customers to share data through a platform that they are familiar with and comfortable using.
Frontrunners in the KYC space are dedicating resources to improve onboarding flows and make them more similar to UX leaders like Apple, Amazon etc., while adding just the right amount of friction to induce trust.
Increased scepticism towards data requests
Consumers can be fickle. While increased public attention to GDPR has raised consumers’ expectations of regulatory compliance, they still want to share as little personal information as possible.
Research shows that consumers have become increasingly sceptical due to fear of data breaches. Thus, to cater to the digitally enlightened consumer, factors such as data privacy, data transparency and data control are powerful generators of trust in a company or brand.
Where to begin?
As indicated by the data above, speed, UX, data volume and trust are major arenas for battle when it comes to improving onboarding and winning customers. While regulation may prohibit you from reducing the amount of personal information you request, there is a lot to be done in how and where you ask for information. Tuning in on those factors can potentially be a game changer to ensure your customers complete onboarding.
To mend the trust gap and make onboarding and KYC simpler for consumers, we are partnering with e-Boks, the most trusted digital postbox in Denmark. Our customers can now deliver data requests through a provider that consumers already know, use and trust with their data. With conversion rates of up to 98% on data requests in e-Boks, completing onboarding feels both more familiar and safer.
What is a declaration of consent? - When is it necessary?
Its Purpose, Process, and Necessity
Are you wondering what a declaration of consent is? In this article, we answer what it is, how it is filled in and why it may be necessary. It is a written document that is created when consent or permission must be given for a specific action.
More specifically, it is used in contexts such as travel with children and professional consent in private collaborations, both within and outside the legal framework. It can, therefore, also be a written agreement on how an external company manages data security in another company, and so on.
What does such a statement entail?
A declaration of consent is a written agreement that covers a wide range of issues and situations. But generally speaking, there is always one party giving permission to another party to perform a particular action.
Among other things, the consent form involves:
- Identifiable descriptions of all parties
- The time period of the consent
- What is consented to - the object in question
- How the consent itself is to be used
- What a possible cancellation or revocation looks like
Which parties are involved in this document?
When filling in a declaration of consent, there are always several parties present: the "giving" party and the opposite party to whom the consent is given. The descriptions and information in such a statement must be referable, which means that they must identify the parties.
The essence of this agreement and permission is that the giving party must give consent voluntarily, regardless of the context. There are also some points and areas which must always be complied with and completed.
Understand what is a declaration of consent and what the points are
It can be beneficial to have a declaration of consent template that a company or individual uses in situations where consent is required.
- Descriptions of the parties should include the full names of all parties and contact details provided, together with any social security or company registration numbers.
- The time period must be clearly defined. This gives an indication of when and for how long it may be used.
- What is consented to is the most essential, as it implies the object. It can be the given data used in the collaboration, the certificate used, the person, the company or whatever this may be.
- How the consent and this declaration of consent are to be used is in several places a more optional point. However, if a company wants this point included, the purpose of the act can be described.
- How to withdraw consent may be a beneficial area to cover in the event that parties disagree or rules are broken for the consent form in place.
Reduce risks with digital data management platform
At Meo, we work with data security through a digital platform. Therefore, in addition to being able to introduce you to what is a declaration of consent, we can also assist with digital help to handle everything from verification, monitoring, checking of customers - current as well as new.
We automate time-consuming KYC procedures, creating more time for your work and reducing the possibility of errors.
Due diligence - Understanding what this type of process means
What does due diligence mean?
Due diligence means, in short, a thorough investigation. This process involves a careful review of various elements related to drawing up or designing a contract regarding a change of ownership of a company.
It is necessary in this context to closely examine the assets that the company has and generally their financial status. Therefore, the following elements are often investigated:
- The financial statements
- Management
- Marketing
- Tax situation
- Contracts and rights of an intellectual nature
However, the investigation varies depending on the purpose of the change of ownership and the specific industry. Which information is crucial can vary depending on the purpose of the investigation. It can be advantageous to use professional tools such as relevant platforms for this due diligence process.
This is how it works in practice
How this process works in practice can vary, but often the company's assets and areas are divided into groups and phases, and each area and phase is then investigated step by step.
First and foremost, a preliminary investigation of the company can provide insight into whether there are any parameters that generally prevent the agreement and the change of ownership from being completed. This preliminary investigation can, therefore, also put a natural hold on the subsequent due diligence investigation if some areas are inadequate.
The next step in a due diligence process is to collect data on the company. This data can cover the aforementioned areas, which are analyzed and interpreted thoroughly and with care.
Finally, a report is prepared that outlines areas where there may be issues. This is done with a view to the further negotiation of the contract or potential termination of the negotiation.
Who are we at Meo?
At Meo, we work on streamlining KYC procedures and digital data management systems, which includes our software solution: Meo Identity. We specialize in streamlining processes with clients, as well as ensuring the best possible handling of data.
We automate verifications, check and monitor current and future customers, as well as perform risk assessments.
We make it possible for your company to share data internally and with customers, quickly and efficiently, without worrying about sensitive personal data or other security measures.
In addition to knowledge about due diligence, you can read much more on our site about areas such as money laundering and AML, as well as PEP lists and data security. We help companies with a compliance check to investigate where you can optimize and need updates.
What is compliance?
What is compliance - Get answers and take a non-binding check up
Let us help you understand "what is compliance" and why regular compliance check ups are important. We conduct non-binding surveys and check ups of your KYC processes, where we provide an overview of the efforts and procedures you can optimise and how.
At Meo, we treat your data and responses confidentially and securely, in order for you to receive a compliance check up with peace of mind. But allow us to introduce Meo and our identity, as well as put you in the picture of what compliance is.
What is meant by a compliance check up?
When talking about a compliance check up, we mean an examination of whether rules, legislation and guidelines are being adhered to in the respective processes. This applies to processes in connection to customers as well as internally.
In the same process, the term KYC compliance is used. KYC is an abbreviation of Know Your Customer, and the term therefore covers the legislation and guidelines on knowing your customers and what you need to be aware of. The term is used in financial contexts.
These concepts and efforts have been created to safeguard customers against corruption, money laundering, fraud and other types of financial abuses.
The purpose of conducting these check ups, and gaining knowledge on what constitutes compliance, is to avoid pitfalls that can, in the worst case, lead to sanctions if you violate laws, guidelines or other regulations.
Who is Meo?
We are a RegTech company located in Denmark, working on platforms for the benefit of secure customer data handling.
At Meo, we offer complete solutions through software to automate customer verification, checks, monitoring as well as risk assessments and onboarding flows allowing you to save resources.
We help save you time on cumbersome processes that are essential to avoid breaches of legislation, regulations or guidelines. By automating or streamlining processes and gaining a deep understanding of "what is compliance", we can ensure that everyday life is easier and more manageable for both you and your clients.
So spend time wisely on other processes and streamline your efforts while ensuring your data exchange is secure and confidential.
A platform that matches the needs of many law firms
Other law firms should follow suit
In April 2019, the law firm Bech-Bruun was searching for a platform to assist them in complying with the growing legislation and documentation requirements concerning KYC and GDPR. Bech-Bruun also needed to find a proper way to handle the personal information of their clients and employees. The choice fell on the Meo platform, which is gaining traction with a growing number of law firms.
“We needed to carry out a systematic collection of KYC documentation while meeting all our obligations with GDPR. Therefore, we searched for a system to handle these procedures. The alternative was to develop a system ourselves, but the Meo platform checked off the vast majority of our boxes. Furthermore, they were very accommodating to our specific wishes and needs. This is why we chose them.” says Martin Riber Povlsen, CFO and Head of Compliance at Bech-Bruun.
At Bech-Bruun, a total of 11 employees are currently working to ensure that the law firm is compliant with the legislation within KYC (Know Your Customer) and GDPR (General Data Protection Regulation).
Commonly, correct data handling is a responsibility allocated across multiple units within the organisation, but Bech-Bruun has insourced everything to be handled by a designated Compliance Department. However, this does not change their preference for the platform. The Meo platform has become a natural part of the working day ranking alongside Word and Excel.
“We use the platform for all our obligations within KYC, and we are already active with thousands of identities on the platform. As a result, we provide all our customers with a uniform process for obtaining and storing documentation in a legally correct manner. Additionally, the processes of verifying the validity of passports and driver’s licenses are now automated.” says Martin Riber Povlsen and continues:
“If we did not have these compliance processes governed by a suitable platform, we would either struggle to deliver our service, or we would have to spend many hours solving the tasks manually. As a law firm, it is important to ensure our clients’ correct onboarding and advise clients according to the current KYC and GDPR procedures.”
Legaltech shoots ahead
The requirements are the same for all law firms regarding KYC compliant client onboarding and GDPR compliant storing of personal data. Therefore, Bech-Bruun believes it will be beneficial for law firms and their clients to use the same platform.
“It will be easier for everyone if the clients get accustomed to a shared platform for uploading documentation of different kinds - also when sharing data between the law firms”, says Martin Riber Povlsen.
According to Christian Visti Larsen, CEO and co-founder of Meo, the entire LegalTech industry is in rapid development, and with good reason:
“The law industry has seen how new technology has meant major changes in other industries, and now, due to strict KYC and GDPR legislation, changes to how law firms operate are inevitable. Moreover, many have realised that smart IT platforms can do more than only ensure cost savings in their administrative work. The technology can also be a source of income when used to service their clients. There is a huge market for law firms with access to systems and know-how that makes a difference for the clients.” says Christian Visti Larsen, who has already seen several examples of this in the law industry.
Christian Visti Larsen frames Meo as a platform that complements the law firms’ existing systems when handling client cases. “Usually, there is a law firm represented on both sides of a lawsuit, and therefore, it is a great advantage for all parties if they can use a shared platform”, he explains.
Keeps track of criminal records
In addition to using the platform to handle client information, Bech-Bruun also uses it to support other administrative tasks, such as responsibly reviewing employees’ criminal records.
Martin Riber Povlsen credits Meo for being very attentive to the needs of Bech-Bruun in the continued development of the platform. Consequently, Bech-Bruun now has a platform that matches the needs of their business and the needs of many other law firms.
“The platform automates and systematises processes, which are easy to document in case of an audit. Instead of developing a system of our own, we now have a platform that automatically evolves with our needs. This makes us very satisfied,” says Martin Riber Povlsen.
DPO - What is a Data Protection Officer and Data Security?
What is a DPO?
What is a DPO? The term is an abbreviation of Data Protection Officer. This person or company carries out tasks in a company such as data security checks, including checks of compliance with the GDPR.
Public authorities and bodies must have a DPO, Data Protection Officer, who carries out these tasks. This DPO must also advise the data controller of the specific body. It is a legal obligation for these authorities and bodies to have a data protection officer appointed, which may also be the case for several companies.
You can read much more about GDPR, the Personal Data Act, the Data Protection Act and the difference between them in our articles on this page. Where and for how long can a company keep personal data? Who is covered by the GDPR? These are questions that a DPO, Data Protection Officer, can help answer.
A Data Protection Officer will often act as a liaison between the Data Protection Authority and the data controller in the company. In addition, a company's DPO must be independent and external, and must not receive instructions on the selection of tasks.
How does Meo work with data security?
At Meo we can help you with the secure transfer of information to and from customers, as well as a software system that acts as an administration tool for the verification, checking and monitoring of current and prospective customers, as well as for tailored risk assessments.
This system, Meo Identity, helps you and your DPO to check and manage data correctly, and its automation of data management supports your compliance with GDPR, helping you avoid penalties in the form of fines or similar.
We are ISO 27001 certified and GDPR and AML compliant, which means we are internationally approved and certified in information security and data handling.
Manage your data securely with a DPO, Data Protection Officer
It is essential to work correctly with data, as there may be major penalties for violations of, among others, GDPR, the General Data Protection Regulation. With an automated system, not only can you free up resources from semi-manual processes, but you also ensure control and reduce risk.
A Data Protection Officer will, by advising on a company's data security, look into the handling and guide employees to the extent that potential knowledge about data security, GDPR and the exchange of data with customers or clients is lacking.
This advisor may therefore also provide guidance or recommend useful applications or IT systems that may be relevant for maintaining data security.
Let us help make your client management transparent and secure, so that all processes take place under legal conditions.