Identification
FinTechs belonging to this category provide identification services, which are required for most banking services.

Introduction

Attitude of the country towards identification services

Several business collaborations have been entered into between well-established banks and FinTechs, providing streamlined “identity-as-a-service” for financial services businesses.

Banks benefit from FinTechs’ digital expertise to assist with their KYC requirements, and consumers benefit from a user-friendly experience. Demand has grown, particularly because many bank branches have closed and because of Covid restrictions, both of which have reduced the ability of customers to attend branches and verify their identity in person. The increase in online banking has led to consumer demand for easier and secure ways to identify themselves via mobile phone apps. Data privacy and protection and cyber security will remain key factors in the growth of this market.

Legal affairs

Obligations and requirements to provide identification services

Whilst identification services are not specifically regulated in the UK, and no licence is required, identification service providers must process personal data in accordance with the GDPR and UK Data Protection Act 2018. Compliance is overseen by the Information Commissioner’s Office. FinTech firms that control data must consider:

  • Personal data can only be processed in a lawful manner, for certain specific reasons – particularly with regard to biometric data.
  • Data controllers, as defined under the GDPR, must set out compliance and other data control requirements.
  • Safeguards are required where significant decisions are based on automated data processing.
  • There are restrictions on the transfer of data outside of the UK and EEA.
  • Data subjects have rights, including the right for individuals to be provided with data being held that relate to them, and the right to know if automated decision making is used.

FinTech firms must also maintain data security measures that meet the UK’s cyber security requirements. The UK does not have a single cybersecurity law, but rather a patchwork of cyber security, privacy and national security legislation which will apply in various circumstances. Generally, FinTech firms must:

  • Meet the requirements of the FCA and PRA in relation to management of risks and controls, business continuity, and outsourcing.
  • Have appropriate data security measures in place relating to backing up data and the processing of personal data. 
  • Notify the ICO in the event of a material cyber breach.

Firms must also comply with the UK’s anti-money laundering laws, including the Proceeds of Crime Act 2002 (“POCA”) and the MLRs. These create reporting obligations if a firm suspects money laundering. Firms must maintain good systems and controls for identifying and dealing with money laundering risk, regularly assess those systems, and provide training to staff (amongst other obligations).

Additional comments regarding the legal situation for identification services or what FinTechs must be aware of in this business area

The Network and Information Systems Regulations 2018 (SI 2018/506) (NIS Regulations) transpose the requirements of the Network and Information Security Directive ((EU) 2016/1148) (Cybersecurity Directive) into UK law. They impose various cybersecurity and incident reporting obligations on two distinct classes of operators:

  • Relevant digital service providers (“RDSPs”).
  • Operators of essential services that operate in specific sectors and meet threshold operating re
