Know Your Customer Standards and Privacy Recommendations for Cash Transfers
This report reviews how Know Your Customer (KYC) standards – rules designed to combat criminal money laundering and terrorism financing – are applied in humanitarian cash programs. It examines the practices of aid agencies and their processing of the personal information of aid beneficiaries for KYC purposes, and it assesses the privacy implications of that processing. The report's recommendations and guidelines on the application of KYC rules and data privacy measures in humanitarian cash programs are listed below.
With respect to the application of KYC standards to humanitarian cash programs, the report recommends that aid agencies consider the following:
- Creating specific humanitarian KYC standards, in collaboration with governments and international organizations.
- Ensuring that aid agencies, rather than beneficiaries, are treated as customers by service providers for KYC purposes.
- Developing simplified KYC forms for humanitarian purposes.
- Limiting the disclosure of information of refugee beneficiaries.
- Leveraging their status as NGOs when negotiating contracts with service providers.
With respect to the data privacy practices of aid agencies in humanitarian cash programs, the report recommends that aid agencies consider the following:
- Explicitly incorporating personal information protection principles into humanitarian KYC guidelines.
- Creating privacy policies specifically to govern beneficiary personal information.
- Eliminating the use of personal information collected for KYC compliance for other, secondary purposes.
- Basing beneficiary privacy policies on the principle of notice rather than the principle of consent.
- Endorsing the principle of data minimization.
- Providing beneficiaries with a personal information protection framework and not merely the confidentiality of information.
- Requiring alternatives to biometric information collection where possible.
- Implementing strict safeguards for collected biometric information.
- Postponing inter-agency personal information sharing until such time that robust data privacy practices are in place.
- Deferring Big Data analytic initiatives until a proper Threat Risk Assessment (TRA) and Privacy Impact Assessment (PIA) are completed.