Gift deposit evidence and GDPR rules

ItsComingRome

JackieEllis said:

MaryNB said:

JackieEllis said:

MWT said:

JackieEllis said:

I've been reading up a little on GDPR and that this can fall under lawful basis of legitimate interest when the official organisation (the bank) can process the data for money laundering reasons (fulfilling a legal obligation - recital 45).

I've come to this after researching myself but would rather there be official advice or somewhere clearly stating this rather than me trying to reassure the donor from my own assumption.

You will struggle to find support for that approach as the reason for the information being processed has nothing to do with the business/professional activities that caused the data to be acquired in the first place.

If for example this was an application for a business loan then it might fly, but to support a gifted deposit to a close relative isn't going to be sufficient I suspect...

I would follow the line ACG suggests and ask if redacting the PII only (name) would be acceptable to the lender.

I see, so legitimate interest still needs to link back to the original reason for obtaining data. 

Okay.. Trying (underlined) to get hold of Nationwide again (through broker).

This is so tough! I'm livid that this is even an issue that doesn't have a resolve. To be honest (thinking about an earlier comment from ItsComingRome - the bank would still want to have seen the origin of the money regardless if it was a separate account from business to current. The moneys origin would still need to be located from the start, the way they're looking into it.

JackieEllis said:

ItsComingRome said:

JackieEllis said:

We are applying for a mortgage, FTB with Nationwide. We are submitting with a gifted deposit and they have asked for proof of funds from the donors via bank statements - all good. Except - the donor is a psychotherapist and has client details on the bank statement. He's blurred these out as GDPR dictates that he cannot share these details. Nationwide are refusing the evidence currently, so we've hit a stalemate. I'm waiting to hear back from Nationwide BD's, but last week they flatly refused and offered no work around. We can't be the only people submitting bank statements with sensitive client info on? How are other people managing to stay GDPR compliant while submitting bank statements? It doesn't matter how safe and confidential the bank is, the act of sharing the details is breach of GDPR - unless we're missing something?

The solution would be to not transfer deposits from business accounts (or not use a personal account for business purposes.)

That would be find if we had months to play with to allow accounts to settle, but this is for a mortgage application now and the money has been transferred.

There's no hard and fast time limit for accounts to "settle". Some say 6 months as a rule of thumb but that's not the actual rule. A solicitor has to be comfortable that the source of the funds is legitimate. They'll judge how far back they need to go. If money was gradually going into an account (e.g. from a salary) they probably wouldn't go back to far if it is easy to see somebody has been in long term employment and it makes sense for them to have that much money, a lump sum however would be more suspicious. 

My solicitor was very thorough with the gifted deposit I received. My mother provided 6 months of her current account with a salary coming in, that was fine. My father sent my solicitor a state savngs account going back two years but they still asked for more because it was just a lump sum, he had to get a letter from his employer showing it was a payout at retirement 7 years previously. That's probably an exception but still, I wasn't limited to a few months. Ultimately, if the solicitor isn't happy to sign off on it, it cannot be used, it's their judgment call. 

Thank you. We haven't even got it to the solicitor yet, our broker is still building our mortgage case to even apply for it for Nationwide. This is Nationwide's request and initial refusal for deposit evidence and they've asked for the last 3 months, I imagine (without having seen it first hand) the money trickles in as individual clients pay. Hopefully I should hear something today!

If it's early days you may want your broker to start looking at alternatives.

And whoever is gifting you the money needs to sort out their finances.  Either they're keeping personal money in their business account (which can make things difficult if the taxman comes sniffing) or they're using a personal account for business (which will be a breach of the accounts T&C's and could come back to bite them at the most inconvenient time.)

Either way, mixing your business and personal affairs is rarely a good thing, not just when you want to make a gifted deposit.

Thrugelmir

JackieEllis said:

We can't be the only people submitting bank statements with sensitive client info on? 

Always been the case that sensible housekeeping dictates that business and personal banking is kept seperate for a whole variety of reasons.  Given that the lender is seeking confirmation of the source of funds. Redacting the source of credits on a bank statement simply raises everyones guard. Easier to simply say no that get involved in any further discussion on the matter. 

What client sensitive data is visible anyway?  Names in themselves are meaningless and of no interest to those viewing the statements. 

ACG

JackieEllis said:

ACG said:

Is the donor taking out the full line or just the clients name.
For example, when we get paid by customers we ask them to put their name in the reference. Some people just put their surname, could the donor leave the full line unredacted bar the persons name? Also under GDPR, how much of the persons name is actually showing? If it is just their surname for example, that is not enough to be able to identify the person and so should not fall foul of GDPR anyway, unless the person is the only person in the country with that surname. 

Also, money laundering rules trump GDPR. However, I think this is a very grey area and if I was the donor I would not be risking my license for it. 

If Nationwide will not back down and/or you can not find a way that works. You need a new lender. 

I'm not sure how much exactly they left showing on the statement, I'd imagine the amount was left, but not sure how much else.

I've been reading up a little on GDPR and that this can fall under lawful basis of legitimate interest when the official organisation (the bank) can process the data for money laundering reasons (fulfilling a legal obligation - recital 45).

I've come to this after researching myself but would rather there be official advice or somewhere clearly stating this rather than me trying to reassure the donor from my own assumption.

You wont get this as it is intentionally left vague because there are laws and rules which will supersede it but not in every event - as you can see with your situation. 

Personally, I think the statement can be provided as "patient john smith" is not enough to identify someone. If it was "John Smith, High Street London" I think that would be a very different story. But the donor has to satisfy themselves they are not breaking any laws. I can understand their concerns but I think this is where a lack of knowledge on the donors behalf and potentially a lack of common sense on nationwide are causing the problems. 

But I would like to think if you went back to nationwide and said you will leave the transaction description in there bar the actual name, they would be open to that. 

dunstonh

We can't be the only people submitting bank statements with sensitive client info on?

The key to GDPR is identifiable data.  A surname on a bank statement is not identifiable information.   

Banks, building societies and regulated financial companies are considered safe institutions to hold data.  After all, the bank that produces the statements knows the information.  So, why not banks that are required to comply with AML requirements?

 It doesn't matter how safe and confidential the bank is, the act of sharing the details is breach of GDPR - unless we're missing something?

Sharing details is not a breach in respect of AML checks.   It is also not a breach when shared with permission. i.e. person gives an unredacted statement to the bank.

user1977

What exactly is his concern? If he's content for his own bank to "know" the info on his account, what different does he think the Nationwide is going to do with it? 

amnblog

Nationwide are looking to put on file the source of the funds. The funds have come  from your Donor but from an account that has other funds feeding into it.

So where have the other funds come from? If lines are redacted the Lender cannot answer this point. For all they know there could be several redacted deposits from the same source that you wish to conceal.

Your Donor is going to need to concede here, or produce the funds from another account.

Researching the legal requirements is a waste of time as Nationwide are not about to change their policy in time to assist you even if you could prove they could and stay within the Law.

MWT

dunstonh said:

Sharing details is not a breach in respect of AML checks.   It is also not a breach when shared with permission. i.e. person gives an unredacted statement to the bank.

The permission that is required here is the person named, not the holder of the bank statement...

The GDPR rules are framed intentionally loosely and for various reasons I've had to spend a lot of time listening to very expensive lawyers giving advice on this over the last couple of years and it all boils down to making sure you have a contractual basis for storing/processing/sharing the data.

Even a name alone without any other data can be considered PII if it is unique enough, there are no certainties on this stuff, hence the advice to always have a contractual basis in place.

Who knows if the business/ professional practice involved here is even vaguely GDPR compliant in the first place, the mixed personal/professional banking might suggest not, but if it is, then the client contract will have secured the right to hold and where necessary share the data for certain purposes which would include KYC/AML checks but most likely only in relation to the practice, not their personal needs.

aoleks

there's a misunderstanding about what GDPR means and does. sharing personal data is not prohibited, it simply required a good reason (a legal basis) and some measures in place that reduce any potential risk to those involved. the bank has a legitimate reason to access this information, hence it's not an issue with the bank, but your donor...