Netvora logo
Submit Startup Subscribe
Home About Contact Submit Startup Subscribe

Banks Must Delete Customer Data After Five Years, Financial Watchdog Rules

Comment

Banks Must Delete Customer Data After Five Years, Financial Watchdog Rules

Netvora May 28, 2025 at 12:40 PM Security
Banks Must Delete Customer Data After Five Years, Financial Watchdog Rules

Banks Must Delete Customer Data After Five Years, Financial Watchdog Rules

By Netvora Tech News

The Financial Markets Authority (Kifid) has ruled that banks must delete customer data collected under the Anti-Money Laundering and Terrorism Financing Act (Wwft) after five years. This decision was made in a case involving two ING customers.

Banks Required to Conduct Customer Research

Banks are required to conduct customer research under the Wwft and report unusual payment transactions. If a bank is unable to complete the research, it must terminate the customer relationship. In this case, ING asked the customers questions about payments to third parties, but the customers did not provide sufficient clarity about these transactions, leaving the bank with doubts that were not alleviated.

As a result, the bank announced that it would terminate the customer relationship because it was unable to complete the research. Additionally, the bank had stored the customers' personal data in the Incidentenregister (IVR) for eight years. The IVR is a black list within the bank that is only accessible to bank employees. A registration in the IVR typically only has consequences for the customer's relationship with the bank.

Kifid Rules on Data Retention

The Kifid has ruled that the customers did not cooperate sufficiently and therefore the bank was unable to complete the research and terminate the customer relationship. With regard to the duration of the registration, the Kifid has determined that it cannot be longer than five years. The Wwft requires that data obtained through mandatory customer research be stored for five years and immediately destroyed after that period.

The bank must shorten the registration period of the customers' personal data in the internal warning registers from eight to five years, according to the Kifid.

  • The Wwft requires banks to conduct customer research and report unusual payment transactions.
  • If a bank is unable to complete the research, it must terminate the customer relationship.
  • Banks must store customer data collected under the Wwft for five years and then delete it.

Comments (0)

Leave a comment

Back to homepage

You might also like