SPECIAL/TR use case

From Data Privacy Vocabularies and Controls Community Group

Use-Case Overview

Thomson Reuters Org ID is an end-to-end client identity and verification service that provides a complete legal entity due diligence and document management service through which financial institutions and their end clients (asset managers, hedge funds, correspondent banks and corporates) can more effectively manage their response to new KYC regulatory requirements (cf. SPECIAL Deliverable 1.1 and SPECIAL Deliverable 1.5).

1. Categories of personal data involved

Note: this concerns legal entities, not necessarily natural persons: "Org ID only collects data as far as is required to confirm and verify the ownership and control of the legal entities we undertake KYC on. This is in line with international and national Anti-Money Laundering (AML) laws and regulations. The level and volume of documents/data collected is in line with the risk level at which the legal entity is assessed, typically Low, Medium or High." The standard data required are:

  • name
  • date of birth
  • country of residence
  • domestic address

There are, however, a number of jurisdictions that require additional data, such as:

  • former name
  • marital status

Examples of documents (copies) collected are:

  • Passports
  • Government issued ID cards
  • Birth Certificate
  • Driver’s license
  • Bank Statements (Note: Used for proof of residential address)
  • Utility bills (Note: Used for proof of residential address)

Screening data ... Screening results will contain heightened-risk information about individuals and organisations; examples are listed below:

  • PEP status (Politically exposed person)
  • Sanctions
  • Adverse / Negative media
  • PII and private data such as date of birth, country of birth and residence, as well as employment details

The data referring to individuals are:

  • demographic data (name, date of birth, country of residence, domestic address), associated to evidence such as (copies of) passports, government issued ID cards, birth certificates, driver’s licenses, bank statements, and utility bills, which may carry further personal information (place of birth, parents’ names, etc.);
  • negative/adverse media about UBOs, SMOs, Controlling Owners;
  • source of funds and employment details for the same individuals.

The possible sources of demographic data are:

  • outreach (which results in the data subject disclosing some of the above documents and giving consent to produce the screening reports and share them with the specified FI);
  • public sources (e.g. public administration, media).

Negative/adverse media are clearly gathered from public sources. Sources of funds are normally gathered from public sources, but they may be collected via outreach if needed. It should be verified whether the GDPR also requires explicit consent from the data subjects for collecting and processing such public information.

For more details, cf. SPECIAL Deliverable 1.5.

2. Purposes for personal data handling

The main purpose is carrying out the KYC process in accordance with the Anti-Money Laundering laws and regulations. The KYC process is meant to produce a risk assessment report about a legal entity that may be supported by evidence regarding related individuals (UBOs, SMOs, Controlling owners).

  • Proof of legal name
  • Proof of legal address
  • Proof of listing
  • Proof of regulations
  • Proof of formation
  • Screening/Risk Assessment

3. Different kinds of processing of personal data involved

  • Screening (e.g. public sources)
    • We screen entities and identify risk flags
    • We source legal entity documents in over 168 countries and 60 languages
    • We provide on-going monitoring and refresh of end client profiles.
    • We link data in the following way. If we are screening a Senior Management Official and we gather from public sources his or her age / location, our analyst will use that information to fine-tune the results of the screening application, to help add accuracy. We do not do ad-hoc research and only use approved sources when collecting data for processing.
    • Data contained within Org ID is segregated from other internal sources/systems and is only tagged with identifiers for content sources and matching (i.e. Thomson Reuters Perm ID).
  • Outreach/Correspondence

4. Data subjects, Controllers, Processors, and Recipients involved

  • TR
  • Customers

We share the following types of information with Financial Institutions which are part of a Profile Report:

  • Public information about an end client without getting consent.
  • Screening results about an end client without getting consent.
  • Non-public information with consent.

We share the following types of information with End Clients:

  • Attestation report to confirm validity of data collection (Note: only applicable to South Africa at present)

Note: We do not share the due diligence level, the results of screening or any risk flags with the End Client.

Exceptions

There are a few exceptions to the standard sharing processes defined above, which are listed below:

  • Regulatory requests (i.e. FCA, etc.)
  • Law enforcement requests (i.e. National Crime Agency of UK, etc.)
  • Related party requests (i.e. data subject)

Note: The data provided for these exception cases will vary depending on the circumstances.

5. Storage & security aspects

Storage Locations

Org ID data is primarily stored within a centralised BPM system which is governed with strict security controls and standards for housing strictly confidential data. All strictly confidential data is hosted within data centers in the UK and can be found in the following locations:

  • Database - Data fields within Database Schema / Data Model used to store End Client data.
  • Document Repository - Files on file server used to store Proofs which may contain strictly confidential data.
  • Export folder - Files on file server used to store Profile Reports which contain strictly confidential data.

Storage Duration

For Org ID, data retention principles are in line with FATF requirements: http://www.fatf-gafi.org/media/fatf/documents/reports/AML_CFT_Measures_and_Financial_Inclusion_2013.pdf (see section 'RECORD-KEEPING REQUIREMENTS').

Security Measures (including e.g. anonymisation "levels", pseudonymisation)

6. Means of Legitimation for Personal Data Processing

e.g. consent, legitimate interest, etc. ...

Use-case named as Heading

short/brief description

  • domain/subject area
  • event/situation it applies to
  • actors/entities involved

Use-Case Overview

Thomson Reuters Limited (TR) located in the United Kingdom is focused on supporting Know Your Customer requirements in the financial sector. To this end, TR provides end-to-end client identity and verification services that enable financial institutions to fulfill their compliance and due diligence obligations against financial crimes based, e.g., on international and national anti-money laundering laws and regulations.

Pre-conditions

assumptions that are true before the use-case begins/starts

  1. ... currently used technologies
  2. ... already used vocabularies for interchange of privacy controls and personal data management
  3. ...
  4. ...

Workflow and Dataflow Description

  • trigger/onset of event - what is the 'start' point of this use-case?
  • primary flows - set of steps that describe the use-case
  • alternate flows - any alternate set of steps set in the same use-cases
  • aspects of interoperability
  • exceptions - any step or action that may prevent an outcome from happening
  • post flows - assumptions that are true upon completion of the use-case
  • relations/parallels to other use cases (with cross-references)

Examples

Any examples, described here, or documented elsewhere