[gotodengo]

For various reasons I started to open a bank account with Mercury, before deciding to use another provider.

When I said I'd no longer be finishing the application and to please delete my passport info, first they ignored the second part. When I replied again asking them to delete my data they replied about KYC laws and assured me the data was securely stored of course.

At that point I gave up. Maybe they could delete the data if I fought, maybe their hands were tied, maybe me fighting would end up flagging my info as a money laundering risk. But I immediately imagined exactly this leak happening.

They're not the only vendor affected that had my data, nor is this breach the first, but that's the one that stings the most.

Anecdotally I'm being swarmed by text message spam for the first time in months. I have to assume people are running through new breach data to find live numbers.

[input_sh]

Yes, their hands are tied. KYC requires the banks to keep the data for five years after account termination.

One of many, many shitty things introduced by the Patriot Act that we now just live with.

[kelnos]

GP was never their customer, though. They started filling out the application to open an account, got past the ID verification step, and then decided not to complete the new account process.

Likely the issue is that they just didn't think of this possible case, and there's no way to delete the ID information, and the CS person didn't want to go through the extra work to find someone who could approve it and/or get it done.

[TeMPOraL]

I understood GP to have started but not finished the process of opening account. Does KYC still require banks to keep the data in this case?

[input_sh]

IANAL, so I'm not gonna attempt to interpret it, but here's how it's phrased:

> Recordkeeping. Section 326 of the Act requires reasonable procedures for maintaining records of the information used to verify a person's name, address, and other identifying information. The proposed regulation sets forth recordkeeping procedures that must be included in a bank's CIP. Under the proposal, a bank is required to maintain a record of the identifying information provided by the customer. Where a bank relies upon a document to verify identity, the bank must maintain a copy of the document that the bank relied on that clearly evidences the type of document and any identifying information it may contain.6 The bank also must record the methods and result of any additional measures undertaken to verify the identity of the customer. Last, the bank must record the resolution of any discrepancy in the identifying information obtained. The bank must retain all of these records for five years after the date the account is closed.

[kelnos]

> a bank is required to maintain a record of the identifying information provided by the customer.

They didn't complete the application, though, and so were never a customer of the bank. So this shouldn't apply.

[1oooqooq]

search for their board and start the process with each one of them up to the public data allows.

[pylua]

They are probably outsourcing to a vendor who will do god knows what with it