WHAT YOUR BANK KNOWS ABOUT YOU - in-cyprus 18/5 by Theano Thiopoulou
Banks in Cyprus know almost everything about their customers — and no transaction goes unnoticed, according to information compiled from bank websites and data protection regulations.
Every card payment and e-banking transaction is recorded in real time, leaving digital traces accessible to authorities, particularly in fraud investigations. Using modern data analytics systems, banks track the merchant name, amount, date and location of each transaction. They can also tell when and where a customer travels, based on airline ticket purchases, hotel bookings, car rentals and card use abroad.
The era of blanket banking secrecy is over. Strict transparency and oversight rules now apply across Cyprus and the European Union, and banks are required to comply with the General Data Protection Regulation (GDPR), informing customers how their data is used.
What banks collect — and where they get it
Banks do not gather data only from customers directly. According to the privacy notices published on their websites, they also obtain information legally from credit reference agencies such as Artemis Interbank Information Systems, public authorities, and card payment processors such as JCC Payment Systems Ltd.
They can also draw on publicly available sources including the Land Registry, the Registrar of Companies and Official Receiver, the Bankruptcy Archive, trade registers, the Cyprus Stock Exchange, the Insolvency Service, the press and the internet.
For customers applying for banking facilities, banks may hold data covering current income and expenditure, employment history, property ownership, personal debts, number of dependent children, personal investments and investment income, life insurance policies, tax residency and tax identification details, and details of any guarantors or collateral providers. For non-EU nationals, residence or work permits are also required.
Monitoring for suspicious activity
Banks use automated systems to monitor every transaction for suspicious activity, particularly for amounts above €10,000. They can share data with state authorities when required by law and use fraud detection and risk assessment systems.
Anti-money laundering legislation requires banks to verify a customer’s identity before entering into any contract or business relationship. When opening or updating an account, customers are typically asked for a government-issued identity document or passport, proof of address such as a bank statement or utility bill, and consent to the retention of that information. For business entities, banks may also request company registration certificates, business agreements showing ownership and authorisation, and tax returns where a credit application is involved.
Banks are also open to receiving information about a company from all available sources, including the company’s partners, clients, various registers and media coverage.
Your right to complain
Customers who are unhappy with how a bank handles their personal data have the right to file a complaint with the Commissioner for Personal Data Protection, banks advise on their websites.
Under GDPR, organisations found to have breached transparency and communication rules face fines of up to €10 million or two per cent of total turnover, whichever is higher. For more serious breaches involving the processing of personal data, consent, data subject rights or actual data violations, fines can reach €20 million or four per cent of global turnover, whichever is higher.
Transfers of personal data outside the EU to third countries or international organisations are restricted under the regulation. Such transfers require the approval of the Commissioner for Personal Data Protection, or in certain cases, notification to the Commissioner is sufficient.
