Convier Enterprise: Data Privacy & Security Policy

The following describes how Convier processes personal data within its data platform.

Responsible party

The responsible party pursuant to data protection law is:

  • Convier AS
  • Storgata 5
  • 0155 Oslo

The appointed data protection officer is:

  • Andreas P. Engstrand, CEO
  • E-mail: andreas.engstrand@convier.no
  • Phone: +47 40639599

Any queries relating to processing of data within our platform can be addressed to the contact person above.

Background

The policy applies to information that is collected and processed about individuals within the Convier platform. It explains how personal data is collected and processed when the platform is used by an organisation. The organisation using our platform is required to have separate data privacy policies describing the purpose of using Convier for the processing of their customer and personal data.

Purpose of processing of data

The Convier data platform is used by financial institutions and regulated entities to help them comply with Anti-Money Laundering (AML) obligations more efficiently.

The Convier platform is a case management tool that allows a user to investigate suspicious activity through the use of automated analytics, data retrieval and reporting. The organisation can decide what data is collected and analysed in the platform. This is generally customer and transaction data, where the tool helps automate analysis and reporting that an investigator would normally do manually.

The purpose of the processing is to determine whether flagged transactions are suspicious or not with the help of automation. The analyst can save a significant amount of time using the Convier platform compared to processing the alerts manually, as all relevant information is retrieved and summarised in one application.

For a regulated entity, processing of such data is necessary for compliance with the Norwegian Money Laundering Act and the EU Directives on AML, to which the controller is subject, Art. 6 (1) c GDPR (EU General Data Protection Regulation).

Data being processed

Data sources

Data will be collected from the organisation’s internal data warehouse or customer system. There are three main categories of data: the customer database, the transaction database and the transaction monitoring system.

Customer database

For household customers, the following personal data is generally collected:

  • Name
  • Date of birth
  • ID number
  • Address
  • Citizenship
  • Country of birth
  • KYC data, such as expected transaction and account behavior (the complete list depends on the data points used by the organisation)
  • Related parties, such as family members and other individuals with rights of disposal over the customer’s account
  • Level of income
  • Bank account numbers

For corporate customers, the following personal data is collected:

  • Board members (Name, Address)
  • Ultimate beneficial owners (Name, Address, ownership percentage or level of control of the company)
  • Other related parties, such as other individuals with rights of disposal over the customer’s account, netbank users and company representatives

Transaction data

From the transaction database, the following data points are generally collected:

  • Account number for sending and receiving party
  • Transaction description
  • Currency
  • Transaction amount
  • Date of transaction

Flagged alerts

From the transaction monitoring database, the following data points are generally collected:

  • Case ID
  • Case name
  • Customer ID
  • Description of flagged activity

The lists are not exhaustive and may be customised by the organisation to suit its environment.

User data

Convier uses the organisation’s user management database, such as Active Directory (AD) using LDAP. Convier will collect the username of the user to ensure logging of activities performed by the user in the platform. The following information is logged:

  • Username
  • Date and time of login and of activities performed
  • Web browser
  • IP address
  • Activities performed in the platform (read and write activities)

How Convier SaaS accesses, uses, stores, or shares Google user data

The website does not access, use, store or share Google user data.

Scope of processing

Data about customers will be collected for every incoming flagged transaction. The level of personal data collected depends on the type of customer and the type of scenario detected in the flagged transaction. The list of adaptive controls defines what type of analysis is performed and what data is collected and processed.

Storage of data

Convier limits the data stored within the platform in order to reduce the management of data duplication, deletion and maintenance.

There are three main categories of data with different storage within the platform:

  • Customer data source: This is the data input to the platform from the organisation’s data warehouse, API or web service. Convier does not retain copies of this data unless specifically requested by the client. Data is retrieved from the source location once a user opens a flagged transaction.
  • AML report data: Suspicious activity reports written by the analyst in the Convier platform will be stored in an SQL database on the platform, as the reports are later pushed to the organisation’s transaction monitoring platform or other reporting platform for reporting to the regulator. The organisation can set intervals for retention of the reports. For project-specific assignments shorter than six months, data is generally deleted at the project finalisation.
  • Log data: Log data is stored in an SQL database on the platform. The data retention policy can be specified by the organisation, and should comply with Norwegian AML regulations on data retention.

Data in the database is encrypted at rest.

Processing activities carried out

Convier will only process data in accordance with the data processing agreement with the client. The activities below represent the general functionality within the platform.

1. Contextualise flagged transactions

The Convier platform uses customer data to put a flagged transaction in context. If, for example, a transaction is flagged because it is sent to a high-risk country, the platform will retrieve historic customer and transaction data to answer questions such as:

  • Has the customer indicated in the KYC questionnaire that they expect transactions to country X, or to the beneficiary of the transaction?
  • Does the customer have previous transaction history with country X or the given beneficiary?
  • Do other customers in the bank have transaction history with the beneficiary?
  • Has the beneficiary or the customer previously been flagged for the same scenario?

The type of questions can be defined by the organisation and adapts to what scenario has been flagged. All questions are rule-based, and thus provide full transparency as to why they have been analysed.

The platform can also perform calculations of the customer’s transactions to assist the investigator in better understanding whether a flagged transaction is suspicious or not. For example, the platform may perform the following calculations:

  • Is the transaction size above the average size of transactions to country X in the last Y months?
  • Does the size of the transaction deviate from the moving average of outgoing transactions for the customer adjusted for seasonal variations?

The list of analyses provides context to the flagged transaction to assist the user in determining whether the flag is suspicious or not.

Recipient of data

For any organisation using the on-premise installation of Convier, the organisation owning the data will be the only recipient of the data, as the data remains within its infrastructure.

Storage duration

Data used in the adaptive analytics is retrieved when the user opens the flagged transaction. The data is used to document the alert, and will either be used to file a suspicious activity report to be sent to the Financial Intelligence Unit (Økokrim) or to close the alert.

Report data about the customer reviewed will be stored within the platform for the period decided by the organisation. Convier is not the platform for storage of the master data, so the data will be sent on to the end location chosen by the organisation. Convier will export the data to ensure it can be sent through the reporting application of the organisation. Convier does not send data to any other third party.

For project-specific implementations, data will be stored for a maximum of six months or the length of the project.

Profiling

Convier does not perform any profiling of customers, but the platform groups alerts with similar patterns. This allows the review team of the organisation to more efficiently structure the review of flagged alerts so that similar risks can be assigned to a defined team of analysts.

The organisation can choose whether to use the group function or not.

2. Management Information and reporting functionality

Convier collects information about how the users interact with the platform in order to produce management information for the organisation. The information allows management to track progress of investigated alerts and make better decisions relating to the operations of the transaction monitoring process.

Information collected includes:

  • Cases reviewed
  • Case status
  • Review time per case
  • Review time per activity for a case

The data allows the organisation to extract information about the processing of the alerts, such as:

  • Alerts processed the last day, week, month
  • Average processing time per scenario activity
  • Scenario categories requiring more manual investigation time than others
  • False positive ratios

Recipients of data

For any organisation using the on-premise installation of Convier, the organisation owning the data will be the only recipient of the data, as the data remains within its infrastructure.

Access to the MI can be customised in the admin panel of the tool. A user may see the operational efficiency of their own cases, but access to other users’ efficiency may be restricted.

3. Scenario efficiency intelligence

Configuration of transaction monitoring scenarios is not handled by Convier, but intelligence from the processing and handling of flagged alerts in Convier is collected to help define automated analysis, what data to collect per scenario and to tune scenarios more efficiently. The information is anonymised, and does not include any personal information for either the organisation’s user or the customer under investigation, nor any information that can relate the information to the organisation.

The intelligence is collected based on the following data points:

  • Scenario category
  • Type of adaptive analysis performed
  • Type of data sources used
  • Classification of alert
  • Case processing time
  • Customer category (i.e. individual vs corporate)
  • User classification at the finalisation of the case (investigation questionnaire)

The collection of data will allow us to understand questions about the efficiency of the scenarios and the investigation process, such as:

  • How relevant were the adaptive analyses in determining whether a case is suspicious or not?
  • What manual controls and analytics were performed in addition to the automated controls?
  • What other data sources were used in addition to the data collected automatically?
  • What was the reason for the case not being reported or marked as false positive?

Recipients of data

Data can be used by the organisation to perform tuning of the detection scenarios to improve detection rates and to tune investigation procedures.

Data will be used by Convier to improve the platform, including the automated analysis, to evaluate whether data sources and data points are relevant for each specific scenario and to provide better recommendations to organisations about the processing of alerts.

Data quality and minimisation

Convier minimises the data stored in the application by default. Data about customers and reviewed objects are retrieved and analysed when a user opens an alert relating to a customer. There is no pre-processing, thus no duplication of data inside Convier.

Once the alert has been reviewed and closed by the analyst, data is only stored temporarily within the Convier platform while waiting to be sent to regulatory reporting or archiving. The organisation can set the time for storage within Convier before it is deleted. Reporting and archiving of the alert is not handled within Convier.

Audit and transparency

Audit trail

Convier documents what data users have viewed, changed and processed within the platform. This gives the organisation a full audit trail of how personal data has been processed. It further allows the organisation to backtrack data to specific points in time to understand what data was available at a given time.

The platform further details what controls have been performed automatically within the tool and what data about individuals have been processed.

Disclosure of data

Any requests for disclosure of data about an organisation or organisation’s customers will be directed to the data processing contact persons of the organisation.

Cookies

The platform uses cookies in order to:

  • Maintain user sessions
  • Remember your display preferences, such as browsing language and notification preferences
  • Protect against threats, such as cross-site request forgery

We use the following types of cookies:

Authentication cookies

Authentication cookies are stored when you log in to the platform using the bank’s user authentication service.

Analytics cookies

We do not use analytics cookies.

Data security

We handle personal data only as detailed in the data processing agreement with the organisation, the data controller. We also endeavor to provide all necessary technical and organisational security measures to adequately protect personal data at all times against unauthorised access and misuse.

If we store or process personal data within our environment, it occurs in a high-security data center. Our servers are secured by firewall, virus protection and backup with recovery procedures.

For a description of the data security measures of our platform, please refer to the Convier Data Platform Technical Description.

Changes to our data protection policies

We reserve the right to modify this policy to ensure that it is in compliance with regulatory requirements. Organisations using our platform will be notified should there be any changes to this policy.