Hi Erik,

Our sanctions screenings process will check against external databases maintained by Altares Dun & Bradstreet and Dow Jones. Our checks will use data that they have obtained themselves and control. We will not be supplying either company with confidential data. Both are US companies: the legal jurisdiction for our agreement with Altares Dun & Bradstreet is the Netherlands, and for Dow Jones is the UK. Our contracts with both companies are subject to GDPR.

But I think you are really asking about ID documents. iDenfy is based in Lithuania (EU) and is therefore subject to GDPR requirements. iDenfy deletes all ID information within 14 days of submission. The jurisdiction for our agreement with iDenfy is Lithuania.

Regards,

Felipe Victolla Silveira
Chief Operations Officer
RIPE NCC


On 16 Sep 2021, at 14:36, Erik Bais <ebais@a2b-internet.com> wrote:

Hi Felipe,  

Thank you for the announcement.  ( I cc: the RIPE list, as that will allow all RIPE community members to read the question and your reply. )

Could you provide insight in where those companies are located, which legal jurisdiction is used for the agreement with them and where the data is going to be stored that is send to them of the involved companies ?
I assume that most of the parties involved the RIPE NCC are dealing with a Dutch entity .. but is that the case and is Dutch law applicable for the agreement between the RIPE NCC and them ?  

Especially as we are dealing with checking ID's .. the location where those are going to end-up .. is something that some of us might want to have that kind of info.  

Kind regards
Erik Bais


On 16/09/2021, 14:16, "ncc-announce on behalf of Felipe Victolla Silveira" <ncc-announce-bounces@ripe.net on behalf of fvictolla@ripe.net> wrote:

   Dear colleagues,

   We will soon begin working with third parties to fulfil our mandatory due diligence requirements in two key areas: sanctions screening and the validation of identification documents.

   To keep you informed, we have published an article on RIPE Labs that explains the relevant processes in more detail:
   https://labs.ripe.net/author/felipe_victolla_silveira/using-third-parties-to-automate-our-due-diligence/

   You can find a summary of the key points below.

   -- Sanctions screening
   We need to perform sanctions checks whenever we receive a request to transfer, allocate or assign resources, or to open a new membership/LIR (this also includes End User requests). We need to check the company making the request, its director, the people on its board, and also any other companies or individuals with a share in that company. This adds up to a lot of checks requiring specialised skills and data, further complicated by the administrative and legal differences across our service region.

   Working with Altares Dun and Bradstreet and also Dow Jones, we will soon start to run automated checks against their databases to verify company information and to check if individuals, companies or any of their signatories are subject to sanctions. We will use the database run by Altares Dun and Bradstreet to quickly verify information about companies and individuals. Dow Jones maintains a list of all sanctioned entities around the world and we plan to run automated checks against this list. This collaboration will allow us to carry out our mandatory due diligence checks in a structured, complete and efficient way.

   For the vast majority of members, we expect that these checks will basically run in the background and not have any visible impact. We will only need to contact you if there is missing information in Altares Dun and Bradstreet’s database. In this case, we would let you know that they would like to contact you. This is voluntary, and there is no requirement to accept their call.

   -- Validation of identification documents
   Validating identification documents is a manual process that we want to automate. Until now, we have worked with fraud specialists to manually authenticate IDs that appear suspicious. We want to apply a uniform approach that verifies all ID information across the board.

   We will be working with iDenfy, a specialised provider in automated ID validation and remote identification services, to ensure a high standard of diligence and security across all ID documents that we process. Once this is ready, members will upload personal identification documents directly to the iDenfy system using a secure link that we send. In addition to maintaining a high level of security, iDenfy will ensure that this data is deleted within 14 days of being submitted. In line with GDPR, we remain the ‘data controller’. Work is currently underway to integrate our external request processes with iDenfy’s systems and we plan for this to go live on 23 September.

   Kind regards,

   Felipe Victolla Silveira
   Chief Operations Officer
   RIPE NCC