Business Services Processing Notices

Enabling our Customers to verify your identity, age, residence, and prevent and investigate fraud, and assess risk

When you apply for services from credit, insurance, or utility providers, retailers, government bodies and agencies, or other organisations they might ask you to provide identification and answer certain questions. Our products allow our Customers to check this information against our databases to confirm that you are who you say you are.

For example, the Customer may check your name and address against addresses we have obtained from public sources, like the Electoral Register. In some cases, the output from a check will be 'yes' or 'no'; in other cases we may provide the likelihood that this is the same information (for example, by saying there is a high, medium or low chance this is the same person as the person on the Electoral Register).

Income, employment information, and previous loan application data is processed to enable LNRS customers to obtain information about individuals in order to calculate risks, associated with those individuals. Data is processed within the product for the purposes of linking and matching individuals and assessing fraud risk. This includes the creation, validation and use of scorecards, models, and attributes in connection with the assessment of risks relating to credit, fraud, affordability, and debt collection. It is also used in verifying identities, to monitor and predict market trends and to enable clients to refine lending and fraud strategies, and loss forecasting.

Some of our products produce scores, which provide predictive insight to our customers associated with applications for products or services. Using a combination of datasets, the product will create a list of attributes by looking at our data sets to ask it questions and gather facts e.g. are you on Electoral Roll? How many years have you been on ER? Each attribute will have a value which will be taken into account to build a series of indicators and derive a score.

The exact attributes are carefully designed based on the detailed data analysis to ensure that only the most meaningful data elements are taken into account. The score model does not make use of any protected class indicators that are related to an identity’s race, ethnicity, religion or sex life.

Allowing our Customers to comply with regulatory requirements

Our products allow our Customers to check whether doing business with a client or potential client could create a risk of financial crime, such as bribery, corruption, or money laundering.

For example, when you apply for financial products, organisations may search your name against sanctions lists, watch-lists, lists of politically exposed persons, media reports, and other publicly-available information in order to comply with their regulatory requirements.

As such searches can return information relating to other individuals with similar names, our products provide scores to our Customers to help them identify the likelihood that a given record corresponds to you. For example, if a search identifies a news story indicating corruption by someone with a similar name to yours but located in a different area, our products will allow our Customers to understand the likelihood this is a match and whether to investigate further and determine for themselves any actions they are legally required to take.

Helping our Customers better manage their client accounts and records

We supply information including personal data to our Customers to help them maintain of their relationships with you and their other clients. This could include helping them remove inaccurate records (e.g., email addresses that are mistyped), and updating existing records, correcting database errors, and identifying if you have recently moved. It could also include helping our Customers identify a recent change in your personal details or circumstances that may affect their relationship with you. For example, if a Customer has previously assessed your credit-worthiness, some of our products would allow them to identify a change in your circumstances that indicate you may be at financial risk.

Assisting Customers with their tracing, investigations, collections, and recovery activities

We supply information including personal data to assist our Customers with their tracing (i.e., locating individuals), investigations, collections, and recovery activities. Our products provide contact and address information to help our Customers locate individuals that owe debt and have moved or gone away and from whom they have no longer been able to collect payments on that debt. Our products and services also allow our Customers to confirm if an individual might be facing financial hardship, and where appropriate, come to an agreed repayment plan in support of the ongoing client relationship.

Such activities can often be performed in support of regulatory requirements such as the prevention or investigation of fraud or to assist businesses and other organisations undertaking tasks in support of the substantial public interest.

Enabling life and pensions providers to undertake  existence/mortality checks, asset reunification and de-risking activities

Where you or your spouse have a pension or life assurance plan, our Customers are required under law to ensure they have accurate and up-to date records for you, to ensure they can make maintain contact with you and provide you with important information about these significant long-term financial assets and benefits. 

These services also help our Customers to verify identity and prevent fraud through regular existence and mortality screening, by confirming if you are present at your current address, have moved to a new address or have been recently deceased.

Developing our statistical models, testing and analytics     

We use data to test our products with a representative of real identities to ensure they are working correctly and provide accurate results to our customers. Without being able to include a representative example of real data we risk not being able to test full scenarios to ensure existing products are functioning as expected and leaves us open to missing relevant information that may have a negative impact on customers and data subjects.

We use personal data for statistical models, analytics and profiling to improve our products and services and to help Customers better predict risk, to verify data you provide, to help to prevent and investigate fraud, to allow them to comply with their regulatory requirements, to better manage their client accounts and records and assist them with their tracing, investigations, collection and recovery, asset reunification and de-risking activities. To do this, we compare information received against variables like name, age, and address so our Customers can more accurately predict risk factors associated with their proposed or ongoing relationships with you. We may also use personal data to develop and improve our products and services and the data is crucial to validate assumptions related to functionalities of existing products and services, areas for improvements, behaviours of the systems, to inform decisions about the final shape of the services before they are made customer facing and key for us to monitor how our products are being used and the identities being searched.

Protecting our legitimate business interests and legal rights

Where we believe it is necessary to protect our legal rights, interests and the interests of others, we use personal data in connection with legal claims, compliance, regulatory, audit functions, and disclosures in connection with the acquisition, merger or sale of a business.

• Name, current and previous addresses, date of birth, telephone contact information, and individual identifiers, including from the Electoral Register and other publicly available databases; and
• Information as set out above relating to spouse, associate, children, and other family members.

Credit header activity history, including:

• Confirmation of credit activity history such as number of accounts or other agreements that involve a credit arrangement – bank, mortgage, credit cards, utilities, and communications (including mobile and internet).

Court judgments, bankruptcies, administrative orders and other public records, maintained by Registry Trust Ltd:

• Information about any bankruptcy or insolvency proceedings; and
• Court judgments information - the name of the court, the nature of the judgment, how much money was owed, and whether the judgment has been satisfied.

Data concerning credit file searches:

• CRAs provide us with records they maintain each time an organisation makes an enquiry about an individual called a “search footprint”, including the name of the organisation that made the enquiry, the date, and the reason they gave for making the enquiry.

County and High Court Judgments, such as provided by Registry Trust

Information on court judgments that have been issued, such as how much money was owed and whether the judgment has been satisfied.

Identity and Passport Service -  General Register Office (GRO)

Birth, marriages and death records and  certificates and Disclosure of death registration information (DDRI).

Registered commercial entity information, such as Companies House

Data on directorships, such as presence of a director within a postcode area.

Property related information, such as Her Majesty’s Land Registry (HMLR) – Property Register

Along with the address and postcode we receive information such as property type, age of property, tenure and sale prices.

Politically Exposed Persons (PEP) lists

Names of individuals in prominent public functions that present a higher risk for involvement in bribery or corruption, as defined under the Financial Action Task Force Recommendations; or close associates of politically exposed persons (‘PEPs’), details of family circumstances, such as marital status and dependents, and, in limited circumstances passport details. Position or affiliation within government; and family members and other related individuals.

Sanction lists

Names of individuals that have been sanctioned by governmental and supra-national authorities (such as the United Nations); details of the reasons for which sanctions are imposed; and affiliated businesses and associates. For example, the UK Sanctions List.

Watch lists

Names of individuals placed on criminal watch lists, such as national and international terrorism watch lists; details of the alleged offenses; and affiliated businesses and associates.

Enforcement lists

Names of individuals provided by financial enforcement agencies; details of the alleged offenses; and affiliated businesses and associates.

Public media sources and publicly-available information from internet searches and websites

Information relating to individuals in published news sources such as name, age, date of birth, gender, country of residence; information from other public websites and social media, such as employment and education details, which may include details of public, religious, political, or trade union roles; personal and professional affiliations; and, to the extent it appears in public search, information that may reveal connections to investigated, indicted, suspected of, or convicted for, criminal activity or offences which is considered a pre-cursor to money laundering or terrorist financing (e.g. arms trafficking, smuggling or fraud).

Third-party data partners, service providers and customers

We receive data from trusted commercial sources and service providers in connection with the provision of our products which includes personal data such as name, current and previous addresses, postcodes, gender, date and place of birth, telephone and email contact, social media handles, professional status and background, previous loan applications, income and employment data, relationship status, financial account numbers for data for verification purposes; and other individual identifiers. This includes for example British Communications plc, Royal Mail plc, Vocalink Ltd and other commercial providers of similar data or services. Personal data is also provided by our business customers for the purpose of carrying out searches and this data may be used to understand the identity and how often it has been searched as well as any associations to that search information, for example how other identities are associated to the email address that has been input.

LexisNexis® Risk Solutions

LexisNexis Risk Solutions creates a unique identifier called a ‘LexID’ for each individual we hold personal data for. The LexID is a numeric personal identifier which is assigned to an individual to allow the identification of their personal data. It is used when information is called from the database and needs to be distinguished from other information in the database. LNRS uses proprietary linking technology to link and match data across multiple data sets and assign a unique identifier, LexID, to consumer identities.

Businesses, government bodies and other organisations

We share personal data with Customers when they check a client or potential client against our databases. We ask our Customers to explain to their clients that they use our information, including data provided to us by third parties.

Your personal information may be stored and processed in your region or another country. We take steps, including through contracts, intended to ensure that the information continues to be protected wherever it is located and in a manner consistent with the standards of protection required under applicable law.

Credit Reference Agencies (CRAs) and Fraud Prevention Agencies (FPAs)

We share personal data with CRAs when we send them data from our Customers through some of our products and services that they check against their databases. We ask our Customers to explain to their clients that we provide this information to them and which we may be further used for identity verification, fraud prevention, debt collection, tracing and asset reunification purposes. 

If we or our Customers believe a fraud has been or might be committed, we may also share that data with FPAs such as CIFAS (UK fraud prevention service) who collect, maintain and share data on known and suspected fraudulent activity. Most CRAs also act as FPAs.

Service providers and data partners

We share personal data with service providers who assist us with the provision of our products and services. These providers include data partners, customer support, IT service providers, financial services, and professional advisors. 

Your personal information may be stored and processed in your region or another country where LexisNexis Risk Solutions affiliates and our service providers maintain servers and facilities, including but not limited to Australia, Brazil, France, Germany, Iceland, India, Italy, Ireland, the Netherlands, the Philippines, Singapore, South Africa, the United Kingdom, and the United States. We take steps, including through contracts, intended to ensure that the information continues to be protected wherever it is located and in a manner consistent with the standards of protection required under applicable law.

Resellers, distributors, integrators and agents

We sometimes use other organisations to help provide products and services to clients and we may provide personal data to them in connection with that purpose.

Other affiliated companies of LexisNexis® Risk Solutions within the RELX of companies

Some of the service providers we use are other affiliated companies of LNRS within the RELX companies. These companies assist us in providing the products and services described in this Notice, such as to provide customer and product support. We have contracts in place with them to ensure they only use the personal data we provide them in accordance with our instructions. Some of our affiliated companies also act as resellers, distributors, integrators, or agents for the sale of LNRS products or services.

Your personal information may be stored and processed in your region or another country where LexisNexis Risk Solutions affiliates and our service providers maintain servers and facilities, including but not limited to Australia, Brazil, France, Germany, Iceland, India, Italy, Ireland, the Netherlands, the Philippines, Singapore, South Africa, the United Kingdom, and the United States. We take steps, including through contracts, intended to ensure that the information continues to be protected wherever it is located and in a manner consistent with the standards of protection required under applicable law.

Certain U.S. entities within the LexisNexis Risk Solutions group of companies have certified certain of their services to the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce. Please view these entities’ Data Privacy Framework Notice here. To learn more about the Data Privacy Framework program, and to view these entities’ certification, please visit https://www.dataprivacyframework.gov.

If some or all of the LNRS or RELX business is acquired by, another company personal data may be disclosed to the prospective or actual purchasers.

Third parties where required by law (or to protect our rights)

• comply with the law;
• investigate and help prevent security threats, fraud or other malicious activity;
• enforce and protect the rights and property of LNRS or its affiliates; or
• to protect the rights of our customers, employees and third parties. This may include sharing information for the purposes of crime prevention and fraud protection.

Sanctions lists, watch lists, PEP lists, adverse media searches, social media and other public website data

We retain information relating to sanctions, criminal records, adverse media searches as well as the information we obtain from social media and other public websites for such periods as necessary for our Customers to perform and comply with their financial crime compliance requirements. This is usually for a minimum period of 6 years but may be longer, depending on their location and relevant national laws.

Identification data

We retain identification data (such as names and addresses including from the Electoral Register) whilst there is a continuing need for us to utilise it. We keep this retention under review and we will remove data as and when we no longer require it.

Credit Reference Agency (CRA) records

Data provided to us by credit reference agencies is subject to the retention periods determined by the relevant CRA, and subject to further agreed contractual provisions, applicable regulatory requirements and industry standards. Search footprints are retained by CRAs for different lengths of time. Experian and Equifax retain most search footprints for one year from the date of the search, although they keep debt collection searches for up to two years. Crediva keeps search footprints for two years from the date of the search.

Court judgments, bankruptcies, administrative orders

We retain information about court judgments or orders for up to 6 years from the date of the judgment or order (or a shorter period if the judgment is set aside or repaid). For bankruptcy, individual voluntary arrangements (‘IVAs’), or other insolvency related events and arrangements, we usually keep such data for up to 6 years (or, if such events are extended, then for that longer period).

Other third party-supplied  data and services

Other third party supplied data is retained as necessary for our Customers to perform and undertake their legitimate interests and activities, including those undertaken in the substantial public interest. The criteria used to determine the storage period will include the legal limitation of liability period, agreed contractual provisions, applicable regulatory requirements, and industry standards.

Archived data

We may hold data in an archived form for longer than the periods described above, for things like research and development, analytics and analysis, (including refining fraud strategies, scorecard development and other analysis such as de-risking), for audit purposes, and as appropriate for establishment, exercise, or defense of legal claims. The criteria used to determine the storage period will include the legal limitation of liability period, agreed contractual provisions, applicable regulatory requirements and industry standards.