An Post - SBS Communications - Data Protection

Ongo Goblogian

Hope this is relevant section...

I have a an post savings account for some time now. Not a huge amount of money in it, just enough for a rainy day. I throw ~ 20 euro a week into it. When the account was setup I verified all my details and showed ID and proof of address etc to postmaster at local post office.

I have now received a second warning letter from SBS Communications(did not respond to first) claiming an obligation to verify the identity of account holders and keep an up to date record of my Name, Address, DOB and PPSN. Failure to do this "MAY" result in loss of access to my account.

My problems are my Name, DOB and PPSN don't change over time (So are always up to date) and the letter would not find me if my address had changed. Regardless, I have no problem bringing the requested documentation to the post office where the account was opened and presenting it for viewing and verification to the postmaster. But this is not what is requested.

They require a photo copy of passport, Driving license etc for proof of Photo ID as well as...
Photocopy of my Savings book as well as...
Proof of PPSN such as a photocopy of my payslip.

According to the Revenue website...

PPSN Security
A PPSN is regarded under the Data Protection Acts as personal information. Revenue will not share an individual’s PPSN with any other party unless authorised to do so by legislation.

On the same basis an individual should not give their PPSN to another person unless they are satisfied about the bona fides of the person to whom it is being given.

So my questions are...
Who are SBS communications.
Do they really have the power to block access to my low value account.
Why do they need photocopies of personal information that was already verified by relevant authorities. Surly an updated verification should suffice, rather then them storing photocopies in a filing cabinet somewhere until they are eventually dumped in a field in Kildare because some one did not want to pay for a shredding service.

I understand the need to verify cash accounts to limit laundering and am happy to comply with this security process. But I am sick to the back teeth of companies looking for photocopies of personal documentation. Verify them at source, even on an annual basis if required but the legal ramifications of photocopies been stored by unknown third parties and data protection is surly being breached regularly here.

Sorry if the above is rambling in nature, but this really p's me off. Any info, advice, experience or input on the above is appreciated.

PS... I also had to do this a few months back in regards to prizebonds.

skinny90

No need to be wary of the rant...verification at this level is well worthy of a thread. I would like to hear an posts story on this op... have you asked them on this!?its pretty threatening behaviour also that you will loose your savings failing to act on their letter I would definitely not take a letter like this so well if I had savings of any kind high or low

L1011

Neither myself or Google have any idea of an SBS Communications connected to An Post/NTMA and as a result I would be hugely worried that this is a data theft scam.

Have you contacted your local post office about this? I'd do this first. No way would I hand over that level of information to a third party in any circumstance - if it turns out An Post failed to get records required under money laundering regs I'd only proffer them at Post Office.

We've a few posters here who are likely to have good info on this (postmasters etc) who hopefully see this post. If its real, An Post really need to learn how to write a letter that doesn't look like a scam - actual scammers are better at it!

Ongo Goblogian

Yes I did perform the obligatory Google search for a connection or information on the process. Even SBS Communications seems ambiguous in search results, although I did not go too deep, just a cursory search. I have not contacted the post office as yet, but from previous experience they rarely know anything about these issues. With the prizebond request I contacted the prizebond company directly and was told that the photocopies are basically stored "securely on file". I asked are they scanned digitally or stored in a cabinet and was told they were stored in a cabinet. The conversation went on for about half an hour about the actual lack of security in a filing cabinet, until they eventually agreed that I could present the documentation to the postmaster and have them verify and sign off the form and return it. I went to the post office and the girl behind the counter had not a clue about what I was explaining to her(not her fault, and I was not gonna give her a hard time over it.). Any way, I waited for the postmaster to be free and explained again and was told that they don't do that sort of thing and I would have to send the information off myself. I gave him a harder time and relayed my converstaion with the prizebond company until he eventually agreed to comply. He ended up photocopying the documentation anyway, and agreeing to forward it on on my behalf. The fight was gone out of me at that point, so I did not continue the argument and just let him at it.

There is a phone number on the letter from SBS and I will give them a call on Monday, hence my quest for info on their setup.
Regarding the letter, it looks legit, all the anpost logos etc and a free post letter(for documents) that returns to a PO box at the GPO. If it was a scam, I reckon it would be stopped pretty quick by the GPO.

So I don't think it's a scam as such, just a really inconvenient and potentially data breaching way of verifying an account that was already verified! The real beef is not with verifying my details, just the manner of having to obtain and forward on photocopies(surely these should go the way of faxes) of what may be considered sensitive information. As well as being an unknown possibly Canadian third party that may not operate on the same data procedures/regulations as European or Irish companies etc!

I am interested in any Postmasters advice on this if they are around!

ED E

https://www.linkedin.com/company-beta/1320040/?pathWildcard=1320040

Canadian outsourcing firm, maybe?

Former Former

Sounds like a routine phishing scam. I would ring An Post and verify.

Ongo Goblogian wrote: »

PS... I also had to do this a few months back in regards to prizebonds.

And did you give them the info??

phildin

I've never heard of SBS myself, I'd ignore them but contact An Post directly as they may have a legitimate reason for verifying this information. I believe this can arise due to anti money laundering requirements which can appear at odds with common sense quite frequently. If it turns out to be legit outsourcing, I'd be pretty unhappy about it and I'd let An Post know.

daheff

OP -if i were in your shoes, i'd be asking them on what basis they need to update your information ?

(they can and should be verifying that your details are correct -mainly at the point of opening your account, and maintenance when you move address).

They will (most likely) tell you that there is a legal requirement on them to verify your identity for anti money laundering /know your customer regulations.

At that point you tell them you provided all the information at the point of opening the account, and that your address hasn't changed -as if it had you would not have received the letter. Ask them do they not have the documentation you provided when you opened the account?

My guess is that they have lost /mislaid /destroyed the documents you gave them in the first place and are trying to cover themselves.

Feel free to push back on them and request they provide copies of the documents you provided to them on opening the account -tell them you want to verify they have the right documents.

But dont go about giving them new documents....especially not if they've lost the original set you gave them.

Fred Swanson

This post has been deleted.

Ongo Goblogian

Just an update on this. I contacted them directly and asked them what it was all about. Round and round in circles for the first five minutes until they replied that they are transferring all accounts to a new digital system and need the documentation to update this system. I said that I presented the documentation when opening the account. He verified the type of documentation that was presented, even mentioned a utility bill that was used, but said that this was not scanned in the post office at that time, only verified!!! So he can see on his system that the account was verified but cannot see the verification documents.

They need these photocopies scanned onto their system with photographic ID (front and back) as this is the way the system works. Guy claimed, and I don't doubt him that he is in the GPO but does not work for the GPO. They work on behalf of the NTMA and "sell products" for An Post!

Once documents are scanned onto system, they are put in a secure, sealed lock box and then into storage. After a certain amount of time(He did not know the timeframe) they would be shredded or incinerated.

I asked what happens if I don't consent to my documents been stored digitally... He said a third and final request would be sent. If this is not responded to, a lock would be put on the account and assets would be frozen. The only way at that point to retrieve assets, would be to bring the required documentation to the GPO.

So the upshot appears to be... they know the account is verified but want to put the verification documents in a digital format that can be analyzed, scrutinized and cross referenced with a couple of keyboard presses by any user of their system.

SBS is the system that they are using, in the fog I forget the first word used, but it stands for S... Banking Services. First S is possibly Secure or Safe. A search on this turned up... safe-banking.com which appears to fit the bill, but still cant find a link to the NTMA or An Post. I have cross referenced the three sites using google site search tag.

I am all for security but I am totally against the lack of transparency in the way these companies operate. You tick or don't tick one box and you sell your first born in some instances. It all reeks of it's my ball, I am the captain, I pick the teams, I take the penalties and free kicks and I am also the ref, my decision is final. And I can understand that they need certain rules to keep the system functioning. but come on, it's my money at the end of the day.

Remember, 70 officials from the Department of Social and Family Affairs breaching the confidentiality of Dolores McNamara, by snooping on her files just days after she won. The system may be secure, but people are not. I know I am already on hundreds of databases and I am happy to verify security information when required. I just don't like the Idea of these companies keeping digital or physical copies on file. Yes keep key verification info but not the whole shebang!

So my options are, comply or remove my savings. I sometimes wonder if the people buying into these security systems realize the many levels of insecurity they are introducing.

Riesen_Meal

This sounds dodgy OP, I would definitely contact PO and see what they have to say about it...

Former Former

This is sounding dodgier and dodgier. I don't think I've ever heard of something like this and I would absolutely not give them any info.

amtc

State Savings are based on 3rd Floor of GPO with very strict physical and technology access systems. It was recently reorganised with a new management structure. Having worked in Revenue as well looking for digital copies is perfectly normal. It's not a scam.

Ongo Goblogian

amtc wrote: »

State Savings are based on 3rd Floor of GPO with very strict physical and technology access systems. It was recently reorganised with a new management structure. Having worked in Revenue as well looking for digital copies is perfectly normal. It's not a scam.

As stated above, I don't think it's a scam. It's the total lack of transparency about who this SBS company is and the threat to block my hard earned if I don't comply. I expect I am already on hundreds of databases against my will and I am not a privacy or conspiracy nut, but I am severely anti digital. I am happy to verify my documentation with third parties appointed on behalf of the government but I do not wish these third parties to retain copies of this information in a new secure format without first been transparent about what happens with it, and also who and what reasons can someone access this information. Like the sneaky national id card that the government have be rolling out for several years, this is another way to monitor the populations activities without going through proper and legal methods. This amount of data retention for the simplest of tasks is getting beyond Stasi levels. It's only a matter of time before I have to bring a used pair of under wear to any financial institution so they can have my scent on file just in case they need to get the sniffer dogs after me.



Regardless of how secure they think their system is and how much they have spent developing it, I can guarantee you, it will be full of bugs and backdoors just waiting to be exploited, and of course the human element, no system is secure to scrutiny or a neighbours curiosity.

daheff

Ongo Goblogian wrote: »

J to a new digital system and need the documentation to update this system. I said that I presented the documentation when opening the account. He verified the type of documentation that was presented, even mentioned a utility bill that was used, but said that this was not scanned in the post office at that time, only verified!!! So he can see on his system that the account was verified but cannot see the verification documents.

How long ago did you open this account? Its been mandatory to keep copies of these ID documents for quite a while now. If you opened it in the past few years I suspect that they are now realising that they are in breach of KYC requirements.

Ongo Goblogian wrote: »

They need these photocopies scanned onto their system with photographic ID (front and back) as this is the way the system works.

They do need this for KYC purposes


Guy claimed, and I don't doubt him that he is in the GPO but does not work for the GPO. [/QUOTE]
They work on behalf of the NTMA and "sell products" for An Post! NTMA sell the savings bonds via An post. Or more accurately, An Post is an agent selling NTMA savings bonds.

Ongo Goblogian wrote: »

Once documents are scanned onto system, they are put in a secure, sealed lock box and then into storage. After a certain amount of time(He did not know the timeframe) they would be shredded or incinerated.

They need to keep the documents until 6years after your relationship with them ends (By law) -more usually companies keep for 7. He should know this.

Ongo Goblogian wrote: »

I asked what happens if I don't consent to my documents been stored digitally... He said a third and final request would be sent. If this is not responded to, a lock would be put on the account and assets would be frozen. The only way at that point to retrieve assets, would be to bring the required documentation to the GPO.

If you dont provide the information they will need to close the account. I'd suggest the easiest way is to give them the information they want. But...if you have already given it to them in the recent past, you should again state that and advise them that there is a legal requirement on them to safely and securely keep this information for KYC/AML /Data protection purposes. If they can confirm to you in writing that they do not have the documentation you previously provided, that you can have the Data Commissioner/ Financial Services Ombudsman assist them in their record retention procedures.


In fairness to them, a lot of this requirement is passed down to them by law. I think the bigger issue here is that they haven't correctly kept files for accounts.

your choices are:
1-Take your money out
2-Comply
3-comply, but kick up a big fuss with them/data protection commissioner/financial services ombudsman.

Ongo Goblogian

daheff wrote: »

They do need this for KYC purposes

Had not heard the term KYC before. I can understand the extra security requirement for high use accounts where large sums of money go in and out on a daily basis. But post office savings accounts are not like bank accounts or at least they never use to be. This account is only for throwing a few bob in semi regularly to build up a few grand for a rainy day. It is not a cash flow account and only a fool would attempt to launder money or fund terrorists with an account of this nature. Seems like terrorists get the blame for more than the terror they cause!

They work on behalf of the NTMA and "sell products" for An Post! NTMA sell the savings bonds via An post. Or more accurately, An Post is an agent selling NTMA savings bonds.

Yes, he pretty much said this in a more verbose way. You know the way people can answer a direct question but your brain is always deciphering a couple of words back in the conversation so as you have to play catch up with the facts and inevitably miss some key points.

They need to keep the documents until 6years after your relationship with them ends (By law) -more usually companies keep for 7. He should know this.

I knew this when I asked him but did not want to put words in his mouth. I got the feeling that the guy was used to getting an earful from people on the phone so did not want to push him too far. Always feel sorry for guys on the other end who have to watch their P's and Q's and stick to a rigid policy. Must be such a frustrating job not being able to tell a customer to cop the f**k on to themselves.

If you don't provide the information they will need to close the account. I'd suggest the easiest way is to give them the information they want. But...if you have already given it to them in the recent past, you should again

On opening the account, the required documentation was checked in the post office and the form was stamped and signed/witnessed by the PO staff. The Post office did not make copies of the documentation, only confirmed everything was in order. This was always the way with these accounts.

At the point of them closing the account, they should make reasonable efforts to allow the customer to retrieve the hard earned. They should not threaten to retain a customers money until the said documentation is provided to them. I.E. They should advise the customer to attend the office where the account was opened, bring I.D and withdraw money. Not demand the customer brings the photocopies of all the requested information to the GPO to activate the account and unfreeze the assets.

state that and advise them... ...KYC/AML /Data protection...
... Data Commissioner/ Financial Services Ombudsman assist them in their record retention procedures.

If I was to go down this route I would end up sounding more of a fool than normal. A little knowledge is dangerous in these situations as it can help you dig holes you don't know how to get out of. Data protection is not the full problem so much as the type of data they request. Photocopies of payslips, passports, driver licences etc. I am happy to verify these with the relevant authority but don't see the need for them to retain copies. If I ring them and they want to verify I am who I say I am, how will a copy of my payslip or passport help them if its displayed on a screen in front of them.

I was forced several years back to get a social services(national id) card when I had to sign on between jobs. I was brought down to a dingy basement in some government building in Dublin with trees in the lobby. When taking my picture for this card I was asked some security questions that I would be required to answer correctly in future phone correspondence to verify my identity. The first question was ... What is your mothers maiden name?... I said that is not very secure is it, sure everybody who knows me would know that answer and everybody else could find it out pretty easily if they were motivated. I know but it is a "European" regulation. was the answer. Classic pass the buck.

In fairness to them, a lot of this requirement is passed down to them by law. I think the bigger issue here is that they haven't correctly kept files for accounts.

I do believe they have kept the required information for the account to function, but the problem may arise from the fact that they want to migrate the information to a new third party/system. To do this they need to obtain the persons permission. Rather than admit this fact, possibly because they know a significant number would refuse, they threaten the loss of hard earned and pass the buck onto other agencies. You would be amazed at how compliant people will be when the correct and rational facts are presented. The cloak and dagger stuff just breeds suspicion. Has anyone actually found an "SBS Communications" that have an association with An Post or the NTMA? Why so secret?


Short version of what I believe has happened...

I opened the account and everything was in order. Some time passes and they update their system/software provider.

Data protection prevents stored data from being transferred to new system.

They have to operate old and new system side by side until all legacy accounts are transferred.

Rather than explain the situation to customers and spin it as a more secure system... some bright spark decides threatening to freeze all customer assets until they comply. When customer confirms the information, this allows the newly obtained information to go into the new system.

Legacy system can now be shipped unformatted and unsecured to India for "secure" disposal. 6 months later someone buys a hard drive on AliEbay, runs an unformat tool and gathers half of Munster's Post Office account details, drivers licence, passports and payslips.

dudara

If they never took a copy of your ID etc when you opened the account, then that's most likely the problem and that's what they're now rectifying. Copies must be maintained on file.

Ongo Goblogian

dudara wrote: »

If they never took a copy of your ID etc when you opened the account, then that's most likely the problem and that's what they're now rectifying. Copies must be maintained on file.

Below is just speculation on my behalf, but it is what I believe is happening.

The procedure/paperwork at the time contained all the information they required. This information was verified at source and then would have been passed onto a data entry person who would have entered it onto the legacy system. This would include PPS no, DOB, name, address etc.

Technology moves on and memory/storage is cheap. So now the systems can contain more irrelevant data, so the developers incorporate this functionality to give their product an edge/advantage and market it as more secure and better for fraud. I reckon there is some regulation or rule that information cannot be transferred to a different system without user consent(can anyone confirm this)

I fail to see how someone on the end of a phoneline can use a photo id or payslip to verify my ID.


Just for the record, the thread was setup originally to find out who SBS communications are and if they really had the power to seize assets which was implied in the letter they sent. I am not on a crusade for any particular agenda and I don't really believe I will lose my hard earned. I most likely will eventually comply. I do have a side interest in security(all aspects) or the pretence of security. At the top level (Government) I can see the need for copies of official state documentation to be kept. But it is getting to the point now where we will need photographic and dna records to be kept by KFC to join the Colonels Club! We need to draw a line in the sand before it gets out of control, because if everybody has a copy of this documentation it is not really proof of anything anymore.

flashinthepan

Also Got one of these scary letters threatening to seize assets if I did not send off details to SBS
So I went to the post office first thing this morning and closed the account
What is gas is the lady in the post office could not see my concern at sending information such as
a copy of passport along with a PPS number and copy of the post office account book with account no visible ( as per threatening letter )
Is a HUGE security risk
To ask account holders to just post this off willy nilly to some faceless crowd that I do not know from Adam is absurd
So account closed.

As stated earlier in the thread

I would not have had a problem bring the information to the post office to prove identity
But to threaten that if I did not post it I would loose access to my little few bob was just too much

So I say to this Mr Francis Foy
Manager SBS Communications 01-7057080 ( who ever the hell you are )
You can Sing for it

CeilingFly

flashinthepan wrote: »

Also Got one of these scary letters threatening to seize assets if I did not send off details to SBS
So I went to the post office first thing this morning and closed the account
What is gas is the lady in the post office could not see my concern at sending information such as
a copy of passport along with a PPS number and copy of the post office account book with account no visible ( as per threatening letter )
Is a HUGE security risk
To ask account holders to just post this off willy nilly to some faceless crowd that I do not know from Adam is absurd
So account closed.

As stated earlier in the thread

I would not have had a problem bring the information to the post office to prove identity
But to threaten that if I did not post it I would loose access to my little few bob was just too much

So I say to this Mr Francis Foy
Manager SBS Communications 01-7057080 ( who ever the hell you are )
You can Sing for it

an post will have a profits warning with your account closure.

As for the info - its a regulatory requirement.

Funny - people have no issue giving facebook or apple all the access they want, but once its a state or semi state company they get all hot under the collar.


And maybe tyou should try and read the letter properly

Its a copy of your passport OR a copy or your driving licence OR a copy of your pps card


If you are with a bank and they did not take a copy or do not have a copy on file, they will require it. If you ise paypal and go over a certain limit they will require it too. If you sell on ebay and over a certain limit, they will require it too.



SBS are a unit within an post, they are not a separate organisation.

dudara

Asking for the information is fine and legal for the purposes required, but I would be concerned at the collection & storage methods being used.

Under the forthcoming GDPR, companies will have an obligation to have organisational and technical measures in place to protect, transmit and store personal data. Receiving hard copies by post does not meet that standard IMO.

flashinthepan

CeilingFly wrote: »

Its a copy of your passport OR a copy or your driving licence OR a copy of your pps card

While I do not expect an apology
You are entirely wrong
attached is a copy of the letter with relevant details removed I hope it attaches ok
But in the letter it CLEARLY reads that this company SBS wants
Read it
One copy of each of the below


Not sure how to make it bigger if someone could advise
Thanks

While not wanting to start any argument
this to me was and I say was a very threatening letter
Some crowd of what could be ( painter decorators for all I know ) threatening to cut off access to my savings unless I post them copies of all the data they requested not Either Or but all the data
This is an incredibly insecure means of gathering data and one that I make no apologies for rejecting and will have nothing to do with
this putting a gun to your head attitude will not wash with me
and as such the account was closed and the threat has been dealt with

CeilingFly

flashinthepan wrote: »

While I do not expect an apology
You are entirely wrong
attached is a copy of the letter with relevant details removed I hope it attaches ok
But in the letter it CLEARLY reads that this company SBS wants
Read it
One copy of each of the below

I can barely read it, but it looks like it says "OR" to me

PPSN card OR passport OR driving licence.

yes it also needs a payslip - or something with PPS number (so PPSN card can probably suffice for both docs)

Its on official An Post letter head. It is form the SBS Communications "SECTION" - This not a different company. Its a section within AN Post.


I just cannot see the issue - as I said, far far far more infoamtion is handed out willy nilly to private compnaies without a though in the world, yet some peopel suddenly have an issue because its a semi state company.

Frankly I find the whining utterly ridiculous - an excuse for a whinge because its state owned.

flashinthepan

No need to be uncivil

"an post will have a profits warning with your account closure."

"Frankly I find the whining utterly ridiculous"


It clearly says Provide one copy of each of the below
I could try to upload a better attachment but I think I am done here replying to you provocative comments
Good luck

L1011

You are misinterpreting the request. Ceilingfly is not.

They want photo ID - the public service card will suffice for that. You do not need to send in passport or licence details in this case. Some people have neither.
The want proof of PPSN - the public service card will suffice for that.

kevinbad2010

Ongo Goblogian wrote: »

Had not heard the term KYC before

It means Know your customer usually it is a authentication in which you need a picture of you, your passport, full name and address and phone number to access some features

carltonleon

Correct. SBS just stands for Savings Bank System Section. I have had 2 different letters for 2 diff accts and sent in the details. 7057080 is a number in the GPO. Nothing dodgy in it at all but if people prefer not to send in info that is entirely their perogative