This notice was updated on 13 January 2022 to inform you of how your personal information is used to prevent fraud and money laundering and to verify your identity. We have also provided information on Display Advertising and the service provider we use to assist us with measuring our campaigns with reliable attribution.
We are Bank of London & The Middle East PLC (“we”, “our”, “us”, “BLME”) and we own and operate Nomo.
We’re registered in the UK and our registered address is at Cannon Place, 78 Cannon Street, London, United Kingdom, EC4N 6HL. Our company registration number is 05897786. We are also registered with the UK data protection authority (the Information Commissioner’s Office or “ICO”) under number Z9829862. BLME is a member of the Boubyan Bank Group.
This notice applies when you download and use our App or Website and it sets out who we are, and how and why we use your personal data. We would recommend that you read through this notice carefully so that you fully understand our data protection practices. This notice, our Cookie Notice, Website and App Terms and Conditions of Use, the Current Account Terms and Conditions and Fixed Term Deposit Account Terms and Conditions, outline how we provide services to you through our App and Website.
If you have any questions about this notice or our use of your data, please contact us using the details set out below.
We may collect, use, store and transfer different kinds of personal data about you. This information:
• May be provided by you when using our App to open your account or to express interest in future products or services – for example, when onboarding via the App we will ask you for basic information such as your name, address, date of birth, contact details and country of residence. We will ask you to provide details such as your personal wealth, tax status, assets, income, expenditure, source of wealth, your intended use of the account and other financial information. We will also collect your identity documents and visual images and a short video of yourself or audio file. You will also need to confirm whether you are a current customer of the Boubyan Bank Group. We may ask you to provide your email address and contact number if you wish to be notified of launch dates for new products or services.
• May be provided by you when you contact us – the personal data we may collect here include your email address and any information you provide in the email (if you contact us by email) or your phone number and any information you provide on the call (if you call us).
• May be collected or created when you use our App or Website – this includes any unique identifiers (such as your IP address), type of device, location data, language and login details, and any information you provide when engaging with the App or Website. Also, information we learn about you through our relationship with you and the way you operate your account.
• May be collected or created when you use our App and the services offered on it – this includes details about any payments to and from your account, your saving activities and any financial products that you apply for using our App. It also includes your login details and any information you provide when engaging with the App.
• May be obtained from the technology you use to access our App or Website – this includes login details, details of your phone network, your IP address, location data, device identification numbers and any other unique identifiers. As an example, this information can be collected when you click on advertising provided by or on behalf of Nomo on other websites.
• May be collected using cookies – cookies are pieces of information stored directly on your device. Most browsers allow individuals to automatically decline cookies or be given the choice of declining or accepting a particular cookie (or cookies) from a particular website. Please refer to www.aboutcookies.org or www.allaboutcookies.org for more information. Declining cookies may cause certain parts of the Website to cease working. Information about the cookies we use and their purposes can be found in our Cookie Notice.
• May be collected from other parties – before we provide services or financing to you, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. For example, we obtain data from companies providing fraud prevention, ‘KYC’ (know your client) and AML (anti-money laundering) checks, and from credit reference agencies (we will also need to share data with these types of agencies). For more information about data we collect from and share with credit reference agencies, see ‘Other parties who we share your data with’ below. We may also collect personal data about you from Brokers, Introducers or Solicitors in relation to your application for Home Finance.
• May be collected from public sources – for example, we may review information available on public and government registers or information you have made public on social media, such as Facebook, Twitter or LinkedIn.
• May be collected through your participation in testing Nomo products and services – we will record your feedback and opinions in relation to existing Nomo products and services, and the development of new products and services.
We may also collect, use and share aggregated data (for example, statistical or demographic data) for any purpose. Aggregated data could be based on a subset of your personal data but is not considered personal data in law because it will not directly or indirectly reveal your identity (because it’s combined with the data of other people – none of whom are identifiable). For example, we may aggregate your usage data to calculate how many people are using a particular part of our App or Website.
However, if we combine or connect aggregated data with your personal data so that it directly or indirectly identifies you, we treat the combined data as personal data which will be used in accordance with this notice.
We only process your personal data when the law allows us to do so. Data protection laws require that we have a “lawful basis” for processing your personal data. The lawful bases include processing for a contract, to comply with law, legitimate interest, vital interest, substantial public interest, or consent. We have explained below what lawful bases we rely on to use your personal data.
• Contractual requirement – we use your personal data to fulfil a contract that we have with you or in order to enter into a contract with you (for example, to provide online banking or Home Finance services to you). This includes using details about you to: (i) consider whether we can provide services to you; (ii) provide the services that we say we will provide in our terms; (iii) exercise our rights under a contract with you; (iv) resolve complaints and other disputes; and (v) contact you.
• Compliance with law – we use the personal data you have provided, we have collected from you, or we have received from third parties to meet our obligations which we are required to do under law. For example, as a bank, we are required to make sure that we run appropriate KYC and AML checks on all our customers. We collect personal data such as your name, address, date of birth, contact details, financial information, employment details and device identifiers including IP address to: (i) verify your identity when you register for our services (including by cross checking the details you have provided with immigration, credit check and fraud prevention agencies); (ii) prevent illegal activities like fraud and money laundering; (iii) check your credit history and other details about your financial circumstances so that we can make responsible lending decisions; and (iv) comply with our legal obligations (for example, banking laws). These can include legal record keeping obligations. We and fraud prevention agencies may enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime. We may also be required to share information with other third parties where we are compelled to do so or we consider this necessary – further details can be found in the “Other parties who we share your data with” section below.
• Legitimate interests – we may need to use your data for our legitimate interests or those of a third party. These include:
(i) Analytics – tracking, analysing and improving the services we provide and the performance of the App and Website, which helps us make our products better and understand how they are used by our customers. This includes analysing feedback you provide to us in relation to your participation in testing or review of existing and proposed Nomo products and services.
(ii) Protection – protecting our rights and property as well as those of our staff, customers and the public more generally, and managing our business. We may also need to share information with other bodies (for example, fraud prevention agencies) and take other steps to ensure that we maintain our reputation as a responsible provider of banking services. We may also need to process information to help fight financial crime.
(iii) Receiving services – we may need to provide information to other third parties in order to receive products and services, which, in turn, allows us to provide the App, Website and services to you (further details on the types of parties we share data with can be found in the “Other parties who we share your data with” section below).
(iv) Marketing – we may contact you from time to time to tell you about products and services that we think you might be interested in (which may be based on how you use our products and services and other things we know about you). If you do not wish to receive these communications, you can opt out of these at any time by contacting us using the “Contact Us” section of the App or Website.
(v) Promotions – we may run promotions, competitions, campaigns and similar activities from time to time to promote our App, Website and other services.
(vi) We use Display Advertising on websites, apps or social media to deliver Nomo advertising and messages to site visitors.
(vii) Fraud prevention – we process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the services or financing you have requested.
• Consent – We may sometimes need to ask for your consent to use your data. We will always make clear what data we wish to use and how we wish to use it. In these cases, you don’t have to share information about yourself if you don’t want to. If you choose to give consent, you can withdraw it at any time by contacting us using the “Contact Us” section of the App or Website. However, if you don’t consent (or later withdraw your consent), you may not be able to use some (or any) of our services.
(i) Marketing – we may wish to contact you about products and services that we think you might be interested in (which may be based on how you use our products and services and other things we know about you). We will only send you these communications if you agree to receive them. If you no longer wish to receive these communications, you can opt out of these at any time by contacting us using the “Contact Us” section of the App or Website.
(ii) Promotions – we may run promotions, competitions, campaigns and similar activities from time to time to promote our App, Website and other services.
(iii) Feedback and testing – we may record and discuss your feedback and opinions in relation to existing Nomo products and services and the development of new products and services.
• Vital interest – We may share information about you with other parties (e.g. law enforcement) if it is necessary to protect your or another person’s life.
• Substantial public interest – We may need to process ‘special category’ personal data in some cases. Special category personal data is data that can reveal your or another person’s racial or ethnic origin, religious or philosophical beliefs, trade union membership, political opinions, genetic or biometric data, health information, or sex life or sexual orientation. We process this type of data where it is necessary to prevent or detect crime or unlawful acts, or where it is necessary to protect your financial wellbeing (and obtaining your consent would be unreasonable or otherwise impact our ability to help you).
• Exercising legal rights – We may also need to process special category personal data to establish, defend or conduct a legal claim (this includes obtaining legal advice).
Further information on the lawful bases for processing personal data can be found on the ICO website.
Your personal data may be shared and processed by other companies within our group, for example, where they provide services to us, for marketing purposes or for entering into a contract with you for the provision of our products or services, or to perform obligations under that contract. When you open an account with us and you already have an account within the Boubyan Bank group, we may request your KYC documentation from that group company to assist in the account opening process or ongoing maintenance of your account.
We may also share your personal data with the following parties:
• Our service providers – for example, we use: (i) ComplyAdvantage and Refinitiv to help us with the KYC and AML checks described above; and (ii) Onfido to help us verify the identity of users. We also use third parties to: (i) make our bank cards and provide card processing services; (ii) monitor transactions; (iii) provide network services; and (iv) help us run the App and Website (including by providing cloud computing and storage services). For Display Advertising we use a Mobile Measurement Partner, Adjust GmbH, to help us measure our advertising campaigns by matching the take up of a Nomo product or service to the advertisements they were converted from.
• Verification, fraud prevention and responsible lending – we use credit reference agencies and similar service providers to assess whether we can provide services to you, to fulfil our obligations as a responsible provider of banking services and to comply with laws and prevent fraud. We share certain information about our customers and potential customers with credit rating agencies to: (i) help them maintain accurate registers of individuals’ financial status; (ii) help with the tracing of debts; (iii) understand whether you are eligible for our products and services; and (iv) manage your account with us. The information we may share with credit reference agencies includes: (i) your identification information including your name, address and date of birth; (ii) details of the accounts and related transactions; (iii) any product or service applications you’ve made (including any loans or repayments); and (iv) details of the balances of any cards you have with us. You can find further information on the main credit reference agencies in the UK and Kuwait here: (i) https://www.transunion.co.uk (ii) https://www.equifax.co.uk/crain (iii) www.experian.co.uk/crain (iv) https://www.cinet.com.kw/en/home (v) www.cifas.org.uk/fpn
• Law enforcement and other similar parties – as a bank, we’re under legal obligations to identify and report financial crime (which includes money laundering and tax evasion). We may share your details with official authorities, regulators or other government or law enforcement bodies including the police or courts in any jurisdiction where the law requires us to or if we otherwise think necessary. We may also share information with other banks for similar reasons. We may also have to share your information with other third parties where we are required to do so under law. These other third parties could be in any jurisdiction.
• Third parties – If you ask us to, we will share your information with any third party that provides you with account information or payment services. If you sign up to use the services of a third party provider which is registered as an Account Information Service Provider or Payment Initiation Services Provider, you’re allowing that third party to access information relating to your account. We are not responsible for any such third party’s use of your account information, which will be governed by their agreement with you and their privacy notice.
• Others – we may also share your details with people or companies if there’s a corporate restructure, merger, acquisition or takeover.
When we refer to automated decisions, we mean any decisions relating to you which don’t involve any people (for example, by only using computers). We may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity.
We use automated decision making to verify your identity and the information you provide in your application, prevent fraud and money laundering, and check whether you are eligible for our products.
We do this by taking information contained in your application or that we have received from third parties (for example, publicly available registers like the Public Authority of Civil Information (PACI)) or credit reference agencies and passing this on to third parties who perform fraud prevention, ‘KYC’ (know your client) and ‘AML’ (anti-money laundering) services. These third parties provide us with relevant information about your identity and may include your financial history, credit information, and fraud prevention information.
If these third parties believe you are a fraud or money laundering risk, or if we otherwise believe you have adverse credit, we may reject your application for an account, decide not to offer you a product or change your existing products or services.
Some service providers above may also keep records of your credit history, fraud or money laundering risk on file, which may result in other parties refusing to provide services or financing to you.
We may build profiles about you so that we can better understand your circumstances, behaviours and preferences in relation to marketing and improve the relevance of products and services offered to you. We do this by collecting information you provide to us or our affiliates (or information that we otherwise obtain) and, in some cases, combining this with other information we know about you.
You have rights in relation to automated decision making: for example, you may have a right to request human intervention and to challenge the decisions made by us on the basis of automated decision making. You can do this by contacting us using the “Contact Us” section below.
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or to employ you, or we may stop providing existing services to you.
A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us by using the “Contact Us” section below.
How long we hold your personal data for will depend on the circumstances. The retention period we apply will be based on many factors including:
• The purpose for which we are using the data – we will need to keep the data for as long as is necessary for that purpose; and
• Legal obligations – laws or regulation may set a minimum period for which we have to keep your personal data.
To work out how long we keep different categories of data, we consider why we hold it, how sensitive it is, how long the law says we need to keep it for, and what the risks are.
Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
You have a number of legal rights in relation to the personal data that we hold about you. These rights include:
• The right to obtain information about the processing of your personal data and access to the personal data which we hold about you.
• When we are relying on your consent to process your personal data, you have the right to withdraw your consent to our processing of your personal data at any time. Please note that we may still be entitled to process your personal data if we have another basis (other than consent) for doing so.
• In some circumstances, the right to receive some personal data in a structured, commonly used and machine-readable format and/or request that we transmit those data to a third party where this is technically feasible. Please note that this right only applies to personal data which you have provided to us.
• The right to request that we correct your personal data if it is inaccurate or incomplete.
• The right to request that we erase your personal data in certain circumstances. Please note that there may be circumstances where you ask us to erase your personal data, but we are required to keep it (for example, under law).
• The right to object to, and the right to request that we restrict our processing of your personal data in certain circumstances. Again, there may be circumstances where you object to, or ask us to restrict, our processing of your personal data but we are legally entitled or required to continue processing your personal data and/or to refuse that request.
• The right to complain to the ICO (details of which are provided below) if you think that any of your rights have been infringed by us.
For more information or to exercise your rights contact us using the details set out in the “Contact us” section below.
You also have a right to complain to the Information Commissioner’s Office, which regulates the processing of personal data. You can find out more information about your rights by contacting the ICO, or by searching their website.
We may transfer and store the data we collect about you to organisations outside the United Kingdom.
When we do this, we make sure that your data is protected and that the transfer is subject to appropriate safeguards or is otherwise permitted under applicable law. For example, in the context of personal data transferred outside the United Kingdom or the EEA, the country to which the personal data is transferred may be approved by the ICO or the European Commission, or the recipient may have agreed to model contractual clauses approved by the European Commission or the ICO that oblige them to protect the personal data.
Fraud prevention agencies may allow the transfer of your personal data outside of the UK. This may be to a country where the UK Government has decided that your data will be protected to UK standards, but if the transfer is to another type of country, then the fraud prevention agencies will ensure your information continues to be protected by ensuring appropriate safeguards are in place.
If you’d like a copy of the relevant data protection clauses, please get in touch using the “Contact us” section below.
If you would like further information on the collection, use, disclosure, transfer or processing of your personal data or the exercise of any of the rights listed above, or would like to speak to our Data Protection Officer, please address questions, complaints, comments and requests by email to firstname.lastname@example.org or by post to Data Protection Officer, Bank of London and the Middle East plc, Cannon Place, 78 Cannon Street, London, EC4N 6HL.
If you have a complaint and you are not happy with our response, you can refer your complaint to the ICO. For more details, you can visit their website at ico.org.uk.
We will post any changes we make to this notice on this page. We will also email you to let you know if we make significant changes to this notice.