This notice was updated on 4 November 2022 to inform you of how your personal data is used when using our investment service. We have also added that you may receive marketing from BLME or Nomo.
We are Bank of London & The Middle East PLC (“we”, “our”, “us”, “BLME”) and we own and operate Nomo.
We’re registered in the UK and our registered address is at Cannon Place, 78 Cannon Street, London, United Kingdom, EC4N 6HL. Our company registration number is 05897786. We are also registered with the UK data protection authority (the Information Commissioner’s Office or “ICO”) under number Z9829862. BLME is a member of the Boubyan Bank Group.
This notice applies when you download and use our App or Website and it sets out who we are, and how and why we use your personal data. We would recommend that you read through this notice carefully so that you fully understand our data protection practices. This notice, our Cookie Notice, Website and App Terms and Conditions of Use, the Current Account Terms and Conditions and Fixed Term Deposit Account Terms and Conditions, outline how we provide services to you through our App and Website. If you have any questions about this notice or our use of your data, please contact us using the details set out below.
We may collect, use, store and transfer different kinds of personal data about you. This information:
We may also collect, use and share aggregated data (for example, statistical or demographic data) for any purpose. Aggregated data could be based on a subset of your personal data but is not considered personal data in law because it will not directly or indirectly reveal your identity (because it’s combined with the data of other people – none of whom are identifiable). For example, we may aggregate your usage data to calculate how many people are using a particular part of our App or Website.
However, if we combine or connect aggregated data with your personal data so that it directly or indirectly identifies you, we treat the combined data as personal data which will be used in accordance with this notice.
We only process your personal data when the law allows us to do so. Data protection laws require that we have a “lawful basis” for processing your personal data. The lawful bases include processing for a contract, to comply with law, legitimate interest, vital interest, substantial public interest, or consent. We have explained below what lawful bases we rely on to use your personal data.
Contractual requirement – we use your personal data to fulfil a contract that we have with you or in order to enter into a contract with you (for example, to provide online banking, Property Finance or Investment services to you). This includes using details about you to: (i) consider whether we can provide services to you; (ii) provide the services that we say we will provide in our terms; (iii) exercise our rights under a contract with you; (iv) resolve complaints and other disputes; and (v) contact you.
Compliance with law – we use the personal data you have provided, we have collected from you, or we have received from third parties to meet our obligations which we are required to do under law. For example, as a bank, we are required to make sure that we run appropriate KYC and AML checks on all our customers. We collect personal data such as your name, address, date of birth, contact details, financial information, employment details and device identifiers including IP address to: (i) verify your identity when you register for our services (including by cross checking the details you have provided with immigration, credit check and fraud prevention agencies); (ii) prevent illegal activities like fraud and money laundering; (iii) check your credit history and other details about your financial circumstances so that we can make responsible lending decisions; and (iv) comply with our legal obligations (for example, banking laws). These can include legal record keeping obligations. We and fraud prevention agencies may enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime. We may also be required to share information with other third parties where we are compelled to do so or we consider this necessary – further details can be found in the “Other parties who we share your data with” section below. For certain types of investment products, we are required by UK financial services regulation to determine if you have adequate knowledge and experience of such products. We will do this by asking you to complete our appropriateness questionnaire.
Legitimate interests – we may need to use your data for our legitimate interests or those of a third party. These include:
Consent – We may sometimes need to ask for your consent to use your data. We will always make clear what data we wish to use and how we wish to use it. In these cases, you don’t have to share information about yourself if you don’t want to. If you choose to give consent, you can withdraw it at any time by contacting us using the “Contact Us” section of the App or Website. However, if you don’t consent (or later withdraw your consent), you may not be able to use some (or any) of our services.
• Vital interest – We may share information about you with other parties (e.g. law enforcement) if it is necessary to protect your or another person’s life.
• Substantial public interest – We may need to process ‘special category’ personal data in some cases. Special category personal data is data that can reveal your or another person’s racial or ethnic origin, religious or philosophical beliefs, trade union membership, political opinions, genetic or biometric data, health information, or sex life or sexual orientation. We process this type of data where it is necessary to prevent or detect crime or unlawful acts, or where it is necessary to protect your financial wellbeing (and obtaining your consent would be unreasonable or otherwise impact our ability to help you).
• Exercising legal rights – We may also need to process special category personal data to establish, defend or conduct legal claim (this includes obtaining legal advice).
Further information on the lawful bases for processing personal data can be found on the ICO website.
Your personal data may be shared and processed by other companies within our group, for example, where they provide services to us, for marketing purposes or for entering into a contract with you for the provision of our products or services, or to perform obligations under that contract. When you open an account with us and you already have an account within the Boubyan Bank group, we may request your KYC documentation from that group company to assist in the account opening process or ongoing maintenance of your account.
We may also share your personal data with the following parties:
• Our service providers – for example, we use: (i) ComplyAdvantage and Refinitiv to help us with the KYC and AML checks described above; (ii) Onfido to help us verify the identity of users, and(iii) LexisNexis for identity and verification services. We also use third parties to: (i) make our bank cards and provide card processing services; (ii) monitor transactions; (iii) provide network services; and (iv) help us run the App and Website (including by providing cloud computing and storage services). We share basic information such as your name, address, date of birth and contact details with Currency Cloud to create multi-currency accounts with the ability to receive funds, manage, convert and pay in multiple currencies. For Display Advertising we use a Mobile Measurement Partner, Adjust GmbH, to help us measure our advertising campaigns by matching the take up of a Nomo product or service to the advertisements they were converted from.
• Verification, fraud prevention and responsible lending – we use credit reference agencies and similar service providers to assess whether we can provide services to you, to fulfil our obligations as a responsible provider of banking services and to comply with laws and prevent fraud. We share certain information about our customers and potential customers with credit rating agencies to: (i) help them maintain accurate registers of individuals’ financial status; (ii) help with the tracing of debts; (iii) understand whether you are eligible for our products and services; and (iv) manage your account with us. The information we may share with credit reference agencies include: (i) your identification information including your name, address and date of birth; (ii) details of the accounts and related transactions; (iii) any product or service applications you’ve made (including any loans or repayments); and (iv) details of the balances of any cards you have with us. You can find further information on the main credit reference agencies in the UK and Kuwait here:
• Law enforcement and other similar parties – as a bank, we’re under legal obligations to identify and report financial crime (which includes money laundering and tax evasion). We may share your details with official authorities, regulators or other government or law enforcement bodies including the police or courts in any jurisdiction where the law requires us to or if we otherwise think necessary. We may also share information with other banks for similar reasons. We may also have to share your information with other third parties where we are required to do so under law. These other third parties could be in any jurisdiction.
• Third parties - If you ask us to, we will share your information with any third party that provides you with account information or payment services. If you sign up to use the services of a third party provider which is registered as an Account Information Service Provider or Payment Initiation Services Provider, you’re allowing that third party to access information relating to your account. We are not responsible for any such third party’s use of your account information, which will be governed by their agreement with you and their privacy notice.
• Others – we may share your information with a Broker you have appointed to lead your engagement with us, for example, you may instruct a Broker to manage your Property Finance application. We may also share your details with people or companies if there’s a corporate restructure, merger, acquisition or takeover.
When we refer to automated decisions, we mean any decisions relating to you which don’t involve any people (for example, by only using computers). We may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity.
We use automated decision making to verify your identity and the information you provide in your application, prevent fraud and money laundering, and check whether you are eligible for our products.
We do this by taking information contained in your application or that we have received from third parties (for example, publicly available registers like the Public Authority of Civil information (PACI)) or credit reference agencies and passing this onto third parties who perform fraud prevention, ‘KYC’ (know your client) and ‘AML’ (anti-money laundering) services. These third parties provide us with relevant information about your identity and may include your financial history, credit information, and fraud prevention information.
If these third parties believe you are a fraud or money laundering risk, or if we otherwise believe you have adverse credit, we may reject your application for an account, decide not to offer you a product or change your existing products or services.
Some service providers above may also keep records of your credit history, fraud or money laundering risk on file, which may result in other parties refusing to provide services or financing to you.
Our appropriateness questionnaire automatically assesses your knowledge and experience of the type of investment product offered. The outcome will determine whether we can offer you our investment service. If the outcome is not favourable you can access our educational material to increase your understanding and knowledge of investment products and re-take the questionnaire at your convenience.
We may build profiles about you so that we can better understand your circumstances, behaviours and preferences in relation to marketing and improve the relevance of products and services offered to you. We do this by collecting information you provide to us or our affiliates (or information that we otherwise obtain) and, in some cases, combining this with other information we know about you.
You have rights in relation to automated decision making for example, you may have a right to request human intervention and to challenge the decisions made by us on the basis of automated decision making. You can do this by contacting us using the “Contact Us” section below.
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or to employ you, or we may stop providing existing services to you.
A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us by using the “Contact Us” section below.
How long we hold your personal data for will depend on the circumstances. The retention period we apply will be based on many factors including:
• The purpose for which we are using the data – we will need to keep the data for as long as is necessary for that purpose; and
• Legal obligations – laws or regulation may set a minimum period for which we have to keep your personal data.
To work out how long we keep different categories of data, we consider why we hold it, how sensitive it is, how long the law says we need to keep it for, and what the risks are.
Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
You have a number of legal rights in relation to the personal data that we hold about you. These rights include:
For more information or to exercise your rights contact us using the details set out in the “Contact us” section below.
You also have a right to complain to the Information Commissioner’s Office, which regulates the processing of personal data. You can find out more information about your rights by contacting the ICO, or by searching their website.
We may transfer and store the data we collect about you to organisations outside the United Kingdom.
When we do this, we make sure that your data is protected and that the transfer is subject to appropriate safeguards or is otherwise permitted under applicable law. For example, in the context of personal data transferred outside the United Kingdom or the EEA, the country to which the personal data is transferred may be approved by the ICO or the European Commission, or the recipient may have agreed to model contractual clauses approved by the European Commission or the ICO that oblige them to protect the personal data.
Fraud prevention agencies may allow the transfer of your personal data outside of the UK. This may be to a country where the UK Government has decided that your data will be protected to UK standards, but if the transfer is to another type of country, then the fraud prevention agencies will ensure your information continues to be protected by ensuring appropriate safeguards are in place.
If you’d like a copy of the relevant data protection clauses, please get in touch using the “Contact us” section below.
If you would like further information on the collection, use, disclosure, transfer or processing of your personal data or the exercise of any of the rights listed above, or would like to speak to our Data Protection Officer, please address questions, complaints, comments and requests by email to firstname.lastname@example.org or by post to Data Protection Officer, Bank of London and the Middle East plc, Cannon Place, 78 Cannon Street, London, EC4N 6HL.
If you have a complaint and you are not happy with our response, you can refer your complaint to the ICO. For more details, you can visit their website at ico.org.uk.
We will post any changes we make to this notice on this page. We will also email you to let you know if we make significant changes to this notice.