Privacy Policy
Bank of London is committed to respecting your privacy and complying with the laws and regulations which apply to the use of your information.
This privacy policy explains how Bank of London collects and uses:
- Personal data from visitors to our website; and
- Personal data from users of our services.
A separate policy exists for applicants of job openings shown in our Join our team web page. We are committed to protecting your personal data and being transparent about how we collect, use, and store it. Privacy and data protection are integral to our systems and services. We maintain comprehensive security measures including access controls, encryption, monitoring, and regular staff training to protect your personal data. We encourage you to read this policy carefully. If you have any questions, please contact our Data Protection Officer using the details provided in Section 2.
If you are a website user
This policy applies to all personal data which you provide or which we collect when you browse our website, complete forms or make enquiries, subscribe to newsletters or marketing, or interact with our website features.
If you are a representative of our client and associated individuals
This policy also applies to any individual associated with a client or prospective client of Bank of London. This includes authorised users and signatories, directors, partners, and beneficial owners, shareholders and company secretaries, trustees and members, employees and contractors, contacts and relationship managers, and anyone whose personal data we process in connection with our services. We process this personal data when you use our services directly or indirectly, as a result of processing payments involving you, through communications and interactions with us, to comply with our legal and regulatory obligations, and for verification, anti-money laundering, and sanctions checks.
We are The Bank of London Group Limited ("Bank of London", "we", "us" and "our"), a company incorporated in England and Wales with registered number 12844788. Our registered address is 4th Floor, 77 Cornhill, London, EC3V 3QQ, United Kingdom.
We are a bank authorised by the Bank of England’s Prudential Regulation Authority and we are regulated by the Financial Conduct Authority and the Bank of England’s Prudential Regulation Authority under Financial Services Register number 930379. For data protection purposes, we typically operate as the "data controller" of your personal data, which means we determine how and why your personal data is processed. In some circumstances, we act as data processor on behalf of clients when processing third-party personal data in payments under client instructions.
We have appointed a Data Protection Officer to oversee our compliance with data protection laws and this privacy policy. If you have any questions about how we use your personal data, please contact our Data Protection Officer at the following email address: dataprotectionofficer@bankoflondon.com. We may make changes to this policy from time to time, including as may be necessary or prudent to reflect any changes in the ways in which we process personal data or any changes in data protection laws. Any changes and updates to this policy will be posted on the Bank of London website (Bank of London: Home). Please check this notice regularly so that you are aware of any changes.
We collect personal data about you in various ways, depending on how you interact with us. Most of the information we process comes directly from you, but we may also obtain information from other sources, particularly if you apply for our services.
Information collected directly from you – website users
For website users, we collect information, including personal data, directly from you when you:
· browse our website and interact with its features;
· complete forms on our website (such as contact or enquiry forms);
· communicate with us by email, telephone, live chat, WhatsApp, or other means;
· apply for an account or any of our services, or sign-up to our sandbox environment;
· request technical support or assistance;
· apply for a job using our website;
· make a complaint or provide feedback; and/or
· subscribe to our newsletters or marketing communications.
Information collected directly from you – client users
For individuals associated with our business clients, we collect information directly when:
· your organisation applies for or uses our banking services;
· you are designated as an authorised user, signatory, or contact for your organisation;
· you access our Online Banking Portal or use any API services;
· you create or manage login credentials for our systems;
· you correspond with us regarding transactions, queries, or support requests;
· you participate in client onboarding, due diligence, or periodic reviews;
· you are identified as a director, beneficial owner, or person with significant control;
· you make or receive payments processed through our systems;
· you request technical support or report issues with our services;
· you attend meetings, calls, or other interactions with our team; and/or
· you provide information for audit and/or regulatory compliance purposes.
Information from client organisations
If your employer or organisation you represent is a business client, we may receive your personal data from:
· your employer or the organisation you represent;
· other individuals within your organisation (such as administrators or senior management);
· third parties authorised by your organisation to act on its behalf;
· payment originators or beneficiaries when you are referenced in transactions; and/or
· other financial institutions involved in processing transactions.
Information from business and regulatory sources
In connection with our services to business clients, we obtain information from:
· Companies House and similar corporate registries;
· sanctions, politically exposed persons (PEP), and adverse media databases;
· business information services and trade registers;
· professional networks and industry directories;
· publicly available sources including company websites and professional profiles;
· other banks and financial institutions (for reference checks and transaction processing);
· regulatory bodies and law enforcement agencies; and/or
· professional service providers engaged by us or your organisation.
Marketing data sources
We may receive your information from:
· marketing event organisers when you attend industry events;
· social media platforms when you interact with our content;
· third-party webinar platforms when you register for our online events; and
· business partners for co-marketed events and initiatives.
Information we collect automatically
When you visit our website, we automatically collect certain technical information through cookies and similar technologies. This includes information about your device, how you use our website, and your browsing behaviour. For more details, please see our Cookie Policy.
Information from third-party sources
We obtain information from various third parties to verify identities, conduct due diligence, and comply with our regulatory obligations. These include identity verification services such as Lexis Nexis and Jumio, credit reference agencies, fraud prevention agencies like CIFAS, Companies House and other corporate registries, financial crime databases, sanctions and PEP screening databases, other financial institutions for references and transaction processing, payment originators or beneficiaries, law enforcement and regulatory bodies, professional advisers and service providers, and publicly available sources and professional networks.
The personal data we collect depends on your interaction with us. We only collect information necessary for specified purposes, ranging from basic contact details for website visitors to comprehensive information for client representatives using our banking services.
You can find out more about the specific items of personal data we collect by expanding the information fields below.
Identity and contact information
We collect personal identification information including your name, title, gender, email addresses (both personal and business), telephone numbers (mobile and landline), postal addresses (home and business), date of birth and age, nationality and country of residence, identification documents such as passport, driving licence, or national ID, photographs for identity verification purposes, and signature specimens where required.
Professional information - client representatives
For individuals representing our business clients, we collect professional details including your job title and role within your organisation, professional qualifications and memberships, areas of responsibility and authority levels, employment history and professional experience, languages (preferred and spoken), directorships and other positions held, shareholdings and beneficial ownership details, information from business cards and email signatures, and publicly available professional profiles such as LinkedIn.
Account and access information
To provide secure access to our services, we collect usernames and unique identifiers, account numbers and sort codes, API keys, and integration credentials where applicable, multi-factor authentication details, security questions and answers, access permissions and authority limits, login history and session data, and password reset information.
Financial and transaction data
In the course of providing our services, we process bank account details, payment instructions and transaction history, information about transaction approval workflows, payment references and descriptions, source of wealth and source of funds information for compliance purposes, credit card numbers (if processed for any purpose), financial statements and position details, credit history and references, and income and asset information where required.
Digital and behavioural data
Our systems automatically collect IP addresses and device identifiers, MAC address, [browser type and version, operating system and platform information, time zone and] location settings, [browser plug-ins and technologies installed], information about pages visited and features used, click paths and journey tracking data, cookie identifiers, GPS/location data, app usage data and search history within our platforms, social media profile ad activity, browsing behaviour on our website and purchase history. For the purposes of maintaining client profiles, we also collect your service usage patterns and preferences, transaction behaviours and trends, interaction history with our services and predicted interests based on service activities and client segment classifications.
Communications and Interactions
We maintain records of our interactions with you including emails, letters, SMS, phone call recordings where you have been notified, instant messages, audio recordings, video recordings, meeting notes and minutes, support tickets and queries, complaints and feedback, survey responses, training and webinar participation records, your marketing preferences and, if relevant, consent records.
Compliance and Due Diligence Information
To meet our regulatory obligations, we collect identity verification results, proof of address documents, know your customer (KYC) information, anti-money laundering (AML) check results, politically exposed person (PEP) status, sanctions screening results, adverse media findings, beneficial ownership structures, source of wealth documentation, tax residency, place of birth (for enhanced due diligence), marital status (may be collected for KYC or beneficial ownership purposes), number of children (if relevant for financial assessments), homeownership status (for creditworthiness assessments), National Insurance numbers and taxpayer IDs, biometric data including facial recognition for identity verification (with explicit consent), and voice recognition data from phone calls (where applicable).
Special Category and Criminal Records Data
In limited circumstances, we may process special categories of personal data including:
Biometric data: we may use facial recognition for identity verification, voice recognition from recorded calls for security purposes, and other biometric identifiers where you provide explicit consent.
Health and vulnerability information: we may process limited health data including mental health vulnerability indicators for customer protection, disability information for accessibility requirements, and health-related information to identify any special needs.
Criminal records data: we process information about criminal convictions and offences for anti-money laundering checks, fraud prevention, and regulatory compliance.
Through our services, we may inadvertently receive racial or ethnic information from identity documents or screening databases, religious or philosophical beliefs revealed in payment references, political opinions through PEP screening, trade union membership in payment descriptions, or sexual orientation if disclosed in communications.
When we process Special Category data or Criminal Records data, in addition to the lawful basis we also identify an additional condition for processing pursuant to Art. 9 of the UK GDPR and the Data Protection Act 2018, commonly “Regulatory requirements relating to unlawful acts and dishonesty”, “Fraud prevention” or “Equality of opportunity and treatment”.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes or if you become aware that any personal data that we hold is not accurate.
We only use your personal data where we have a lawful basis for doing so. The main purposes include communications with current and prospective clients, providing our services to clients, complying with legal obligations, managing security and risk, and improving our services.
Click a section below to view additional information about the purposes described, together with details of the legal basis upon which we process personal data for that purpose.
Website operation and user experience
We process personal data to operate, maintain and improve our website. This includes providing website functionality and features, managing user accounts and preferences, offering troubleshooting and technical support, analysing usage patterns and user journeys, testing new features and improvements, and ensuring website security and performance.
Legal basis: legitimate interests in operating our website effectively and improving user experience.
Service provision to business clients
We process personal data to provide banking and payment services to business clients. This encompasses account opening and management, payment processing and settlement, providing online banking and API access, generating transaction reports and statements, delivering customer support and handling queries, and sending service notifications and updates.
Legal Basis: performance of our contract with your organisation and legitimate interests in efficient service delivery.
Application processing
When you or your organisation applies for our services, we process personal data for identity and address verification, creditworthiness assessments, eligibility checks, risk assessments, application decisions, and onboarding processes.
Legal Basis: performance of contract (taking steps prior to entering a contract) and legal obligation for regulatory checks.
Client due diligence and monitoring purpose
We conduct initial and ongoing due diligence which involves know your customer (KYC) verification, beneficial ownership identification, source of wealth and funds verification, periodic reviews and updates, enhanced due diligence for high-risk clients, and professional reference checks. Please note that the process is risk-based and the intensity of scrutiny and the data required to complete it may vary depending on your circumstances.
Our comprehensive onboarding process involves multiple stages of verification and assessment. For standard account opening, we verify identity, conduct initial KYC checks, and set up account access. For technology integrations, we additionally process technical user credentials, API configurations, and engineering contact details.
We use specialised identity verification platforms to verify the identity of clients and their representatives, comply with AML/KYC regulations, and manage secure access to our systems and services.
Legal Basis: legal obligation under anti-money laundering regulations and legitimate interests in managing business risk.
Regulatory compliance and reporting
We must comply with extensive financial services regulations, which requires us to conduct AML monitoring, sanctions and PEP screening, transaction monitoring, suspicious activity reporting, regulatory reporting to authorities, maintaining legally required records, responding to regulatory enquiries, and cooperating with official investigations.
Once you become a client, we conduct ongoing monitoring including sanctions and PEP screening, regular KYC refresh cycles, transaction pattern analysis, and periodic risk reassessments. This continuous monitoring is essential for maintaining the integrity of the financial system and protecting against financial crime.
We process personal data to comply with specific regulatory reporting obligations including contributing to the Financial Services Compensation Scheme (FSCS) Single Customer View to maintain centralised records of protected deposits, and submitting returns to the Bank of England under the Sterling Monetary Framework.
Legal Basis: legal obligation under financial services laws and regulations.
Security and fraud prevention
Maintaining the security of our systems and preventing fraud involves user authentication and access control, fraud detection and prevention systems, security incident investigation, protection against cyber threats, audit logging and monitoring, physical security measures, and sharing information with fraud prevention agencies.
Legal Basis: legal obligation and legitimate interests in protecting systems, clients, and preventing crime.
Communications and marketing
We communicate with you about matters relating to our business and services, including service updates and changes, regulatory and compliance matters, new products and features, events and training opportunities, newsletters and thought leadership, and satisfaction surveys and feedback requests.
Legal Basis: legitimate interests in client relationship management, consent for electronic marketing where required, and performance of contract for service communications.
We process personal data when you register for or attend our branded events, third-party events where we participate, and webinars. This includes managing registrations, sending event communications, and following up with attendees.
Legal basis: legitimate interests in event management.
We analyse client data to segment clients based on their interests, behaviours, and service usage patterns. This helps us provide more relevant services and communications.
Legal Basis: legitimate interests in improving service delivery and customer experience.
Business operations and analytics
We process personal data to manage and improve our business through service usage analysis, product development and innovation, quality assurance and testing, business intelligence and reporting, strategic planning, and staff training and development.
Legal basis: legitimate interests in improving services and business efficiency.
Legal and risk management
We process personal data for managing legal and business risks, including establishing, exercising or defending legal claims, debt recovery and enforcement, credit risk assessment, insurance claims, business continuity planning, and mergers, acquisitions, and restructuring.
We maintain systems for regulatory engagement and whistleblowing reports. While primarily for internal use, these may involve processing personal data of individuals mentioned in reports or involved in regulatory matters. We handle such data with enhanced confidentiality and security measures.
Legal Basis: legitimate interests in protecting our legal and commercial position and legal obligation.
We conduct specific screening for politically exposed persons (PEPs) and sanctions checks on all clients and connected parties, including daily re-screening against updated lists.
Legal Basis: Legal obligation under anti-money laundering regulations.
Responding to enquiries
We process personal data when handling general enquiries about our services, technical support requests, complaints, feedback, and information requests. We use automated chatbot services and contact forms on our website to provide initial customer support, answer frequently asked questions, and route enquiries to appropriate teams.
Legal Basis: Legitimate interests in providing customer service and performance of contract.
Identity and access management
Managing user access to bank accounts including creating and managing user profiles, assigning role-based permissions, monitoring access patterns, and ensuring secure authentication.
Legal Basis: Performance of contract and legitimate interests in maintaining security.
Payments and transaction monitoring
Beyond basic transaction processing, we conduct real-time monitoring of payment patterns to detect unusual activities, generate regulatory reports, identify potential money laundering or fraud, and ensure compliance with transaction monitoring requirements.
Legal Basis: Legal obligation and legitimate interests in preventing financial crime.
Targeted advertising and audience building purpose:
We share limited data with social media and display advertising platforms to show targeted advertisements and create "lookalike audiences" for marketing purposes. This includes sharing hashed email addresses with platforms like LinkedIn and using tracking cookies for retargeting.
Legal Basis: Consent (through cookie preferences) and legitimate interests in marketing our services.
Summary:
Some personal data is essential for us to provide our services or meet legal requirements. If you don't provide required information, we may be unable to offer services or proceed with applications.
Understanding Mandatory and Optional Information Requirements
Mandatory information
Certain information is mandatory because we need it to verify your identity as required by law, perform anti-money laundering checks as required by regulations, assess applications for services, provide access to our systems, comply with regulatory obligations, and enforce our terms and conditions.
If mandatory information is not provided, we cannot open accounts or provide services, we may need to suspend or terminate existing services, we cannot process certain transactions, and we may be unable to comply with legal obligations.
Optional information
Some information is optional and used to improve your experience, provide additional features, send marketing communications, and conduct research and analytics. If optional information is not provided, you would ordinarily still be able to use our core services unless we notify you otherwise, although some features may be unavailable, we may be unable to personalise services, and you won't receive marketing communications.
Consequences for your organisation
If you represent a business client and don't provide required personal data, your organisation's application may be rejected, services to your organisation may be affected, you may be unable to access systems or approve transactions, and your organisation may need to nominate alternative representatives.
For the purposes set out in Section 7 above, your personal data may be transferred outside of the UK to a recipient in a country which does not have equivalent data protection laws to those in force in the UK. Where this is the case, we ensure that appropriate safeguards are implemented in respect of your personal data in accordance with UK data protection laws.
These safeguards can include the use of the UK International Data Transfer Agreement, standard contractual clauses or binding corporate rules. In particular, we will ensure that where your personal data is transferred outside of the United Kingdom, the data importer will be contractually obliged to: (a) ensure your personal data is afforded equivalent protection as would be afforded to it within the United Kingdom; and (b) keep us informed of any development affecting or likely to affect the level of protection your personal data receives in the importer’s country.
We have implemented appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
· encryption of data in transit and at rest;
· regular security assessments and penetration testing;
· access controls and authentication procedures;
· staff training on data protection and security;
· incident response and breach notification procedures;
· physical security measures for our premises and systems;
· real-time transaction monitoring systems.
We follow industry standards and maintain a comprehensive information security management system aligned with internationally recognised standards such as ISO 27000 and NIST SP-800. However, please be aware that no method of transmission over the internet is completely secure.
Under data protection law, you have various rights regarding your personal data. These rights are not absolute and may be subject to certain exceptions.
Right of Access
You can request a copy of the personal data we hold about you, along with information about how we use it.
Right to Rectification
You can ask us to correct any inaccurate or incomplete personal data we hold about you.
Right to Erasure
In certain circumstances, you can request that we delete your personal data, for example where it is no longer necessary for the purposes for which it was collected.
Right to Restrict Processing
You can ask us to restrict the processing of your personal data in certain circumstances, for example while we verify its accuracy.
Right to Data Portability
Where we process your data based on consent or contract and by automated means, you can request to receive your data in a structured, commonly used format.
Right to Object
You can object to our processing of your personal data where we rely on legitimate interests. You also have an absolute right to object to direct marketing.
Rights relating to automated decision-making
Where we make decisions about you based solely on automated processing, you can request human intervention and challenge the decision.
Rights relating to profiling activities
When we conduct profiling for client segmentation and service improvement, we rely on legitimate interests. You have the right to object to profiling activities, and we will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests.
Further information about your rights can be found on the Information Commissioner’s Office (ICO) website at http://www.ico.org.uk.
How to Exercise Your Rights
We have established procedures to ensure your rights requests are handled promptly and within statutory timescales. We maintain a dedicated process for data subject request fulfilment, with tracking and monitoring to ensure compliance with legal timeframes.
To exercise any of these rights, please contact our Data Protection Officer using the details in Section 2. We will respond to your request within one month, although this may be extended by two months for complex requests.
We may need to verify your identity before processing your request. There is no fee for exercising your rights unless your request is manifestly unfounded or excessive.
You also have the right to make a complaint at any time to the regulator for data protection issues which is, in the United Kingdom, the Information Commissioner's Office (ICO) (http://www.ico.org.uk).
We retain your personal data only for as long as necessary to fulfil the purposes for which we collected it, including to satisfy any legal, regulatory, accounting or reporting requirements.
To determine appropriate retention periods, we consider:
· the purpose for which we hold the data and ongoing business needs;
· our legal and regulatory obligations (for example, financial services regulations require us to keep certain records);
· statutory limitation periods for legal claims; and
· guidelines issued by relevant regulatory authorities.
We maintain a data retention policy that sets out retention periods for different categories of personal data. When your personal data is no longer required, we will securely delete or anonymise it.
Please note that in some circumstances we may need to retain your data for longer periods, for example where required for regulatory investigations or legal proceedings.
Our website may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to read the privacy policies of any third-party websites you visit.
We take our data protection obligations seriously. If you have any questions or complaints about this notice or the way that we handle your personal data, we would appreciate the chance to deal with your concerns in the first instance before you approach the relevant data protection authority. Please contact us at dataprotectionofficer@bankoflondon.com.