eBay

---

@insidethe93 wrote:

 

Major areas where the FCA doesn't regulate eBay include age verification checks for restricted goods, product safety, data protection (I hope/believe that's regulated by the ICO), and general marketplace. So I ask again: does eBay explain how they'd keep photo ID secure? 

---

Their (lengthy) explanation can be found in the User Privacy Notice - photo ID is included under the remit of "personal data".

From memory.  The FCA was set up after several high profile mis-selling scandals.  Endowment mortgages that didn't pay off the loans, PPL insurance to the self-employed when the small print specifically excluded them from claiming, there were probably more.  These hit the reputation of the UK Financial Services Industry for reliability amongst consumers and its income.

The govt. set up the Financial Conduct Authority  to regulate companies engaged in financial services, clean up providers and restore confidence.  They do this by issuing Guidelines designed to ensure that consumers of the services are not disadvantaged by firms seeking to increase their profits by shady practices.

IMHO some of ebay's practices are definitely on the shady side and need firmer guidelines, or at least some pointed "discussions" between the FCA and .uk execs. to make it clear to them what the guidelines are and where ebay is on thin ice.

If they don't heed the guidelines the FCA can revoke ebay's licences to operate in the UK.

---

@4_bathrooms wrote:

---

---

Also:

"when it’s necessary for existing customers — for example, if their circumstances change"

I saw that too, but then when you read on, the example circumstances are:

• a big change in the level or type of business activity
• a change in the ownership structure of a business

Again, all very business focused. It seems like an over aggressive application of a policy to trigger this for small scale private sellers.

'Again, all very business focused. It seems like an over aggressive application of a policy to trigger this for small scale private sellers.'

------------------------------------------------------------------------------------------------

Oh yes, sledgehammer to crack a nut.

But this particular sledgehammer method earns ebay interest on the held monies.

So, yeah. They're going to do it for the tiniest little reason they can think of...

its just a pretext to harvest everybodys data , safety is the fig leaf they use to justify the policies , sharing our data with dozens of global organisations and their staff is designed to keep us safe because our privacy is very important to ebay, facebook, Google , Paypal and Onlyfans 

---

@leighbayuk wrote:

---

@4_bathrooms wrote:

---

---

Also:

"when it’s necessary for existing customers — for example, if their circumstances change"

I saw that too, but then when you read on, the example circumstances are:

• a big change in the level or type of business activity
• a change in the ownership structure of a business

Again, all very business focused. It seems like an over aggressive application of a policy to trigger this for small scale private sellers.

---

This is the applicable section quoted verbatim:

"The changing circumstances of your customers

You need to keep up-to-date information on your customers so that you can:

• update your risk assessment of a particular customer if their circumstances change
• carry out further due diligence measures if necessary

Changes of circumstance may include:

• a big change in the level or type of business activity
• a change in the ownership structure of a business"

The first two points apply to all the regulated organisation's customers that are subject to KYC checks; not just businesses. Even where businesses are concerned the last two points are only given as examples.

If you change your name by deed poll your circumstances have changed as you are no longer legally identified by your previous name. If you change your address the address eBay previously verified is no longer valid for you. If you change your bank account or change any details recorded against your bank account then eBay's previous verification is no longer valid. Changing any of these details in your eBay account will automatically trigger eBay's KYC due diligence checks.

The FCA can fine organisations who fail to carry out their due diligence requirements under the money laundering regulations. For example, Barclays Bank was recently fined a total of £42M for failing to carry out the necessary due diligence checks against one of their customers. Although an extreme case you can guarantee eBay will over-comply with the MLRs; especially when there is the risk of a financial penalty hanging over their head for any failure to comply. 

---

@4_bathrooms wrote:

---

This is the applicable section quoted verbatim:

"The changing circumstances of your customers

---

Surely the first two points are why they need to do it. The second two are examples of when.

I do not believe eBay have an individual risk assessment for each and every customer. Perhaps I should submit an SAR to see mine.

---

@leighbayuk wrote:

---

@4_bathrooms wrote:

---

This is the applicable section quoted verbatim:

"The changing circumstances of your customers

---

Surely the first two points are why they need to do it. The second two are examples of when.

Precisely.

---

@leighbayuk wrote:

I do not believe eBay have an individual risk assessment for each and every customer. 

---

A KYC check is eBay checking you are who you say you are, living where you say you live whilst holding a bank account from a recognised financial institution that can be verified as belonging to you; all requirements under the MLRs. If you change any of those details as recorded in your eBay account even slightly the KYC checks will be triggered.

---

@4_bathrooms wrote:
A KYC check is eBay checking you are who you say you are, living where you say you live whilst holding a bank account from a recognised financial institution that can be verified as belonging to you; all requirements under the MLRs. If you change any of those details as recorded in your eBay account even slightly the KYC checks will be triggered.

---

The point being, both the "when" examples given under changes in circumstance are business related ones and quite significant changes. I also note that the verification form states:

By selecting Upload and save, you agree to offer products and services that comply with applicable laws.

Are my private sales, really products and services? I really can't believe they do this verification process and write a new customer specific risk assessment every time someone changes address. They certainly haven't done this before in the 24 years I've been a member.

If this is something they are rolling-out to all customers then they need a better and more scalable process than uploading photo IDs.

Anyway, I'll await a response from their DPO before deciding if I will upload. Their privacy notice is rather vague about where it will be stored, how long it will be retained, and if it will be process by AI.

'my trigger request came when i wanted to remove an expired debit card , bank account sort code address not even changing, i only sold a very few low value items , nothing whatsoever should have been triggered , my debit card had simply expired , surely the system can be less petty in what gets flagged..' 

Will there be any escape from all this when we reach our own expiry dates, I wonder? These days, any portal to a better world will probably be manned by some ghostly twit asking for photo id... 'we need to make sure it's yoooo-whoo-hoo'... 👻

---

@leighbayuk wrote:

---

@4_bathrooms wrote:
A KYC check is eBay checking you are who you say you are, living where you say you live whilst holding a bank account from a recognised financial institution that can be verified as belonging to you; all requirements under the MLRs. If you change any of those details as recorded in your eBay account even slightly the KYC checks will be triggered.

---

The point being, both the "when" examples given under changes in circumstance are business related ones and quite significant changes.

---

That is the GOV.UK's guidance page for organisations subject to anti-money laundering supervision; it is intended for businesses rather than consumers and the (very general) advice is worded accordingly. Any organisation subject to AML supervision - which includes financial service providers (like eBay), accountants, estate agents and letting agents have to perform KYC due diligence checks against their customers; the initial KYC check is a risk-assessment. Where existing customers are concerned the legislation states:

"(8) A relevant person must also apply customer due diligence measures—

(a)at other appropriate times to existing customers on a risk based approach;

(b)when the relevant person becomes aware that the circumstances of an existing customer relevant to its risk assessment for that customer have changed."

---

@leighbayuk wrote:

I also note that the verification form states:

 

By selecting Upload and save, you agree to offer products and services that comply with applicable laws.

 

Are my private sales, really products and services?

---

The same verification form is sent to private and business sellers; it should really state "products and/or services".

---

@leighbayuk wrote:

---

I really can't believe they do this verification process and write a new customer specific risk assessment every time someone changes address. They certainly haven't done this before in the 24 years I've been a member.

 

---

The AMLs were introduced in 2018 and were further amended in 2019; the current customer due diligence requirements (as amended) came into force on 10th July 2020. When the new KYC requirements came into force eBay was not required to perform KYC checks against it's existing customers but was if their circumstances subsequently changed.

---

@leighbayuk wrote:

---

If this is something they are rolling-out to all customers then they need a better and more scalable process than uploading photo IDs.

 

---

It was the government who decided a "photograph on an official document which confirms their identity"

was the "best way" for a supervised organisation to confirm a customer's identity; specifically: "a government issued document like a passport". The only government-issued documents that officially confirm identity are a driving licence or a passport. This was probably decided because most of those who sit in the two houses can't imagine there's such a thing as a citizen who doesn't drive and/or who doesn't go abroad at least once every ten years. Anyway, there have been reports on these boards of eBay accepting other documentation in lieu of a driving licence or passport but ultimately it results in the person handing over even more personal information than just supplying a driving licence or a passport would have done.

---

@department28 wrote:

'my trigger request came when i wanted to remove an expired debit card , bank account sort code address not even changing, i only sold a very few low value items , nothing whatsoever should have been triggered , my debit card had simply expired , surely the system can be less petty in what gets flagged..' 

 

Will there be any escape from all this when we reach our own expiry dates, I wonder? 👻

---

Visa and Mastercard have automatic card update systems (Visa Account Updater & Automated Billing Updater) in place where debit and credit card details are updated with merchants when a new card is issued. If a card has expired and a new one (for the same account) has been issued the card details held by the merchant (i.e. eBay) should automatically update without requiring any intervention from the user; this should negate any KYC checks.

However, if you do anything manually to update your card details that very likely will trigger eBay's KYC checks as will opting-out of VAU/ABU in the issuing bank's mobile app.

---

@4_bathrooms wrote:

---

---

Any organisation subject to AML supervision - which includes financial service providers (like eBay), accountants, estate agents and letting agents have to perform KYC due diligence checks against their customers; the initial KYC check is a risk-assessment. Where existing customers are concerned the legislation states:

 

"(8) A relevant person must also apply customer due diligence measures—

 

(a)at other appropriate times to existing customers on a risk based approach;

(b)when the relevant person becomes aware that the circumstances of an existing customer relevant to its risk assessment for that customer have changed."

---

Thanks, that was a very insightful post. I still find it strange that none of the banking companies wanted photo ID when I changed my address, just eBay. I'm intrigued by their risk assessment that finds a simple change of address suspicious in a customer of many years with an account in good standing.

Luckily I have a zero balance and nothing I need to sell (surely the zero balance reduces the risk). So I can just wait on the DPO response and perhaps submit a SAR for my risk assessment.

A zero balance is no protection, they have a vable direct debit from your bank account or credit card they can use for any excuse.

Surely not if they have doubts about my identity. It would be inappropriate and irresponsible to conduct any financial transaction.

---

@leighbayuk wrote:

Surely not if they have doubts about my identity. It would be inappropriate and irresponsible to conduct any financial transaction.

---

Where eBay is concerned the MLRs only relate to money you receive; this is why buyers aren't subject to MLR checks. eBay will still debit any funds you owe but this would only be as the result of outstanding eBay fees or losing an MBG case/chargeback.

Should have guessed that the house always wins.

It's point 3 that's the sticking point for me.

"Data may be stored in the EEA, UK, or jurisdictions with adequate safeguards, under Binding Corporate Rules and EU Standard Contractual Clauses or ICO Standard Data Protection Clauses."

What is the EEA?

Who decides if jurisdictions have 'adequate safeguards'?

What are Binding Corporate Rules, Standard Contractual Clauses and Data Protection Clauses?

I've never heard of them.

Who decides if they can be amended or removed?

A hypothetical case:

I give photo I.D to ebay.uk (covered by UK D P Laws).  Presumably the USA and ebay.com will have passed the 'adequate safeguards' test.

Can ebay.uk back up my data in San Jose Ca.?

With Trump in charge is it likely that the UK D.P.A will be allowed to look at who is doing what with my personal data?