Financial Crime World

Spanish Data Protection Agency Fines BBVA €70,000 for Identity Theft Due to Lack of Proper Identity Verification

The Spanish Data Protection Agency (AEPD) imposed a fine of €70,000 on Banco Bilbao Vizcaya Argentaria (BBVA) for failing to securely verify a client’s identity, leading to identity theft and unauthorized transactions.

Incident Details

According to the AEPD’s decision [1], the incident occurred in July 2021 when a client lost his ID card. A third party gained access to the account holding €9,400 and withdrew the money, providing a forged signature on the bank document. Despite the signature not matching the one on the ID card, the withdrawal was approved.

AEPD’s Decision

The AEPD held BBVA responsible for not implementing appropriate security measures to verify the client’s identity in accordance with the GDPR. The agency emphasized that the incident could have been prevented if the bank had followed the protocols available to it, such as comparing and verifying both the photograph and the signature on the document presented for the transaction [2].

The AEPD determined that BBVA had breached both Article 6 and Article 32 of the GDPR. It found that the bank had not taken adequate technical and organizational measures to protect personal data, specifically the client’s identity. The fine was issued under case number PS/00456/2022 and was based on Articles 83(4)(a) and 83(5)(a) of the GDPR.

The Importance of Identity Verification

This case underscores the importance of financial institutions implementing robust identity verification procedures to secure clients’ accounts and protect them from identity theft [3]. The incident serves as a reminder that financial organizations bear a significant responsibility for safeguarding personal data and must remain vigilant to prevent unauthorized transactions.

Regulatory Environment

The AEPD’s decision reflects a regulatory environment in Spain that holds organizations accountable for GDPR compliance. The fine imposed on BBVA highlights the need for financial institutions to ensure that they provide secure, reliable, and GDPR-compliant services to their clients.

More resources and information regarding identity theft can be found in related articles and blogs discussing best practices and the latest developments in the field.

[1] AEPD Decision: https://www.aepd.es/sites/default/files/2023-09-12_PS_00456_2022-ES.pdf

[2] AEPD Press Release: https://www.aepd.es/sites/default/files/2023-09-12_COMUNICACION_SANCION_BBVA.pdf

[3] Identity Theft and Financial Institutions: https://www.identitytheft.gov/Business/Financial