OakNorth Bank plc (“We”, “us”, “our” or “Bank”) is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register No. 629564). Registered in England No. 08595042. Registered Office: 57 Broadwick Street, London, W1F 9QS. References to “You” or “Your” is to the applicant who wishes to avail any service or product of the Bank and from whom the Bank shall collect and process the personal data to provide the service and/or product, as well as to previous and current customers of the products and/or services.
You can contact our Business Desk:
3, By emailing:
[email protected].uk
You can contact our Data Protection Officer directly by emailing: [email protected].uk
Before we provide services, products or financing to you, we shall collect and process your personal data to verify your identity and your nominated bank account details and undertake checks in order to prevent fraud and financial crime. For this, we may verify the information supplied by you from the records of fraud prevention and risk management agencies. We may ask you to provide physical forms of identity verification when you apply for an account. Alternatively, we may search credit reference agency files in assessing your application. The credit reference agency also gives us other details and information from the Electoral Register to verify your identity. The credit reference agency keeps a record of our search, and whether or not your application proceeds. Our search is not seen or used by lenders to assess your ability to obtain credit. You must notify us immediately of any change in your name, your home address, your email address or your telephone number.
The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment. For further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, please contact Experian, Equifax, Cifas, National Hunter, Refinitiv, GBG, Comply Advantage or Dow Jones, in order to make a Data Subject Access Request to see the information which is recorded against your name and address, or visit their website. We accept no responsibility or liability for the actions of any such agencies which act as separate and independent controllers, in particular, any information which is controlled by them and used for the purpose of fraud prevention/credit checks are not governed by our Privacy Notice. In addition, if you use the Relay UK Service when contacting us, you will share your information with this third party. You can learn more about Relay UK’s privacy policy here. To contact Relay UK directly to understand how they process your information, you can do that here.
We will share your information with providers of payment-processing services and other service providers to fulfil a payment or other service as part of a contract with you.
When you apply for an OakNorth savings product through a Partner, we will collect your Identity and Contact details to comply with statutory customer identification requirements. If you would like access to the information we use from our Partners, please contact them directly here – Hargreaves Landsdown, Monzo, Flagstone, Insignis, Raisin and Bondsmith.
Furthermore, we shall process your personal data for:
| Category of Personal Data | Purpose for Processing | Processing Grounds |
| Contact information
Financial information Transactional information Identity information Historical address information Tax residency information Security information Employment status information Online identifier information Risk and/or fraud information |
Account opening, operating, maintaining, administering and closing your account(s) and/or our business;
We will share your information with providers of payment-processing services and other service providers to fulfil a payment or other service as part of a contract with you. Providing you with the services and products you have requested
Providing you with the payments services you need to fund your savings account
Preventing or detecting money laundering, fraud or any other illegal activity, carrying out electronic verification checks, and Politically Exposed Person, financial crime and Sanctions checks |
Contract
Legitimate interest
Contract
Contract
Legal obligation Legitimate interest |
| Contact information
Financial information Transactional information Identity information Historical address information Tax residency information Employment status information Online identifier information Risk and/or fraud information Health Information Executor/Administrator Information Power of Attorney Information |
Internal reporting (for business operation purposes) and external reporting (for compliance with any legal and/or regulatory obligations)
Our confidential research and analysis; (including customer surveys that are anonymised and not used for marketing)
Complying with any other legal and/or regulatory requirements including legitimate requests for information from law enforcement or regulatory bodies/agencies |
Legitimate interest
Legal obligation
Legitimate interest
Legal obligation Legitimate interest |
| Contact information
Financial information Identity information Historical address information Tax residency information Security information Employment status information Online identifier information Power of Attorney Information |
Pre-populating recurrent or partially completed application forms with your details should you decide to open new or consecutive account(s) with us | Contract Legitimate interest |
| Contact information
Financial information Transactional information Identity information Historical address information Tax residency information Security information Risk and/or fraud information Health Information Estate Executor/Administrator Information Power of Attorney Information |
Responding to your queries and communicating with you about your account(s) and the services you have received | Contract |
| Contact information
Financial information Transactional information Identity information Historical address information Tax residency information Employment status information Risk and/or fraud information |
General record keeping requirements as stipulated by laws, regulations, and/or Regulatory Authorities (e.g. Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA)) | Legal obligation |
| Contact information
Financial information Transactional information Identity information Tax residency information Employment status information Online identifier information |
Developing the products and services we provide and notifying you of these developments that can affect you by sending you non-marketing communications to ensure you are informed of how developments to products and services may impact you | Legitimate interest |
| Contact information | Marketing purposes, including marketing newsletter emails, (only if you have positively opted in to receive marketing from us) | Consent |
The personal data collected from you, or which we have received from third parties like the credit reference agencies may include your:
| Information Obtained Directly from You | |||
| Category of Personal Data | Source | Requirement | Consequence of Failure to Provide |
| Contact Information
Financial Information Identity Information Tax Residency Information |
You | Statutory | It would not be possible to complete an application for the requested product and/or service. |
| Security Information
Employment Status Information |
You | Contractual | It would not be possible to complete an application for the requested product and/or service. |
| Health Information
|
You | Contractual | If you submit a request for Early Account Closure based on health-related hardship it may not be possible to complete an Early Account Closure Request. |
| Contact Information
Identity Information Historical Address Information Estate Executor/Administrator Information
|
Her Majesty’s Courts and Tribunals Service | Contractual | It would not be possible to complete the OakNorth Bereavement Process. |
| Contact Information
Identity Information Historical Address Information Health Information Power of Attorney Information
|
UK Government Lasting Power of Attorney Service | Contractual | The process to complete an application for the requested product and/or service via Power of Attorney (if required) would have to be completed manually and may cause a delay in the processing of your application. |
| Information Obtained from Other Sources | |||
| Category of Personal Data | Source | Requirement | Consequence of Not Evaluating |
| Contact Information
Identity Information Historical Address Information Financial Information Risk and/or Fraud Information |
Credit Reference Agencies | Contractual | The identity verification process would have to be completed manually and may cause a delay in the processing of your application. |
| Fraud Prevention Agencies | Statutory | It would not be possible to complete an application for the requested product and/or service. | |
| Contact Information
Identity Information |
Partners | Statutory | It would not be possible to complete an application for the requested product and/or service. |
| Contact Information
Identity Information Historical Address Information Employment Status Information Risk and/or Fraud Information |
Risk Management Agencies |
Statutory | It would not be possible to complete an application for the requested product and/or service. |
| Contact Information
Identity Information Employment Status Information Directorship Information Shareholding Information |
Companies House | Contractual | It would not be possible to complete an application for the requested product and/or service. |
| Contact Information
Identity Information Historical Address Information Estate Executor/Administrator Information |
Your Executor(s)/Administrators(s) of your Estate | Contractual | In the unfortunate event of your death, it would not be possible to complete the OakNorth Bereavement Process. |
| Contact Information
Identity Information Historical Address Information Health Information Power of Attorney Information |
Your Attorney/Deputy | Contractual | The process to complete an application for the requested product and/or service via Power of Attorney (if required) would have to be completed manually and may cause a delay in the processing of your application |
| Online Identifier Information | Contractual | This is optional and based on your explicit consent which you are not required to provide. | |
We only collect data from Companies House for business deposit accounts. We do not collect data from Companies House for individual deposit accounts.
| Glossary of Categories of Personal Data | |
| Category of Personal Data | Included Information |
| Contact Information | Postal address, email address, telephone number(s) |
| Identity Information | Title, name, nationality, gender, age, photograph, signature, electoral roll data, passport |
| Historical Address Information | Minimum two years of address history |
| Employment Status Information | Employed, self-employed, student, retired, other. We will also ask for the company name and job title if applicable. |
| Financial Information | Nominated bank account number and sort code, existing ISA account(s) details |
| Transactional Information | All deposits, withdrawals, and payment history of your OakNorth account(s) |
| Tax Residency Information | National insurance number, foreign tax identification number(s), citizenship(s) |
| Health Information
|
Patient data, prescriptions, medical expenses |
| Estate Executor/Administrator Information
|
Death certificate, death certificate verification form, coroner’s fact of death certificate, will, grant of probate, certificate of confirmation, letter of administration, grant of representation, inheritance tax form, letter from permitted regulated entity confirming executors/administrators of estate, additional permitted prescription forms |
| Power of Attorney Information | Lasting power of attorney (LPA), enduring power of attorney (EPA), Court of Protection/Deputyship, LPA code |
| Risk and/or Fraud Information | Information held by Fraud Prevention and Risk Management Agencies which may include information about your identity, activities, credit information, allegations or criminal convictions |
| Security Information | Security questions and answers, online banking login credentials |
| Online Identifier Information | IP address, cookies |
| Directorship Information | Directorship role of business |
| Shareholding Information | Beneficial ownership of business |
We will retain your personal data, that you supply in the application form and elsewhere, e.g. through a Partner (including identification data, product data, email correspondence, and transactional information) on paper and on computer, and/or other electronic devices for six years after the closing date of your last active account to comply with legal and regulatory obligations (including any possible fraud, financial crime and complaints investigations), to retain a reference and audit trail of any discussions, and to preserve a record of account history to facilitate a streamlined customer journey for any future new account applications. If you apply for an account, but do not fund and activate the account for any reason, the same personal data will be retained for at least three years after the closing date of your last account application for the same reasons.
We will retain records in accordance with our retention policy and to comply with laws and regulatory requirements, which can be up to six years after you last closed an OakNorth account. This includes retaining backups of our systems infrastructure for disaster recovering purposes and for the protection of data and collecting temporary logs of online applications to record your application progress and provide support in the case of any application issues.
We may monitor or record calls, emails, text messages or other communications in accordance with applicable laws. Such recording or monitoring may take place for business purposes such as quality control and training, prevention of unauthorised use of our telecommunication systems and website, ensuring effective systems operation, prevention or detection of crime, and protection of confidential information relating to the bank, including personal data of any user connected with their account(s). Call recordings may be retained for six months from the day of the call, or three years in case the call recording is part of a complaint which has been raised and may be necessary to comply with any legal and/or regulatory requirements.
We may process your personal data from business cards where the information was captured in a personal networking capacity as part of our business operations, relying on legitimate interest. We will ensure the processing is fair, proportionate and in line with normal business practice.
We may use third-party processors for our confidential research and analysis. This may include customer surveys that are anonymised and not used for marketing.
When you visit our website, we will set essential cookies on your device, but request your consent to set non-essential cookies. You can find out more about how we use cookies in our Cookie Policy. However, please note that we use Google Analytics who is a third-party web analysis service provided by Google Inc, which uses performance cookies and targeting cookies. The information generated by these cookies about your use of the Website (including your IP address), will be transmitted to and stored by Google Inc on servers in the United States of America. Google will use the information collected for the purpose of evaluating your use of our website on our behalf, compiling reports on website activity and providing other services relating to activity and internet usage to us. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser as described above. Furthermore, you can prevent Google’s collection and use of data (cookies and IP address) by downloading and installing the browser plug-in available under https://tools.google.com/dlpage/gaoptout?hl=en-GB. This creates an opt-out cookie which prevents the further processing of your data. For more information about Google Analytics cookies, please see Google’s help pages and privacy policy. If you prevent these cookies, we cannot guarantee how the Website will perform for you.
We shall inform you by way of a dedicated email if our privacy notice has changed because of an update in the law or if there are changes to the nature of the processing of your personal data. We will not email you when we make minor changes (such as to correct typographical errors, or to add information about other products or services which do not affect the processing of personal data), but we shall make the updated privacy notice available on our website at all times.
We will take appropriate security measures to ensure that your personal data is protected and secured in accordance with the relevant data protection laws and regulations, including the General Data Protection Regulation (GDPR). We will only disclose information about you to third-party data processors who shall process your personal data on our behalf (like our service provider and affiliate entity, OakNorth Global Private Limited in India). We may also disclose information about you to credit reference, fraud prevention, and risk management agencies, or if we are required by law or regulation to do so. We shall ensure that our data processors shall process your data based on our instructions and have appropriate data security measures to protect personal data.
In some cases, we may need to transfer your information to third parties overseas including our affiliate entity: OakNorth Global Private Limited in India, i.e. outside the European Economic Area. However, we will ensure that adequate procedures and safeguards such as the European Commission Model Contract Clauses as an example, are in place to protect your personal data at all times and that the affiliate and the third parties are contractually obligated to provide an adequate level of data protection in accordance with the EU data protection laws and regulations.
The UK government has and is agreeing to inter-governmental agreements to share tax information. We ask for details of your tax residency and in some cases tax reference numbers to enable us to comply with the related UK legislation. If you are a US person (US passport or US Born or US Registered address or US Taxpayer) we may be obliged to provide any required details about you and your account(s) with us to comply with the Foreign Account Tax Compliance Act (FATCA).
If we believe that we have tax obligations in other countries, we may disclose information about the bank directly to those tax authorities or to HM Revenue & Customs, who may share that information with other tax authorities. We may disclose information we hold about you directly to those tax authorities or to HM Revenue & Customs, who may also share that information with other tax authorities.
If we determine that you pose a fraud or financial crime risk (which may be based on information provided to us by a fraud prevention or risk management agency), we may refuse to provide the services and financing you have requested, or we may stop providing existing services to you. A record of any fraud or money laundering risk will be retained by us for so long as is permitted by law as well as by fraud prevention agencies. This may result in others refusing to provide services, financing or employment to you.
If false or inaccurate information is provided and fraud is identified or suspected, we may pass information to financial and other organisations involved in fraud prevention to protect us and our customers from theft and fraud.
Law enforcement agencies may also access and use this information to detect, investigate and prevent crime. We may provide the law enforcement agencies with information about you or your account which we consider relevant to assist with any investigation of criminal activity.
As part of the processing of your personal data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if:
3.1 our processing reveals your behaviour to be consistent with that of known fraudsters or money launderers,
3.2 is inconsistent with your previous submissions, or
3.3 you appear to have deliberately hidden your true identity.
However, this process does not include profiling based on your employment status, tracking cookies or marketing. Rather, we use the “Identity Authentication” service from Experian and/or Equifax which provides an identity verification check meeting our regulatory requirements such as Anti-Money Laundering (AML), while simultaneously providing identity verification. The specific information that is authenticated is: name, date of birth, and address history. If the outcome of the identity verification check is a positive result, your application is approved automatically. If the outcome of the identity verification check is unconfirmed, we may request additional proof of identification and/or address. If the outcome of the identity verification check is an adverse result, your application will be declined automatically.
Your personal data is protected by legal rights (where applicable), and may include:
4.1 The right to be informed
4.1.1 The right to be informed encompasses our obligation to provide ‘fair processing information’ through a privacy notice. It emphasises the need for transparency over how we use personal data.
4.2 The right of access
4.2.1 You have the right to access your personal data and supplementary information. The right of access allows you to be aware of and verify the lawfulness of the processing of your personal data. The right of access allows you to submit a Data Subject Access Request (DSAR) for a copy of the personal data that we hold about you.
4.3 The right to rectification
4.3.1 The GDPR gives you the right to have personal data rectified if it is inaccurate or incomplete.
4.4 The right to erasure
4.4.1 The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable you to request the deletion or removal of personal data where there is no compelling reason for its continued processing. The right to erasure does not provide an absolute ‘right to be forgotten’. You have a right to have personal data erased and to prevent processing in specific circumstances, such as:
4.5 The right to restrict processing
4.5.1 You have the right to ‘block’ or suppress processing of personal data, which will make it restricted, and permit us to store the personal data, but not to further process it. We would retain just enough information about you to ensure that the restriction is respected in future. We will be required to restrict the processing of your personal data in the following circumstances:
4.5.2 We must inform you when we decide to lift a restriction on processing.
4.6 The right to data portability
4.6.1 The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. The right to data portability only applies to personal data you provided to us, where the processing is based on your consent or for the performance of a contract; and when processing is carried out by automated means.
4.7 The right to object
4.7.1 You have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing (including profiling); and processing for purposes of scientific/historical research and statistics. You must have an objection on “grounds relating to your particular situation” if processing is based on performance of a legal task, our legitimate interests, or research purposes.
4.8 The right in relation to automated decision making and profiling
4.8.1 Article 22 of the GDPR has additional rules to protect you if we are carrying out solely automated decision-making that has legal or similarly significant effects on you. We will only carry out this type of decision-making where the decision is: necessary for the entry into or performance of a contract, authorised by Union or UK law applicable to us, or based on your explicit consent.
For more information or to exercise your data protection rights, please contact our Business Desk using the contact details above.
If you have a complaint about how we have used your information, you should contact our Business Desk using the contact details above so that we can assist you in dealing with your complaint, however, you also have the right to complain to the Information Commissioner’s Office (ICO), which regulates the processing of personal data. Information on how to report a complaint to the ICO can be found on their website: www.ico.org.uk or by calling them on 0303 123 1113.
This Privacy Notice was last updated 25 July 2024.