Federal compliance regulations require us to check DOBs against a federal list to determine whether the user is able to use Divvy.
Why is Divvy requiring & collecting DOBs?
We are requiring DOB to support updates to our card program, for our new banking partner, and to ensure we are compliant with the federal guidelines and regulations.
While we have always required PII from beneficiary owners in the past as part of compliance checks, with guidance from our banking partner and third party compliance consultants, we have decided to expand this to all cardholders to reduce risk and increase vigilance.
Collecting a date of birth will also assist Divvy in account verification and security. Specifically, when a customer contacts Divvy to inquire about financial information, to discuss fraud or process a fraud dispute, or any sensitive interaction that requires positive customer identification, a DOB will be used as one of many verification points to ensure the person we are talking to is in fact who they say they are.
Security questions and answers do not sufficiently cover the requirement because:
Security questions and answers do not typically qualify as personally identifiable information (PII).
This information can be easily socially engineered or guessed.
Security questions and answers do not satisfy regulatory requirements.
More information about why we require PII can be found here: Personally Identifiable Information in Divvy.
I have security concerns around providing personal information for my users. Why do you need this information?
We completely understand concerns with collecting personally identifiable information (PII), but we do it for good reason. We are requiring DOBs for two reasons:
It is required in order to remain in compliance. We need dates-of-birth to positively identify individuals and ensure there is no reason they should not be spending on a financial platform.
We can use PII to positively identify individuals in support, fraud, and loan servicing interactions. Having a DOB helps our internal teams positively identify you in any interaction requiring additional verification. This is commonplace when working with financial institutions and FinTech companies in general.
We go to extraordinary lengths to keep your PII safe and confidential and will only use it for the two use cases described above. We complete regular security audits to make sure we are not simply meeting security standards but exceeding them.
Other card programs do not make me do this. Why is Divvy?
All financial institutions have to comply with federal regulations. Different card programs have different ways in which they satisfy compliance requirements.
Some banks, for example, collect personally identifiable information (PII) at an admin or partner level (users are never asked directly). Our banking partner requires PII such as date of birth and SSN (only if additional information is needed) for each individual Divvy user.
At Divvy, we comply with federal regulations applicable to our Bank Partner by collecting certain personal identifying information on an authorized user level. At times, this information may include the date of birth and/or social security number for authorized users opting to spend on their Divvy business card.
What do I do if I have cards that are non-human & will not have a birthdate?
We are aware that there are use cases in Divvy where a "person" in your company is not an actual person. In these cases, we recommend inputting the name and date-of-birth of the admin who created them and who is ultimately responsible for this user if issues arise. More features are on the way that will address these nonperson users.
More information can be found here: Updating Users
Can I just provide fake information for my users?
We recommend against this because:
We use DOBs for verifying users when they call in and ask for financial information.
This could lead to the user being flagged and us requesting this information so they can spend properly.
To make sure we don't run into false positives and/or issues, we recommend supplying accurate date-of-births in Divvy.