As global art sales continue to hit record highs (https://www.digitaljournal.com/business/art-sales-hit-all-time-high-in-2021/article) it’s unsurprising that the number of art buyers being asked to share their information at the point of purchase is also increasing.
For auctioneers like Christie’s and Sotheby’s, this is business as usual. Major auction houses have been asking for ID and proof of address documents for decades. For the UK, EU and US galleries, however, new regulations mean they need to do the same.
In the UK the regulations are unavoidable. Since being announced in January 2020, the business is required to comply with all relevant sales above €10,000. This entails taking receipt of information about the buyer, building a report, and storing this information for a minimum of 5 years. Much to the surprise of art buyers who are now being asked to share sensitive information about themselves when they previously didn’t have to.
Amongst this sensitive information are their ID documents (such as a passport or driving license) and proof of address (a utility bill or similar.)
Naturally, art buyers are sceptical about the systems and processes a gallery has in place to ensure the safety of their information in an increasingly volatile online environment where phishing scams and cyber-attacks are a constant threat and becoming all too common.
“We hear horror stories about how art businesses are handling this information on a daily basis, including questions from buyers about where and how the information will be stored,” said Matthew Whiteley, Head of Product at Art Market Due Diligence Platform, Arcarta
“Galleries must focus on doing what they do best, dealing in works of art. There are services available that can take the work of data security and infrastructure off of their shoulders. It is completely unrealistic to think that gallery staff become experts in data security and encryption overnight to safeguard the information they are now legally required to store.”
With regulations creating an additional burden for the art market, it appears the big auction houses haven’t understood this threat either. UK galleries report being asked to share information about their clients to email addresses such as compliance@ or PostSaleUK@.
For high-net-worth clients, the challenge of meeting the requests for information while maintaining privacy and security is even greater. The consequences of loss of client data due to an email breach could be catastrophic and yet completely unavoidable.
A gallery needs to have systems in place to ensure they are not building a ‘honey-pot’ of ID documents that could be visible to anyone after being unfortunate to fall victim to a phishing scam or malware. Let’s not forget too that in the eyes of Regulators, ID theft is a prerequisite to money laundering.
Notifying a client that your email account was hacked and that their passports are now visible to the world will no doubt cause significant reputational damage. In a world where more clients are entering the market each year and purchasing entirely remotely, there need to be guidelines and best practices to establish data discipline and safeguard this information.
With the right systems in place, a gallery can not only ensure security for its information but in turn, provides a seamless experience for its clients.