Telcos: privacy compliance for customer credit checks and identity verification

New Zealand's telecommunications companies — Spark, Vodafone NZ, 2degrees, and others — run credit checks and identity verifications for nearly every new customer sign-up. At this scale, manual compliance tracking is impossible.

The scale challenge

A major NZ telco might process 100,000+ new customer applications per year, each involving at least one credit check and often an identity verification through a third-party source. That is 100,000+ individual IPP3A compliance events that need to be recorded.

Current practice

Most telcos handle IPP3A through their terms and conditions, which include a clause about credit checks. The challenge is proving that each individual customer was made aware of the clause before the check was run — not just that the clause exists in the T&Cs.

Digital consent capture

For online sign-ups, telcos can capture specific, timestamped consent at the point where the credit check is initiated. This is stronger than a general T&Cs clause because it is:

• Specific to the credit check (not a general consent)
• Timestamped (proving it occurred before the check)
• Individually recorded (linking the consent to the specific check)

DEIS at scale

DEIS's API allows telcos to integrate compliance capture directly into their sign-up flow. When the system initiates a credit check, the DEIS API records the consent pathway automatically, creating individual compliance records at scale without manual intervention.