The impact of the General Data Protection Regulation, effective 25 May 2018, will be felt for some time to come. One area where GDPR will present a significant ongoing challenge for the financial services industry relates to the personal data collection and processing obligations created under anti-money laundering (AML) regulations. The tension between the AML and privacy requirements is not new, but GDPR’s ratcheting up of the data privacy requirements brings it into fresh focus.
On the one hand, AML regulations require the collection, processing and analysis of large volumes of personal data, with the aim of preventing the financial services industry from being exploited as a means of laundering money and committing financial crimes. On the other hand, GDPR not only places restrictions on how, when and why personal data can be collected, processed and used but also broadens the definition of “personal data,” bringing all information collected under the AML regulations squarely within the jurisdiction of GDPR.
Therefore, the two sets of requirements – one aimed at limiting the use of personal data and the other aimed at maximising the use of personal data – create a number of tension points in a firm’s overall compliance framework. We explore this metaphorical tug-of-war in this blog post, highlighting some of the areas where firms need to be mindful of potential conflicts and providing suggestions on how firms can adjust their compliance policies and processes.
A Tale of Two Worlds – AML and GDPR
AML rules require the collection, processing and use of personal data for the following overarching tasks to comply with regulatory obligations:
- Customer due diligence (including enhanced and simplified due diligence);
- Transaction monitoring;
- Behavioural monitoring;
- Internal data sharing (including within a group);
- External data sharing (including with regulators and other financial institutions);
- Data sharing for outsourced arrangements; and
- Cross-border processing of data (especially for the processing of international payments).
The European Union (EU) Fifth AML Directive and further proposed changes to it (termed the “sixth” money laundering directive) are also set to broaden the scope of these requirements by extending coverage to new areas such as virtual and digital currencies.
GDPR provides a broad definition of “personal data” – any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
GDPR sets out six data protection principles that apply to the processing of personal data. In brief, these principles stipulate that personal data must be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which the data is processed
- Accurate and, where necessary, kept up-to-date
- Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed
- Processed in a manner that ensures appropriate security of the personal data.
Under GDPR, the processing of data in the absence of a clear “lawful basis” is a violation that can attract penalties of up to 20 million euros or 4 percent of global revenue, whichever is higher. Firms must document their lawful basis for processing personal data, which could be one or more of the following six lawful bases established by GDPR:
- Consent
- Contractual obligations
- Legal obligations
- Necessary for the vital interests of the data subject
- Necessary for tasks in the public interest
- For a legitimate purpose/interest
However, a risk-based approach to AML compliance has many variations. This gives rise to different levels of personal data collection and use, which don’t always sit well with GDPR’s approach of six lawful bases.
Exploring the Challenges
The following are some of the key challenges that financial firms may face as a result of the tension between the two sets of regulations:
- Documentation of lawful basis – Firms will need to document the legal basis for processing (including the collection of) personal data for the purposes of complying with AML regulations. This can prove challenging, as these rules tend to be principles-based and require the development of a risk-based approach. For instance, a number of the key industry assumptions that underpin the processing of personal data in this area, such as risk ratings, risk indicators, red flags and so on, are not strictly derived from legal obligations, nor are they representative of an interest (legitimate, public, vital, etc.). As such, firms may need to obtain consent under certain circumstances for data retention purposes. This consent will need to be explicit and in line with GDPR’s stringent requirement that the consent is freely given, informed and specific. (The instances in which processing data without consent is lawful are noted above.) Think about the implications of knowing your customer’s customer, or KYCC, in relation to high-risk services such as correspondent banking or pooled account products, and the challenge becomes clear. Similarly, since the data collected must be proportionate to the risk level of the customer, firms may need to re-examine the practice whereby they collect the same data for a low-risk customer as they do for some high-risk ones.
- Rectification of inaccurate data – Keeping data up-to-date is also now more important under the GDPR. Historically, firms have not always been good at keeping their customer files up-to-date. Now this will have to be considered not just as an AML regulatory obligation but as a GDPR requirement too, especially where the data is being relied upon to make decisions that impact the customers’ ability to access banking or financial services. Additionally, where online or other database-sourced searches are conducted to create an AML risk profile for a customer, firms will have to use reliable and reputable data sources, placing additional burden on the financial services industry and data source providers to establish the reliability of the information used.
- Data security – Data security is integral to GDPR compliance, and firms will need to review who has access to customer data required for AML compliance, including all data collected and processed as part of KYC activities and transaction monitoring alerts. Firms will have to scrutinize the use of such data and document which employees require access to it and why. Personal data should be shared on a need-to-know basis. Firms will also have to identify ways to secure “dormant” personal data that is no longer connected to an existing business relationship but must be retained for a period of at least five years for the purposes of AML regulations.
- Privacy notice – Given that data subjects have the right to be informed of the processing and usage of their personal data, firms will have to consider the steps that they need to take to inform their individual customers and the beneficial owners (BOs) of various types of corporate customers of the firm’s privacy notice and the legal basis for processing their personal data. The fact that these BOs are sometimes two or three steps removed from the relationship with the corporate customer is a complicating factor that will also need to be considered.
- Retention – AML rules and/or internal policies may require personal data to be retained long after the business relationship giving rise to processing has come to an end. This is in direct tension with GDPR, which stipulates that data may not be retained “longer than necessary for the purposes for which the personal data is processed.”
- Outsourcing and secure transmission to third parties – Firms today are outsourcing a wider range of activities. Firms will need to put in place controls to monitor whether their vendors and third parties comply with both AML and GDPR regulations. Firms should consider incorporating these compliance requirements – and the right to audit them – directly into their third-party contracts.
What Should Regulated Firms Be Doing?
In summary, firms should review areas where GDPR and AML regulations overlap, and do so as a matter of priority. Firms must begin documenting the legal basis for collecting and processing personal data, put in place appropriate privacy notices, and assess whether they are appropriately addressing the challenges highlighted above. Over the medium term, the tension between these regulations is set to increase as firms incorporate newer data types and technology into their AML compliance controls. For example, where previously firms have perhaps held a copy of a passport, today they may hold a voice pattern or biometric data. As firms launch projects to use these newer data types and technology, compliance with GDPR should be incorporated into their planning from the very beginning – keeping in mind the considerable penalties GDPR will bring for unlawful use and violation of personal data restrictions.
The views included herein are intended to assist companies with their compliance efforts. However, the information provided is not intended to be legal analysis or advice. Firms should seek the advice of legal counsel or other appropriate advisers on specific questions as they relate to their unique circumstances.