With GDPR in effect, financial institutions in the EU and beyond must manage their AML compliance obligations in a new data protection regime.
The General Data Protection Regulation (GDPR) was put into effect on May 25th, 2018, transforming the way organizations within the EU’s customer and clients personal data handling. GDPR creates, clarifies, and harmonizes data security regulations across all EU member-states – but also affects outsiders that want to do businesses with the block.
Moreover, GDPR limits the ways about the data collection of their clients– it also creates results for institutions with AML obligations.
Since anti-money-laundering efforts (AML) demands intensive focus on personal data, the restrictions introduced by GDPR may represent a challenge for financial institutions. More specifically, the legal scope of GDPR may clash with the way institutions identify customers during their due diligence procedures and how they manage their risk thereafter.
Financial institutions have to comply with GDPR while complying with AML regulations. Organizations that do not comply with GDPR regulations are subject to heavy fines. With high stakes, it’s worth exploring the points at which the two legislative frameworks fight and how any regulatory issue may be solved.
GDPR’s Article 6 requires a legal basis for collecting and processing personal data to be established for data collectors – including data required for AML purposes. There are some clauses that must be observed by institutions with AML obligation. Some of these are those:
Article 6(c) allows the processing of personal data “for compliance with a legal obligation to which the controller is subject”, AML laws or sanctions.
Article 6(f) allows data processing for “legitimate interests”, justifiable on a case-by-case basis.
Sanction Scanner justifies its data processing activities under Article 6(f)– since that data is necessary to serve our clients’ legitimate interests in delivering AML and sanctions compliance.
One of the most significant aspects of the GDPR Article 17 is that it introduces the right to be forgotten. That right allows subjects to ask their personal data deleted under certain circumstances. This rule might be in contention with AML law, which demands data to be held long after a business relationship has ended.
GDPR Article 17(3)(b) states legal requirements take precedence over the right to be forgotten. From an AML perspective, the EU’s 4th anti-money-laundering directive (4AMLD) introduced the obligation that both customer due diligence and transaction records be kept for 5 years after the end of the customer relationship. In this context, the right to be forgotten would only be enforceable after the end of this period.
Article 28 of GDPR states that data controllers must appoint data processors, like Sanction Scanner, who can offer and demonstrate “sufficient guarantees” of GDPR compliance. Considering the case, it might be essential to include GDPR compliance demands and the right auditing with third-parties. Similarly, the transmission of data between controllers and third-party processors must be secure and in compliance with relevant GDPR regulations.
Since Sanction Scanner processes personal data for each of our clients for AML purposes, our GDPR compliance guarantees are set out, as standard, in our terms of service agreements.
As a data processor, the Sanction Scanner offers clients complete clarity over the protections we put in place to safeguard personal data. Our advanced data security policies enable our clients to remain GDPR compliant while every necessary AML checks are performed safely. Our Information security protections include:
Data encryption during check and on transit.
We understand that our clients need to ensure that their customers are not laundering money or involved in terrorist financing and this takes priority concerns over certain data security. Even under the GDPR regime, it obligates you to store personal information and keep an audit trail of checks and processes. Both AML and data protection laws are evolving constantly and with the wake of new legislation (5th anti-money-laundering directive (5AMLD)), your compliance solution must allow you to adapt to new legal regulations introduced to cope with financial crime strategies.
With those factors in mind, your GDPR anti-money laundering solution must keep personal information safe with wider objectives of the data protection landscape.