8th November 2018
GDPR and AML
What is GDPR?
The General Data Protection Regulation (GDPR) was implemented on May 25th 2018, transforming the way organizations within the EU handle the personal data of their customers and clients. GDPR creates, clarifies, and harmonizes data security legislation across all EU member-states – but also affects organizations from outside territories wishing to do business within the bloc.
Practically, GDPR limits the ways in which businesses can collect, use, and store the personal data of their customers and clients – it also creates consequences for institutions with AML obligations.
Since Anti-money Laundering (AML) efforts require an intense focus on personal data, the restrictions introduced by GDPR may represent a challenge for financial institutions. More specifically, the legal scope of GDPR may clash with the way institutions identify customers during their due diligence procedures and how they manage their risk thereafter.
As a financial institution, delivering GDPR compliance while managing your AML obligations is an important priority – especially since GDPR compliance penalties can reach up to €20 million (or 4% of global revenue). With the stakes so high, it’s worth exploring the points at which the two legislative frameworks clash and how any regulatory friction may be resolved.
Article 6 of GDPR requires data controllers to establish a legal basis for collecting and processing personal data – including data required for AML purposes. For institutions with AML obligations, the most relevant justifications provided by Article 6 are:
- Article 6(c) – which allows for the processing of personal data “for compliance with a legal obligation to which the controller is subject” – typically, AML laws or sanctions.
- Article 6(f) – which allows for data processing for “legitimate interests”, justifiable on a case-by-case basis.
ComplyAdvantage justifies its data processing activities under Article 6(f) – since that data is necessary to serve our clients’ legitimate interests in delivering AML and sanctions compliance.
One of the most significant aspects of the GDPR is Article 17, which introduces the “right to be forgotten”. That right allows data subjects to request the deletion of their personal data under certain circumstances. This rule may be in contention with AML law, which requires data to be held long after a business relationship has ended.
Under GDPR Article 17(3)(b), however, legal requirements take precedence over the right to be forgotten. From an AML perspective, the EU’s 4th Anti-Money Laundering Directive (4AMLD) introduced the requirement that both customer due diligence and transaction records be retained for 5 years after the end of the customer relationship. In this context, the right to be forgotten would only be enforceable after this period had ended.
Article 28 of GDPR states that data controllers must appoint data processors, like ComplyAdvantage, who can offer and demonstrate “sufficient guarantees” of GDPR compliance. That being the case, it may be necessary to include GDPR compliance requirements – and the right to audit them – in contracts with third parties. Similarly, the transmission of data between controllers and third-party processors must also be secure and in compliance with relevant GDPR rules.
Since ComplyAdvantage processes personal data for each of our clients for AML purposes, our GDPR compliance guarantees are set out, as standard, in our terms of service agreements.
As a data processor, ComplyAdvantage offers clients complete clarity over the protections we put in place to safeguard personal data. Our stringent data security policies enable our clients to remain GDPR compliant, while safely performing every necessary AML check. Our information security protections include:
- Data encryption during transit and at rest
- An AWS hosted infrastructure globally renowned for information security
- ISO27001 certification – an Information Security Management System certified to ISO27001 across all our systems and locations by the British Standards Institute – the gold standard Information Security protocol
We understand that our clients need to ensure that their customers are not laundering money or involved in financing terrorism, and this must take priority over certain data security concerns. Even under the GDPR regime, that need entitles you to store personal information and keep an audit trail of checks and processes. Both AML and data protection laws are constantly evolving and, in the wake of new legislation such as the Fifth Anti-Money Laundering Directive (5AMLD), your compliance solution must allow you to adapt to new legal measures introduced to address the changing strategies of financial crime.
With those factors in mind, your GDPR anti-money laundering solution should, above all other concerns, keep personal information safe – a goal which converges with the wider objectives of the data protection landscape.