On 20 July 2021, the European Commission adopted a proposal for an anti-money laundering (AML) legislative package that has a major impact on financial institutions. This package aims to harmonize the existing AML legal framework in the European Union and to increase the effectiveness of the fight against money laundering and terrorist financing.
In May 2022, the European Data Protection Board (EDPB) raised concerns about the proposed legislation. Specifically, the proposed AML package contains a Regulation for the prevention of money laundering and terrorist financing for the financial sectors (the Proposed Regulation) which appears to contradict with the GDPR on several counts and poses challenges for financial institutions in terms of data protection and GDPR compliance. On the one hand, you have a regulation which compels financial institutions to collect vast amounts of (special) personal data on a person in the name of combatting money-laundering and terrorist financing, while on the other hand, the GDPR compels those same institutions to collect as little personal data as possible.
This blog aims to assess what the implications of the opinion of the EDPB are and what steps you can take as a financial institution to comply with seemingly contradictory legal obligations.
The EDPB’s concerns are mainly related to a section dedicated to data protection in chapter VI of the proposed Regulation. This chapter contains specific obligations for financial institutions to verify the identity of clients, screen their backgrounds and monitor suspicious transactions. To comply with these obligations, financial Institutions must collect and process significant amounts of personal data. Article 55 (1) of the proposed Regulation states that financial institutions may process special categories of personal data and data relating to criminal convictions when this is strictly necessary for the purposes of preventing money laundering and terrorist financing.
However, according to the EDPB, this article does not specify the meaning of “strictly necessary” and does not define the types of personal data that fall under the special categories of personal data that may be processed. The EDPB considers that this infringes the data minimization principle of the GDPR. The EDPB therefore recommends specifying for each activity (for example identification, screening and FIU reporting) which category of personal data may be processed. Due to the lack of concreteness, there is a risk that financial institutions will process special categories of personal data that are not necessarily relevant for the intended purpose. For instance, data revealing someone’s personal union membership, health data, genetic data, or biometric data are mentioned by the EDPB as not being necessarily relevant for the purposes pursued.
The EDPB further believes that the processing of data revealing a person’s ethnic origin and data on a person’s sexual orientation should be completely prohibited. The EDPB therefore calls on the legislator to explicitly define which special categories of personal data may be strictly necessary to prevent money laundering and terrorist financing.
Next to that, the proposed Regulation lays down that financial institutions may not only process personal data relating to criminal convictions but also ‘allegations’. The EDPB therefore advocates that financial institutions should have procedures in place that allow for distinction between allegations, investigations, proceedings, and convictions while considering the right to a fair trial, the right of defense and presumption of innocence.
Furthermore, the EDPB recommends that the proposed AML package further substantiates the risk-based approach in the Customer Due Diligence (CDD) process. This means, for instance, that more personal data will be collected for Politically Exposed Persons (PEPs) compared to non-PEPs, because generally, PEPs represent a higher risk for involvement with money laundering due to the positions that they hold. Therefore, it is reasonable that non-PEPs are exposed to less intrusive screening procedures and less personal data will be collected about them.
The takeaway message from the EDPB is that it welcomes the proposed Regulation, but there are still serious concerns about the interplay between the proposed Regulation and GDPR compliance. Emphasis is placed on specifying which types of (special) personal data may be collected for AML purposes. While the EDPB’s concerns are very much valid, it will be interesting to see to what extent legislators will follow the advice of the EDPB. For instance, the EDPB states that the processing of personal data revealing a person’s ethnic origin should be prohibited. This could be problematic in practice, as financial institutions can collect copies of identity cards for customer identification purposes. By default, the photo on the ID-card will reveal that person’s race or ethnicity. So, it is not clear how the opinion of the EDPB should be reconciled with existing KYC procedures for identity verification.
Similar problems can arise in the field of processing data about a person’s sexual orientation, which according to the EDPB should not be allowed at all. AML obligations prescribe that suspicious transactions must be monitored. Since a person’s purchase history can reveal a lot about a person’s sexual preference, it seems obvious that in some cases financial institutions would be required to monitor transactions that could possibly reveal a person’s sexual preference (e.g. a person paying for drinks at a gay bar on a weekly basis). And even if those transactions are not individually monitored, the data revealing the person’s purchase history is still processed by the financial institution.
Moreover, the legislator is urged to review the processing of criminal allegations made against individuals as this would pose a high risk as the sources from which information about allegations can be collected are not precisely identified. The use of criminal allegations in the Customer Due Diligence process may have significant impact (such as refusal to enter into a business relationship), especially when the allegation cannot be substantiated at a later stage or is found to be false. Therefore, even if the use of allegations would be allowed in the final text, financial institutions should be restrained in relying on such information for CDD purposes since allegations do not carry the same weight as a final conviction and may turn out to be false or can be revoked.
Finally, a risk-based approach is essential in the proposed AML package, which is also a key component of the GDPR. In that sense, both regulations have a very similar approach. However, the EDPB recommends to further incorporate a risk-based approach in the proposed AML package specifically with regards to data protection. This means that in situations where the risk of money laundering is higher, it naturally makes sense to carry out more intrusive screening and background checks, which will result in more (special) personal data being collected. Where the risk of money laundering is lower, less intrusive screenings should be carried out. This also somewhat mirrors the risk-based approach in the GDPR, where processing activities that pose higher privacy risks require stricter technical and organizational measures. As such, where the AML regulation and the GDPR are seemingly contradictory, the aim should be for them to be dynamic and harmonious with regard to reducing the risk of money laundering while still complying with the GDPR.
The foregoing begs the question: what can your financial institution do to prepare and comply with the proposed AML obligations and the GDPR? The answer lies in making core GPDR principles (lawfulness, transparency, purpose limitation, data minimization, storage limitation and confidentiality) part of your Customer Due Diligence processes. This requires your organization to assess which types of personal data you collect, why you do this and whether this is necessary for the purpose for which you are collecting data. For instance, within the financial sector, facial recognition (biometrics) can be used for identification of clients. One can debate whether this is truly necessary and whether identification can also be reliably established through less intrusive means. For example, by carrying out verification by human agents instead of AI.
In addition, your organization also should consider how long it wishes to retain the personal data and how it is going to ensure proper deletion once a retention term has expired. Relevant questions to answer are: which IT systems are used to collect the Customer Due Diligence data? Who has access to the information? What security measures have been taken? In which location/country is the data stored and for how long?
A good solution is always to start with mapping out your process for CCD data collection and identify the data protection risks that are involved with a processing activity. A useful tool to do so is a Data Protection Impact Assessment (DPIA). This way, insights in the GDPR compliance risks are gained. Any measures that are then taken to mitigate the established risks should become an integrated part of your CDD procedures and protocols, ensuring accountable compliance with data privacy legislation.
If you want to know more about carrying out a DPIA and how to make your CDD processes GDPR compliant, you can contact DPO Consultancy.