AML and GDPR Compliance: There can be a perceived conflict between the obligations under Anti-Money Laundering (AML) legislation/regulation and data protection regulation. We explain some of the most common data protection concerns and suggest solutions.
Four Key Factors and Solutions:
While collecting Valid Photo ID and Proof of Address for KYC
These documents are essential for Know Your Client (KYC) but are frequently obtained in ways that may conflict with AML and GDPR compliance. AML legislation provides a lawful basis for obtaining these documents; however, the process used to transfer them is often inconsistent with the security obligations mandated by the GDPR. Sensitive data, in particular, should be protected to a level that is proportional to the risk to your clients.
The type of information required to comply with your AML obligations includes many of the key elements that a bad actor would need for identity theft. Particular care should be taken not to expose your client to harm, and requesting KYC documents by e-mail is likely to be deemed insufficient. The solutions can include:
● Use an AML specialist system to obtain photo ID and proof of address documents securely. These processes should not store a copy of the information on any intermediary IT systems or platforms (best solution).
● Use a secure document transfer system. Most of these systems require that you download documents to your document file system and then upload them into your AML process. The documents are stored in multiple locations, increasing the risk (next-best solution).
● Password-protect these documents and send them via e-mail. This is not recommended, as many copies will be kept in locations such as the e-mail outbox, the filing system or backups. This leads to several points of vulnerability and significantly increases the risk to your client (least advisable).
The storage of Photo IDs in your practice
Practices routinely store these sensitive documents in their general document management system, case management systems (e.g. Leap), or SharePoint. Data protection regulations require that personal data is only used for the purpose for which it is collected and not processed further. However, these systems are often open to many members of staff.
Relevant staff must know that the documentation exists, but they must not be able to view or use the information on these documents. Typically, the MLRO should be the only person with access to the originals and should be able to produce them in the event of a practice review or other regulatory inspection. A range of common processes is used:
- Use a system to store these documents securely but deny staff in general access to the document or to the data on it. These systems will typically show that the ID is valid without displaying it (best solution).
- Limit access to these documents to the MLRO only (good, but difficult to manage)
- Restrict access to files to a business group or department who have a legitimate need to see the AML documents (not in full compliance with data protection regulations)
- Allow all employees to have access to AML files (highly inadvisable)
It is advisable to consider carefully any process that allows broad access to ID documents, and also the risks that this may cause to your clients and to your business.
Disclosure of Information to Clients
Clients can submit an access request for their information in accordance with their rights under the GDPR. This raises the question of whether you must provide information obtained while doing your due diligence and, in the case of a Suspicious Activity Report, whether you must disclose a copy of that report.
Furthermore, where a controller of personal information decides to deny access to data, there is a legal obligation to provide the basis for denial. Is this required?
The answers to these questions are short and simple. AML legislation/regulation mandates confidentiality, including an obligation ‘not to tip off’. These laws typically allow you to refuse access to any data processed to fulfil your AML obligations and to refrain from giving a reason.
Another consideration is the obligation of a controller to inform subjects when they obtain personal data indirectly. You can typically refrain from notifying the subject if the data was obtained directly in relation to your AML obligations.
In the above advice, I used the word “typically”. There are many situations where the advice above could be questioned, e.g. where excessive information was requested.
If you are unsure, seek professional advice from an experienced person.
Requests for information from state authorities
When a state authority asks for personal data to investigate a crime, it is vitally important that this is done legally. This may seem like a simple requirement; however, it does not always happen in practice. In a previous post titled “Managing Your AML Obligations – How this can play out at court”, we discussed the implications of not complying with this obligation.
The two key factors to be aware of:
If a court order has been provided, provide data that is within a tight interpretation of the order. Do not release any data that could possibly be interpreted as being outside of scope.
Where the authorities are relying on provisions of the data protection legislation to access personal data, be extra careful to ensure that the request provided is clear and unambiguous. In our experience, some of these requests have been questionable and needed to be re-written. In any event, ONLY provide data that is specifically detailed on such a request. If in doubt, seek professional advice.
Your obligation is to release personal data on foot of a lawful request. If that request is not lawful, or you provide data outside the document’s technical scope, and that data is then relied upon in court proceedings, it is likely to be challenged. If the lawful release of data is challenged in court, this can result in your attendance and the loss of a significant amount of time. It is advisable to make the effort to avoid the unlawful release of personal data and to avoid unnecessary court appearances.
If you need assistance with any of these issues or to find a solution for your company, please contact us at www.firstdd.com.