GDPR v. Money Laundering Regulations

This month, technical expert Julia Penny tackles the confusion around how the General Data Protection Regulations work with money laundering rules.

Our lives often seem filled with a variety of regulations which test both our comprehension of the legalese in which they are written and our patience. One area that has come to my attention in the past month is some confusion as to how the Money Laundering Regulations (Statutory Instrument 2017/692) interact with the General Data Protection Regulations (GDPR).

As you will know, as part of the regulated sector for anti-money laundering purposes, accountants are required to carry out customer due diligence (CDD) for their clients. CDD includes verifying the identity of individuals, which might typically involve seeing and taking a copy of a passport or driving licence.

It would appear that some marketing companies are giving out plenty of advice on what you can and cannot do under GDPR. Remember, though, that these companies are talking about GDPR from the marketing perspective and to follow their advice in respect of all aspects of data processing could be disastrous.

For example, take the advice that some companies have given that photos of individuals or their identity documents should not be kept. In certain situations, this advice is probably correct, but you cannot view it too narrowly.

The Money Laundering Regulations require, under Regulation 40(2), that a copy of any documents or information obtained to satisfy CDD requirements must be kept for at least five years after the business relationship has ceased. So, if you have taken a photocopy of a passport as part of your CDD information, you MUST keep it for the specified period.

This doesn’t conflict with GDPR because there are a number of bases on which data can be processed. As the ICO website says: “You must identify valid grounds under the GDPR (known as a ‘lawful basis’) for collecting and using personal data.”

The six lawful bases for processing are:

  • Consent
  • Contract
  • Legal obligation
  • Vital interest
  • Public task
  • Legitimate interests

The one we are interested in for money laundering purposes is the legal obligation one: Article 6(1)(c) provides a lawful basis for processing where “processing is necessary for compliance with a legal obligation to which the controller is subject”.

This means that identity information, such as passport copies, can, and should, be kept just as it was before GDPR.

Julia Penny FCA is a London ICAEW Council Member and Technical Director at SWAT UK @JSPenny

Article available at:

https://www.icaew.com/en/groups-and-networks/local-groups-and-societies/london-ds/london-accountant/tax-and-financial-reporting/jan19-gdpr-money-laundering