This month, technical expert Julia Penny tackles the confusion around how the General Data Protection Regulations work with money laundering rules.
Our lives often seem filled with a variety of regulations that test both our comprehension of the legalese in which they are written and our patience. One area that has come to my attention in the past month is some confusion as to how the Money Laundering Regulations (Statutory Instrument 2017/692) interact with the General Data Protection Regulations (GDPR).
As you will know, as part of the regulated sector for anti-money laundering purposes, accountants are required to carry out customer due diligence (CDD) for their clients. CDD includes verifying the identity of individuals, which might typically involve seeing and taking a copy of a passport or driving licence.
It would appear that some marketing companies are giving out plenty of advice on what you can and cannot do under GDPR. Remember, though, that these companies are talking about GDPR from the marketing perspective and to follow their advice in respect of all aspects of data processing could be disastrous.
For example, take the advice that some companies have given that photos of individuals or their identity documents should not be kept. In certain situations, this advice is probably correct, but you cannot view it too narrowly.
The Money Laundering Regulations require, under Regulation 40(2), that a copy of any documents or information obtained to satisfy CDD requirements must be kept for at least five years after the business relationship has ceased. So, if you have taken a photocopy of a passport as part of your CDD information, you MUST keep it for the specified period.
This doesn’t conflict with GDPR because there are a number of bases on which data can be processed. As the ICO website says: “You must identify valid grounds under the GDPR (known as a ‘lawful basis’) for collecting and using personal data.”
The six lawful bases for processing are:
The one we are interested in for money laundering purposes is the legal obligation one: Article 6(1)(c) provides a lawful basis for processing where “processing is necessary for compliance with a legal obligation to which the controller is subject”.
This means that identity information, such as passport copies, can, and should, be kept just as it was before GDPR.
Julia Penny FCA is London ICAEW Council Member and Technical Director at SWAT UK @JSPenny