Compliance at the Intersection Between Protection & Prevention
The Court of Justice of the European Union has delivered two decisions in a short period of time which may have a significant impact on how anti-money laundering (AML) should be managed in relation to the General Data Protection Regulation (GDPR). Moreover, in October, the Swedish Data Protection Authority published a decision whereby the obligation to perform a customer risk profile does not constitute a legal obligation to process data under the GDPR.
This article seeks to address the potential challenges of navigating the complex regulatory environment, analyses the decisions made, and provides recommendations.
From an AML perspective, it is clear that placing AML compliance above “everything else” is no longer a viable option. Companies must now ensure that their processes are designed to prevent money laundering while also protecting personal data. This is certainly a difficult balancing act.
Maximilian Krackhardt, Senior Manager at FCG Financial Crime Prevention
The first decision: The Market Abuse Regulation in relation to the General Data Protection Regulation and ePrivacy
The competent authority has, under the Market Abuse Regulation (MAR), the power to require existing recordings of telephone conversations, electronic communications, or data traffic records held by investment firms, credit institutions, or financial institutions.
It is important to differentiate the legal concept of traffic data from the concept of content data. Content data is the information content transmitted over a communications network, while traffic data is (simplified) any data, including personal data under the General Data Protection Regulation (GDPR), used for the purpose of transferring content data to a recipient or the billing of a communications network. Both traffic and content data may constitute personal data within the scope of the GDPR.
The Court’s first conclusion in the joined cases VD and SR was that MAR cannot be interpreted as a legal obligation on the communication service provider, investment firms, credit institutions, or financial institutions to retain traffic data. Consequently, the power of the competent authority to require existing recordings of telephone conversations, electronic communications, or data traffic records held does not indirectly entail an obligation to store said data. While such an interpretation may seem logical based on the wording in MAR, it is not possible to construe MAR in isolation from the court’s longstanding case-law or other legal acts. When interpreting Union legal acts, such as MAR, the AML Directive, or the GDPR, it is necessary not only to refer to its wording, but also to consider its context and the objectives of the legislation of which it forms part, and in particular the origin of that legislation.
The Court’s second conclusion was that the general and indiscriminate retention of traffic data could only be justified by the objective of safeguarding national security. The Court reasoned that the judgment in La Quadrature du Net would not be respected if its findings on what may be permissible with regards to national security interests were extended to cover serious crime, including in the context of market abuse.
It is necessary to differentiate between the fundamental rights of natural persons and objectives of general interest.
- Examples of fundamental rights in this context include the right to privacy and the right to data protection.
- Examples of objectives of general interest in this context include serious crimes such as drug trafficking, money-laundering activities, fraud, corruption, human trafficking, kidnapping, illegal restraint and hostage-taking, crimes against the financial interests of the European Union, counterfeiting and product piracy, computer crime, and environmental crime.
Thus, even though market abuse and money laundering activities constitute serious – and potentially criminal – offenses, they do not hold a unique status in relation to the fundamental rights of natural persons, in this case the rights of privacy and data protection. This will require all firms to evaluate their compliance arrangements in light of the requirements of the GDPR and the ePrivacy Directive.
The second decision: The AML Directive in relation to the GDPR
The second Court decision is the joined cases Luxemburg Business Register and Sovim. In accordance with the AML Directive, a Luxembourg law established a Register of Beneficial Ownership and provides that a whole series of information on the beneficial owners of registered entities must be entered and retained in that register. Some of that information is accessible to the general public.
The Court ruled that the provision of the AML Directive whereby Member States must ensure that the information on the beneficial ownership of corporate and other legal entities incorporated within their territory is accessible in all cases to any member of the general public is invalid. The Court has the power to invalidate legal acts and decisions of Union bodies, in part or in whole, if a legal act constitutes a disproportionate infringement of fundamental rights.
The purpose of the AML Directive is to prevent money laundering and terrorist financing. The objectives of preventing money laundering and terrorist financing constitute objectives of general interest, as described in the section above. The Court concludes that these objectives may justify even serious interferences with fundamental rights such as the right to privacy and the protection of personal data.
The Court holds, however, that the interference resulting from the way the business register is designed in Luxembourg, as in the present case, is neither limited to what is strictly necessary nor proportionate to the objective pursued. In addition to the fact that the provisions concerned allow data that are insufficiently defined and identifiable to be made available to the public, the regime introduced by the AML Directive amounts to a considerably more serious interference with fundamental rights. Consequently, the Court declared the part of the legal act making this information accessible to the public invalid.
At first glance, this decision is of importance only for legislatures – Union legislatures when deciding the upcoming AML Package and the national legislatures on how Union law is transposed into national law.
For companies at large, it is important to understand the basis for the Court’s decision, as this reasoning applies to the interplay between the AML Directive and the GDPR. It is the AML Directive that must be interpreted in the light of the GDPR, not the other way around.
The Court explicitly states that the principle of data minimization must be applied strictly in the context of AML. The data controller must be able to demonstrate that all data collected, stored, analyzed, and processed (either by itself or by a data processor on its behalf) is strictly necessary and proportional to the objectives pursued.
This is in many ways contrary to one of the fundamental assumptions of AML, i.e., that more data is better in order to make an accurate customer risk profile. The EBA Risk Factor Guidelines set requirements on the collection of sensitive data from, for example, adverse media screening, and in several investigations and reports by the Swedish FSA, tough requirements have been conveyed regarding specifically the collection and use of sensitive information about, for example, citizenship. This makes the current development even more challenging to navigate.
The principle of data minimization, however, is not a theoretical excursion in the context of AML. As we will further elaborate below, it may be necessary to disclose this information to the Data Protection Authority (DPA) to have a legal basis for the processing of data relating to criminal activities.
The third decision: Data relating to criminal activities in relation to the AML Directive
To process data relating to criminal activities lawfully, the processing must have a basis in Union or Member State law. In accordance with Swedish law, such data may be processed if it is necessary for compliance with a legal obligation. This requires that the legal obligation is sufficiently clear and precise in its application, and that it is reasonably predictable for a customer how their data will be processed.
According to Chapter 2 Section 3 of the Swedish AML Act, an entity has the obligation to assess the risk of money laundering or terrorist financing that may be associated with the customer relationship (the customer’s risk profile), and it has been assumed that this is sufficiently clear to constitute a legal obligation to process said data.
Contrary to this longstanding interpretation, the Swedish DPA concluded that the obligation is too unclear and imprecise to be interpreted as a legal obligation of such precision and clarity that it could form the basis for the current processing of personal data.
Even though Chapter 2 Section 3 of the Swedish AML Act does not constitute a legal obligation to process data in the context of the GDPR, anti-money laundering and counter-terrorist financing constitute a legitimate interest to process personal data. However, a legitimate interest cannot serve as the basis for the processing of data relating to criminal activities.
Chapter 5 Section 6(1) of the Swedish AML Act states that it is permissible to process data relating to criminal activities if necessary to assess the risk associated with the establishment of a customer relationship. The Swedish DPA determined that Chapter 5 Section 6(1) does not include the matching of data sets within the company group with a central watchlist (database) containing, for example, previously rejected customers. The general option of matching data sets based on Chapter 5 Section 9 of the Swedish AML Act did not change this assessment of the Swedish DPA. The probable interpretation is that matching of these datasets was not deemed necessary in the context of the GDPR to assess a customer risk.
An unfortunate consequence of the Swedish DPA’s decision is the room it leaves for interpretation with regards to what processing of data relating to criminal activities is permitted under the Swedish AML Act and what processing requires the DPA’s formal approval. The decision takes aim at the narrow question of matching datasets with a central watchlist for the company group. This cannot be interpreted as meaning that all other processing of data in the context of assessing the customer risk profile falls under the umbrella of Chapter 5 Section 6(1) of the Swedish AML Act.
To summarise, the Swedish DPA has created three additional obligations in the Swedish context:
The first additional obligation is that a company, as a general rule, is required to closely examine which processing operations require a formal request for approval from the Swedish Data Protection Authority (DPA) to process personal data relating to criminal activities, including suspected criminal activities in the context of AML. This analysis is of higher importance when matching different datasets. Such an application will not be rubber-stamped by the Swedish DPA; for the application to be approved, it is necessary to demonstrate that the planned processing of data is compliant with the GDPR.
Consequently, it is necessary to demonstrate how compliance with the GDPR will be achieved, relating to, for example, the principle of data minimization. The question of the actor’s GDPR processes interplaying with AML purposes cannot be avoided.
The second additional obligation is the performance of a Legitimate Interest Assessment (LIA) to provide a legal basis for the processing of data in the context of a customer risk profile. The right of the controller to perform the processing on this basis cannot be taken for granted. The Swedish DPA as well as Swedish courts have in some decisions concluded that the actor’s legitimate interest is overridden by the customers’ interests in the context of AML.
The third additional obligation consists of further transparency obligations and the right of the customer to object to the processing of their personal data in the context of the customer risk profile. An assessment must be made in each individual case relating to the particular situation of the customer(s). As the right to object is constructed, the objection must be accepted unless the controller demonstrates compelling legitimate grounds.
The decision by the Swedish DPA will have far-reaching consequences for the AML processes of obliged entities. Not least because it will require obliged entities to strike a balance between compliance with the AML laws, rules, and regulations on one hand, and compliance with the GDPR and the ePrivacy Directive on the other. Overcompliance with the AML rules (i.e. using personal data “just in case”) as an easy way out of a dilemma such as this is now a thing of the past. As an added level of complexity, personal data and non-personal data are often inextricably linked together in datasets, for example in data lakes or data warehouses. Consequently, the GDPR is increasingly becoming the law of everything when non-personal data, as a consequence, becomes infected by the GDPR.
At this point, uncertainty remains as to whether some consequences were intended by the Data Protection Authority (DPA) in its decision, foremost among which is the possibility for a customer to object to processing their personal data for customer risk classification, which has the potential to disrupt the usage of specific (and often highly complex) models for this classification – something that the Swedish Financial Supervisory Authority (FSA) has come to expect of most obliged entities in its AML supervision. Further guidance from the Swedish DPA and Swedish FSA is required before these consequences can be fully understood.
There is no fully coherent interpretation of what constitutes data relating to criminal activities in relation to all Member States. For example, there is case-law from the Swedish Supreme Administrative Court that needs to be considered in the Swedish context. In addition to determining which DPA is competent to receive the application, different national interpretations of the GDPR must be taken into account.
For more information about the Swedish DPA’s decision, please find our previously published analysis here.
The decisions by the court and the Swedish DPA suggest that organizations will need to rethink the interplay between the AML Directive, the MAR, and the GDPR.
It is clear that neither the AML Directive nor MAR override the GDPR. Nor should the GDPR be interpreted in the light of the AML Directive or MAR; rather, the opposite is true—the AML Directive and MAR must be strictly interpreted in the light of the GDPR in all instances. This changes the fundamental assumption that more data is better to establish an accurate customer risk profile.
Our general recommendations are:
- Make an assessment to establish if it is required to request permission from the competent DPA to collect, store, and process personal data relating to criminal activities and ensure that a Legitimate Interest Assessment has been performed and documented if necessary.
- Perform a coherent data mapping of all data processed in the scope of AML and MAR. Based on this information, perform a Data Protection Impact Assessment to assess the AML processes in the light of the GDPR in order to be able to demonstrate GDPR compliance.
- Revisit the processes relating to the storage of traffic and meta data to ensure an adequate legal basis for the storage of such data—and not only the disclosure of such data at the request of a competent authority.
Experience shows that it is one thing to be compliant, and another to be able to demonstrate compliance. The responsibility is placed on the data controller to demonstrate compliance with the GDPR. Therefore, compliance alone is not enough; compliance must always be demonstrated.
FCG can proactively support you in a constantly changing and complex GRC environment. Our experts in Financial Crime Prevention and Data Privacy operate in seven different markets and provide hands-on solutions tailored to our clients’ needs. As part of our full-service offering, we can advise banks and other financial institutions in their applications to the Data Protection Authorities to process data relating to criminal activities.
For further information, please contact: