The search for a balancing act between combating AML and GDPR compliance | FSI | Deloitte Netherlands


The search for a balancing act between combating AML and GDPR compliance

Financial institutions’ need to raise their bar to meet higher demands

The recent implementation of the fourth directive on anti-money laundering (“AML”), the upcoming fifth directive on AML that is to be implemented as of January 10, 2020 and recent scrutiny of financial institutions and supervisory authorities regarding AML all share the same essence: financial institutions need to raise their bar to combat AML and have to perform a more thorough customer due diligence. On the other hand, the General Data Protection Regulation (“GDPR”) imposes serious responsibilities on financial institutions processing and storing personal data. How to find a balancing act between these priorities?

The Current

The recent cases and publicity around financial institutions’ AML failings, the national and European financial supervisory authorities prioritizing the combat on AML, the Dutch government wanting a “black list” for settling institutions and with the extension of the compliance of financial institutions, AML seems to be more relevant than ever. This increasing importance is reinforced by the use of new technologies and trends in cryptocurrency trading and asset tokenization. AML is however not the only challenge in the fairway of nowadays financial institutions. On the basis of the GDPR, financial institutions need to act in accordance with data protection requirements whilst complying with AML obligations. Both financial supervisory authorities, the Dutch Central Bank and Authority for the Financial Markets, as well as the Dutch Data Protection Authority are actively supervising these compliance obligations. There is some tension between the restriction on the use of personal data in line with the GDPR and  financial institutions’ AML requirements to assess such data for the purpose of their customer due diligence and transaction monitoring procedures.

The Framework

One of the legitimate grounds for processing of personal data in terms of the GDPR is compliance with a legal obligation. AML demands your institution to process personal data of your clients for the purpose of screening, due diligence, transaction monitoring, and eventually reporting procedures to the so-called Financial Intelligence Unit. Such reporting procedures are subject to stringent confidentiality duties, whilst the GDPR prescribes to inform your customer about the processing activity. This however is not the only potential conflict arising of sometimes contrasting requirements in the GDPR and AML:

  • Data minimization: AML requires your organization to process personal data of your clients for AML purposes, whereas the GDPR requires to minimize the use of personal data. Do you challenge your organization whether the data processed is strictly necessary for the AML purpose?
  • Re-using data: the GDPR stipulates that personal data used for one purpose, may be re-used for another compatible purpose. AML obligations are however often broadly defined and leave room for interpretation. How can you make a decent secondary purpose assessment if the purpose is not explicitly specified enough? 
  • Retention periods: the GDPR notes that personal data may no longer be stored than necessary. AML and financial administration purposes however require to maintain (personal) data in accordance with legally required retention periods. These different retention periods should be taken into account while designing controlled and sound business operations. Have you designed these business operations in a compliant and efficient manner?
  • The ultimate beneficial owner (“UBO”): institutions subject to AML-obligations will be required to maintain up-to-date information regarding the UBO of their clients in the UBO-register. The UBO should be informed about this processing activity, noting that the information is available to various parties that can demonstrate a legitimate interest with an exposion to a disproportionate risk exception. This register is subject to legislative approval and will most likely be discussed in the House of Representatives in March 2019. What are your institution’s expectations regarding the UBO-register from a GDPR-perspective?

The Future

So, how can you turn these, at first sight, conflicting obligations into opportunities for your institution in a fast changing environment? To use the requirements of the GDPR and AML in your advantage, your organization should have a clear legal strategy that focuses on compliance with current and future legal challenges and in addition identifies opportunities.

To become the financial institution of tomorrow, Deloitte focuses on positive compliance using technology-driven solutions. Legal obligations are rather seen as an opportunity than a requirement. In the landscape of the multiplicity of legal and regulatory requirements and the tightened regulations covering enforcement, positive compliance can serve as an enabler to your corporate strategy. In such way, your organization can gain a competitive advantage, whilst complying with the GDPR and AML at the same time.

More information

Would you like to know more about GDPR, AML and positive compliance? Please contact Peter Kits, Maria van Duijvenbode or Myrthe van Dam via the details below.

Did you find this useful?