In May 2020, the European Commission issued a communication on an action plan for a comprehensive Union policy on preventing money laundering and terrorist financing. The goal of the action plan is to adapt the existing regulatory framework to the specific threats and vulnerabilities that the EU faces while allowing room for it to evolve as needed. The European Data Protection Supervisor (EDPS), as the institution tasked with advising Union institutions and bodies in order to ensure that the fundamental rights and freedoms of individuals are respected, has issued an opinion on the Commission’s action plan. On the plan, the EDPS notes the need to strike a balance between the important objectives of Anti-Money Laundering (AML) and the need to minimise the interference with an individual’s fundamental right to privacy and personal data protection.
The EDPS’s observations on the Commission’s action plan, as well as their previous opinions on AML directives, illustrate a common theme: the need to consider data protection when applying measures to prevent money laundering and the financing of terrorism. Indeed, as the means evolve to conduct an enhanced analysis of individuals for the purposes of AML, assessing such processing against the core data protection principles of necessity and proportionality takes on an even greater role in striking the balance that the EDPS refers to.
In this article, we explore the legal framework for AML, examine the components of AML known as Customer Due Diligence (CDD) and Know Your Customer (KYC), and discuss data protection considerations with respect to achieving AML objectives.
The legal and regulatory framework governing Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) in the EU is set out both at Member State and EU level, with the first European Anti-Money Laundering Directive stretching back to 1991. We are currently in the fifth iteration of the AML Directive (5AMLD), with 4AMLD having replaced previous AML Directives, and subsequent updates being amendments to 4AMLD. The sixth Anti-Money Laundering Directive (6AMLD) is due for transposition by 2021. In addition, the EU legal framework takes into account the recommendations of the Financial Action Task Force (FATF), the international body tasked with setting standards and issuing guidance that aims to prevent activities such as money laundering and terrorist financing. As can be concluded from the quick succession of AML directives, there has been rapid development in the realm of AML in recent years.
AML and CTF
Anti-money laundering is aimed at preventing the use of the financial system to process or make ‘clean’ the proceeds of crime. In addition to general AML obligations, further requirements known as Countering the Financing of Terrorism (or CTF) require organisations to take action based upon individuals who are linked to ‘greylisted’ or ‘blacklisted’ countries. CTF in particular presents a marked increase in the risk of discrimination or widespread surveillance that disproportionately affects minorities.
What is ‘Know Your Customer’ and ‘Customer Due Diligence’?
The Anti-Money Laundering Directive requires obliged entities (e.g., financial institutions) to carry out Customer Due Diligence (CDD) in order to prevent the holding of anonymous accounts, as well as in circumstances that meet certain monetary thresholds, or where there is suspicion that activity may be related to money laundering or terrorist financing. The term Know Your Customer (KYC) is associated with the stage of CDD related to establishing the customer relationship, or onboarding of the customer. More broadly, CDD is the ongoing due diligence activity that continues beyond the KYC onboarding component. Any customer undergoing CDD may be subject to further review under Enhanced Due Diligence (EDD). The customer may not always be informed of the further monitoring or the reasons for it. In certain cases, EDD requires the customer to provide additional information not only regarding their own circumstances but also the circumstances of their personal and business relationships.
Personal data and KYC
The processing of personal data is required to carry out the Know Your Customer process. AML legislation is not prescriptive about which data will satisfy KYC checks, although forms of identity issued by trusted parties, such as passports or national identity cards, are examples of documents that may be requested, among other proofs of identity. The AML Directive and guidance from the Financial Action Task Force recommend that entities take a risk-sensitive approach in carrying out such checks. Risk-focused approaches may take account of the context of the business, its operating environment, the reason that the customer is engaging the business, and geographical risks, among other factors.
The interplay of AML and data protection
There is a danger that AML objectives take precedence at the expense of data protection obligations. However, data protection requirements should be understood alongside those of AML. The risk-based approach advocated for Customer Due Diligence requirements can result in subjective assessments with varying outcomes from one entity to another, even when the risk profiles of those entities may be quite similar. One financial institution could end up requiring significantly more onerous levels of personal data than another to complete the KYC check of a customer onboarding process. The correct application of data protection principles such as data minimisation, purpose limitation, storage limitation, and assessing the necessity and proportionality of personal data requested can result in more positive outcomes for data subjects while still meeting the objectives of AML in the Customer Due Diligence process. Tools to help achieve these positive outcomes can be found in the GDPR; for example, applying a ‘data protection by design and by default’ methodology to the development of the AML/KYC process, and carrying out a Data Protection Impact Assessment, as provided for by Article 35 of the regulation.
Innovation in KYC
The Fifth Anti-Money Laundering Directive (5AMLD) acknowledges that secure remote electronic identification is now possible. Regulation 910/2014 on electronic identification and trust services in the internal market (eIDAS) provides an assurance framework for EU citizens to access online services. In times such as these, when accessing services remotely is becoming even more necessary, facilitating digital onboarding to financial services while meeting the level of assurance required for KYC is crucial to protecting the interests of both providers and consumers. Such innovation presents data protection challenges. For example, when individuals use their mobile device to open a bank account, a bank may consider it necessary to request all of the data points that a mobile device can provide including GPS location, behavioural data and even phone contact details to feed into a risk assessment process of the customer, as part of KYC. Access to such volumes and specificity of data was not possible in the past, and without appropriate measures in place to limit data collection to what is truly necessary, the potential for overreach and negative impact (e.g., rejection via automated decision-making) is significant.
Get the basics right
Data protection obligations need to be considered alongside AML and KYC. Getting the basics right, by applying data protection principles and carrying out a Data Protection Impact Assessment, will yield results in meeting both objectives while ensuring that the rights of individuals are respected. Both data protection and AML obligations require organisations to be able to evidence their decision-making process and, as such, be accountable for those decisions. As the EDPS notes, it is in striking a balance between the two that everyone’s interests are best served.