When Can Measures Against Money-Laundering Become Unlawful?
Navigating at the intersection between anti-money laundering and data privacy is one of the most complex issue areas that financial institutions have to deal with.
The fight against money laundering is an uphill battle. With all eyes on the money on both sides of the law, financial institutions are levied with growing pressure to demonstrate efficiency of their AML programs, while in parallel financial crime continues to thrive. The Swedish Economic Crime Authority amongst others are pointing towards how corporate entities are misused as conduits to commit crime
The KYC process and the ability to properly identify unique beneficial owners, including their relatives and close associates, money mules, strawmen and individuals linked to criminal networks remain very challenging. Last year, a leading Nordic bank was granted permission by the Swedish Authority for Privacy Protection (IMY) to share personal data of clients that have previously been reported to a FIU within their group of companies. This particular case is the first of its kind and indicates that additional scenarios will require approval by IMY to process personal data relating to suspected or confirmed criminal offences.
In addition, the decision by IMY expresses the principle that anyone who bases a processing activity on a legal obligation shall make sure that such legal obligation is specific enough to be lawful. Further, in line with accountability requirement, the assessment should be properly documented. If processing of data is likely to result in a high risk for the data subjects, such processing shall also undergo a Data Protection Impact Assessment (DPIA) before it is launched.
According to Aron Klingberg, lawyer and member of FCG’s Data Privacy expert team, there are currently three main problems to consider with regards to AML and GDPR.
“Firstly, there is a general sense that the bureaucratization of compliance does not benefit neither anti-money laundering nor data protection and privacy. Second, there is a lack of legal predictability for obliged entities with regards to what may or may not be unlawful at this particular intersection. There is so far an almost unilateral focus on data protection and privacy by the Data Protection Authorities (DPA). And lastly, there is still a lack of harmonisation of legal provisions of the different Member States.”Aron Klingberg
Join our webinar “Data Privacy & Financial Crime Prevention – Precedence & Conflicts” on the 19th of September to gain further insight into:
- Data on previously rejected (or off-boarded) customers should be shared within the legal entities within the bank group to prevent renewed suspected money laundering activities.
- Understanding the Fundamental Conflict: Balancing Data Privacy vs. Financial Crime Prevention
- Interpretations of AML measures in light of GDPR obligations
- The application of the current legal situation and how to navigate the necessary compromises between the regulations
- Future outlook: EU regulations, AMLA, EDPB, and the Court of Justice of the EU EU, AMLA, EDPB, and the Court of Justice of the EU.