Privacy legislation such as the GDPR requires a legal basis for processing personal data. AML legislation is an example of such a statutory legal basis. As an entity subject to AML requirements, you process personal data of clients, representatives and beneficial owners for mandatory customer due diligence. In this case, AML legislation provides the legal basis and therefore takes precedence over the GDPR.
What data must I request?
This depends on the type of client. Different information must be requested when identifying natural persons and legal entities. In our article on the documents you are required to obtain, we set these out in detail.
How should I request the personal data?
Personal data can be requested in various ways: by email, in person, or by using AML compliance software. When requesting such information, bear in mind that it concerns sensitive data, such as identity documents. You must therefore ensure that this is always transmitted via a secure environment or connection.
How should you store the personal data?
You have carried out AML customer due diligence. You are now required to retain the file. It is important that this is done securely. But where should you store a file containing sensitive information such as a copy of an identity document?
Personal data can be recorded and stored in different ways. We see that many firms still request identity documents by email and also store them there. However, this has disadvantages. Data can easily be lost, spread across multiple email accounts, or be difficult to retrieve.
Would you like to avoid this? Then consider AML compliance software. By using software such as RegLab, you can receive and store the data in one secure environment. This makes it easier to comply with both AML requirements and the GDPR.
How long should you retain the personal data?
AML legislation prescribes a retention period of five years. This period starts on the date of the transaction or at the end of the business relationship.
It is important to store AML matters separately from other data. This helps you maintain an overview and makes it easier to delete the data after five years. When everything is stored together, it becomes more difficult to monitor whether the five-year period has expired and whether matters contain AML-related data.
Transparency in data processing
Under the GDPR, you are also required to inform individuals about the processing of their personal data. This applies not only to your own clients, but also to third parties such as ultimate beneficial owners (UBOs). This can easily be done by including an AML clause in your engagement letter.
Please note: data subjects always have the right of access and may request a copy of their data.
More Information?
Are you unsure which data you may or may not request or retain? Do you not know the best way to request and/or verify the data? Our compliance specialists can advise you.
Discover the essential AML compliance terminology and gain instant access to a comprehensive guide