AML Compliance

GDPR in Business Partner Screenings: Top Considerations

Regulated entities are required to conduct business partner screenings to remain compliant with Anti-Money Laundering (AML) and Counter-Terrorist Financing (CFT) regulations. These screenings, which include PEP and Sanctions Lists screenings, involve personal data and hence GDPR data privacy regulations must be taken into consideration. Let’s dive into GDPR and how it affects business partner screenings.

Thorsten J Gorny
,
October 26, 2020

Understanding GDPR

GDPR, or the General Data Protection Regulation, was put into place by the EU in 2016. This framework was designed to regulate how companies within the EU protect the data of its citizens.

It outlines the basic requirements for data processing and transfer, as well as data privacy. Organizations must obtain consent to process data, anonymize the collected data, transfer information securely across borders, and provide notification of any data breach.

Similarly, financial service organizations are required to have a designated data protection officer on staff that has expertise in data privacy to ensure the firm remains compliant.

These regulations apply to companies in the EU, but also to any business that markets to EU residents.

Any failure to comply with GDPR can lead to sanctions and fines up to the higher of €20 million or 4% total global annual turnover for the previous year. This ensures that businesses are complying with the data privacy requirements outlined in GDPR!  

How GDPR Affects Business Partner Screenings

In addition to GDPR requirements, regulated businesses are required to comply with anti-money laundering in counter-terrorism financing regulations. These regulations require financial organizations to have a know your customer process, which includes conducting PEP and sanctions list screenings.

A PEP screening determines if a potential customer has a higher business risk because they are a public officer or government official. For example, heads of state require additional due diligence measures because they are in a position that could be greatly affected by corruption.

Sanction screenings are another requirement, and this involved confirming that a potential customer is not on a sanction or terrorist list, like the one held by OFAC, that would legally prevent your firm from doing business with them.

So, how does this relate to data privacy and GDPR? Well, to conduct these screenings, you must collect personal information like name, date of birth, address, and even copies of legal identification. This means that all of the information that is collected falls under the data privacy regulations!

Financial service firms have been asking whether GDPR requirements like consent can hinder their ability to fight fraud and money laundering as required by other regulatory agencies. Do they have the right to have their data erased, and if so, does that make it harder to find patterns and suspicious activity? What about the conflicting regulatory issues regarding data retention?

We can break down the aspects of GDPR and how it affects business partner screenings by looking at the individual sections: lawfulness of processing, right of access, and right to erasure.

Lawfulness of Processing

As part of GDPR, organizations cannot assume that their customers consent to the processing of their data – there must be a clear statement of consent that can be withdrawn at any time. Businesses must also comply with stricter obligations surrounding data security and data breaches.

This poses an obvious hurdle for financial firms that need personal information to comply with anti-money laundering regulations – however, GDPR does offer exceptions.

GDPR permits financial firms to process information that is necessary to remain in compliance with a legal obligation, or if the processing is necessary to pursue legitimate interests. This exception means that as long as the data is processed is to complete business partner screenings, there should be no question regarding the lawfulness of processing.

It clearly states that "the processing of personal data strictly necessary for preventing fraud also constitutes a legitimate interest."

Moving forward, financial service firms that operate within the EU should have clear processes in place to document the data processing that is related to things like PEP and sanctions list screening.

Right of Access

Another pillar of GDPR relates to an individual’s right to access the personal data held by an organization. Individuals can file what is called a Subject Access Request to review this information, and GDPR prevents firms from charging a fee for this – they also have to respond within 30 days.

Concerning business partner screenings, providing access to processed data could affect your organization's ability to fight financial crime. GDPR addresses this by stating that the right of access obligation can be limited if providing the data will "adversely affect the rights and freedoms of others."

The 4th EU Anti-Money Laundering Directive applies to all financial firms in the EU. This directive states that access to processed information, like suspicious transaction reports or currency transaction reports, can significantly undermine their effectiveness in anti-money laundering and counter-terrorism financing efforts.

As a result, a regulated business can make the argument that keeping certain data private is protecting the public against financial crime threats – which supersedes their right to receive access to that information.

Member states must have legislative measures in place that restrict, in part or as a whole, the data that is being used for these purposes – so long as they are following the lawfulness of processing requirements.

Right to Erasure

The right to the erasure of personal data, upon request, is another aspect of GDPR that must be taken into consideration when conducting business partner screenings.

Individuals have the right, under GDPR, to request that their personal information be erased. They can request this if the data is no longer necessary for what it was originally intended to do, their consent to process has been withdrawn, or there is no legitimate interest to keep the data private.

Of course, financial institutions need to balance this requirement with others like the retention rules under the 4th EU Anti-Money Laundering Directive. This aspect of the framework states that transaction records must be retained for five years after the relationship has ended – and up to another five years if necessary.

In other words, businesses can retain data related to business partner screenings if it can be used to prevent, detect, or investigate suspected terrorist financing or money laundering.


Photo by Dayne Topkin on Unsplash

New Sanctions Screening Guide
Download our FREE Sanctions Screening Guide and learn how to set up an effective sanctions screening process in your organization.
New Case Study
Discover how technology companies streamline global sanctions compliance with sanctions.io
Thorsten J Gorny
Thorsten is Co-founder & CEO of sanctions.io. He has worked for more than 15 years in the tech industry with focus on bringing ideas to life, and building great teams and products. At sanctions.io he is mainly responsible for Business Development, Growth and Strategy.
Enjoyed this read?

Subscribe to our Newsletter right now and never miss again any new Articles, Guides and more useful content for your AML and Sanctions compilance.

Success! Your email has been successfully registered for our newsletter.
Oops! Something went wrong while submitting the form.