Requiring sensitive and personal data from clients is now a top priority for many organisations seeking to ensure compliance with legal and regulatory requirements. Laws such as the UK Bribery Act 2010 and the EU’s Third, Fourth and what is now being referred to as the Fifth Anti-Money Laundering (AML) Directive require the collection, processing and retention of personal data during what is known as the due diligence process, before an organisation can provide a product or service to a third party. This extends to sensitive personal data: obtaining a copy of a passport, for example, falls within the definition of sensitive data under the EU Directive 95/46/EC for Data Protection, because you are presented with the name, age, nationality and gender of an individual and, through the picture, can commonly ascertain their ethnic origin as well.
With this growth in the requirement to carry out due diligence (also commonly referred to as “Know Your Client”), privacy and data protection seem to be regarded as an added complication to the whole due diligence process. This is because they require organisations to give additional consideration to these matters both during the due diligence process and after it has been completed.
Whether or not one is in favour of privacy and data protection from a commercial standpoint, it is important to note that privacy and data protection is a fundamental human right recognised in numerous international, regional and national laws and regulations. This article aims to highlight the importance of privacy and data protection throughout the due diligence process, given that many countries have committed to complying with these national, regional and international standards. Additionally, this article provides a very useful summary of the key regional and international data protection and privacy laws and regulations, so that you don’t have to!
So, whether you like it or not, you need to evidence compliance with privacy and data protection requirements throughout your due diligence process. Otherwise, even while complying effectively with your due diligence requirements, you may be found in breach of your privacy and data protection obligations, leaving you and your organisation open to criticism and sanctions.
Due diligence in relation to AML (and similar laws such as the UK Bribery Act 2010 and the US FCPA 1977) concerns the information required to establish clear facts about a customer, third party, beneficial owner etc., enabling an organisation to assess the extent to which that party exposes the organisation and its associated parties to a range of risks. These risks include, but are not limited to, money laundering, criminal activities, tax evasion and terrorist financing. Organisations need to ‘Know their Clients’ for several reasons:
- to comply with the requirements of relevant legislation and regulation
- to assist Financial Intelligence Units (FIUs) with their investigations into illegal activities such as money laundering and terrorist activities
- to increase transparency and reduce the veil of secrecy used by many individuals to stay under the radar (please note that not all attempts to stay unnoticed are due to an illegal reason; they can extend to legitimate reasons such as tax avoidance (which, unlike tax evasion, is not a crime), privacy etc.)
- to guard against fraud, including impersonation and identity fraud
- to assist organisations in understanding who their clients are and therefore provide appropriate products and/or services to accommodate their clients
- to help an organisation identify, during a continuing relationship, what is unusual and to enable the unusual to be examined
- to enable the organisation to assist law enforcement by providing available information on customers under investigation following a suspicion report to the FIU.
Consequently, a prohibition on setting up anonymous accounts or relationships is the baseline for the international standards, and in order to meet these standards organisations need to collate, process and retain certain data, which extends to the personal and sensitive data of their clients.
Additionally, the amount of data and personal data requested depends on the risk associated with engaging the third party. For example, if the third party is located in a high-risk jurisdiction or operates in an industry susceptible to illegal activity, such as the energy industry, organisations commonly carry out enhanced due diligence: the collation, processing and retention of additional data and personal data to gain a more complete understanding of the third party.
The role and impact of data protection rules are rarely discussed despite the growing awareness and importance of data protection in this modern technology savvy world.
The legal requirements stressing the need for due diligence in laws such as the Fourth AML Directive acknowledge and stress the importance of complying with data protection and privacy requirements yet fall short in expressing how organisations can show compliance in balancing both legal requirements.
Furthermore, data protection considerations cannot be excluded from the due diligence process, given that numerous international, national and regional laws stress the importance of privacy and data protection as a fundamental human right. Many countries have signed up to one or more of these laws, and this further highlights the need for organisations carrying out due diligence to consider how the data protection and privacy of their data subjects are affected; failing to do so opens up many legal and regulatory avenues for complaints and sanctions.
The increasing sophistication of financial information technology, and its capacity to collect, analyse and disseminate information on individuals, has introduced a sense of urgency about showing how organisations consider data protection and privacy throughout the collection, analysis and dissemination of personal data arising during the due diligence process. Technological advancements always outpace the legal world, as it takes time for laws to be introduced. Therefore, while we wait for legal instruments clarifying how data protection should be balanced within the due diligence process, the onus remains on organisations to act in what is deemed a fair balance between these two key principles.