GDPR and Money Laundering Regulations
As you will know, accountants, as part of the Regulated sector for anti-money laundering purposes, are required to carry out customer due diligence (CDD) for their clients. CDD includes verifying the identity of individuals which might typically involve seeing and taking a copy of a passport/driving licence or other identity evidence.
It would appear that some marketing companies are giving out plenty of advice on what you can and cannot do under GDPR. Remember though that these companies are no doubt talking about GDPR from the marketing perspective and to follow their advice in respect of all aspects of data processing could be disastrous.
Take, for example, the advice that some companies have given that photos of individuals or their identity documents should not be kept. In certain situations this advice is probably correct, but you cannot view it too narrowly. The Money Laundering Regulations require, under Regulation 40(2), that a copy of any documents or information obtained to satisfy CDD requirements must be kept for at least five years after the business relationship has ceased. So, if you have taken a photocopy of a passport as part of your CDD information, you MUST keep it for the specified period.
GDPR requirements
Now, you might be thinking that this conflicts with the GDPR but that is not the case. There are a number of bases on which data can be processed as encapsulated by this quote from the ICO website:
“You must identify valid grounds under the GDPR (known as a ‘lawful basis’) for collecting and using personal data.”
There are six lawful bases for processing:
- Consent
- Contract
- Legal obligation
- Vital interest
- Public task
- Legitimate interests
The one we are interested in for money laundering purposes is the legal obligation one, where the ICO website again clarifies that:
Article 6(1)(c) provides a lawful basis for processing where:
“processing is necessary for compliance with a legal obligation to which the controller is subject.”
The upshot of this is that whilst you couldn’t just randomly hold people’s personal information on file, such as a copy of a passport, if you have a lawful basis for this processing, you can. And as we have explained above, if the photocopy of the passport, etc., is part of your CDD information, you must hold a copy on file until five years after the end of the business relationship.
In conclusion, therefore, whilst GDPR does require us to rethink when and for what purpose we hold and process data, there are a number of lawful bases available for this. When it comes to money laundering requirements, we must be sure to ask for and keep the relevant information as required by law. If clients question the basis on which we are doing this, we can explain to them that GDPR sets out a number of bases for processing information and that, in the case of identity information, we are collecting it to comply with a legal obligation.