The Anti-Money Laundering Law vs. the GDPR - what is worth knowing?

Companies are required to comply with various regulations. Noteworthy among them are the Anti-Money Laundering Law and the General Data Protection Regulation (GDPR). How do these issues interconnect, and what can be done to operate in compliance with the law?

What is the AML/CFT law?

AML/CFT stands for Anti-Money Laundering and Countering the Financing of Terrorism. It applies to all money-handling businesses. It imposes the following obligations on businesses:

  • Monitoring, analysing, and recording all transactions and business relationships,
  • Reporting potential or actual violations of the AML Law to the FIU, the Financial Intelligence Unit,
  • Identifying individuals and their beneficial owners.

The AML Law is thus directly related to the processing of personal data and thus the provisions of the GDPR. An entity subject to this law can take a scan of a customer's or contractor's ID card. Its duty is to collect, store, process, share, and delete personal data.

Personal data collection in accordance with the AML Law

Users must use data collected under the AML Act in a specific way and keep it for as long as needed in a particular case. All actions taken in this regard must be adequate for their intended purpose. An entrepreneur may not collect more information than he is required to have. If he collects additional data, he must request permission to process it. This is especially the case when collecting phone numbers, addresses, or emails—this is information other than that listed in the AML Law.

The GDPR and AML regulations do not indicate ready-made solutions, so each entity should adapt the scope of the data collected to its individual situation. Relevant factors include the industry, size of the company, geographic scope, scale and type of activity, and potential risks.

GDPR regulations in relation to the AML laws

The AML law requires collecting and analysing personal data in compliance with the GDPR.  It is worth noting that the processes concerning this information occur without the knowledge of the individuals involved.

The AML Law indicates the obliged entities that must fulfil the relevant formalities seeking to counter money laundering and terrorist financing. However, it is also possible to carry out these operations voluntarily. Entities not designated by the AML Law as obligated institutions must obtain the person's consent to process their data. Under the Polish law, Article 6 (1) (a) of the RODO Regulation sets forth details on this.

The period for which personal data is stored

According to the GDPR, data can only be kept for the time necessary to fulfil its purposes. The AML law, however, is much more precise. In general, an institution must collect information for 5 years from the first day of the year following the termination of the business relationship with the customer in question. The 5-year period for a transaction undertaken with a customer of an occasional nature starts from the date of the transaction.

After 5 years, the FIU may verify the necessity of further data storage. There is an option to extend this time period if it deems them necessary. The exact period for collecting personal information is decided by the FIU.

Obligations under GDPR regulations

Businesses must comply not only with the AML Act but also with GDPR. Under this regulation, they are required to:

  • Maintain a Register of Personal Data Processing Activities; this includes information on AML and terrorist financing activities, the basis of data processing, the scope of information collected, the purpose of its use, and the retention period.
  • The preparation of the AML risk assessment document includes information on the assessment criteria that involve access to the collected personal data.
  • Preparation and communication of the GDPR information clause to entities; it contains similar information to the Register of Personal Data Processing Activities, but it must be signed by the entity affected by the data processing.
  • Training of employees responsible for personal data processing: this covers issues such as authorizations to process data or agreements to entrust these duties to an external company.
  • To take care of data security, it is necessary to maintain data confidentiality and integrity. It is also important to provide access to data only to authorised and properly trained people.

Currently, all obligations required by the AML and CFT laws are compliant with the GDPR.

Outsourcing AML as a way to comply with GDPR

It is convenient for businesses to use external services related to the AML and CFT. AML outsourcing allows for easier compliance with both these laws and the GDPR. Specialists ensure that records are kept correctly to avoid serious consequences.

Outsourcing AML is especially important for entities bound by the AML/CFT laws (obliged entities). The knowledge and experience of specialists help to properly manage the collected data.