UK government encourages regulated firms to share customer information within corporate groups, highlighting interaction with firms’ obligations under the Proceeds of Crime Act 2002 and GDPR.
The UK government has published a statement endorsing the Financial Action Task Force’s (FATF’s) recommendations that regulated financial institutions should be required to implement group-wide anti-money laundering (AML) and counter-terrorist financing (CTF) programmes that provide a framework for information to be shared within the group for AML and CTF purposes. The statement agrees with the FATF’s position that cross-border information sharing:
- By the private sector is a key component of a well-functioning AML and CTF regime
- On a group-wide basis is a useful tool to prevent, recognise, investigate, and ultimately report specific cases of money laundering or terrorist financing
- Enables firms to perform effective global risk assessments of customer relationships and avoids information being “siloed” within a particular group entity
- Ensures firms are better able to perform customer due diligence, identify suspicious activity more readily, and file higher quality Suspicious Activity Reports (SARs) that take account of all of a customer’s transactions with group members
The Fourth Money Laundering Directive ((EU) 2015/849) (MLD4) implemented the FATF’s recommendations as they related to information sharing. In turn, the UK’s implementation of MLD4 by way of the Money Laundering Regulations 2017 (MLRs 2017) included Regulation 20, which requires an in-scope UK firm (i.e., a “relevant person”) to:
- Ensure that all AML and CTF controls, policies, and procedures apply to all subsidiary undertakings (including those located outside the UK) and to any branches established outside the UK
- Establish and maintain throughout its group the policies, controls, and procedures for data protection and information sharing for the purposes of preventing money laundering and terrorist financing with other members of the group
However, since the EU’s adoption of MLD4, the FATF updated its recommendations on this point and extended the information sharing obligation such that: “[g]roup-level compliance, audit, and/or AML/CFT functions should be provided with customer, account, and transaction information from branches and subsidiaries when necessary for AML/CTF purposes” (emphasis added).
When the UK transposed the Fifth Money Laundering Directive ((EU) 2018/843) (MLD5) into national law, it also took the opportunity to incorporate FATF’s updated recommendation by amending Regulation 20 of the MLRs 2017 to require in-scope firms to have policies for intra-group information sharing as it relates to customer, account, and transaction information. Therefore, the UK government’s statement is a timely reminder to firms to ensure that they have implemented this recommendation and other changes to business-as-usual processes that were included in the UK’s implementation of MLD5.
The statement also reminds firms that UK customers’ personal data should only be shared in a way that is compliant with the General Data Protection Regulation ((EU) 2016/679) (GDPR). Personal data is broadly defined in the GDPR and means any information from which an individual can be identified. In performing AML and CTF KYC checks, firms likely will process significant volumes of personal data, including names, identification documents, social security numbers, and contact details. While firms will invariably have in place robust policies and procedures for handling such personal data when interacting with third parties, the statement serves as a useful reminder that these robust procedures must also be followed internally for intra-group data sharing.
The statement specifically refers to the guidance of the Information Commissioner’s Office (the ICO) on restricted transfers (i.e., transfers outside of the EEA). As the UK prepares for the end of the Brexit transition period on 31 December 2020, international transfers of data are a hot topic of discussion. Firms must ensure that “appropriate safeguards” are in place when sharing personal data in line with FATF and the UK government’s cross-border data sharing framework. For many organisations, this will require execution of an intra-group data transfer agreement containing Standard Contractual Clauses; however, others may be able to rely on binding corporate rules, a Privacy Shield certification, or the adequacy decisions of the European Commission. The intra-group agreement should be kept under review and updated accordingly as greater clarity is forthcoming regarding the UK’s adequacy position following Brexit.
The statement also references the ICO’s draft Data Sharing Code of Practice (the Code), which remains subject to review by the ICO in light of public consultation. The Code provides guidance on sharing personal data, and advises organisations to identify a legal basis for the sharing and to ensure that data is shared in a fair and transparent manner (i.e., by providing a privacy notice to the data subject). The Code also states that organisations should consider whether data protection impact assessments and/or data sharing agreements are required.
Further to the UK government’s statement, it would be prudent for firms to review their intra-group data sharing practices to ensure that AML and CTF documentation is shared in a compliant manner and that intra-group processes and policies are subject to the same rigour as external data sharing practices.