
17 May 2022    T-PD(2021)8rev2

CONSULTATIVE COMMITTEE OF THE CONVENTION FOR THE PROTECTION

OF INDIVIDUALS WITH REGARD TO AUTOMATIC PROCESSING

OF PERSONAL DATA

CONVENTION 108

Draft guidelines on data protection in the context of mechanisms for inter-state exchanges of data for Anti-Money Laundering/Countering Financing of Terrorism, and tax purposes

REVISED VERSION OF THE ONE SENT FOR COMMENTS ON 12.04.2022

CHAPTER I

Draft guidelines on data protection in the context of mechanisms for inter-state exchanges of data for Anti-Money Laundering/Countering Financing of Terrorism

Section I. Data protection rules and principles

1. Introduction

1.1. Background


Money Laundering and Financing of Terrorism (ML/FT) often involves cross-border schemes and multiple institutions through which criminal proceeds are transferred and/or laundered; the AML/CFT framework aims at preventing, investigating and prosecuting crimes that involve illegal or fraudulent money transfers and/or money laundering. Data sharing is crucial for combatting ML/FT, which is becoming increasingly complex to tackle. The Anti-Money Laundering/Countering Financing of Terrorism (AML/CFT) framework entails complex processing and exchanges of data between customers, obliged entities (OEs), financial intelligence units (FIUs) and law enforcement authorities (LEAs).

These exchanges must be considered, both by states Parties and possibly by other cooperating countries, in the light of the provisions of multilateral data protection frameworks such as Convention 108+, and specifically its Article 14 on transborder data flows, as illustrated in the following sections.

Processing of personal data may constitute an interference with the data subject’s right to respect for private life, as protected by international human rights instruments (such as Article 12 of the UDHR, Article 17 of the ICCPR and Article 8 of the ECHR). According to Article 11 of the modernised Convention 108, lawful exceptions and restrictions to this right can only be carried out for an objective of public interest if they (i) are in accordance with the law, (ii) pursue a legitimate aim, (iii) respect the essence of the fundamental rights and freedoms and (iv) are necessary and proportionate in a democratic society to achieve the legitimate purpose.

In the AML/CFT area, the public interest is the main element regulating data protection issues. The legislation on the prevention of money laundering and terrorist financing (AML/CFT regime) is based on the objective of public interest of protecting the financial system from being used for those purposes. The AML/CFT regime provides for several contexts of processing of personal data, which are essentially based on that public interest, setting out detailed obligations on data controllers. This extends to processing of personal data by government authorities which are entrusted with the mandate to combat ML/FT and are granted sovereign powers in this specific area. Nevertheless, the same does not extend to private sector institutions, which are OEs lacking the same legal status and mandate. As a result, data processing by private sector entities on the legal basis of public interest should be considered with caution, and can only be envisaged if a clear legal basis exists authorising such processing, notably in the context of emerging data pooling initiatives which entail data sharing between private sector entities (which are outside of the same financial group). In any event, public interest needs to be specifically defined and limited to the circumstances where measures benefit and increase the effectiveness of the AML/CFT regime. This entails, for instance, that excessive collection and processing of personal data should be prevented, also because over-collection of data may not always serve operational objectives and may generate additional legal and technical challenges (data quality/update, data security, etc.) for key stakeholders, including LEAs.

Since data protection is fundamental to ensuring the right to respect for one’s private life, family life, correspondence and home (Article 8 ECHR), regard must be given to data protection rules and principles when acting in AML/CFT interests, in compliance with Member States’ commitments and obligations under international law. Under these laws, the existence of a valid legal basis and appropriate safeguards for the processing of personal data is a prerequisite, for which the underlying rationale should be carefully analysed and articulated by international stakeholders from the AML/CFT, data protection and human rights fields. Considering that data processing and sharing are crucial in combatting ML/FT, these guidelines aim to emphasise the requirements needed for compliance with the data protection obligations included in Convention 108+ by controllers and processors, while complying with the AML/CFT framework.

1.2 Scope

The guidelines will cover data processing and sharing for AML/CFT purposes by public and private entities in state Parties to Convention 108+ and in cooperating countries.

The purpose of these guidelines is to provide orientation on how to integrate international data protection rules and standards in the area of AML/CFT in order to provide for an appropriate level of protection while facilitating transborder data flows, and to highlight blind spots in AML/CFT related issues where data protection safeguards should be put in place or strengthened.

Considering the additional obligations imposed by Articles 6, 7, 9, 10 and 14 of Convention 108+, these guidelines also aim at providing governments and policy makers from state parties with basic recommendations that could be considered in designing policies and regulatory instruments that comply with international standards as provided by Convention 108+.

2. Terminology and context used for the purpose of the Guidelines

Personal data and data subject – Article 2(a) of the Convention defines personal data as any information relating to an identified or identifiable individual (data subject). In the AML/CFT context, customers, beneficial owners (BOs)[1], parties to wire transfers, or individuals whose identifiable information is contained in data transfers, are to be considered as data subjects. They are the primary subjects of the Customer Due Diligence (CDD) measures[2], including identification and verification of identity. While Convention 108+ protects primarily personal data of natural persons, the Parties may extend the protection in their domestic law to data relating to legal persons in order to protect their legitimate interests[3], although corporate data is not personal data unless it relates to an individual (e.g. one-person-owned corporations or customer related data).

Data processing – All operations performed on personal data for AML/CFT purposes, either automated or manual, can be defined as data processing – including collection, storage, preservation, alteration, retrieval, disclosure, making available, erasure, use, destruction of, and the carrying out of logical and/or arithmetical operations on such data (Article 2(b) and (c) of the Convention). The aforementioned operations shall only be performed when controllers and, where applicable, processors take all appropriate (and demonstrable) measures to comply with the provisions of the Convention 108+ (Article 10(1)).

Data controller – A natural or legal person, public authority, service, agency or any other entity which, alone or jointly with others, has the decision-making power with respect to data processing, the purpose and means of the processing, as well as data categories to be processed and access to the data (Article 2 (d) of Convention 108+). The decision-making power can derive from a legal designation or from factual circumstances that are to be assessed on a case-by-case basis (ER 22). Controllers are bound to ensure the legitimacy of data processing (Article 5 of the Convention).

From an AML/CFT standpoint, OEs are controllers. The OEs include financial institutions[4] (FIs), virtual asset service providers and designated non-financial businesses and professions (DNFBPs) such as casinos, real estate agents, dealers in precious metals and precious stones, lawyers, notaries, other independent legal professionals and accountants, and trust and company service providers. Recipients of the information such as FIUs, law enforcement authorities, and authorities holding public registers of information on basic and beneficial ownership are also to be considered data controllers for the processing of personal data they perform.

The AML/CFT framework provides for different situations of information sharing, including between OEs; between legal persons and controllers of beneficial ownership registers; between OEs and FIUs or between OEs and other competent authorities (“public-private partnerships”/PPPs); between the FIUs of different countries; and between FIUs and other competent authorities. In these scenarios, if different controllers share the same purpose and personal data is involved, they should be considered to be joint controllers[5]. Joint controllership leads to joint responsibility for a processing activity. For the purpose of catering for increasingly complex data processing realities, joint controllership may take different forms and the participation of the different controllers may be unequal. Therefore, joint controllers must determine their respective responsibilities for compliance with their obligations by means of a specific agreement[6]. However, joint controllership is rare in the AML/CFT regime.

Moreover, as mentioned in the Introduction above, this is also in consideration of the fact that public authorities (such as LEAs) and private sector entities have different legal natures, mandates and powers and may therefore be subject to distinct legal frameworks.

Data processor – A processor is the natural or legal person who processes personal data on behalf of a controller. The activities entrusted to a processor may be limited to a very specific task or may, on the contrary, be quite general. Legal or natural persons applying CDD measures on behalf of financial institutions and other Designated Non-Financial Businesses and Professions are deemed to be data processors if they only follow the instructions given by those financial institutions when processing the same sets of data. The main differentiation from data controllers relates to having decision-making power with respect to the data processing at issue (in AML/CFT, to comply with the CDD measures). However, processors could also become controllers whenever the data processing is done for their own purposes or whenever the conditions for data processing prescribed by the controllers are breached.


Special categories of personal data (sensitive data) – Under the framework of Convention 108+ (Article 6), there are special categories of personal data whose processing may intrinsically pose a greater risk to data subjects; therefore, their processing requires additional guarantees complementing those already put in place for “normal” categories of data. The categories of personal data considered as sensitive are those: (i) revealing racial or ethnic origin, (ii) revealing political opinions, religious or other beliefs, including philosophical beliefs, (iii) revealing trade union membership, (iv) genetic data and biometric data processed for the purpose of uniquely identifying a person, (v) concerning health, sexual life or sexual orientation. Personal data relating to offences, criminal proceedings, convictions and related security measures are also included in the list of special categories of data under Article 6(1) of the Modernised Convention.

3. Basic principles for the protection of personal data

3.1 The lawfulness of processing – legal basis

General principle

·         To be lawful, data processing shall be carried out on a legal basis which may be the free, specific, informed and unambiguous consent of the data subject or other legitimate basis laid down by law (Article 5(2) of the Convention). Irrespective of the legal basis for data processing, which is relied upon by the controller, additional safeguards provided for special categories of data according to Article 6 of the Convention 108+, will need to be ensured.

AML/CFT contextualisation

·         Data processing in the AML/CFT context shall be based on a clear and detailed legal basis that provides for the principles of necessity and proportionality.

·         In respect of the appropriate legal basis, it should be noted that for AML/CFT purposes consent could not [always/in some cases] be used as a legal basis. First, while CDD data are to a large extent collected from customers and the customer has a right of access to that data, the processing by OEs of such data is based on legal obligations to which the controllers are subject. Failure by OEs to comply with those obligations would entail the risk of measures by financial supervisory authorities, including administrative and criminal law sanctions. Failure by customers to provide the requested data could, in turn, result in the customer relationship not being concluded or in the restriction of services. Second, the AML/CFT framework could provide for situations where the customer (data subject) is not informed of the processing, particularly in relation to so-called enhanced due diligence and suspicious transaction reports by the OE. Relying on consent would imply informing the customer beforehand, which would contravene AML/CFT prohibitions, in particular on tipping-off. Further, the right of access of customers to the data processed by competent authorities, including FIUs, is typically restricted.

·         Data processing in the AML/CFT context could be based, when data are processed by public authorities, on the lawful ground of public interest or, when the data are processed by a private entity, on its legal obligations or on the overriding legitimate interest of the controller or a third person, provided that the rights and interests of the data subjects have been duly balanced against the rights and interests of the controller or the third person and that appropriate guarantees have been put in place. It should however be noted that the latter case would not apply to special categories of (including judicial) data.


Recommendation

·         In the context of PPP sharing of transaction data that implies processing of a high amount of data, the processing should be done, to the extent possible, with anonymised or pseudonymised data. Processing of personal data identifying a person related to a transaction should be limited to cases where the outcome of the processing, based on conditions linked to a reasonable suspicion/probable cause, reveals patterns or activities that might require reporting of the transaction to the FIU as suspicious, or where it is needed to identify links to an identified terrorist.

·         Clear and detailed provisions that take into account all rights and interests concerned shall be established in relation to PPPs created for the sharing of operational information or intelligence on suspects, preventing OEs participating in PPPs from integrating information shared by law enforcement authorities into their own databases.

3.2 The fairness and transparency of processing principles

General principle

·         According to Article 5(4) of the Convention, personal data shall be processed in a fair manner by both the controller and the processor. This principle requires the provision of information to the data subject regarding the modalities of processing of his/her data, including any risks which may have been identified by the controller or the processor. Articles 5 (4)(a) and 8 of the Convention 108+ require data processing to be performed “in a transparent manner in relation to the data subject”. In this regard, data subjects must be informed before processing their data, inter alia, about the categories of personal data processed, the purpose of processing and about the identity and address of the controller. Information on the data processing must be provided in clear and plain language (unless an exception according to Article 11 applies) to allow data subjects to easily understand the risks, safeguards and rights at stake. Moreover, the data subject should be informed about his/her rights, according to which a request can be made to the controller on whether personal data is being processed and if so, which data is subject to such processing (Article 9(1)(b) of the Convention).

AML/CFT contextualisation

·         OEs collect personal data from their customers, primarily when establishing a business (customer) relationship and, in the case of occasional customers, before executing transactions or providing services outside of an established business relationship. FIs, particularly banks, typically inform the customer of the purposes for which data will be processed and may eventually be shared with third parties. The OEs may in certain specific circumstances also require their consent, particularly for the provision of certain services or on the occasion of the disclosure of customer data to third parties, although this is not an FATF requirement and practice may vary from country to country, depending on local data protection and other laws. However, consent is less typically necessary for the processing of personal data as such. Personal data can also be collected from the customer when the OE is updating the CDD data.

·         In some cases, besides data protection regulation, there are banking secrecy or other professional secrecy obligations that apply to some persons (e.g. lawyers).

·         In order to facilitate access to accurate and up-to-date beneficial ownership information, some States have created central registries, with information provided by legal persons. Access to that information is typically given to OEs for the purposes of CDD as well as to competent authorities, including the FIU. Access to such information is particularly important for the investigating and prosecuting authorities to trace criminal activities.

Recommendation

·         When establishing business relationships with customers or when conducting transactions for occasional customers, OEs should inform the customer, in an understandable and user-friendly way, of their identity and habitual residence or establishment, the legal basis and the purposes of the intended processing, the categories of data that the FI and DNFBP (or other third parties) will be processing, the recipients or categories of recipients of the personal data, if any, the means of exercising the rights set out in Article 9 of the Convention and potential restrictions where appropriate, as well as any necessary additional information in order to ensure fair and transparent processing of the personal data and the use made thereof.

·         OEs should assess the likely impact of intended transfers and/or other data processing activities on the rights and fundamental freedoms of data subjects prior to the commencement of such processing, and shall design the data processing in such a manner as to prevent or minimise the risk of interference with those rights and fundamental freedoms.

·         There must be a clear legal requirement set out by law, under which customer data may be disclosed to third parties despite secrecy rules, where applicable.

·         Access to central beneficial ownership registries information should only be allowed in the situations or to the extent provided by law, and in compliance with data protection regulations.

3.3 The principle of purpose limitation

General principle

·         According to Article 5(4)(c), the processing of personal data must be done for a specific, well-defined purpose and only for additional purposes that are compatible with the original one. Further processing of data may not, therefore, be done in a way that is unexpected, inappropriate or objectionable for the data subject. To assess whether the further processing is to be considered compatible, the controller should take into account, inter alia, the nature of the personal data, the consequences of the intended further processing for data subjects, the context in which the personal data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to its further use, and/or the existence of appropriate safeguards in both the original and intended further processing operations[7].

AML/CFT contextualisation

·         Personal data on the customer or transactional data that may be collected by OEs for customer due diligence purposes may, under certain conditions provided by the law, be shared with other obliged entities belonging to the same group for fulfilling additional purposes (e.g. informing an OE belonging to the same group that a common customer may have been subject to reporting to the FIU). For example, in correspondent banking relations, the correspondent bank may need to require additional information in relation to a client of the respondent bank, which would have been collected by that bank from its client in a different context.

·         As an element of context, it is important to differentiate between the sharing of data by FIUs to other national law enforcement agencies and to foreign FIUs for the purpose of international cooperation as different rules may apply and the purpose limitation principle should be closely followed.

·         There could be instances where data collected and processed for a defined purpose (e.g. customer due diligence information or suspicious transaction information) may have to be shared with third parties. For example, an FIU analysing an STR may find international links that require the STR information (including personal information) to be shared with another competent authority or a foreign FIU in the context of a request for additional information.

·         On occasion, the OE may need to file a suspicious transaction report to the FIU, and the processing of personal data by the FIU constitutes an additional purpose, which is considered compatible with the original purpose of processing. The FIU may further need to report a suspected criminal activity to a competent authority. The purposes of processing of the competent investigating and prosecuting authorities are normally governed by other laws.

Recommendations

·         The purpose limitation principle should be clearly respected, both when automatic processing is carried out for several different purposes and when the processing is carried out for a compatible purpose.

·         OEs belonging to a group should have clear rules and procedures based on law to define what type of personal data (client, BO, transactional, account, suspicious transaction report, or STR) can be shared among them, on which legal basis and for what purpose. This could be achieved through the use of binding corporate rules (BCRs), standard contractual clauses (SCCs) or ad hoc clauses.

·         The FIUs processing suspicious transaction reports should have clear rules and procedures based on law, concerning the purposes for which personal data relating to STRs may be shared with other competent authorities.

·         In the case of correspondent banking relations, there should be clear and detailed provisions between the correspondent and the respondent bank regulating the sharing by the respondent of personal data concerning its customers, beneficial owners and transactions. The provision should detail the type of data that the respondent bank will have to provide upon the request of the correspondent bank. Guidance in this regard should be provided by data protection authorities.

·         The purpose limitation principle should also be implemented in the context of data sharing/transfers by FIUs to other national law enforcement agencies and to foreign FIUs. In this case, internal standard operating procedures should be developed to ensure that data is shared for a specified and limited purpose documented in the transfer trail, and that essentially equivalent protection is ensured during the transfer and by the receiving authorities.

3.4 The data minimisation principle

General principle

·         According to Article 5 (4)(c), data processing must be limited to what is necessary to fulfil a legitimate and limited purpose. A controller should strictly limit collection of data to such information as is directly relevant for the specific purpose pursued by the processing. The same applies to the processor when it collects data on behalf of the controller.


AML/CFT contextualisation

·         The AML/CFT laws may provide for different levels of processing of personal data (CDD data) by the OEs, including simplified, normal and enhanced customer due diligence. In principle, enhanced due diligence requires a larger amount of personal data to be processed, including verification of that data from various sources available to the OE. Enhanced due diligence may be required on the basis of risks for certain types of customers (e.g. politically exposed persons) or for certain types of services or transfers (e.g. money transfers to high-risk countries), or even for individual customers in situations where risks or suspicious transactions have been identified. The AML/CFT laws may provide for different data retention periods for different types of personal data.

·         In practice, it appears that private sector entities in many instances need clear and specific guidance on data collection: when they collect clients’ personal data as part of AML/CFT obligations, for instance under KYC standards, they need at the same time to observe data protection legal obligations, which may provide for contradictory approaches, notably with regard to the application of the data minimisation principle.

·         The data minimisation principle should also be applied in the context of automated data processing, both at the point of data collection and at the level of data transfers.

Recommendation

·         Data processing by OEs should be limited to what is directly relevant for the specific purpose pursued in view of the risks inherent to the customer relationship.


·         Data should be used for the sole purpose for which it was provided and cannot be transferred to other authorities of the data-receiving countries, unless the requirements laid down in the Convention are complied with.

·         With regard to data processing by the private sector, the specific data sets to be collected as part of AML/CFT obligations are not always specified by national law, whereas the principle of data minimisation is clearly provided for in national data protection law. As a result, for fear of missing an element of threat or of a fine by the financial supervisory authorities covering AML/CFT matters, private sector entities often end up sharing larger volumes of data. It could therefore be recommended to facilitate collaboration between national data protection authorities and national financial/insurance supervisory authorities so that specific guidance can be developed to ensure a balance between the applicable legal obligations.

·         In the context of automated data processing (at the point of data collection but also at the level of data transfers), a privacy by design approach should be implemented (by the private sector but also by LEAs, including FIUs), embedding data minimisation in the architecture of the system used (e.g. limited mandatory data fields, limited free text zones, etc.) as per Article 10 of Convention 108+.

3.5 The data accuracy principle

General principle

·         According to Article 5(4)(d), the principle of data accuracy must be implemented by the controller in all processing operations. Inaccurate data must be erased or rectified. Data may need to be checked regularly and kept up to date to secure accuracy.


AML/CFT contextualisation

·         FATF Recommendation 10 requires the OEs to ensure that documents, data or information collected under the CDD process is kept up-to-date and relevant, by undertaking reviews of existing records, particularly for higher risk categories of customers.

·         OEs use external providers of information for various purposes (e.g. sanctions screening, identification of PEPs, family members and close associates), which can affect the accuracy of the data that they process for CDD purposes. They also use AI-based systems to monitor transactions in order to identify suspicious patterns and trends and generate alerts, which, if not properly calibrated, may result in an excessive number of alerts that cannot be processed in an accurate manner. While the FATF recommendations do not explicitly refer to the requirement of accuracy, the aforementioned requirement to keep CDD data and information up to date applies even to data collected from external providers.

·         The FATF allows OEs to rely on third parties for the performance of certain elements of the CDD process. The fact that CDD information will have been collected and processed by a third party over which the relying OE may not have any form of control could result in inaccuracies in the information collected for the CDD process. However, the FATF Standards are clear that the responsibility for the fulfilment of the CDD obligation remains with the OE that is relying on the third party. This is consistent with the role of OEs as controllers, as defined in Convention 108+. While the FATF recommendations do not explicitly refer to the requirement of accuracy, the aforementioned requirement to keep CDD data and information up to date applies even to situations where third parties are relied on.

·         FATF Recommendation 24 requires that the companies and company registers maintain accurate and up-to-date information on beneficial owners. In practice, AML/CFT laws typically require the same for other legal entities entered in BO registers. Recommendation 24 further requires basic data (i.e. company name, proof of incorporation, legal form and status, the address of the registered office, basic regulating powers, and a list of directors) to be publicly available, and also envisages the possibility to require companies or company registries to obtain and hold BO information.

Recommendation

·         OEs should be encouraged to implement procedures to ensure that they comply with the requirement of accuracy set out in Article 5(4)(d), in any CDD data processing operations, to avoid risks and harmful effects on the rights of the customer as data subject, which may result from the processing of data that is not up to date.

·         When AI is used (e.g. for transaction monitoring for the purpose of detecting suspicious activity), the data subject should not be subject to a decision significantly affecting him or her based solely on automated processing of data without having his or her views taken into consideration. This entails that human intervention needs to occur, either from a staff member to verify the accuracy of the results (for instance to avoid a negative impact on data subjects in the case of a decision based on a false positive obtained only through automated means) or from the data subject concerned so that he/she can present his/her views. In addition, the criteria should be calibrated so as not to generate an excessive number of alerts, especially false positive ones, including in the case of customer/BO/transaction recipient name-searching and matching against sanctions lists.


·         If OEs are using programs or AI for risk profiling of customers or BOs, appropriate measures should be taken to correct factors causing data inaccuracy and to limit the risks of error inherent in profiling. The periodic (or trigger-based) reassessment should also include a re-evaluation of the data and of the statistical inferences used for the risk profiling, including for the elimination of potential biases, to determine whether they are still accurate and relevant.

·         If OEs are using external database providers for implementing customer diligence requirements on BOs of the customers (e.g. identity verification of the customer and BO, identification of potential relations with PEPs, and family members and close associates to the PEP) they should strive to verify that the personal data used is accurate and up-to-date and to conduct a periodic evaluation of the accuracy of the data made available by the provider.

·         The controllers responsible for company registries should verify the personal data held by those registries, or use other appropriate means, in order to ensure that the data is accurate and up to date.

·         Countries should ensure that policies requiring the verification of data held by company registries, in order to ensure that the data is accurate and up to date, are adopted.

·         The OE receiving data on customers, BOs and transactions is considered to be the controller of the data and should be held responsible for the lawfulness of the processing of the data as well as for its accuracy, even in the case in which the OE uses third parties for the collection and processing of such data. Those third parties might be deemed processors according to Convention 108+.

·         In accordance with Article 10 of the Convention 108+ OEs shall implement measures to prevent or minimise the risk of interference with the rights and fundamental freedoms of the customers.
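The recommendation on automated processing above (human intervention before a decision, and calibration of matching criteria to limit false positives) as an added example that is not part of the guidelines: a sanction-list screening routine that may raise alerts but never takes the adverse decision itself, plus a calibration check run against previously reviewed cases. The names, list entries, thresholds and the difflib-based similarity measure are assumptions constructed for the example.

```python
# Added example (not part of the guidelines): automated sanction-list screening
# that may raise alerts but never takes the adverse decision itself. Every alert
# waits for a named reviewer, and a labelled sample of past reviewed cases is used
# to calibrate the matching threshold so that false positives stay low.
# Names, list entries, thresholds and the similarity measure are constructed.
from dataclasses import dataclass
from difflib import SequenceMatcher
import unicodedata


def normalise(name: str) -> str:
    """Fold accents, case, punctuation and token order: 'Müller, Hans' -> 'hans muller'."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    tokens = plain.lower().replace(",", " ").replace(".", " ").split()
    return " ".join(sorted(tokens))


def similarity(a: str, b: str) -> float:
    """Similarity in [0, 1]; 1.0 means identical after normalisation."""
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


@dataclass
class Alert:
    customer: str
    list_entry: str
    score: float
    status: str = "PENDING_HUMAN_REVIEW"  # the automated step can only set this value
    reviewer: str = ""
    note: str = ""


def screen(customer: str, sanction_list: list, threshold: float) -> list:
    """Return one pending alert per list entry scoring at or above the threshold."""
    alerts = []
    for entry in sanction_list:
        score = similarity(customer, entry)
        if score >= threshold:
            alerts.append(Alert(customer, entry, round(score, 3)))
    return alerts


def review(alert: Alert, reviewer: str, confirmed: bool, note: str) -> Alert:
    """Human intervention: only a reviewer can confirm or dismiss an alert."""
    alert.status = "CONFIRMED_BY_REVIEWER" if confirmed else "DISMISSED_BY_REVIEWER"
    alert.reviewer = reviewer
    alert.note = note
    return alert


def adverse_action_allowed(alerts: list) -> bool:
    """An adverse decision (e.g. holding a transaction) needs a human-confirmed
    alert; a mere automated hit, or a dismissed one, is never sufficient."""
    return any(a.status == "CONFIRMED_BY_REVIEWER" for a in alerts)


def false_positive_rate(labelled: list, sanction_list: list, threshold: float) -> float:
    """Calibration: share of customers known NOT to be listed that would still be
    alerted. `labelled` holds (customer_name, truly_listed) pairs from past reviews."""
    clean = [name for name, listed in labelled if not listed]
    if not clean:
        return 0.0
    hits = sum(1 for name in clean if screen(name, sanction_list, threshold))
    return hits / len(clean)


def calibrate(labelled: list, sanction_list: list, max_fpr: float,
              candidates=(0.70, 0.75, 0.80, 0.85, 0.90, 0.95)) -> float:
    """Lowest candidate threshold whose false-positive rate does not exceed max_fpr
    (lower thresholds catch more spelling variants, so pick the lowest acceptable)."""
    for t in candidates:
        if false_positive_rate(labelled, sanction_list, t) <= max_fpr:
            return t
    return candidates[-1]


if __name__ == "__main__":
    SANCTION_LIST = ["Muller, Hans", "Ivanova Maria"]  # constructed sample list
    alerts = screen("Hans Müller", SANCTION_LIST, threshold=0.85)
    print(alerts)                          # one alert, status PENDING_HUMAN_REVIEW
    print(adverse_action_allowed(alerts))  # False until a reviewer confirms
```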

3.6 The storage limitation principle

General principle

·         Article 5 (4) (e) of Modernised Convention 108 requires personal data to be deleted or anonymised as soon as they are no longer needed for the purposes for which they were collected. However, there are exceptions to this principle on the condition that (i) they are provided by law, (ii) respect the essence of fundamental rights and freedoms and (iii) are necessary and proportionate for pursuing a limited number of legitimate aims (Art. 11). These include, inter alia, preserving national security, investigating, and prosecuting criminal offences, protecting the data subject and protecting the rights and fundamental freedoms of others.

AML/CFT contextualisation

·         FATF Recommendation 11 sets clear requirements for record keeping of CDD information, account files, business correspondence and results of any analysis undertaken (5 years following the termination of the business relationship) and records on transactions (5 years following completion of the transaction).

Recommendation

·         If there are no storage limitation requirements and/or those in place are not in line with FATF Recommendation 11, data should be stored for the minimum period necessary, and be deleted or anonymised as soon as they are no longer needed for the purposes for which they were collected.

·         With regard to the storage of personal data by public authorities for the purpose of combating crime, a distinction should be made depending on the nature or degree of seriousness of the offence or depending on whether the data subject is only a suspect.

·         Cooperation between national data protection authorities and national financial/insurance supervisor authorities should be facilitated so that specific guidance could be developed to ensure a balance between applicable legal obligations, both from an AML/CFT and data protection perspective, including regarding the issue of data retention.

3.7 The data security principle

General principle

·         According to Article 7, the security and confidentiality of personal data are key to preventing adverse effects for the data subject, such as unauthorised, unlawful, or accidental access, use, modification, disclosure, loss, destruction or damage. The controller and, where applicable, the processor should take specific security measures that consider the specificities of the operations and the state of the art of data security methods and techniques. The appropriateness of security measures must be determined on a case-by-case basis and reviewed regularly.

·         Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. Pseudonymisation measures, which do not exempt from the application of relevant data protection principles, can reduce the risks to data subjects[8].

AML/CFT contextualisation

·         There are several requirements in the FATF Recommendations addressed to public authorities that can ensure data security. The revised version of Recommendation 2 requires countries to have cooperation and coordination between competent authorities to ensure the compatibility of AML/CFT requirements with Data Protection requirements. This should also have (albeit only indirectly) an impact for OEs processing and exchanging data. On a more operational level, FATF Recommendation 29 has several requirements for FIUs to protect information and to ensure their operational independence as well as the continuity of operations. In addition to FATF, the Egmont Principles also set security measures for the exchange of information. Furthermore, Recommendation 40 includes requirements of using secure channels for information exchange, applicable to competent authorities such as investigative authorities.

·         The data protection legislation applicable in the states Parties may provide for detailed requirements concerning data security, which may as such be applicable to OEs as controllers. At the same time, the AML/CFT or other specific legislation of countries may also provide for additional requirements to ensure the security of data and information that has become known to the public officials of the competent authorities. Public officials may face disciplinary, civil, administrative and criminal liability for failing to ensure the safety of information related to their activities that constitutes an official, banking, tax, commercial or communication secret.


Recommendation

·         There should be specific requirements for OEs to implement state-of-the-art, strict security measures for ensuring the protection of personal data, particularly in the case of special categories of data according to Article 6 of Convention 108+ (e.g. on PEPs, which could reveal political affiliations or sexual orientation in the case, for example, of a same-sex partnership), unless the applicable data protection framework already provides for such requirements that are directly applicable and as such binding on the OEs as controllers.

·         The principle of data security requires technical and organisational measures such as (hard, end-to-end) encryption of the data and rules on the full traceability of the exchanges, especially through the implementation of access logs, also in compliance with the accountability principle of Article 10 of Convention 108+. Other safeguards should also be put in place such as pseudonymisation in order to prevent unlawful interference with individuals’ privacy and right to data protection. These technical and organisational measures should be based on a risk assessment regarding the impact on data subjects’ rights.
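The pseudonymisation definition (general principle above) and the recommendation on traceability through access logs, as an added example that is not part of the guidelines: a CDD record is pseudonymised with a keyed hash, the key and the reverse mapping are held in a separate vault, and every re-identification is written to an append-only, hash-chained access log. The record, key, actor names and class names are assumptions constructed for the example; the hash chain stands in for whatever tamper-evident logging an OE actually deploys.

```python
# Added example (not from the guidelines): a CDD record is pseudonymised with a
# keyed hash (HMAC-SHA256) so that the analytical store cannot re-identify the
# customer; the key and the reverse mapping live in a separate vault, and every
# re-identification is written to an append-only, hash-chained access log.
# The record, key and actor names are constructed for the example.
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone
from typing import Dict, List, Optional

DIRECT_IDENTIFIERS = ("full_name", "national_id", "address")


class AccessLog:
    """Append-only log whose entries are chained by SHA-256, so an entry that is
    altered or removed makes verify() fail (full traceability of the exchanges)."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, **fields) -> Dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = dict(fields, ts=datetime.now(timezone.utc).isoformat(), prev=prev)
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _digest(entry: Dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class PseudonymVault:
    """Holds the secret key and the pseudonym -> identifier table. This is the
    'additional information kept separately' of the pseudonymisation definition:
    it must not be deployed next to the pseudonymised data."""

    def __init__(self, log: AccessLog, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._reverse: Dict[str, str] = {}
        self._log = log

    def pseudonymise(self, identifier: str) -> str:
        # Keyed hash: a plain SHA-256 of a national ID could be reversed by hashing
        # every candidate ID, so the secret key is what keeps the link unattributable.
        # Deterministic, so the same person gets the same reference across records.
        ref = hmac.new(self._key, identifier.encode(), hashlib.sha256).hexdigest()[:32]
        self._reverse[ref] = identifier
        return ref

    def reidentify(self, ref: str, actor: str, purpose: str) -> Optional[str]:
        # Every look-up is logged before the answer is returned (accountability).
        self._log.append(actor=actor, action="reidentify", ref=ref, purpose=purpose)
        return self._reverse.get(ref)


def pseudonymise_record(record: Dict, vault: PseudonymVault) -> Dict:
    """Strip direct identifiers from a CDD record; keep what monitoring needs."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_ref"] = vault.pseudonymise(record["national_id"])
    return out


if __name__ == "__main__":
    log = AccessLog()
    vault = PseudonymVault(log)
    cdd = {"full_name": "Jane Example", "national_id": "ID-0001",   # constructed
           "address": "1 Sample St", "nationality": "XX", "pep": False,
           "account": "ACC-42"}
    safe = pseudonymise_record(cdd, vault)
    print(safe)                                                 # no name, ID, address
    print(vault.reidentify(safe["subject_ref"], "fiu-analyst-7", "STR follow-up"))
    print(log.verify())                                         # True
```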

4.    Types of data which are subject to the processing of personal data in the context of AML/CFT obligations

General principle

·         Any type of information can be personal data if it relates to an identified or identifiable person, which could be information pertaining to the private life of a person, which also includes professional activities, as well as public information about one’s life (Article 2 (a) of the Convention 108+).

There are also special categories of personal data, such as genetic data; personal data relating to offences, criminal proceedings and convictions, and related security measures; biometric data uniquely identifying a person; and personal data for the information they reveal relating to racial or ethnic origin, political opinions, trade-union membership, religious or other beliefs, health or sexual life, whose processing is, by nature, likely to pose a higher risk to the data subjects and therefore needs enhanced protection. Such data is subject to additional safeguards complementing those already in place for "normal" categories of data and can only be lawfully processed under a limited number of conditions (Article 6 of Convention 108+).

AML/CFT contextualisation

·         CDD data that should be obtained from a natural person is mainly personal data, such as: the full name, residential address, contact number and e-mail addresses, place of birth, date of birth, gender, nationality, government-issued identification number and tax identification number, signature. For a legal person, some personal data is required as well on directors, shareholders, senior management and beneficial owners, but this personal data is generally publicly available in trade registers or BO registers due to legal provisions based on the public interest.

·         Collection of data regarding PEPs could reveal political affiliations or sexual orientation (in the case, for example, of a same-sex partnership). Therefore, processing of such categories of personal data could only be lawful if granted enhanced protection.

·         As previously suggested in this context, it is for public authorities to set the storage period of data processed for the purpose of combating crime, and a previous recommendation confirmed the need to draw a distinction according to the nature or degree of seriousness of the offence or depending on whether the data subject is only a suspect.

Recommendation

·         Personal data relating to offences, criminal proceedings and convictions, as well as related security measures are a part of the aforementioned special categories of personal data which are also relevant to AML/CFT. Processing of such data may only be carried out when specifically allowed by law and when appropriate safeguards are in place (e.g. professional secrecy obligation; measures following a privacy impact assessment; a particular and qualified organisational or technical security measure such as data encryption and logging)[9].

·         Registers holding information on criminal convictions may be restricted to the processing and use by competent authorities, or to processing under the control of those authorities.  Any processing of such data is further subject to supervision by the competent data protection authorities.

·         Internal guidelines should be developed to provide for a case-by-case assessment of whether the collection and/or transfer of sensitive data (notably regarding religion and sexual orientation) is necessary to achieve the purpose, in consideration of the risks to the life and integrity of the data subjects that may arise in case of a data security incident, including a data breach.

·         All entities involved in AML/CFT, including private entities, FIUs and Law Enforcement Agencies should ensure training to their staff, especially in regard to dealing with special categories of data, to the extent to which processing of such data is allowed by law.

5.    Rights of data subjects, exceptions and restrictions in the context of AML/CFT

General principle

·         Data subjects have multiple rights detailed in Article 9 of the Convention: the right

o    not to be subject to a decision significantly affecting him or her based solely on an automated processing of data without having his or her views taken into consideration;

o    to obtain, on request, at reasonable intervals and without excessive delay or expense, confirmation of the processing of personal data relating to him or her, the communication in an intelligible form of the data processed, all available information on their origin, on the preservation period as well as any other information that the controller is required to provide in order to ensure the transparency of processing in accordance with Article 8, paragraph 1;

o    to obtain, on request, knowledge of the reasoning underlying data processing where the results of such processing are applied to him or her;

o    to object at any time, on grounds relating to his or her situation, to the processing of personal data concerning him or her unless the controller demonstrates legitimate grounds for the processing which override his or her interests or rights and fundamental freedoms;

o    to obtain, on request, free of charge and without excessive delay, rectification or erasure, as the case may be, of such data if these are being, or have been, processed contrary to the provisions of this Convention;

o    to have a remedy under Article 12 where his or her rights under this Convention have been violated; and

o    to benefit, whatever his or her nationality or residence, from the assistance of a supervisory authority within the meaning of Article 15, in exercising his or her rights under this Convention.

·         Conditions for possible restrictions of these rights are set out in Article 11 of the Convention: they must be provided by law, respect the essence of the fundamental rights and freedoms and constitute a necessary and proportionate measure in a democratic society. Restrictions to the right of access should no longer be in place once access no longer jeopardises investigations.

·         Exceptions should only be established for purposes listed in Article 11, which include inter alia the protection of national security, defence, public safety and important economic and financial interests of the state and only in relation to specific rights or obligations laid down in the article.

AML/CFT contextualisation

·         Some of the rights expressed in the Convention can be restricted for AML/CFT purposes and usually the restrictions based on AML/CFT laws rely on general public interest (i.e. the important economic and financial interests of the State; the prevention, investigation and prosecution of criminal offences and the execution of criminal penalties). The rights of the data subject are restricted e.g. in a situation where the OE reports a suspicious transaction to the FIU. The AML/CFT laws require that the STR is not disclosed to the person concerned, in which case the access of the data subject to personal data relating to STRs may be restricted. Further restrictions may be imposed with regard to the processing of STRs by the FIU. At the same time, there is usually no reason to restrict access to CDD data – instead, the OEs are invited to inform customers that their personal data may be used for AML/CFT purposes.

Recommendation

·         Measures should be put in place by controllers to facilitate the exercise of these rights by the data subject, in principle free of charge. In case of automated decision making, the information on the decision should be available upon request of the data subject.

·         Where the data subject rights are restricted for AML/CFT purposes, those restrictions should be based on the AML/CFT legislation, they should respect the essence of fundamental rights and freedoms and be strictly limited to what is necessary and proportionate in a democratic society. They should not in any case be too broad or serve as a blanket authorisation, and could only apply to areas covered by Article 11.1 of the modernised Convention 108.

·         In the case of the right to object, the Explanatory report (para. 80) indicates that even when this right is limited for the purpose of the investigation or prosecution of criminal offences, the data subject can challenge the lawfulness of the processing. Restrictions to the exercise of rights justified by the risk to jeopardise investigation activities should be waived once such risk no longer exists.

·         The effective implementation of data subjects' rights may also require additional actions to reflect those rights in a privacy-by-design architecture in accordance with Article 10 of Convention 108+. For instance, the right of access may require that the architecture enables the user to seamlessly identify and select, across the system, all sets of data concerning the data subject, and this without disclosing data of other data subjects (data segregation or structured data embedded in the architecture).

6.    Exceptions and restrictions (Article 11)

·         Processing personal data is one of the most important operations in an AML/CFT context; therefore anyone concerned should take into account that exceptions can be made only to a limited number of provisions, and only provided they comply with the general conditions of lawful use (i.e. they are provided for by law, respect the essence of human rights and fundamental freedoms and are necessary in a democratic society). Those provisions are:

o    The obligation to process data fairly and in a transparent manner;

o    The need to ensure that data is collected for explicit, specified and legitimate purposes and not processed in a way incompatible with those purposes;

o    The obligation to limit the processing to adequate, relevant and not excessive data in relation to the purposes for which they are processed;

o    The obligation to ensure that data undergoing processing is accurate and, where necessary, kept up to date; and

o    The need to ensure that data is preserved in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed.

·         Based on such exceptions, the AML/CFT framework may provide for situations where the customer (data subject) is not informed of the processing, particularly in relation to so-called enhanced due diligence and suspicious transaction reports by the OE. Informing the customer beforehand would contravene AML/CFT prohibitions, in particular on tipping-off. Further, the right of access of customers to the data processed by competent authorities, including FIUs, is typically restricted for as long as the reason for the restriction exists. Data subjects' rights should be fully guaranteed outside the time and scope of a lawful use of an exception.

Recommendation

·         Where the data subject rights are restricted for AML/CFT purposes, those restrictions should be based on the AML/CFT legislation, they should respect the essence of fundamental rights and freedoms and be strictly limited to what is necessary and proportionate in a democratic society. They should not in any case be too broad or serve as a blanket authorisation and should only apply to areas covered by Article 11.1 of the modernised Convention 108. Restrictions to the exercise of rights justified by the risk to jeopardise investigation activities should be waived once such risk no longer exists.

7.    The role of Data Protection Authorities (DPAs) and their relationship with authorities monitoring AML/CFT

General principle

·         According to Article 15, supervisory authorities (in the terms of the Convention) shall have powers of investigation and intervention, perform functions relating to transfers of data, have powers to issue decisions with respect to violations of the provisions of the Convention and impose sanctions, amongst others.

·         Articles 16 and 17 of the Convention provide for means of cooperation and mutual assistance between data protection supervisory authorities.

·         Data Protection Authorities (DPAs) usually also cooperate with authorities monitoring AML/CFT when issues related to the processing of personal data so require. In addition, DPAs are the public administration bodies tasked and empowered to ensure compliance with applicable data protection regulations.

AML/CFT contextualisation

·         The activities necessary to comply with AML/CFT regulations involve the activity of multiple actors in multiple jurisdictions, and the processing of large volumes of personal data. The Convention articles concerning the powers of the supervisory authorities apply to any processing of personal data, including for AML/CFT purposes, while only specific restrictions are possible under Article 11(1) for law enforcement (and other general public interest purposes) and Article 11(3) with reference to processing activities for national security and defence purposes. Even in the latter cases, where more exceptions are foreseen for those specific purposes, the Convention requires that processing activities for national security and defence purposes are subject to independent and effective review and supervision under the domestic legislation of the respective Party.

Recommendation

·         Processing operations for AML/CFT purposes should be subject to effective and independent ex-ante authorisation and/or ex-post review based on the domestic legal framework. In addition, national legal frameworks should provide for a specific level of security clearance for DPAs' staff to access the data processed by FIUs falling under the category of intelligence services ("first ring").

·         As a general recommendation, the necessity of dialogue and cooperation between DPAs and finance/insurance supervisory authorities (at national and possibly international levels) should be emphasised in order to develop effective guidance tools for the private sector and to develop specific training modules. In the AML/CFT field, DPAs shall coordinate activities with the OEs in order to supervise the processing of data and to suggest effective tools and modus operandi for compliance (which could, if correctly implemented, also contribute to more effective supervision).

·         In regard to the above, the DPA shall reinforce the OEs with internal training.

·         DPAs should engage with other national authorities that oversee AML/CFT issues in joint activities to ensure compliance with data protection standards in the AML/CFT enforcement area.

8.    International data transfers in the AML/CFT field

General principle

·         Article 14 of the Convention 108+ only allows data transfers to states or international organisations when they provide an appropriate level of protection for personal data, according to the rules of the Convention.

AML/CFT contextualisation

·         Given the multilateral nature of mechanisms for international data transfers for AML/CFT purposes, the question of appropriate level of protection arises particularly in all cases where the exchange of personal data involves a country that does not have an (essentially) equivalent level of protection for personal data.

·         There are several requirements in the FATF Recommendations addressed to public authorities regarding data security which apply when data crosses borders. The revised version of Recommendation 2 requires countries to have cooperation and coordination between competent authorities.


·         The aforementioned case of OEs belonging to the same group, which may need to share information on a client (e.g. CDD data on the client, or the fact that a client has been the subject of a suspicious transaction report), is also relevant here. While this scenario presents less critical aspects if there are clear requirements and policies detailing what information can be shared and for what specific purpose, and if the exchange of information occurs between OEs located in the same country (subject, therefore, to the same requirements), there could be cases in which OEs belonging to the same group are operating from different countries, which may have different requirements (see considerations on Transborder Flows).

Recommendation

·         It would be worthwhile considering the inclusion of data protection rules and considerations directly in the FATF Recommendations in order to facilitate their coherent implementation.

·         Supervisory authorities shall play an important role, in line with Article 15 (2) (b) of the modernised Convention 108, in ensuring the lawfulness of processing even in a transborder data flow context, including, if relevant, by referring individual cases on transborder transfers of data to national courts.

·         Free data transfers shall only be allowed within the geographical limits of countries which offer an appropriate level of protection or appropriate safeguards (Art. 14 (4) of the Convention, and para. 109 to 112 of the Explanatory Report), and assuming that the other requirements of the Convention for the processing of such data are met. This is applicable to pooling of data amongst financial institutions, particularly across national borders and with non-parties.

·         Instruments that ensure an appropriate level of protection should be available in line with Article 14 (2) before sending personal data to data controllers located in countries or jurisdictions not bound by the rules of the Convention.

·         States shall ensure that when exchanges take place towards a country that does not ensure an appropriate level of protection, the safeguards established in applicable international data protection legislation are respected, including when the data transfer takes place on the basis of bilateral/CRS agreements.

·         Supervisory authorities shall have the power, resources and national, international institutional agreements in place to treat these issues in line with article 15 (2) (b) of the Convention 108+ and if relevant refer individual cases on transborder transfers of data to national courts.

·         In the case of an OE belonging to a group where branches/subsidiaries are located in different countries, and domestic legislation does not prohibit the cross-border exchange of data, including on data protection grounds, such exchange of data should occur only when proper safeguards in the processing of such data are met and where the rule of law is respected.

·         FIUs from state Parties should exchange information with other competent authorities and with their foreign counterparts in compliance with the applicable requirements and limit the personal data processed to what is directly relevant to provide or obtain the requested information. In respect of personal data transfers to states not parties to the Convention, the requirements foreseen in Article 14 of the Convention should be taken into account. There could be other standards applicable to the exchange of information, specifying requirements of data protection or data security, such as the Egmont Group principles[10]. It should be noted that the Second Additional Protocol to the Budapest Convention could give further guidance on applicable safeguards when it comes to international transfers between authorities and, to some extent, between authorities and private parties.

·         State Parties should ensure that derogations from the requirement of an appropriate level of data protection are only allowed where the conditions set out in Article 14(4) are met.

Section II. Blind spots in AML/CFT related issues requiring enhanced data protection

I. DATA PROCESSING BY FINANCIAL INSTITUTIONS (FIs) AND FINANCIAL INTELLIGENCE UNITS (FIUs)

This section covers KYC, due diligence and enhanced due diligence requirements, as well as the identification of suspicious financial transactions.

1.     Specificities of the role and mandate of public authorities and private sector entities

-          Processing of personal data by government authorities: they are entrusted with the mandate to combat AML/CFT and are granted sovereign powers in this specific area. Checks and balances as well as oversight are also implemented.

-          Nevertheless, the same does not extend to private sector institutions which are obliged entities and do not benefit from the same legal status and mandate. As such, they are commercial entities subject to AML/CFT obligations and can be held accountable for non-compliance with these legal obligations.

-          As a result, private sector entities may not be entrusted with powers equivalent to sovereign powers, and public interest should be considered with caution when used as a legal basis by the private sector to process personal data.

2.     Impact on the processing of personal data

-          Specificities of legal regimes applicable to public authorities (LEAs)

3.     Implementation of data protection principles

A.    Accountability

-          Data subjects’ rights

-          Data protection and privacy by design approach

-          Data protection impact assessments

-          Specificities and limitations applicable to public authorities/LEAs

B.    Lawfulness

-          Legal basis

-          Specificities and limitations applicable to public authorities/LEAs

C.    Data minimisation

-          Processing of special categories of data (for instance for PEPs)

-          Specificities and limitations applicable to public authorities/LEAs

o    ECtHR procedural safeguards regarding the processing of data for the purpose of combating crime and the need to draw a distinction according to the nature or degree of seriousness of the offence or depending on whether the data subject is only a suspect

D.    Accuracy

-          Use of third-party service providers (for screening and due diligence) in the context of profiling

-          Specificities and limitations applicable to public authorities/LEAs

E.    Storage limitation

-          Use of pseudonymisation and other techniques

-          Specificities and limitations applicable to public authorities/LEAs

o    In the Court’s view, the compilation of databases in order to contribute to the prevention and punishment of certain offences cannot be implemented in an excessive drive to maximise the information stored in them (B.B. v. France, 2009, § 62; Gardel v. France, 2009, § 63; M.B. v. France, 2009, § 54). Without respect for the requisite proportionality vis-à-vis the legitimate aims assigned to such mechanisms, their advantages would be outweighed by the serious breaches which they would cause to the rights and freedoms which States must guarantee under the Convention to persons under their jurisdiction (M. K. v. France, 2013, § 35 ; Aycaguer v. France, 2017, § 34). In the context of a scheme of indiscriminate and indefinite retention, the argument that “the more data is retained, the more crime is prevented” would in practice be tantamount to justifying the storage of information on the whole population and their deceased relatives, which would most definitely be excessive and irrelevant (Gaughran v. the United Kingdom, 2020, § 89).

F.    Data security

-          Audit trails/logs

-          Specificities and limitations applicable to public authorities/LEAs

4.     Use of technology

A.    Automated decision-making: the use of artificial intelligence and machine learning

B.    Specificities and limitations applicable to public authorities/LEAs

II. PARTNERSHIPS

A.    Types of partnerships

This section covers the issue of data sharing on the one hand, and international data transfers on the other hand.

a)     Public-private partnerships

-          Data sharing or transfer from private sector entities to FIUs (data minimisation)

-          Issue of data access request submitted by foreign LEAs’ to a private sector entity

b)    Public-public partnerships

-          FIU to other law enforcement agency or public body (intra-state)

-          FIU to FIU (international transfer)

-          Data pooling (intergovernmental/informal)

o    Specificities of FIUs falling under the category of intelligence services (“first ring”) and consequences on data sharing/transfer modalities (specific legal limitations, issue of security clearance etc.)

c)     Private-private partnerships

-          Intracompany transfers (binding corporate rules -BCRs)

-          Intercompany transfers

i.        Branches and subsidiaries in countries with inadequate data protection frameworks

ii.        Data pooling

III.        CONSISTENCY BETWEEN AML/CFT AND DATA PROTECTION LEGAL FRAMEWORKS

A.    Collaboration between supervisory bodies: dialogue & collaboration

Supervisory authorities include: Data Protection Authorities, financial/insurance supervisory bodies and financial ombudspersons.

a)     At national level

b)    At international level

B.    Provision of practical guidance for consistent implementation of AML/CFT and DP provisions

-          The private sector is often caught between a rock and a hard place: it collects clients' personal data as part of its AML/CFT obligations while at the same time being subject to data protection obligations which may call for contradictory practices.

-          For instance, the specific data sets to be collected as part of AML/CFT obligations are not always specified by national law, whereas the principle of data minimisation is clearly provided for in national data protection law. As a result, for fear of missing an element of threat or of being fined by financial/insurance supervisory authorities, private sector entities often end up sharing larger volumes of data "just in case". It could therefore be recommended to facilitate collaboration between national data protection authorities and national financial/insurance supervisory authorities so that specific guidance can be developed to ensure consistency between the applicable legal obligations. This guidance would need to be directly actionable by obliged entities.

IV.        RELATIONSHIP BETWEEN DATA PROTECTION AND OTHER LEGAL FRAMEWORKS IN THE CONTEXT OF AML/CFT

A.    Mutual legal assistance (state to state)

a)     Formal (letters rogatory)

b)    Informal (agency to agency)

B.    Judicial/criminal procedure (state to private sector)

a)     Production, preservation, freezing, seizure/forfeiture

C.    International human rights law

[A3]


Section III. Compilation of recommendations[A4]

For Obliged Entities

·         When establishing business relationships with clients or conducting transactions for occasional customers, FIs and DNFBPs should inform the customer, in an understandable and user-friendly way, of the FI's or DNFBP's identity and habitual residence or establishment, the legal basis and the purposes of the intended processing, the categories of data that the FI or DNFBP (or other third parties) will process, the recipients or categories of recipients of the personal data, if any, the means of exercising the rights set out in Article 9 of the Convention and any applicable restrictions, as well as any additional information necessary to ensure fair and transparent processing of the personal data and of the use made thereof.

·         In the context of cooperation, such as PPPs, involving the sharing of transaction data that entails processing of large amounts of data, the processing should be done, to the extent possible, on anonymised or pseudonymised data. Personal data identifying a person related to a transaction should be disclosed only when the outcome of the processing, based on conditions linked to a reasonable suspicion or probable cause, reveals patterns or activities that may require reporting the transaction to the FIU as suspicious, or when it is needed to identify links to an identified terrorist.

·         Clear and detailed provisions that take into account all rights and interests concerned shall be established for PPPs created for the sharing of operational information or intelligence on suspects, preventing obliged entities participating in PPPs from integrating information shared by law enforcement authorities into their own databases.

·         Obliged entities belonging to a group should have clear policies and procedures to define what type of personal data (client, BO, transactional, account, suspicion transaction report –or STR-) can be shared among them on which legal basis and for what purpose.

·         In the case of correspondent banking relations, there should be clear and detailed provisions between the correspondent and the respondent bank regulating the sharing by the respondent of personal data concerning its customers and the BOs of those customers. The provisions should detail the type of data that the respondent bank will have to provide upon request of the correspondent bank.

·         The purpose limitation principle should be clearly respected, both when automatic processing is carried out for several different purposes, or when it is based on the principle of unity of purpose.

·         In the case of an OE belonging to a group where branches/subsidiaries are located in different countries, and domestic legislation does not prohibit the cross-border exchange of data, such exchange of data should occur only in countries that have AML/CFT systems consistent with the FATF recommendations, that allow for proper safeguards in the processing of the data and where the rule of law is respected. The foregoing is without prejudice to special provisions for Parties bound by harmonised rules of protection shared by states belonging to a regional international organisation in accordance with Article 14 (1) of the Convention.

·         When AI is used (e.g. for transaction monitoring for the purpose of detection of suspicious activity), the criteria should be calibrated in a way not to generate an excessive number of alerts, especially false positive ones, including the case of customer/BO/recipient of transaction name-searching and matching with sanction lists.

·         If obliged entities are using programs for risk profiling of the customers or the beneficial owners, appropriate measures should be taken to correct data inaccuracy factors and limit the risks of errors inherent to profiling. The periodic (or trigger-based) reassessment should also include a re-evaluation of the data and of the statistical inferences including for the elimination of potential biases used for the risk profiling, to determine whether they are still accurate and relevant.

·         If OEs are using external database providers for implementing customer diligence requirements on their clients and beneficial owners (e.g. identity verification of the customer and beneficial owner, identification of potential relations with PEPs, and family members and close associates to the PEP) they should strive to verify that data is accurate and up-to-date and to conduct a periodic evaluation of the accuracy of the data made available by the provider.

·         The OE receiving data on customers, beneficial owners and transactions is considered to be the controller of the data and should be held responsible for the processing of the data as well as for its accuracy, even in the case in which the obliged entity uses third parties for the collection and processing of such data. Those third parties might be deemed processors according to Convention 108+.

·         If there are no storage limitation requirements, or those in place are not in line with FATF Recommendation 11, data should be stored for the minimum period necessary and be deleted or anonymised as soon as they are no longer needed for the purposes for which they were collected.

·         Compliance with the principle of data security requires technical and organisational measures such as strong (end-to-end) encryption of the data and rules ensuring full traceability of exchanges, in particular through the implementation of access logs.

·         Personal data relating to offences, criminal proceedings and convictions, as well as related security measures are a part of the aforementioned special categories of personal data which are also relevant to AML/CFT. Processing of such data may only be carried out when appropriate safeguards are in place (e.g. professional secrecy obligation; measures following a risk analysis; a particular and qualified organisational or technical security measure such as data encryption)[11].

·         Registers holding information on criminal convictions may be subject to the control of competent supervisory authorities and should respect the requirements for the processing of special categories of data.

·         Measures shall be put in place by controllers to facilitate the exercise of the data subject's rights, in principle free of charge. In the case of automated decision-making, and in accordance with the right not to be subject to a purely automated decision without the possibility of challenging it (Article 9.1.a), information on the decision and on the logic underpinning the processing should be available at the request of the data subject. Intellectual property law should not serve as a pretext for data controllers to withhold from data subjects the logic and training of the algorithms applied in the specific processing operation.

·         In the case of the right to object, the Explanatory report (para. 80) indicates that even when this right is limited for the purpose of the investigation or prosecution of criminal offences, the data subject can challenge the lawfulness of the processing.
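As an added illustration of two of the recommendations above (sharing transaction data in pseudonymised form and re-identifying only on a reasoned suspicion, and full traceability of exchanges through access logs), the following Python is example code written for this page; it is not part of the guidelines and not code from any FIU, obliged entity or PPP. It assumes a keyed HMAC-SHA256 pseudonym whose key is held only by the obliged entity (a plain hash over a small identifier space could be reversed by enumeration), a constructed "structuring" pattern (several cash deposits just below a reporting threshold within a short window) as the trigger for re-identification, and a constructed set of transactions; the threshold, window and sample records are assumptions, not values taken from FATF or the Convention.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample data (not real customers or transactions).
# Customer "C-1002" makes repeated cash deposits just under a 10 000
# reporting threshold; the other two customers do not.
TRANSACTIONS = [
    {"customer_id": "C-1001", "amount": 15000, "kind": "cash_deposit", "day": 1},
    {"customer_id": "C-1002", "amount": 9500,  "kind": "cash_deposit", "day": 1},
    {"customer_id": "C-1002", "amount": 9800,  "kind": "cash_deposit", "day": 2},
    {"customer_id": "C-1002", "amount": 9700,  "kind": "cash_deposit", "day": 3},
    {"customer_id": "C-1003", "amount": 200,   "kind": "cash_deposit", "day": 2},
    {"customer_id": "C-1003", "amount": 9900,  "kind": "cash_deposit", "day": 4},
]

# Assumption: a per-obliged-entity secret that is never given to PPP partners.
PSEUDONYM_KEY = b"demo-key-held-only-by-the-obliged-entity"


class PseudonymisationVault:
    """Held by the obliged entity only. Produces keyed pseudonyms for sharing
    and keeps the pseudonym-to-customer mapping plus an append-only log of
    every re-identification (who, when, which pseudonym, why)."""

    def __init__(self, key):
        self._key = key
        self._mapping = {}   # pseudonym -> customer_id, never leaves the OE
        self._log = []       # access log for traceability

    def pseudonymise(self, tx):
        # Keyed HMAC: without the key a partner cannot enumerate customer
        # identifiers and reverse the mapping, unlike with a plain hash.
        pid = hmac.new(self._key, tx["customer_id"].encode(), hashlib.sha256).hexdigest()[:16]
        self._mapping[pid] = tx["customer_id"]
        # Only the fields a partner needs for pattern detection are shared.
        return {"pid": pid, "amount": tx["amount"], "kind": tx["kind"], "day": tx["day"]}

    def reidentify(self, pid, requester, reason):
        # Re-identification is refused without a documented reason, and every
        # attempt (including failed ones) is recorded.
        if not reason:
            raise PermissionError("re-identification requires a documented reason")
        customer_id = self._mapping.get(pid)
        self._log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "requester": requester,
            "pid": pid,
            "reason": reason,
            "found": customer_id is not None,
        })
        return customer_id

    def access_log(self):
        return list(self._log)


def detect_structuring(shared, threshold=10000, band=0.9, min_count=3, window_days=7):
    """Pattern check that runs entirely on pseudonymised records: flag a
    pseudonym with at least `min_count` cash deposits in the band
    [band*threshold, threshold) falling within `window_days`."""
    per_pid = defaultdict(list)
    for rec in shared:
        if rec["kind"] == "cash_deposit" and band * threshold <= rec["amount"] < threshold:
            per_pid[rec["pid"]].append(rec["day"])
    flagged = set()
    for pid, days in per_pid.items():
        days.sort()
        for i in range(len(days) - min_count + 1):
            if days[i + min_count - 1] - days[i] < window_days:
                flagged.add(pid)
                break
    return flagged


def run_ppp_screening(transactions=TRANSACTIONS, key=PSEUDONYM_KEY):
    """End-to-end flow: pseudonymise, share, detect, re-identify only hits."""
    vault = PseudonymisationVault(key)
    shared = [vault.pseudonymise(tx) for tx in transactions]   # what the partner sees
    flagged = detect_structuring(shared)                        # partner-side analysis
    hits = {
        pid: vault.reidentify(pid, "aml-analyst", "structuring pattern; STR assessment")
        for pid in flagged
    }
    return shared, hits, vault


if __name__ == "__main__":
    shared, hits, vault = run_ppp_screening()
    print("shared records contain no customer_id:", all("customer_id" not in r for r in shared))
    print("re-identified:", hits)
    print("access log:", vault.access_log())
```

The partner never receives the key or the mapping, so the pattern analysis happens on data it cannot link back to a person; only the obliged entity re-identifies, and only for the pseudonyms the pattern actually flagged, with the reason and requester written to the log that later audits rely on.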


For governments

·         There must be a clear regime for the classification of information and for its review, including procedures and a legal definition of the cases in which, and the means by which, secrecy and confidentiality, where applicable, can be waived.

·         Regarding central beneficial ownership registries, information should only be available in the cases provided by law, and in compliance with data protection regulations.

·         FIUs from state Parties should exchange information complying with the requirements of the data protection legislation of the data-provider and of the data-recipient countries notably with the ones foreseen in Article 14 of the Convention. [In the AML/CFT field the exchange should also be consistent with Egmont Group principles.]

·         Data should be used for the sole purpose for which it was provided and cannot be transferred to other authorities of the data-receiving countries, unless the requirements laid down in the Convention are complied with.

·         There should be specific requirements for OEs to implement state of the art, strict security measures for ensuring the protection of personal data, particularly in the case of special categories of data (e.g. on PEPs, which could reveal political affiliations or sexual orientation in the case, for example, of a same-sex partnership).

·         All entities involved in AML/CFT, including private entities, FIUs and Law Enforcement Agencies shall ensure training to their staff, especially in regard to dealing with special categories of data.

·         AML/CFT operations should be subject to effective and independent ex-ante and/or ex-post authorisation and/or review based on the domestic legal framework.

·         In addition, DPAs should be tasked and empowered to ensure compliance with applicable data protection regulations.

·         In the AML/CFT field, DPAs should coordinate their activities with OEs in order to supervise the processing of data and to suggest effective tools and working methods for effective supervision.

·         In this regard, DPAs should contribute as much as possible to empowering OEs and data subjects through training.

·         DPAs should engage with other national authorities that oversee AML/CFT issues for joint activities in the enforcement area.

·         Data transfers shall only be allowed within the geographical limits of countries which offer an appropriate level of protection or appropriate safeguards (Art. 14 (4) of the Convention, and para. 109 to 112 of the Explanatory Report), and assuming that the other requirements of the Convention for the processing of such data are met. This is applicable to pooling of data amongst financial institutions, particularly across national borders and with non-parties.

·         Instruments that ensure an appropriate level of protection should be available in line with Article 14 (2) before sending personal data to data controllers located in third countries or jurisdictions not bound by the rules of the Convention.

·         States shall ensure that when exchanges take place towards a country that does not ensure an appropriate level of protection, safeguards established in applicable international data protection legislation shall be respected, including when the data transfer takes place on the basis of a bilateral/CRS agreements.

·         Supervisory authorities shall have the power to treat these issues in line with Article 15 (2) (b) of Convention 108+ and, if relevant, refer individual cases on transborder transfers of data to national courts.

CHAPTER II[A5]

Draft guidelines on mechanisms for inter-state exchanges of data for tax purposes and Data protection



[1] According to the FATF definition, a beneficial owner is the natural person(s) who ultimately owns or controls a customer and/or the natural person on whose behalf a transaction is being conducted. It also includes those persons who exercise ultimate effective control over a legal person or arrangement.

[2] Customer Due Diligence (CDD) is a process in which relevant information on an obliged entity's customer is collected and evaluated from an ML/TF perspective. Obliged entities must have in place procedures to identify and, where necessary, report ML/TF risks associated with a business relationship or an occasional transaction. FATF Recommendations 10, 11, 12, 15 and 17 detail the basic and additional CDD measures to be adopted by financial institutions. Recommendation 22 extends these measures to designated non-financial businesses and professions (DNFBPs).

[3] Explanatory Report of Modernised Convention 108, para. 30.

[4] The term Financial Institution (FI) in the AML/CFT field, as used throughout these Guidelines, includes both credit and financial institutions.

[5] According to Paragraph 22 of the Explanatory Report of Convention 108+ (jointly responsible for a processing and possibly responsible for different aspects of that processing).

[6] European Data Protection Board: “Guidelines 07/2020 on the concept of controller and processor in the GDPR”. Version 2.0. July 7th. 2021. Page

[7] Explanatory Report of Modernised Convention 108, para. 49.

[8] T-PD Guidelines on the protection of individuals with regard to the processing of personal data in a world of Big Data (2017) https://rm.coe.int/16806ebe7a

[9] See Explanatory Report to Convention 108+, para. 56.

[10] As approved by the Egmont Group Heads of Financial Intelligence Units in July 2013. https://egmontgroup.org/

[11] See Explanatory Report to Convention 108+, para. 56.


[A1]Text moved down in chapter I, 6.

[A2]Sections II and III are suggested to be further developed once Section I is ready

[A3]TBD once the first part is ok.

[A4]To be finished once the previous sections are completed

[A5]Chapter II is to be developed with the support of a scientific expert