Walking the KYC and data protection tightrope

For years, financial institutions have had to walk a regulatory tightrope, striking the right balance between compliance with regulations governing anti-money laundering with that of conflicting global data protection laws. But the far-reaching impact of the EU’s General Data Protection Regulation creates further tension between these two compliance priorities.

On the one side, AML regulations require financial institutions to collect and process a vast array of personal data on entities and individuals during the onboarding process, or before engaging in certain business transactions with them, to defend against money laundering and terrorist financing practices. Know-your-customer (KYC) due-diligence procedures are a critical component of a robust AML compliance program.

Even as regulators around the world continue to expand the scope of financial institutions’ obligations to identify and verify their customers’ identities, the GDPR significantly restricts how they acquire and manage that customer data, creating numerous sticking points in a firm’s overall AML compliance framework.

“It might seem like those two things are in conflict when, in reality, they’re not,” says Stephen Ritter, chief technology officer at Mitek Systems, a firm that specializes in digital identity verification and mobile capture. GDPR doesn’t prevent firms from satisfying their KYC obligations, but rather establishes requirements on how to do so in a secure fashion, he says.

Satisfying AML and GDPR obligations is possible—and, in fact, necessary—but it requires both a change in mindset and in the way that financial institutions operate. Start by understanding where AML regulations overlap with the GDPR, and then adjust AML and KYC policies and procedures accordingly, by considering the following compliance practices:

Document the legal basis for processing personal data for KYC purposes. Traditionally, financial institutions have taken a principles-based approach to KYC due diligence, which fail to satisfy the GDPR’s prescriptive, risk-based requirements. To process personal data legally under the GDPR for KYC purposes now requires that consent, as described by the GDPR, be “freely given, specific, informed, and an unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.” Without such consent, firms must have a “legal basis” for doing so.

“What we’re seeing is … information-security teams working alongside compliance and client onboarding teams to ensure that security is in place at a granular level to ensure compliance with data privacy laws.”

Edward Sander, President, Arachnys

The strongest legal basis for processing personal data may vary by jurisdiction, says Aoife Harney, a regulatory consultant at Fenergo, a client-lifecycle management software solutions provider. For European companies, for example, your strongest legal basis may be your legal obligations, because under the GDPR, where processing is carried out in accordance with a legal obligation, the processing should have a basis in EU or member-state law. On the other hand, if you’re carrying out KYC obligations in the United States, your strongest legal basis under the GDPR may be a “legitimate interest” pursued by a controller or third party.

Send privacy notices to customers and the beneficial owners of corporate customers. Privacy notices should include an explanation of the data being collected, and by whom; how and why it’s being collected; how it’s being used; and with whom it’s being shared. Relative to KYC obligations, banks should explain their identification and verification processes, as well as their background-screening procedures for identifying Political Exposed Persons and those on a sanctions list. “Companies need to be open and transparent about why they are collecting that data for KYC purposes,” Harney says.

Keep customer files accurate and up-to-date. GDPR effectively demands that banks take a much more selective approach to processing data for KYC purposes. Be realistic and honest about how much data or what documents are necessary for KYC purposes. Firms should not collect or keep personal data that isn’t required or needed, Harney says. “Nor should they be holding onto inaccurate data,” she says.

Secure personal data. Data security is an integral part of GDPR compliance, and firms are responding accordingly. “What we’re seeing is … information-security teams working alongside compliance and client onboarding teams to ensure that security is in place at a granular level to ensure compliance with data privacy laws,” says Edward Sander, president of Arachnys, a customer risk-intelligence solutions provider.

Financial institutions should process only the personal data necessary to satisfy AML requirements and limit access to customer data only to those users entrusted to collect and process such data as part of KYC activities and transaction monitoring alerts.

AML regulations may require firms to retain personal data long after a business relationship ends, while the GDPR mandates that personal data not be retained “longer than necessary for the purpose for which the personal data is processed.” Satisfying these conflicting requirements means that firms must identify ways to secure personal data that is no longer connected to an existing business relationship but that must be retained for at least five years for AML compliance purposes.

Monitor third-party compliance with both AML and GDPR requirements. If you’re relying on a third party to perform KYC procedures, or if you’re engaging in any other information-sharing activities with third parties, it’s important to ensure they’re performing appropriate due diligence and have measures in place to ensure that any personal data they are receiving is secured. It’s best to incorporate these compliance expectations—and the right to audit them—directly into third-party contracts.

At a  high level, firms should have in place data-driven policies and procedures that comply with the GDPR’s enhanced data-subject rights; make changes in the way they manage and interact with customers on a consent-based level; and implement data security controls and monitoring and auditing procedures, all of which can—and should—be automated with the newest privacy technologies that enable compliance with both GDPR and KYC obligations.