Capital Markets

AML and GDPR compliance in the financial services industry

The Fourth Anti-Money Laundering Directive has been transposed into Maltese law by virtue of amendments to the Prevention of Money Laundering Act, the enactment of new regulations under said act, and through the publication of various regulations intended to set up beneficial ownership registers for companies, trusts, associations, foundations and other legal entities.

The General Data Protection Regulation was published in the Official Journal of the European Union on 4th May 2016 and will be applicable in its entirety as from 25th May 2018.

The GDPR will have direct legal effect throughout the EU, without requiring transposition into national legislation. Therefore, from 25th May 2018, any organisation established within the European Union that holds, stores or uses personal data will be required to comply with the new rules.

While the GDPR protects people and their human rights by defending privacy of personal information, the 4AMLD is in favour of transparency and disclosure of certain information. The introduction of a register of beneficial owners is one of the most controversial aspects of the relation between the two regulations.

The interaction between the AMLD and the GDPR will have a significant impact upon the financial services industry. Finding the balance between data protection and AML requirements, while incorporating data privacy into anti-money laundering procedures, is the main challenge that the financial services industry will have to face, in consideration of the heavy penalties attendant upon breaches of these laws.

In connection with the requirements imposed by the two regulations, concerned entities may want to consider the installation or upgrade of screening tools. In fact, the implementation of regulatory technology in CDD processes should not only be intended for AML compliance but should also take into consideration requirements under the GDPR.

The 4AMLD and the GDPR should be seen as a good opportunity to revisit the amount and extent of personal data collected and retained for AML purposes.

The old policies and modus operandi should be reviewed and amended to ensure that the data being processed is limited to that which is required at law.

This will not only entail a change in systems but will require, more importantly, a cultural change that will force operators to discard a perfunctory approach to AML compliance.

While the operators of the financial services industry are obliged to set out proper measures to ensure compliance both with GDPR and AML regulations, it is an undisputed fact that these regulations are opposed in intent and that therefore the process of compliance will not come without its challenges.