AML and GDPR

Roles of the GDPR and the AML directive

Merchants should take care to comply with both the GDPR / Personopplysningsloven and the AML directive / Hvitvaskingsloven. The AML directive places responsibility on certain types of organizations to conduct a due diligence process on their customers, and they are expected to retrieve information about their customers in order to make a risk-based evaluation. This implies retrieving personal information, and also being able to document these processes. The GDPR, on the other hand, has strict rules for retrieving, storing and using personal data, with great emphasis on data minimalism and data proportionality, demanding increased focus on the purpose for storing the data. Please note that these expectations can come into conflict. The Merchant, as data controller, should give careful attention to this.

Data minimalism

In order to comply with the AML legal requirements, the Merchant is required to store data, both to conduct the due diligence itself and to document that the process has been conducted. This will usually include the information provided in BankID AML, but could also include information from other sources. The Merchant is advised to store only data that is deemed necessary for conducting the due diligence process, and to leave out information that is not relevant for concluding it.

The end-user's right to insight into and deletion of their own data

The privacy legislation specifies that the end-user has a right to have insight into the information stored about them and also to have it corrected or deleted.

The AML legislation, however, clearly states that if the due diligence process gives reasons for suspicion, the end-user should not be informed of this; instead it should be reported to the authorities. Therefore the Merchant should implement their compliance system in such a way that some personal data (where the reasons for suspicion are recorded) is left out, even if the user requests insight into it.

Privacy and the BankID AML service

When using the BankID AML service, the Merchant is considered the data controller and has the main responsibility for complying with the privacy regulations, while BankID is a data processor in this context. Please note that the BankID AML product has been built with a privacy by design methodology, and this could be of help to a Merchant that wants to comply with both legal obligations:

  • A minimalist approach to what personal data is treated and for how long.
  • A granular approach to the purpose for which each piece of personal data is treated. For example, certain data is required by law to be stored for a certain period, in order to document the basis of the invoices we send to the Merchant. This data is stored for exactly that period, then deleted. Other data is stored in order to support Merchants when they experience technical issues. This data is stored for a much shorter period, because these situations are most likely to be worked on soon after they arise.
  • Data used for insight purposes or for product development, such as analyzing trends in usage, is anonymized and not connected to a user, and is therefore not considered personal data.
  • To avoid data redundancy, only what is absolutely needed is stored in the service itself. The information retrieved from the sanction and PEP lists is not stored in the service, but passed on directly to the Merchant.

Does BankID AML help the Merchant become GDPR compliant?

When designing the BankID AML solution we have given careful thought to balancing the legal obligations of the GDPR and the AML directive. The Merchant (data controller) can rely on BankID as a data processor, in that the data provided has a legal basis for processing, and the service is designed with great care when it comes to treating personal data.

However, the Merchant will also have to store the personal data retrieved from the service in their own systems, and will have to show the same care in order to comply with the legal obligations. The Merchant is advised to follow a privacy by design methodology, and also to keep in mind the situations where the AML and GDPR legislation pull in different directions.