GDPR and Section 11 of the Criminal Finances Act 2017


Section 11 of the Criminal Finances Act 2017 amends the Proceeds of Crime Act (POCA) and affects the regulated sector. The new data sharing regime enables regulated persons to request and share information with their regulated peers, largely without contravening the EU’s General Data Protection Regulation (GDPR). Any disclosure “made in good faith” that does not breach any duties of confidence or “any other restriction on the disclosure of information”.

The purpose is to encourage the sharing of information from different entities in the regulated sector and better enable the collation of multiple reports of potential money laundering into a single Suspicious Activity Report (SAR).

Regulated entities required to submit SARs

Under POCA, regulated entities are required to submit a SAR through their Money Laundering Reporting Officer (MLRO) whenever there is a suspicion of money laundering. The National Crime Agency (NCA), which deals with SARs, has found itself somewhat overloaded. In the 18 months from October 2015 to March 2017, over 600,000 individual SARs were submitted to the NCA.

How long does it take to process a SAR?

Money laundering rules state that if the authorities do not respond to a SAR within 7 days, the transaction can proceed. Given the vast workload the authorities face just to process the paperwork, it is obvious that things can get overlooked and instances of money laundering can slip through the cracks.

Giving the regulated sector a formal channel for sharing and disclosing their suspicions is therefore vital to supporting the work of the criminal investigatory services. Further, the regime helps firms evaluate and identify potential money launderers. Access to greater intelligence means a better ability to manage risk.

The four conditions for disclosing money laundering suspicions

To share this information, however, a regulated person must satisfy four key conditions:

  1. All parties must be in the regulated sector and the information must have been obtained in the course of running a regulated business
  2. A disclosure request has been made either by the NCA or the would-be recipient of the information
  3. The NCA is notified that a disclosure will be made
  4. The would-be discloser must be satisfied that the disclosure of the information will or may assist in determining any matter in connection with a suspicion that a person is engaged in money laundering

The paperwork itself is no less cumbersome than simply making a SAR, as all the information that would have to be included in a SAR must be disclosed anyway. This is to ensure that the NCA is kept informed every step of the way. The ideal scenario from the NCA’s point of view is that, following a disclosure, a joint SAR would be submitted by both regulated parties.

Easing the data protection restrictions on information sharing is designed both to ease the burden on the NCA and to allow the regulated sector more avenues and opportunities to work together and stop potential money launderers in their tracks.

VinciWorks’ online financial crime training

Tax Evasion: Failure to Prevent presents quiz questions during the course to test users’ knowledge on the topic being discussed

The issues related to financial crime and section 11 of the Criminal Finances Act are targeted in our suite of financial crime courses. Our anti-money laundering training takes the risk-based approach required by the Fourth Directive, while our tax evasion course begins with a course builder to make sure all staff are getting the training most relevant to their role, location and industry.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.
