GDPR and FinCEN: an explosive combination

New US Anti-Money Laundering rules will cause a data deluge while the EU General Data Protection Regulation turns data combustible.

May 2018 is not a long way off, and it’s going to be an explosive month for compliance. Two earth-shattering changes are coming. Firstly, on 11 May, new client due diligence (CDD) rules for beneficial owners come into effect. Secondly, on 25 May, GDPR goes live. The first change requires mass amounts of data to be collected, while the second change greatly restricts how that data can be used and introduces eye-watering fines for getting it wrong.

What’s changing for CDD in the US?

The United States Financial Crimes Enforcement Network (FinCEN) is requiring financial institutions operating in the US to process and vet sanctions data, negative-news data, corporate associations, individual associations and more on ultimate beneficial owners (UBO). Essentially, institutions will need to be able to track the entire relationship from customer to UBO, and all the corporate vehicles in between them.

Mass amounts of data will need to be processed and researched for tens of millions of companies worldwide.

This has been going on in European AML circles for a long time, but for the US it is a fresh requirement, and although the change will bring the United States in line with the EU, American financial institutions have a lot more distance to catch up.

Covered institutions, including federally regulated banks, credit institutions, mutual funds, brokers, dealers and commodities traders, are all required to comply. They must establish and maintain written procedures to identify and verify the beneficial owners of legal entities. This includes banks having to implement procedures to identify the natural persons who own bank accounts, and anyone who, directly or indirectly, owns or controls a 25% or greater interest in an entity.

What’s changing for data protection in the EU under GDPR?

From 25 May onwards, a new European Regulation known as the General Data Protection Regulation (GDPR) will change the landscape of handling data for EU citizens. This matters even to companies without offices in the EU, as the new law means that anyone offering goods or services in the EU, or dealing with the data for EU customers, will need to comply. If not, a company could face fines of 4% of annual global turnover or €20m, whichever is higher.

GDPR will require organisations to make a number of changes to how they collect and use data. This includes updated privacy notices, stronger processes for getting consent, privacy by design and default implemented into data systems, a requirement to identify the legal basis for processing data, and giving customers the right to have their data sent to them, moved somewhere else, or deleted entirely, free of charge.

Furthermore, data that is sent across borders must have stronger protections, and third parties who process data on someone else’s behalf must be bound by certain contractual clauses. Data that references a person’s race, political opinion, health information or genetic data, to name just a few ‘special categories’, must be treated with much more care. Plus, any breach of data, from a lost laptop to a hack, must be reported to the authorities, and the customers, in as little as 72 hours.

What will be the impact of these changes?

Like oil mixed with water, these two changes could be a highly combustible combination. International institutions, in particular those who already operate on both sides of the Atlantic, are likely to be preparing for both changes, and will simply have to make sure those are mutually compatible.

However, American institutions, or those without much of a presence in the EU but who are preparing for FinCEN, will now need to pay attention to GDPR. Trawling the internet for data on UBOs and seeking out the natural owners of accounts will doubtless net a number of EU citizens, whose data must be treated with GDPR compliant procedures come May. Even storing that information must be done in accordance with EU laws.

Subject Access Requests under GDPR

It gets more complicated the further the data travels. If it is sent on to third parties, sent to third countries, or combined with other information about an EU citizen, there must be strict processes in place to keep it safe.

If a customer requests their data, they must have it provided for them free of charge and within one month of the request. It’s not as simple as it sounds though, as various exemptions can apply, not to mention disclosure rules and the potential pitfalls of prejudicing investigations.

What should we do to prepare?

Not panic. Your organisation is not alone in having to prepare for these changes, and there is a lot of guidance out there to help. Staff training, raising awareness, and working through a detailed compliance plan for both FinCEN and GDPR will help ensure your processes for capturing data and keeping it safe are fully compliant.

Key questions to ask:

  • Are we ready for the new FinCEN rules?
  • What are we doing to prepare for them?
  • How will GDPR impact us?
  • Are our FinCEN procedures compliant with GDPR?
  • What do we need to do to make sure they will be?

VinciWorks’ tools to help you prepare for FinCEN rules and GDPR

In addition to VinciWorks’ training on GDPR and anti-money laundering, VinciWorks has created several useful tools to help organisations monitor their level of compliance and ensure they are ready come the month of May. Our GDPR resources page contains several courses, policies, guides and assessments that can be passed around the whole organisation. We have also created an anti-money laundering and counter-terrorism policy template that can easily be edited to suit your organisation, industry and staff. To learn more about our training, complete the short form below.