<img src="https://certify.alexametrics.com/atrk.gif?account=b2hlr1ah9W20em" style="display:none" height="1" width="1" alt="">
    Login
    Get started

    data retention

    It has long been accepted that data protection, has by and large been a poor relation in the world of compliance, and in particular never been a good bed fellow of the money laundering regulations, with the two of them often conflicting with one another.

    However, up until now, with the data protection supervising authority’s enforcement powers paling into insignificance when compared to the penalties for breaches of money laundering laws and regulations, the latter has always flexed its muscles and won the day.

    Is that all about to change however, with the implementation of GDPR and its new enforcement powers being made available to the data protection supervising authorities?

    There has always been, and there will remain post GDPR, a fine line to be tread in relation to data retention, with differing and competing pieces of legislation generating different requirements of the financial sector.

    In the UK for example, we have:

    • Money Laundering Regulations – 5 years after the transaction has been executed or 5 years after the relationship has ended. This does not include internal and external Suspicious Activity Reports, Court Orders and the like, which should be held indefinitely for a firm’s own protection, as well as the personal protection of the Money Laundering Reporting Officer.
    • Statute of Limitations – a claim can made up to 6 years after an event.
    • Data Protection – data should only be retained for as long as is necessary for the purpose for which it was intended.

    Data retention and GDPR

    However, the conflict here can be simple, yet the consequences of getting it wrong are quite serious.

    For example, a request is received to change a customer’s address, once that request has been verified and actioned, the notification is technically no longer required, as the purpose for which it was intended no longer exists. A statement or other correspondence is subsequently issued with the customer’s name and new address on it, which eventually forms part of a pack of ID&V documents used to fraudulently open a bank account, into which the proceeds of crime are deposited, before being moved onto to another account.

    In time, the customer contacts the firm to advise that they did not at any time notify them of an address change, and thus the firm is left not being able to prove that it acted in good faith, and on the wrong end of a money laundering and fraud investigation, yet alone any other issues regarding its customer’s identity being stolen and the implications of that for the customer.

    In view of this type of scenario, firms have thus far, always retained data for as long as possible, as there was no real stick for the supervising authorities to beat them with for doing so, but now, under GDPR with applicable fines ranging between €10 million or 2% of global annual turnover and €20million or 4% of global annual turnover, will firms now start to take a very different approach to compliance? Will they risk retaining data for longer than can be argued as necessary?

    Time will tell.

    Leave a comment

    Tick

    eBook: Essential Uncovered

    Skillcast Essentials is our best-selling library and there's a reason for that. Essentials library provides comprehensive coverage of the key compliance / conduct issues that companies in the UK face today.

    Request now

    How to use storytelling in compliance training for maximum impact

    Stories help us to connect with people and the world around us. They have the power to  engage us in a way simple narratives just can't. And we remember stories. I'll bet you still remember your ...

    Read More
    5 ways to fire up a culture of compliance

    Any company's biggest risk to attaining and maintaining full compliance with laws and regulations is the conduct of its people - we call this the people dimension of compliance. And against this ...

    Read More
    6 traits of effective compliance officers

    Protecting the ethical integrity of a company is the heart of the compliance officer’s role. And as regulators continue to clamp down on misconduct with higher fines, compliance officers are under ...

    Read More
    New infographic reveals a lack of transparency about political engagements

    Nearly three quarters of companies are failing to disclose how they engage with politicians, according to a new report by Transparency International UK. The 2018 Corporate Political Engagement Index ...

    Read More