Historically, the enforcement powers of data protection supervising authorities paled into insignificance when compared to the penalties for breaches of money laundering laws and regulations; the money laundering regime always flexed its muscles and won the day.
This changed with the implementation of GDPR and the new enforcement powers it put in the hands of the data protection supervising authorities.
There has always been, and remains post-GDPR, a fine line to tread in relation to data retention, with differing and competing pieces of legislation imposing different requirements on the financial sector.
UK data retention legislation includes:
- Money Laundering Regulations – 5 years after the transaction has been executed or 5 years after the business relationship has ended. This does not cover internal and external Suspicious Activity Reports, Court Orders and the like, which should be held indefinitely for the firm’s own protection, as well as the personal protection of the Money Laundering Reporting Officer.
- Statute of Limitations – a claim can be made up to 6 years after an event (the Limitation Act 1980 period for most contract claims in England and Wales).
- Data Protection – personal data should be retained for no longer than is necessary for the purposes for which it is processed (the GDPR storage limitation principle).
Data retention & GDPR
The conflict here can arise from something quite simple, yet the consequences of getting it wrong are serious.
For example, a request is received to change a customer’s address. Once that request has been verified and actioned, the notification is technically no longer required, because the purpose for which it was collected has been fulfilled. A statement or other correspondence is subsequently issued bearing the customer’s name and new address, and this eventually forms part of a pack of ID&V documents used to fraudulently open a bank account, into which the proceeds of crime are deposited before being moved on to another account.
In time, the customer contacts the firm to say that they never notified it of any address change. The firm is then unable to prove that it acted in good faith, and finds itself on the wrong end of a money laundering and fraud investigation, let alone the further issues arising from its customer’s identity having been stolen and the implications of that for the customer.
Pre-GDPR, firms tended to retain data for as long as possible in situations like this, as the supervising authorities had no real stick to beat them with. Now, under GDPR, administrative fines run up to €10 million or 2% of global annual turnover for the lower tier of infringements and up to €20 million or 4% of global annual turnover for the upper tier, whichever is higher in each case. Should firms now take a very different approach to compliance? Do they now risk a penalty for retaining data for longer than can be argued as necessary?
Want to learn more about GDPR?
If you'd like to stay up to date with GDPR best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech and RegTech news, subscribe to the Skillcast Compliance Bulletin.
To help you navigate the compliance landscape we have collated searchable glossaries of key terms and definitions across complex topics including GDPR, Equality, Financial Crime and SMCR. We also regularly report key learnings from recent GDPR fines. And if you're looking for a compliance training solution, why not visit our GDPR Course Library?
You can follow our ongoing YouGov research into compliance issues, attitudes and risk perceptions in the UK workplace through our Compliance Insights blogs.
Last but not least, we have 60+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, handouts, posters, training presentations and even e-learning modules!
If you've any questions or concerns about compliance or e-learning, please get in touch.
We are happy to help!