AML and data protection—law firms

The following Practice Compliance guidance note provides comprehensive and up to date legal information covering:

  • AML and data protection—law firms
  • The data protection regime
  • Lawful ground for processing
  • Restriction on processing personal data for non-AML/CTF purposes
  • Information requirements
  • Protecting and retaining CDD data
  • Data sharing
  • Subject access requests and tipping-off

The provisions of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) create some challenges under the anti-money laundering (AML) and counter-terrorist financing (CTF) regime, including:

  1. complying with information requirements

  2. the requirement not to use personal data collected for AML/CTF reasons for other purposes

  3. protecting the client data you collect during the client due diligence (CDD) process

  4. sharing client data with law enforcement agencies, eg by making suspicious activity reports (SARs) or responding to enquiries, and

  5. data subject access requests (DSARs) and tipping-off offences

This Practice Note begins with a brief overview of the data protection regime and its principles and then explains these challenges, providing practical guidance on how to approach them. It reflects the requirements of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), SI 2017/692, which came into force on 26 June 2017.

The data protection regime

To comply with the data protection requirements in the MLR 2017, it is necessary to have a basic understanding of the data protection regime.

How is data protection regulated?

You cannot simply use (process) the personal data of clients and other individuals in whatever way you please or whenever you wish.

You can only process personal data as permitted by the data protection regime, ie the GDPR supplemented, where required, by