Identity verification, security and GDPR for AML solutions

For financial institutions onboarding new clients, anti-money laundering (AML) checks are essential to meet strict regulations and protect themselves from legal difficulties and reputational damage.

As part of the Know Your Customer (KYC) standards, businesses and financial institutions are required to take steps to establish the identity of a new client or customer to ensure they’re not becoming involved in fraud or financial misconduct.

Clients are typically required to provide proof of address and proof of identity through a utility bill, passport or other official document. A Certificate of Incorporation may be required for corporate clients.

While these checks are necessary to prevent financial crime and fraud, we also understand that there’s a concern around GDPR compliance when business owners must hand over valuable personal data for AML checks.

Increasingly, many firms are relying on technology to acquire this important information. By using this technology to collect documents during the onboarding process, no documents are sent by email or downloaded onto local drives.

Only one copy exists, and it is encrypted at the point of capture and in transit to where it is stored securely. So how can firms improve their approach to AML and GDPR using the latest software?

Protecting yourself, protecting client data

AML regulations require a heavy focus on collecting personal data because it’s a core part of risk management to identify and verify individuals that you’re working with financially.

Within the industry, we all accept that this is necessary to stay safe on the financial frontline.

However, we’ve found the clear potential for AML checks to contravene GDPR regulations.

Financial institutions collecting client data need to comply with the GDPR, which states that data must be:

  • Stored securely
  • Collected only if necessary
  • Processed only as needed
  • Hidden from those who don’t need to access it
  • Used only for its originally intended purpose
  • Deleted upon request

The first thing any organisation needs to do is to establish legal justification for collecting and processing data.

For GDPR purposes, data from individuals must be kept for five years after the relationship ceases to exist or a director or shareholder is no longer related to the business.

Technology can offer a solution by allowing you to track when clients or beneficial owners are offboarded so that you can manage GDPR obligations. Remember, data should only be kept if there is an additional legal reason to do so.

Most data collection activities for anti-fraud purposes are justified by Article 6(c) of the GDPR – permitting the collection of personal data “for compliance with a legal obligation to which the controller is subject”.

Under this Article, it is legitimate to collect whatever client data you need to complete AML checks, provided that you follow the other regulations.

The consequences of losing AML data

Failure to abide by these regulations can result in a significant fine – €20 million (£17.2 million) or four per cent of global turnover, whichever is greater.

Considering the potential costs of cutting corners – or of a serious data breach – we’ve seen a real concern over how an organisation might stay safe from missteps.

In our experience, financial institutions, particularly accountants, must understand how serious their responsibilities towards clients are, particularly if their data is used to identify an individual.

It’s also important to remember that reputational damage from loss of AML data can be significant – particularly if it results in fraud, the exact scenario these checks are designed to prevent.

For this reason, we advise organisations conducting AML checks and due diligence to seek specialist support.

A comprehensive solution

It can seem that there is no obvious solution to this problem, but innovations in cloud-based AML products hold many of the answers.

Under the GDPR, you’re allowed to appoint a data processor in the form of a specialist organisation that will conduct AML checks for you in a secure, professional manner.

Doing so will provide you with access to experts trained in GDPR for AML purposes, with data stored securely in the cloud and encrypted where necessary.

At the same time, a fully compliant AML solution provider will be able to support you in building a bespoke identity verification system which allows you to securely request, store and process the data that you need.

This is a significant step towards avoiding data loss and keeping your organisation’s name in the clear.

By keeping AML in a separate, but integrated, system it is easier to grant access only to the users who need it, and only the access they need.

By exposing a client’s AML status to other systems without sharing the underlying personal details, users can interact with the AML process without exposing GDPR-sensitive data.

You can also minimise how many times data is duplicated. Integrated electronic checks are run on the details already recorded rather than re-entered in a separate AML portal.

IDs and other documents are saved in the same place, meaning everything is stored in a single location rather than dispersed across multiple systems. This helps protect data, and it also simplifies purging data should that be required.
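The segregation, status-only integration and single-place purging described above, as an added illustration (not Xama’s code or product); the class and role names are assumptions, and the five-year retention after offboarding follows the figure given earlier in this article:

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

RETENTION_DAYS = 5 * 365  # five years after the relationship ends, as stated above


@dataclass
class AmlRecord:
    client_id: str
    documents: Dict[str, bytes] = field(default_factory=dict)  # e.g. passport, utility bill
    status: str = "pending"                                     # "pending", "verified", "failed"
    offboarded_on: Optional[date] = None
    legal_hold: bool = False  # an additional legal reason to keep the data beyond retention


class AmlVault:
    """Segregated AML store: documents stay inside; other systems receive status only."""

    def __init__(self) -> None:
        self._records: Dict[str, AmlRecord] = {}

    def add(self, client_id: str, documents: Dict[str, bytes]) -> None:
        self._records[client_id] = AmlRecord(client_id, dict(documents))

    def set_status(self, client_id: str, status: str) -> None:
        self._records[client_id].status = status

    def offboard(self, client_id: str, when: date) -> None:
        self._records[client_id].offboarded_on = when

    def status_view(self, client_id: str) -> Dict[str, str]:
        """The only view integrated systems get: verification status, no personal details."""
        return {"client_id": client_id, "status": self._records[client_id].status}

    def documents(self, client_id: str, requester_role: str) -> Dict[str, bytes]:
        """Raw documents are restricted to the (assumed) AML reviewer role."""
        if requester_role != "aml_reviewer":
            raise PermissionError("documents are restricted to AML reviewers")
        return self._records[client_id].documents

    def due_for_purge(self, today: date) -> List[str]:
        """Clients offboarded more than five years ago with no legal hold."""
        cutoff = today - timedelta(days=RETENTION_DAYS)
        return sorted(cid for cid, r in self._records.items()
                      if r.offboarded_on is not None and r.offboarded_on <= cutoff and not r.legal_hold)

    def purge(self, today: date) -> List[str]:
        """Delete documents and status together, since they live in one place."""
        purged = self.due_for_purge(today)
        for cid in purged:
            del self._records[cid]
        return purged
```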

We understand that individuals and organisations subject to AML checks and identity verification can be concerned when large volumes of their personal data are being stored by a third party.

For that reason, we’ve found that implementing a secure, cloud-based system can help alleviate those fears and transform the efficiency of your AML process.

To find out how Xama can support your firm with AML compliance, get started for free today.
