ARTICLE
22 January 2026

AML/CTF vs. GDPR: What Businesses And Individuals Need To Know

I. Frangos & Associates LLC


Established in 1999, our firm has evolved into a beacon of professional excellence, expanding its footprint nationally and internationally. Committed to adaptability and client satisfaction, our dedicated team navigates the ever-changing legal landscape with precision, integrity, and an unwavering commitment to excellence.

Protecting the financial sector and preventing money laundering and the financing of terrorism are key priorities for both the European Union and the international community. Obliged entities are businesses and organizations involved in financial transactions that are subject to the obligations of the Anti-Money Laundering (AML) legislation. These include, among others, credit institutions, financial institutions, law firms, accounting firms, and real estate agencies. To achieve the objectives of the AML framework, obliged entities collect and process personal information about their clients and their financial activities.

However, collecting and processing such personal information can sometimes conflict with the right to privacy, as protected by Regulation (EU) 2016/679 (the General Data Protection Regulation, or "GDPR") and supplemented in Cyprus by the Law for the Protection of Natural Persons with regard to the Processing of Personal Data and the Free Movement of such Data (Law 125(I)/2018). The purpose of this article is to explain, in simple terms, what obligations these entities have, what kind of personal data they are allowed to collect, and how the effort to prevent money laundering and terrorist financing is balanced with the protection of personal data.

The Obligation to Collect Personal Data

Under the Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007, as amended ("AML Law"), obliged entities are required to carry out Customer Due Diligence ("CDD"). This means that they must collect documents verifying the identity of their clients, obtain information about the purpose and intended nature of the business relationship, continuously monitor transactions to ensure they are consistent with what the obliged entity knows about the client and their risk profile and gather documents showing the source of the client's funds, as provided in Article 61 of the AML Law. This obligation serves as a crucial safeguard to protect the financial system from money laundering and terrorist financing.

This process is commonly known as Know Your Customer ("KYC"). The most common documents that obliged entities request from their clients include an identification document such as a passport and/or ID card, an official document showing the client's residential address, a Curriculum Vitae (CV), and documents or information related to the client's source of wealth and source of funds. It is worth noting that the documents required are not always the same, as this depends on the categorisation of the client and/or the envisaged transaction under the risk-based approach that obliged entities follow. For higher-risk clients and/or transactions, the entity must perform enhanced due diligence and collect additional documents and information to ensure that the client is not involved in money laundering or terrorist financing activities.

Processing of Personal Data

According to Article 70B of the AML Law, obliged entities may process their clients' personal data solely for the purposes defined by the aforementioned legislation. Any other use or processing of this data is strictly prohibited. The collection and processing of personal data for the purpose of preventing money laundering and terrorist financing is considered a matter of public interest and therefore does not violate data protection laws. Consequently, a client cannot refuse to provide the necessary documents and information on the grounds of personal data protection, as such disclosure constitutes a legal obligation both for the client and for the obliged entity under the AML framework. Refusing to provide the required information may result in the non-establishment or termination of the business relationship, since the obliged entity would be unable to fulfil its legal customer due diligence obligations.

However, before collecting any data and before entering into a business relationship, the client must be informed, in accordance with Article 13 of the GDPR, about their rights and how their personal data will be processed. It is also worth noting that, according to Article 70B(5)(a) and (b) of the AML Law and pursuant to Article 23 of the GDPR, a client's right to access their personal data and information regarding its processing may be restricted. This restriction applies when it is necessary (a) for the proper performance of the duties of obliged entities and supervisory authorities as provided by the Law, or (b) to avoid obstructing official or legal investigations, analyses, or proceedings carried out for the purposes of the AML Law and to ensure that the prevention, investigation and detection of money laundering and terrorist financing are not compromised. Lastly, under Article 68 of the AML Law, obliged entities must retain clients' data for five years after the end of the business relationship or the date of a single transaction. The data therefore cannot be deleted before this period expires, and clients must be informed accordingly.

Conclusion

Complying with both AML/CTF (Anti-Money Laundering and Counter-Terrorist Financing) requirements and GDPR obligations requires businesses to strike a delicate balance between preventing financial crime and protecting personal data. Obliged entities must apply effective due diligence (KYC) measures while ensuring that data collection and processing are strictly limited to what is necessary for AML/CTF purposes.

The 2023 Guidance issued by the Cyprus Bar Association reinforces the importance of the risk-based approach and outlines in detail the due diligence measures that law firms, as obliged entities, must implement. Transparency, client awareness, and adherence to GDPR principles are key pillars for lawful and responsible business conduct, enhancing both compliance and public trust in the financial system.
