PONT Data&Privacy
Wwft and AVG: privacy rules limit financial institutions in client investigations

20 May 2021

Background articles

Client investigations under the Wwft involve a lot of processing of personal data. Identity documents are requested, third-party personal data are collected and contact details are stored. Financial institutions should pay close attention to the AVG when implementing their KYC/CDD policies.

In a previous article we focused on the legal requirement of a processing basis. There is more to this than just choosing a basis, something financial institutions often do not consider, or do not consider enough. In this article, we walk through some additional requirements using real-life examples.

Processing often too easily grounded in 'legal obligation'

Personal data are processed quickly, especially when customer information and documentation are requested and stored. In order to (demonstrably) comply with their obligations under (article 3 of) the Wwft, KYC departments of financial institutions often prefer to request too much rather than too little information and documentation from customers. After all, this way the institution is more likely to obtain a more complete picture of the customer and his transactions.

Yet it is also possible to request too much information and documentation, namely if the processing of personal data goes too far in that context. In client investigations, processing is usually (partly) based on Article 6(1)(c) AVG: a legal obligation (complying with the Wwft, and sometimes at the same time the Wft/Bpr Wft). In order to validly invoke this ground for processing, the data processing must meet the necessity requirement. This means that the information and/or documentation requested must be necessary to comply with (article 3 of) the Wwft.

Data processing that does not meet the necessity requirement can lead to liability and a fine

A financial institution cannot simply request as much information and documentation as possible. It will have to ask itself, for each item of (personal) data or each document, whether it actually needs it. Can it be demonstrated that it is necessary to ask the customer about (the business background of) all his family members? What is the demonstrable need for requesting documentation from a distant past? In many cases, financial institutions request the relevant information and documentation "just to be sure" anyway. However, this can have adverse consequences.

After all, a data processing based on Article 6(1)(c) AVG (the legal obligation) that does not meet the necessity requirement is unlawful. A fine from the supervisor and/or a liability claim by the data subject(s) is then not excluded.

Processing should be reviewed for proportionality and subsidiarity

The same applies to the requirements of proportionality and subsidiarity. Pursuant to the AVG (and the Santander judgment of the Supreme Court), all personal data processing must comply with these requirements. Financial institutions would therefore be wise to always ask whether the processing of certain information/documentation is proportionate to the purpose to be served, and whether that purpose could not be achieved in another way that is less detrimental to the customer.

For example, if an institution is only investigating a few specific transactions, screening the entire customer relationship file will be excessive, and the resulting invasion of the privacy of the relationship(s) in question will be disproportionate. It may also be possible to simply limit the investigation to the specific relationship(s) at issue.

Logically, the requirements of proportionality and subsidiarity are closely related to the necessity requirement. If a processing of personal data does not meet the requirements of proportionality and subsidiarity, then the necessity requirement is often not met either, and vice versa. These requirements are also related to an overarching AVG principle: that of data minimisation.

The AVG requires financial institutions to exercise restraint in processing: the end does not justify the means

All in all, the AVG therefore implies that financial institutions must (continue to) pay close attention to the privacy interests of their clients and (possibly) other data subjects. The Wwft does not give them carte blanche to request unlimited information and documentation, even if this is done for a client screening. The financial institution must carefully determine which information and documentation it requests (and which it does not): more is not always better in this case.

Would you like to gain more insight into the privacy law aspects that financial institutions need to pay attention to when conducting client investigations under the Wwft?
Then follow the course 'Relationship between Wwft and AVG: the limits of client investigations'. More information can be found here.

Want to learn more about this topic? Then follow the workshop Privacy in the financial sector during the Data&Privacyweb Knowledge Market. December 7, 2021.
