At first glance, it might be thought that the Wwft and the AVG conflict, or at least have opposite goals. After all, the Wwft requires financial institutions to conduct client investigations, collect data, request documentation and store it permanently. At the same time, minimizing the processing of personal data is one of the main principles of the AVG. Nevertheless, in principle, the Wwft and the AVG dovetail legislatively. Moreover, the Wwft specifies some obligations from the AVG specifically for Anti-Money Laundering / Combating the Financing of Terrorism (AML/CFT). In the Netherlands, the European AML directives are primarily implemented in the Wwft.
The Money Laundering and Terrorist Financing Prevention Act (Wwft) imposes obligations on banks and other financial institutions in the Netherlands to prevent money laundering and terrorist financing as much as possible. Among other things, financial institutions are expected to know enough about their customers, UBOs(1) and financiers (the Know Your Customer or KYC principle)(2) and to monitor their cash flows. Financial institutions therefore send KYC/CDD letters to customers on a large scale, in which they ask the customer to provide further information about, for example, their UBOs and directors, the origin of (company) assets and specific (cash) flows.
In this process, a great deal of data and documentation is requested, including a large amount of personal data. Often this data does not even come from the client itself, but from third parties. The General Data Protection Regulation (AVG) requires a lawful basis for processing these personal data in client investigations. When conducting client investigations under the Wwft, financial institutions must therefore guard against violations of the AVG.
The AVG has an exhaustive list of six possible bases for processing personal data:
(a) consent of the data subject;
or the necessity of the processing for:
(b) the performance of a contract;
(c) fulfilling a legal obligation;
(d) the protection of vital interests of the data subject;
(e) the performance of a public interest task; or
(f) representing legitimate interests.
Without one of these bases, the personal data may not be processed. This means, among other things, that the financial institution may not receive, let alone store, the data in question for client investigation purposes.
In practice, financial institutions often conveniently lean on the consent of the data subject (basis a) to process personal data. Relying on this basis, however, especially in client investigations, is an unwise choice. Data subjects may withdraw their consent at any time. If consent is withdrawn, the financial institution may no longer process the data and the data must be deleted. As a result, a financial institution that thought it had met its Wwft obligations may suddenly find itself in breach of its Wwft obligation to retain data and documentation for five years.
In addition, the financial institution will have to obtain individual consent from all stakeholders, including third parties. This can be quite an exercise.
Finally, consent must be 'freely given' by the data subject. Often, the financial institution announces consequences, such as the "reconsideration" (or termination) of the business relationship, in case the data subject does not provide the requested data (and thereby give implicit consent). In this case, the consent obtained is not freely given and thus the personal data may not be processed and stored.
Financial institutions are generally wiser to choose a different basis. More logical and sensible choices are:
(c) the necessity to comply with a legal obligation (the client due diligence under the Wwft);
(e) the necessity for the performance of a public interest task (the prevention of money laundering and terrorist financing); and
(f) the necessity for the protection of legitimate interests (the elimination of integrity risks at the financial institution).
Merely relying on a processing basis is not enough for the financial institution. For example, in order to rely on grounds b to f it is required that the data processing is really necessary, and in order to rely on a legitimate interest (ground f) a balancing of interests will have to be made. For all bases, moreover, the financial institution must comply with the (other) requirements and principles of the AVG (including the requirement of purpose limitation).
(1) rwv.co.uk/news/2020/09/who-qualifies-if-ubo
(2) rwv.co.uk/laws/financial-law/kyc-cdd