AML and data protection
The Money Laundering Regulations require law firms to carry out anti-money laundering checks on clients, both individuals and corporate clients, which inevitably involves the processing of personal data and sometimes special category data.
Law firms have a legal obligation to carry out identification and verification checks on clients, so the lawful basis for processing personal data for this purpose is Article 6(1)(c) (compliance with a legal obligation). As stated earlier, consent is difficult to obtain and maintain, and in the context of AML checks the regulations oblige law firms to retain this information for a period of time. If the individual withdrew their consent during that period, a firm relying on consent would have to stop processing and, if asked, delete the data, as it would have no lawful basis under data protection law to keep it while the regulations still required retention. A controller cannot simply switch to a different lawful basis after the event, so the solution is not to rely on consent in the first place.
Increasingly, law firms are using technology to carry out checks remotely. The technology supplier will be a data processor, and it is important to remember that the law firm, as the data controller, remains responsible for the processing carried out through the technology. That relationship must be governed by a written contract containing the Article 28(3) terms, including that the processor acts only on the firm's documented instructions.
Biometric data
Some suppliers allow the use of facial recognition technology, which relies on the collection of biometric data. Biometric data used to uniquely identify an individual is special category data and so must be thought about more carefully. This technology should only be used if necessary, and the decision about necessity is for the law firm, not the supplier.
If the law firm is using biometric data for AML purposes, an Article 9 condition is available in Schedule 1, Part 2 of the Data Protection Act 2018, which sets out the substantial public interest conditions that the UK provides under Article 9(2)(g). Paragraph 12 covers processing that is necessary for complying with a regulatory requirement which involves taking steps to establish whether a person has committed an unlawful act or been involved in dishonesty, malpractice or other seriously improper conduct. Note that this condition sits alongside, rather than replaces, the Article 6(1)(c) basis, and that relying on a Part 2 condition requires the controller to have an appropriate policy document in place (Schedule 1, paragraph 5 and Part 4).
The controller must also consider the retention of AML records, and in particular the retention of biometric data. The Law Society of Scotland's supervisory position is that law firms should be able to document that they have undertaken the verification check, a summary of the information on which the check was based, the result and what decisions were made following the result. Therefore it may not be necessary for the biometric data itself to be retained by the technology company. As the supplier is a processor, the law firm can instruct it to delete personal data held on the firm's behalf, and should confirm that the deletion has actually taken place.
Case study
Our law firm has started using a technology company to assist with AML checks. The service allows facial recognition technology to be used, and our law firm has decided that this is only necessary where the fee earner has not met the individual either face to face or through a video call. This decision was taken following the completion of a Data Protection Impact Assessment, and the approach was chosen to comply with the requirement that the processing be necessary and with the data minimisation principle.
The firm has also instructed the technology company to delete the biometric data one month after it has been collected.
The law firm has also updated its privacy notice for clients to explain its use of technology, including the possibility that it will process biometric data.