
GDPR v Money Laundering Regulations: How long should you retain client ID documents?

The GDPR says that personal data should be kept for no longer than is necessary for the purposes for which it was collected. The Money Laundering Regulations say that CDD documents must be kept for at least 5 years. So how long should you retain client ID documents for?

On the face of it, there appears to be a conflict between two key pieces of legislation. Which should you comply with in order to avoid a fine or other regulatory sanction?

Summary

  • Regulation 40 of the Money Laundering Regulations (“the MLRs”) says that CDD documents must be kept for 5 years from the date on which the transaction has completed or the business relationship has come to an end.
  • Article 5(1)(e) of the GDPR states that personal data should be kept for no longer than is necessary for the purposes for which it was collected.
  • This implies that personal data should be deleted once identification checks have been completed and directly conflicts with the MLRs.
  • However, further Articles within the GDPR suggest that where the processing is necessary for compliance with a legal obligation (i.e. the MLRs) or for the purposes of the legitimate interests of the controller (i.e. to detect suspicious activity pursuant to the MLRs) then the retention of data in line with the MLRs will be lawful.

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“the MLRs”)

The MLRs contain legal obligations which apply to organisations in various sectors, including financial institutions, credit institutions, accountants and legal professionals.

Regulation 40 says that copies of documents and information obtained in order to satisfy client due diligence requirements (e.g. a copy of a passport, driving licence or utility bill) must be kept for 5 years from the date on which the transaction has completed or the business relationship has come to an end.

Once that period has expired, the personal data must be deleted unless it has to be retained by law, it is required for the purposes of actual or anticipated court proceedings, or the data subject has consented to the retention of that personal data.

The General Data Protection Regulation

  • The EU GDPR was incorporated into UK law on 1 January 2021 by the European Union (Withdrawal) Act 2018.
  • The UK GDPR (which applies to EU controllers doing business in the UK) and the EU GDPR (which applies to UK controllers with an establishment in the EU) are substantially similar and are therefore often both referred to as “the GDPR”.
  • The Data Protection Act 2018 supplements the UK GDPR by, for example, setting out the data processing regimes for law enforcement and intelligence agencies.

Article 5 contains the 7 key principles which must be observed in relation to all aspects of the processing of personal data unless an exemption applies. Failure to comply with these principles can result in substantial fines of up to £17.5m or 4% of global turnover (whichever is greater). For present purposes, we are only concerned with the following principles:

  • Article 5(1)(a) (“Lawfulness, fairness and transparency”) says:

“Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject”.

In order for the processing to be lawful, one of the conditions in Article 6 must be met. Often, the condition relied on will be the ‘consent’ of the data subject, for example consent to the processing of ID documents in order to verify the client’s identity.

  • Article 5(1)(e) (“Storage Limitation”) says:

“Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed…”

The implication here is that where personal data is collected for the purposes of confirming the client’s identity (with the client’s consent), that personal data should be deleted once those checks have been completed, because once the purpose has been fulfilled it is no longer necessary to retain the personal data. However, this apparently conflicts with the obligations under the MLRs, which require CDD documents to be kept for at least 5 years after the end of the transaction or business relationship.


Which takes priority?

There are two other conditions in Article 6 which would make the processing of ID documents lawful:

  • Article 6(1)(c) says:

“Processing [of personal data] shall be lawful…if…processing is necessary for compliance with a legal obligation to which the controller is subject”

In other words, if the ID documents are processed because this is necessary for compliance with the MLRs, rather than on the narrower basis that the processing is necessary simply to confirm the client’s identity, then the processing will be lawful and the Storage Limitation principle will not prevent the controller from retaining those documents for the period specified in the MLRs.

  • Article 6(1)(f) says:

“Processing [of personal data] shall be lawful…if…processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party…”

Additionally, or alternatively, if the processing of the ID documents is necessary in order to detect suspicious activity pursuant to the MLRs, then this is likely to amount to a ‘legitimate interest’, and so the processing will be similarly lawful and the Storage Limitation principle will have the same effect as above.

Article 17 says that although the data subject shall have the right to obtain from the controller the erasure of personal data in certain circumstances, this does not apply where the processing is necessary in order to comply with a legal obligation. This is a further example of the GDPR suggesting that compliance with legal obligations takes priority over the rights of the data subject.

Conclusion

Although the answer is not clear-cut, in our view an organisation that is subject to the MLRs should not be in breach of the GDPR if it processes ID documents in order to comply with the MLRs and retains those documents for at least 5 years from the end of the transaction or business relationship, rather than deleting them once it has confirmed the client is who they say they are.

Author: Elaine Mitchell

Should you require advice regarding this or any other financial crime compliance matters, please do not hesitate to get in touch at hello@tenetlaw.co.uk

Published on December 6, 2022