Categories: anti-money laundering, privacy/personal data protection

Overzealous checking of customer identification can be harmful

Newly formed companies, and companies that have been on the market for some time, are becoming increasingly aware of their obligations under AML/FT regulations. Firms in various sectors, such as the technology sector, do not always realise that these obligations apply only to the types of entities listed in AML laws. Some businesses apply know your customer (KYC) identification procedures equivalent to those provided for in AML laws even though they are not subject to those laws. The problem is that overzealousness of this kind may itself be a breach of laws in other areas, especially personal data laws, above all the GDPR.

Obligations under AML/FT regulations

Under both the law currently in effect and the new Anti-Money Laundering Act that came into force on 13 July 2018, know your customer obligations apply to the obligated institutions described in that act. This means that before undertaking any activity to identify customers and verify their identity, each entity needs to determine whether it is included in the list of obligated institutions. If it is not an obligated institution, it has no formal obligation under AML laws to follow KYC procedures.

To give an example, under the past AML laws, cryptocurrency trading markets were not obligated institutions. These entities only formally became subject to KYC requirements under the new act.

If the entity in question finds that it falls within the group of obligated institutions, it is required to conduct, among other things, customer identification to determine the first name, surname, and civil identification number (PESEL) of an individual who is a customer of the obligated institution.

Restrictions under personal data protection laws

Entities that follow KYC procedures but are not obligated institutions under AML laws may find themselves in breach of data protection laws. This will be the case in particular if no law other than AML laws requires them to follow KYC procedures.

The common practice of firms rightly or wrongly convinced that they are institutions obligated to apply KYC procedures under AML laws is to store scans or photographs of personal identity cards.

These firms may not be aware that a facial image, including one on a personal identity card, may be data subject to special protection under the GDPR. Incidentally, the Inspector General for Personal Data Protection has repeatedly criticised the storage of scans of personal identity cards, for example by telecommunications operators.

To process data, whether photographs and scans or “ordinary” data such as first names, surnames, and civil identification numbers (PESEL), there must be a legal basis for doing so under personal data regulations. It is unlawful to process personal data without such a basis.

In principle, AML laws provide a legal basis for personal data processing even without the data subject’s consent. This rule applies, however, only to entities that have a formal obligation to apply AML laws. For entities that are not formally subject to AML laws but nevertheless follow KYC procedures, the collection of personal data may be more problematic. Overzealousness could cause a number of serious legal problems.

Katarzyna Szczudlik