Does the phrase “data related to their customers” under Article 6 of the Delegated Regulation refer to personal customer data (as defined by EU Regulation 2016/679) or general data for management purposes (e.g. descriptive statistics on the number of customers, customer risk distribution, etc.)?
According to Article 6 of the EU Delegated Regulation 2019/758, the branches and majority-owned subsidiaries (in third countries) of credit and financial institutions must allow for the transfer of data related to their customers to a Member State for the purpose of supervision for AML/CFT.
Clarity is requested on the reference to “data related to their customers” in Article 6 in order to assess this requirement against the obligations of EU Regulation 2016/679, regarding the protection of fundamental rights and freedoms of natural persons in respect of exchanging and processing information.
The reference to “data related to their customers” appears to reference general data for management purposes given that the potential mitigating actions under Article 6 do not include the incorporation of customer consent clauses in contracts (which would be expected if the intent was for personal customer data).
Further, Article 6 specifically references “data related to their customers” and not “customer data” as referenced in Article 4 (which clearly focuses on the processing and sharing of personal data).
Obliged entities are required to demonstrate to their home Anti Money Laundering (AML)/ Countering the Financing of Terrorism (CFT) supervisor that they comply with the requirements under the Directive (EU) 2015/849 (AMLD). These requirements include a legal duty, in Article 45 of the AMLD, to put in place and maintain group-wide AML/CFT policies and procedures where applicable. Group-wide AML/CFT policies and procedures include policies and procedures to share information within the group, to the extent that this is necessary to support effective, ongoing Money Laundering (ML)/Terrorist Financing (TF) risk identification and management at the level of the group, and enable competent authorities effectively to supervise the group's compliance with the AMLD’s requirements.
The Commission Delegated Regulation (EU) 2019/758 sets out the steps credit institutions and financial institutions have to take if they have branches or majority-owned subsidiaries in third countries whose laws do not permit the application of group-wide AML/CFT policies and procedures. Article 6 of the Delegated Regulation sets out the steps credit institutions and financial institutions must take if the third country’s law prohibits or restricts the transfer of data related to customers to an EU Member State for the purpose of AML/CFT supervision. These steps include obtaining aggregate information that is designed to support an understanding, by the credit institution or financial institution, of the ML/TF risk associated with the third country branch or majority-owned subsidiary’s customers and business and that can be shared with the home competent authority for AML/CFT supervision purposes upon request. They also include taking additional measures so that the credit institution or financial institution is satisfied that the branch or majority-owned subsidiary complies with group AML/CFT policies and procedures and effectively identified, assesses and mitigates ML/TF risk.
The term ‘data related to customers’ in Article 6 of the Delegated Regulation includes personal data as well as aggregate data on a third country branch’s or majority-owned subsidiary’s customers and business relationships. However, the minimum requirement in Article 6 (e) of the Delegated Regulation to make such data available to EU competent authorities upon request, extends only to information set out in Article 6(d) of that Regulation. This is because Article 6 covers the minimum information that competent authorities may need to access to assess how credit institutions and financial institutions that are part of a group comply with their obligations under Article 45 of the AMLD. Article 6 of the Regulation does not prevent the sharing of personal data for AML/CFT supervision purposes, beyond the minimum information required under Article 6, in situations where this is legally possible.