Voice of the Industry

Customer data protection and the impact on digital money and crypto: the 5th AML directive

Wednesday 18 March 2020 08:41 CET | Author Mirela Ciobanu | Voice of the industry

Marta Solarska and Kamil Kaleńczuk, lawyers at Wołoszański & Partners discuss about the impact of the 5th AML directive over customer onboarding, plus GDPR context of AML procedure

Changes in EU anti-money laundering legislation have been passed at break-neck speed. As demonstrated by the example of recent years, at a time when some Member States have not yet implemented 4th AML Directive, the 5th Anti-Money Laundering Directive (AMLD5) has already amended the previous one. Member States have brought into force the laws necessary to comply with this Directive on 10 January 2020. Therefore, an obvious question is whether such frequently occurring changes are in fact necessary?

New obliged entities and…

First of all, the scope of the so-called obliged entities has been extended in accordance with the financial market requirements and includes providers engaged in exchange services between virtual currencies and fiat currencies and custodian wallet providers. Actors engaged in the cryptocurrency business have finally been integrated into the European financial system as full-fledged members.

The anonymity of virtual currencies allows their potential misuse for criminal purposes and enormously increases the risk of money laundering. Lawmakers have stopped pretending that alternative payment methods (beyond fiat money system) do not exist.

As a curiosity, it is also worth mentioning the other new category of obliged entities, namely persons trading or acting as intermediaries in the trade of works of art, like art galleries and auction houses (transactions over EUR 10,000) have been added. Quite a specific business area, in which many people intend to remain anonymous, might be a challenge even though it opens numerous business opportunities for KYC service providers!

…virtual currency meaning…

Although that seems to be obvious to all those who deal with them professionally, it is worth noting that the definition is finally introduced by the AMLD5. So, what are virtual currencies?

  1. digital representation of value that is not issued or guaranteed by a central bank or a public authority;
  2. not necessarily attached to a legally established currency;
  3. does not possess a legal status of currency or money;
  4. accepted by natural or legal persons as a means of exchange and which can be transferred, stored, and traded electronically.

Yet another useful supplementary definition is ‘custodian wallet provider’ – an entity that provides services to safeguard private cryptographic keys on behalf of its customers, to hold, store, and transfer virtual currencies.

Bearing in mind the need of implementation of the Directive in each Member State, the introduced definitions may vary insignificantly from country to country.

…and more onboarding requirements!

Furthermore, under the AMLD5 customer due diligence measures are adapted to technological developments. Identifying the customer and verifying the customer's identity requirements has significantly evolved and will be supported by possibility of use: electronic identification means, relevant trust services as set out in Regulation (EU) No 910/2014 of the European Parliament and of the Council or any other secure, remote or electronic identification process regulated, recognised, approved or accepted by the relevant national authorities.

The real impact on the client onboarding process will also have the change in identifying the beneficial owner process, since with respect to the senior managing official: obliged entities shall take the necessary reasonable measures to verify the identity of the natural person who holds the position of senior managing official and shall keep records of the actions taken as well as any difficulties encountered during the verification process.

As if that wasn’t enough, there’s still GDPR

Although it has been over a year and a half since GDPR came into force, its impact on the market continues to grow. First of all, the AMLD5 has finally clarified a retention issue – data collected for AML purposes may now be stored for 5 years exactly (as before an obligation to store for at least 5 years could have caused some interpretational doubts) plus possible extension under special circumstances introduced by domestic law. Therefore, the retention policies definitely should be reviewed!

Other updates, unfortunately, did not change the vague character of the rules of data processing in AML context, to mention, among others regarding information obligation towards entities whose data has been collected in AML procedure, the specific character of entrustment of data to providers of underwriting solutions or profiling. 

Expectations vs. reality

Extension of the scope of obliged entities is primarily related to the need to implement comprehensive AML procedures for crypto exchange and wallet service providers. To realise how challenging it is, we should remember that the largest crypto exchanges have a daily turnover over a billion (!) dollars and thousands of active clients. Virtual currencies will cease to be a convenient tool for criminals and terrorists, and the industry itself will get rid of the 'patch' of suspicion that its economists and public institutions have attached to it. On the other hand, the introduction of official ‘virtual money’ and ‘custodian wallet provider’ definitions is not a breakthrough, however clarifies the matter and shall be noticed.

Increased demand for advisory services in the scope of creating and implementing procedures for these entities will be noticeable at the turn of 2020. Moreover, the context of GDPR policies in view of both new and already existing demands under AML is not yet an exhausted subject for obliged entities. It is still visible, that as long as AML procedures are quite well understood by the market, their collision with GDPR side of the coin is still a challenge.

Nevertheless, in the upcoming months inclusion of the custodian wallet providers within the national deposit insurance schemes should be discussed together with a project for a systemic regulation of the virtual currency industry, in all areas of its appliance. Whether the market finally gets an effective and clear legislation in all Member States, only time will tell. Notwithstanding which AML Directive is force, the motto is still the same – ‘Follow the money’.

The article was first published in the Digital Onboarding and KYC Report 2020, which offers insightful editorials on topics such as digital onboarding best practices and key challenges, financial crime and how to fight it, crypto, and more.

About Marta Solarska

Marta Solarska specialises in new technology law. In particular, she focuses on personal data protection law and she is appointed as Data Protection Officer at Hyundai Motor Poland. She manages numerous legal projects on a daily basis, with special regard to IT contracts and competition law issues.


About Kamil Kaleńczuk

Kamil Kaleńczuk is a lawyer from Wołoszański & Partners Law Firm specialising in providing services to entrepreneurs. Experienced in managing multi-threaded legal projects, he routinely works with clients in the field of new technology and regtech law, corporate governance, as well as labour law.

 

 

About WLAW

Wołoszański & Partners Law Firm specialises in rendering legal advisory services for entrepreneurs. Our Law Firm offers comprehensive legal services. In particular Wołoszański & Part specialise in commercial law and companies law, civil law, and legal aid in respect of new technologies law.


Free Headlines in your E-mail

Every day we send out a free e-mail with the most important headlines of the last 24 hours.

Subscribe now

Keywords: Marta Solarska, Kamil Kaleńczuk, WLAW, GDPR, virtual currency, cryptocurrency, merchants, data protection, AML, AMLD5, electronic identification
Categories: Securing Transactions | Digital Identity, Security & Online Fraud
Countries: Europe
This article is part of category

Securing Transactions