Data protection: How to protect your clients’ personal data and comply with GDPR
A Business Obligation
Businesses that process personal data and information are obligated to protect said data. Data security is a foundational premise if you work in the financial services sector – but it’s also a necessity if you handle or process any form of data.
In this article we explain:
- What is data protection?
- Technical data protection
- Organizational data protection
- How to manage breach of data protection
With Meo you can simplify the process of protecting your clients’ personal data – from first contact till the end of your business relationship. Our solution ensures that you comply with GDPR and Anti-Money Laundering (AML) laws and regulations in all of the EU.
Read more on holistic profiles
What is data protection?
Data protection is a catch-all term for all security measures and safeguards that protect your own – and your clients’ – data.
All businesses in the EU are obligated under GDPR (General Data Protection Regulation) to protect their customers’, employees’ and other partners’ data – including their personal data. This applies to both internal (people in the organization) and external (for example, hackers) parties.
It’s up to the business itself to implement sufficient safety measures that protect data. These safeguards are usually categorized as either:
- Technical security measures or precautions
- Organizational security measures or precautions
The appropriate degree or extent of such measures for your business is up to you. This requires, among other things, that you make a Data Protection Impact Assessment (DPIA) and a consequence analysis of your data protection. You can find a template for a Data Protection Impact Assessment (DPIA) on GDPR.EU.
Furthermore, it’s important that you can document that you’ve installed or implemented the necessary measures, and that you subsequently and regularly evaluate whether they’re sufficient in order to protect the personal information you process.
There are a number of internationally recognized standards for data protection, such as:
- ISO 29151
- ISO 29134
- ISO 27001
They can be read in full on the International Organization for Standardization’s website.
As a data manager or data processor, bear in mind that following these standards and guidelines is not synonymous with complying with GDPR. For that reason it’s important that you have a systematic, professional, and structured approach to the job. If you process sensitive personal data (‘special category of personal data’) it may be necessary to add further protection measures.
Technical data protection
Technical data protection and safeguards are all forms of security measures that rely on digital tools and IT infrastructure. They are implemented predominantly on computers and servers.
This could, for example, be:
- Firewalls
- Passwords
- 2-factor authentication
- Encryption
- Logging of data handling
- Different administrative roles
- Storing data in levels (so a breach doesn’t give access to all data)
- Anti-virus
- Backup
Organizational data protection
Organizational data protection and safeguards are the type of data protection that involves people and processes. Data is secured by training employees and following guidelines that prevent accidental errors or intentional breaches of personal data.
This term applies to:
- Procedures for data processing
- Clear distribution of roles and access
- Security courses
- Education of employees
- Risk and consequence assessments
- Action plans for breaches of personal data
How to manage breaches of data protection
No data protection is fail-safe and fool-proof.
This is also acknowledged by the GDPR itself and by most of the regulatory agencies responsible for enforcing it in the EU.
In order to minimize the damage of a breach, it’s important that you have a clear action plan for when you might suspect that there’s been a breach of your security. This encompasses, but is not limited to, a clear division of responsibilities between data manager and data processor, how you report potential breaches to clients, and clear guidelines for how you report breaches to the relevant regulatory authorities.
With Meo you get AML and GDPR compliant data protection
With Meo, you get a software platform that protects your clients’ data and ensures you comply with Anti-Money Laundering (AML) laws and regulations.
Furthermore, the platform helps you verify your clients’ identity so you comply with KYC and CDD. Get more information about our security by reading our Security Whitepaper.
Overview: How to comply with GDPR
What is good GDPR handling?
Does your business have a good handle on GDPR and on how you process personal data?
Virtually all businesses that come into contact with personal data are subject to local laws and regulations. In the EU and EEA that means GDPR. For this reason it’s important that you know the requirements for how you correctly process personal data.
Below you can read about the EU directive and how it applies to personal data – as well as get a few tips on best practice for processing personal data:
- What is the General Data Protection Regulation (GDPR)?
- What businesses are subject to GDPR?
- What is a Data Manager and a Data Processor?
- What is a DPO (Data Protection Officer)?
- How to comply with GDPR
- Storing personal data – when and for how long?
- Rights of private individuals
- Ongoing audits and the principles of accuracy
What is the General Data Protection Regulation (GDPR)?
GDPR, or General Data Protection Regulation, is a regulatory framework and directive in EU law on data protection and privacy in the European Union and the European Economic Area.
The regulation applies to all personal data, as well as the transfer of personal data outside the EU and EEA. It was implemented in 2018.
Its official name is:
“Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)”
As an EU regulation and directive it is, strictly speaking, not an actual law. Instead it’s a legally binding agreement between all EU and EEA countries, which they are required to then interpret and implement in their local law.
That means that, while GDPR is binding and sets out to give specific directions regarding personal data, there can be variations and minor differences from country to country. It often acts as a basic framework that is then expanded upon by the individual country.
Oversight: Different countries in the EU and EEA have different supervisory or regulatory agencies. These ensure that GDPR is upheld and guide local governments, businesses and organizations in how to be GDPR-compliant.
Which businesses are subject to GDPR?
GDPR applies to virtually all processing of personal data, i.e. all information that can be connected with or used to identify a specific person.
Read more about personal data and the different categories.
As the regulation is geographically specific to the EU and EEA, it only applies:
- When the data manager or data processor is in the EU, regardless of whether the actual processing is conducted in or outside the EU.
- When the person whose personal data is processed is in the EU, regardless of the data manager’s or data processor’s location.
- When the processing of personal data pertains to a product or business in the EU, or involves surveilling behavior inside the EU.
To be concise: almost all businesses with an affiliation to the EU, whether through themselves or their clients/customers, are subject to GDPR.
What is a Data Manager and Data Processor?
And what’s the difference?
According to the GDPR, it’s important to fundamentally separate the two specific roles that both process personal data.
You can either be a data manager or a data processor.
There are different requirements for the two roles. That’s why it’s important to know which is which and who is who, before you start to process personal data.
Data Manager
The data manager defines the purpose and procedure for how personal information is processed. As data manager you are obligated to ensure that:
- You have a legal right to process specific personal data
- You’re able to provide registered parties with insight into their data, at their request
- You report breaches of personal data security to the relevant oversight, supervisory or regulatory agency.
Data Processor
As a data processor you solely process the personal data on behalf of the data manager. You do not have any influence on the purpose or procedure you operate under.
A data processor can, for example, be a software provider for the services used to store data on the servers, or a different type of provider of an automated processing of personal data, wherein you do not directly have any access to the data.
Because the relation between data manager and data processor involves the exchange of personal data, it’s important that there is a data processing agreement in place that clearly defines the exact relation between the two. A template for this can be found on GDPR.eu.
What is a Data Protection Officer (DPO)?
There can also be a third role: DPO or Data Protection Officer. You might have come across this term before, but what does it mean? And should your business have a DPO?
The role of DPO is to advise on the requirements of GDPR and guide the data manager in how they can fulfill these requirements. It’s important to note that the DPO is not responsible for whether or not the business is compliant with GDPR or local law.
Governmental agencies are required to – regardless of whether they’re data managers or data processors – appoint a DPO. Private companies are only obligated if all of the following three conditions apply:
- Processing of personal data is a core work activity
- Personal information is processed in vast quantities
- Processing consists of regular and systematic surveillance or contains sensitive personal data (‘special categories of personal data’)
When is processing of personal data a ‘core work activity’?
Most organizations perform some type of processing of personal data but GDPR differentiates between non-core work activities and core work activities.
Non-core work activities can generally be said to be activities that support core work activities. For example, most businesses come in contact with a certain amount of personal data in regards to employee data and personal data related to sales and different types of support. These are considered to be non-core work activities.
According to GDPR, the processing of personal data is a core work activity if what a business is looking to sell is inextricably connected to personal data. This could, for example, be:
- Insurance companies whose product is tailored on the basis of personal data
- Providers of market research
- Search engines
- Businesses related to headhunting of new employees
These are all examples of business activities that are centered around processing personal data, and where the output depends on the information obtained and processed.
How to comply with GDPR
GDPR necessitates a risk-based approach similar to, for example, anti-money laundering initiatives.
A risk-based approach means that, whether the business is a data processor or a data manager, you are obligated to perform an assessment of the types of data that are stored or processed by the business. Then you need to make sure that there are organizational and technical security measures or safeguards in place that correspond to the assessed risks.
Technical security measures
Examples include strong firewalls, ongoing updates of code and systems, encryption and a strong IT infrastructure.
Organizational security measures
Besides documented procedures, businesses can enact organizational security measures such as clear policies for personal data, access control, courses in correct data processing, and the further education of employees.
To comply with GDPR, businesses need to have:
- Risk assessments
- Policies and procedures
- Audits and documentation
How do you perform a risk assessment?
Risk assessments will typically evaluate, or assess:
- What types of data are stored by the business (there are, for example, differences in sensitivity between storing e-mail addresses and copies of passports)
- Consequences for data leaks (for example, phishing, hacking or accidental internal leaks of material pertaining to personal data)
- The security measures in place to minimize the above risks
On the basis of these factors you can assess whether the risk is acceptable, or if you need to implement new safeguards to minimize the risk of data being stolen or leaked.
There are also requirements for documentation of your considerations regarding the procedures.
Policies
Most businesses have set procedures and policies in place that streamline and systematize work activities. In the same way, it’s a good idea to define policies and procedures for the processing of personal data.
Typically you’ll divide personal data policies into whether they pertain to personal data about employees or clients/customers. A personal data policy for clients could, for example, contain the following:
- A clarification of whether you’re acting as data manager or data processor.
- Where the personal data is stored – on internal or external servers or storage units? If it’s stored outside of the EU/EEA then what did you do to ensure a sufficient level of security?
- Whether you have a DPO, and if so, what the DPO’s assignment is and how you’ve secured the DPO’s position in the organization.
- What the stated purpose is for storing data, specifically your legal rights and the legitimacy of the purpose.
- What your policy for deleting or erasing personal data is, and for how long you store data after the termination of a client/customer relationship.
- Optionally, which technical and organizational security measures you’ve implemented to protect against data leaks, and how you’re planning to react in the case of a leak.
Business procedures
The business procedures should be in an internally accessible document that has been written to support the workflow and procedures you’ve agreed upon. A business procedure is often a relatively detailed description of how you handle personal data, with specific procedures for how your business – in its day-to-day activities – ensures unnecessary data is deleted, and how you share data with others, whether that’s with colleagues or external data processors.
Audits and documentation
At the same time, you need to be able to document that your processing of personal data is in accordance with GDPR and local law. You need, for example, to document how you delete personal data after the end of a business relationship.
A business can have multiple procedures regarding how and how often they delete data. But according to GDPR it’s essential that it’s written down or somehow documented, so that the proper regulatory agencies can audit your actions and thus ensure that you’re complying with GDPR.
The documentation requirement can be supported by IT solutions that can even automate some of the necessary processes.
Storing of personal data – when and for how long?
Businesses can store personal data as long as they:
- Have a legal right to it.
- Have a legitimate purpose for storing the data.
The legal right regarding storage of personal data is defined as:
- The business has obtained consent from the person whose personal data is being stored.
- It’s written in the law that the data must be stored.
- It’s necessary in order to uphold an agreement or contract.
- The business has a legitimate interest in storing the personal data, and this interest outweighs the interest the person has in the data being deleted.
Normally, the business or governmental agency has sufficient legal right if just one of the above criteria has been met.
A legitimate purpose is basically defined by common sense.
Ask yourself: What is the purpose of storing the given personal data?
If you don’t have a legitimate purpose then the data needs to be deleted.
Example
Six months ago the company had a job posting looking for a legal aide. They had many applicants but have since closed the entire department and do not plan to hire legal aides ever again.
Does the business still have a legitimate purpose for saving résumés and applications? Here, the answer is no.
As long as a business has the legal right and a legitimate purpose, then the business can continue to store data. As soon as this is no longer the case, the data should be deleted.
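The retention rule above (keep only while a legal right and a legitimate purpose both exist, delete as soon as one lapses), the deletion-after-end-of-relationship documentation mentioned under “Audits and documentation”, and the periodic review suggested under the storage-limitation principle can be turned into a small, auditable check. The script below is an added example, not Meo’s code; the record layout, the constructed sample records, the four legal-basis labels and the 24-month retention period after the end of a relationship are assumptions for illustration, not figures from the regulation.

```python
"""Retention review: decide per record whether personal data may still be kept,
and write an audit log of every decision.  Added example; the record layout,
the sample records and the 24-month default retention are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# The four grounds for storage listed in the article (constructed identifiers).
LEGAL_BASES = {"consent", "legal_obligation", "contract", "legitimate_interest"}


@dataclass(frozen=True)
class Record:
    subject_id: str
    category: str                       # "general" or "special" (sensitive)
    purpose: str
    purpose_active: bool                # does a legitimate purpose still exist?
    legal_basis: Optional[str]          # one of LEGAL_BASES, or None
    relationship_ended: Optional[date]  # None while the relationship is active
    retention_after_end: timedelta = timedelta(days=730)  # assumed 24 months


@dataclass(frozen=True)
class Decision:
    subject_id: str
    action: str   # "keep" or "delete"
    reason: str


def evaluate(record: Record, today: date) -> Decision:
    """Both conditions must hold to keep data: a legal basis AND a legitimate
    purpose.  After a relationship ends, an assumed retention period applies."""
    if record.legal_basis not in LEGAL_BASES:
        return Decision(record.subject_id, "delete", "no legal basis for storage")
    if not record.purpose_active:
        # The job-applicant case from the article: department closed, no purpose left.
        return Decision(record.subject_id, "delete", "no legitimate purpose remains")
    if record.relationship_ended is not None:
        deadline = record.relationship_ended + record.retention_after_end
        if today > deadline:
            return Decision(record.subject_id, "delete",
                            f"retention period ended on {deadline.isoformat()}")
    return Decision(record.subject_id, "keep", "legal basis and purpose both present")


def review(records, today: date):
    """Run a retention review and return (decisions, audit_log).
    The audit log is the documentation a supervisory authority can ask for:
    one entry per record stating what was decided, why, and when."""
    decisions = [evaluate(r, today) for r in records]
    audit_log = [
        {
            "reviewed_on": today.isoformat(),
            "subject_id": d.subject_id,
            "category": r.category,
            "purpose": r.purpose,
            "legal_basis": r.legal_basis,
            "action": d.action,
            "reason": d.reason,
        }
        for r, d in zip(records, decisions)
    ]
    return decisions, audit_log


def to_delete(decisions):
    """Sorted list of subject ids whose data must be deleted."""
    return sorted(d.subject_id for d in decisions if d.action == "delete")


# Constructed sample records for the review (not real data).
REVIEW_DATE = date(2024, 6, 30)
SAMPLE_RECORDS = [
    Record("client-001", "general", "client onboarding (KYC)", True, "legal_obligation", None),
    Record("applicant-017", "general", "recruitment: legal aide", False, "consent", date(2023, 12, 31)),
    Record("client-042", "special", "insurance underwriting", True, "contract", date(2021, 3, 1)),
    Record("client-058", "general", "advisory engagement", True, "contract", date(2024, 1, 15)),
    Record("lead-099", "general", "marketing newsletter", True, None, None),
]

if __name__ == "__main__":
    decisions, log = review(SAMPLE_RECORDS, REVIEW_DATE)
    for entry in log:
        print(entry)
    print("delete:", to_delete(decisions))
```

Running the script as-is flags the closed-department applicant (no purpose), the client whose relationship ended more than the assumed 24 months ago, and the newsletter lead with no legal basis, while keeping the active KYC client and the recently ended engagement. The audit log, not the deletion itself, is the part that satisfies the documentation requirement: every entry records the review date, the basis and purpose relied on, and the reason for the decision, so the half-yearly or yearly review leaves a trail.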
Rights of private individuals
With the implementation of GDPR, private individuals gain the right to access the data businesses store about them. This is often called the right of access or subject access:
- In principle, you have the right to access all personal data about yourself that the data manager is responsible for.
- A data processor cannot grant access, because they are not responsible for the registered data.
The data and information you can request includes:
- How your personal data is processed
- What purpose there is for the processing
- Who the information is shared with
- For how long the data is stored
- Where the personal data originates from
This is to ensure that the data is verifiable, accurate and that the processing is performed on the basis of sound legal authority.
Ongoing audit and the principle of accuracy
As a business you are obligated to make sure that the stored personal data is accurate and that wrong or false information is deleted.
This is also called the principle of accuracy.
The principle does not only revolve around the duty of deleting or correcting information that you’ve been informed is wrong. You also have an obligation to actively seek out and verify the accuracy of your data.
This could, for example, be done by continuously comparing the data you obtain against registries and databases of publicly available information, or by periodically requesting verification from the individual the information is about.
How thoroughly you need to verify the information’s accuracy and authenticity, and how frequently you need to repeat this process, depends on the data you are processing. The more sensitive the data (and therefore the greater its importance to its owner), the more procedures and fail-safes you need to implement to protect against inaccuracy.
Cases at Meo
Meo has also collaborated with a lot of different companies that have benefited greatly from the Danish software platform, Meo. Among them is the law firm Bech-Bruun, which recently commented on whether the platform has provided clarity on the secure handling of information and data from new clients in accordance with the GDPR law.
This focus is something that is reflected in the opinions of our various partners and customers, who all believe that our software platform has created security for them in connection with the exchange of data and information with clients or partners.
We at Meo therefore help to create clarity over administrative tasks as well as the security of your business and the exchange of data.
Meo – Processing personal data easily and securely
If you’ve read along from the top and are out of breath over the challenges of working with GDPR and personal data, then you’re not alone.
Luckily, there are a number of good solutions for the business challenges of processing data.
Meo is a software platform that since 2015 has made it possible for businesses and individuals to exchange information in a transparent and secure way.
For businesses there are a number of benefits from using Meo:
Onboarding
Onboard your clients digitally on secure channels.
Validation
Setup your own requirements for validation of information.
Documentation
A full audit trail and overview of the performed actions and consent for processing.
Processing
With Meo you comply with all legal requirements, both GDPR and AML.
What is personal data? Ownership, processing and security
Everything you need to know about personal data
In this digital age, and with the enactment of General Data Protection Regulation (GDPR), there has been an intensified focus on personal data and the way businesses handle their clients’ information. Personal data is shared by citizens and clients all the time – with both businesses and governments. And organizations that don’t have a proper handle on personal data risk major fines and penalties.
Because this is such an important topic for businesses, we’ve written this extensive guide and FAQ so you can better understand what personal data is – and how you’re required to handle it under GDPR. We’ll answer:
- What is personal data?
- What is the GDPR (General Data Protection Regulation)?
- Personal data in a business perspective
- When are businesses considered to be processing personal data?
- Who owns personal data?
- Secure processing of personal data
- How Meo helps companies collect, verify and store personal data in a secure and easy way that is also 100% GDPR compliant.
Read more about the platform here or book a demo to hear more about how we can help your company with KYC compliance.
What is personal data?
In order to understand what personal data is, let’s start with a definition. Personal data is defined by the EU in the General Data Protection Regulation as:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
In other words, personal data is all information that can be used to identify an individual. According to this definition personal data spans a wide variety of information, including:
- A name
- A photo
- E-mail address
- Information about a person’s ethnicity
- A sound file
- IP address
- Criminal record
- Social Security Number
The list of personal data is therefore potentially inexhaustible.
Any information related to an identified or identifiable individual is personal data. Information such as data about congenital diseases of an individual’s grandparents is also personal data.
The GDPR does, however, differentiate between types of personal data that must be processed or handled under less or more restrictive conditions:
General personal data
These include personal data such as names, e-mails, addresses, place of employment etc. This is factual information that is often publicly available.
Sensitive personal data (‘special categories of personal data’)
Such as health data, ethnicity and sexual identity. These types of data are very personal and need to be processed with extra care.
Social security numbers and criminal record (‘special categories of personal data’)
Governmental information such as social security numbers and criminal records is also part of the special categories of personal data. Some EU countries consider these a separate category, as they involve classified or protected information that needs to be guarded even more closely than traditional sensitive personal data.
What is the GDPR (General Data Protection Regulation)?
The GDPR, or General Data Protection Regulation, is a regulatory framework and directive in EU law on data protection and privacy in the European Union and the European Economic Area. It applies to all personal data, as well as the transfer of personal data outside the EU and EEA. It was implemented in 2018.
Its official name is:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Read more about the General Data Protection Regulation (GDPR).
What is personal data in a business perspective?
Personal data is ultimately the most valuable information that businesses collect and process. Without this data it’s not possible to run a business in such a digitalized world.
On a consumer level, people would not be able to use today’s digital options, such as setting up a bank account, getting a package delivered or buying vital digital services in any way, without the release of some form of personal data. There are, of course, certain providers of services and products that don’t need personal data – for example, if you buy a hotdog at a vendor and pay in cash.
With the exception of examples as above, the majority of interactions between individuals and businesses are based on some sharing or exchange and processing of personal data. The increasing digitalization of society and the use of personalized data also gives rise to better and more targeted services. For that reason the exchange of personal data can be considered necessary, or even essential, for both consumers and businesses.
The rules for how businesses process personal information are quite extensive and cover, among other things, the secure storage of personal data.
Read more about the rules here.
What is processing of personal data?
The processing of personal data refers to activities such as the collection, storage, use, transfer, security and disclosure of personal data. Any activities relating to personal data, from the planning of the processing to the removal of personal data, constitute processing of personal data.
When a company processes data, there will always be a need for a data processor and a data controller. These two roles are not the same, but are both necessary to have. In the following you can find a definition of each role and what it entails.
A data controller is a person or an organization that determines the purposes and means of processing personal data. A data controller can be an association that collects information about its members, a hospital that processes patient records, an online shop or a social media service.
A data processor is a person or an organization that processes personal data on behalf of a controller. A data processor could be an agency that handles some processes of another company, or an IT service provider that has access to the personal data collected by the data controller.
When can businesses process personal data under GDPR?
The GDPR – and subsequent local laws – applies the moment businesses ‘process’ personal information. But, as mentioned earlier, the processing of personal data can take many forms. Because the definition is so broad, it in reality occurs the moment a business comes into contact with personal information.
According to the definition of GDPR, processing of personal data applies to all the ways in which you handle personal information. This includes collecting, recording, organizing, systematizing, storing, editing, altering, searching, using, sharing, transmitting, securing, disseminating, deleting – and much more.
Verification of information
A specific example could be when businesses need to verify that a given name actually belongs to a person. The business extracts the verification data from a network that the person uses – or from additional data sources that have the authority to verify the truthfulness of the information. This is especially relevant to businesses that are subject to the Anti-Money Laundering (AML) Directive.
If just one type of the above actions occurs, it’s considered processing under GDPR. In order to live up to EU law, all businesses should consider it data processing the moment they come into contact with personal data.
Read more about the General Data Protection Regulation (GDPR).
Who owns personal data?
Who owns personal data after collection?
GDPR marked a foundational shift in how broader society views data ownership. Before, it wasn’t necessarily clear who actually owned the data after it had been exchanged between two parties. User rights, and the right to gain insight into what personal data is stored by businesses, were often unclear.
GDPR helped to clarify these issues and principles. It was determined that the one who owns personal data is the person represented by the information. Businesses are allowed to process and use the given data but the ownership and rights will always belong to the registered party.
Data belongs to the person represented by the information.
The rights of private individuals
What rights do private individuals have in relation to their personal data?
The shift created by GDPR – which clarified the ownership rights of data – led to registered persons gaining the right of access, or subject access, to the data stored by businesses about them. A right that, of course, is also important for businesses to understand, as they are required to live up to the laws and regulations.
With the exception of certain outlier cases, private individuals have the right to contact businesses that they believe are processing or storing their personal data and gain insight into what data they possess; which purpose they consider valid for processing the personal data; and when consent for this type of processing was given.
Read more about the Right of Access (Subject Access).
This new understanding of data ownership leads us to the six principles for how businesses should process personal data. Find the definition of securing personal data, and read more below.
Secure processing of personal data
Fundamentally, GDPR requires businesses to protect both internal personal data (e.g. on employees) and external personal data (e.g. on other clients, business partners, criminals), using sufficient security measures.
It’s up to each business to assess which safeguards apply to different situations.
Businesses typically divide these security measures into two categories:
Technical security measures: Among other things, strong firewalls, ongoing updates of code and systems, encryption and a strong IT infrastructure.
Organizational security measures: Besides the procedures described above, businesses can enact organizational security measures such as clear policies for personal data, access control, courses in correct data processing, and the further education of employees.
If you’re handling sensitive personal data (as defined above), you need to implement more strict security measures. The chosen measures are based on the risk assessment, which is a part of the GDPR’s risk-based approach to data protection.
Read more about data protection here.
Here’s how to get started with personal data under GDPR (The 6 Principles)
If you’re interested in the underlying principles of GDPR, you can read Chapter 2, Article 5 of the General Data Protection Regulation.
This outlines the six founding principles for how businesses need to approach personal data. We’re going to explain each one here:
1. ‘Lawfulness, fairness and transparency’
Your business needs to be transparent with clients and customers about how you process their personal data. For example, the language in written communication, such as e-mails, needs to be clear and easy to understand. The clients need to know what is happening – and why. Avoid obtuse language or extensive technical jargon and set time aside to develop good, legible templates to use in the future.
All processing of personal data needs to be fair, secure and based on best practice (for example, by using the best available technology).
And lastly, your processing of personal data needs to be lawful. You need to act in the spirit and letter of the law, when processing personal data. This includes obtaining consent from clients and customers, as these are the ones who own the personal data.
2. ‘Purpose limitation’
You can only collect personal data for specific purposes, and it’s important that you inform your clients that you’re doing this. This also entails that you only use personal data in the context the client has consented to.
3. ‘Data minimisation’
‘Need to have’ is central to data minimisation. Fundamentally, you can only collect the exact personal data needed to complete your expressed goal or purpose.
4. ‘Accuracy’
Ensuring the accuracy of personal information is an ongoing process. For that reason you need to keep the data up to date. Furthermore, you need to correct or delete data that is inaccurate or unusable for the specific purpose it’s needed for.
5. ‘Storage limitation’
You can only store personal data as long as necessary. Therefore you need to continuously ask yourself: do we still have a purpose for storing this data? It can be a good idea to have a half-yearly or yearly event where you evaluate your stored data.
6. ‘Integrity and confidentiality’
The integrity of the data needs to be maintained. That means ensuring the data’s accuracy and credibility over time.
Simultaneously, you need to process and handle the data with great care and confidentiality. You can’t allow unauthorized parties to gain access to the data. That applies to people outside your organization (for example, hackers), but also to people within it (for example, colleagues).
To ensure this, you need sufficient and adequate security measures. The level of security can vary from business to business. As mentioned previously, technical and organizational security measures are the two methods for protecting the data.
If you have a handle on the six principles, you’ve come a long way towards processing personal data correctly. And it pays off to work within the rules. Violations of the GDPR can result in fines and penalties.
Enforcement Tracker can give you an overview of fines and penalties for violating GDPR in the EU and EEA.
What can be done in the process of securing personal data?
Data can be protected in different ways, so there is no single manual for how exactly to do it. However, some methods may be better than others.
You can achieve optimal protection of personal data through good design and good default settings.
A good data protection design allows your company to take data security into account early in the process when planning new ways of processing personal data. Here, the controller can and should take all the necessary technical and organizational decisions to implement data protection principles and protect the rights of individuals. This may include, for example, the use of pseudonymization.
Data protection with good default settings includes ensuring that the company always has the highest data protection setting as the default setting. For example, should there be two different privacy settings available and one of the settings ensures that the personal data cannot be accessed by others, this setting should be the default setting.
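As an added illustration (not Meo’s own code), the following Python sketch shows what ‘by design’ and ‘by default’ can look like in a client record: direct identifiers are replaced by a keyed pseudonym whose mapping lives in a separate store, only the fields needed for the stated purpose are kept, a new profile starts at the most protective visibility setting, and a retention deadline flags records for review. Field names, purposes and retention periods are assumptions for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Fields a given processing purpose actually needs (data minimisation).
# Assumed example values, not a legal minimum.
FIELDS_NEEDED_FOR_PURPOSE: Dict[str, set] = {
    "kyc_onboarding": {"full_name", "date_of_birth", "address"},
    "newsletter": {"email"},
}

# Retention period per purpose (storage limitation). Assumed example values.
RETENTION_DAYS: Dict[str, int] = {
    "kyc_onboarding": 5 * 365,
    "newsletter": 365,
}

# Visibility settings from least to most exposed; the first one is the default.
VISIBILITY_LEVELS = ("private", "internal", "shared")


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Unlike a plain hash, it cannot be
    recomputed from a guessed identifier without the key."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


class PseudonymVault:
    """Separate store mapping pseudonyms back to real identifiers. Kept apart
    from the working dataset, so that dataset on its own identifies no one."""

    def __init__(self) -> None:
        self._lookup: Dict[str, str] = {}

    def register(self, pseudonym: str, identifier: str) -> None:
        self._lookup[pseudonym] = identifier

    def resolve(self, pseudonym: str) -> Optional[str]:
        return self._lookup.get(pseudonym)


@dataclass
class ClientRecord:
    pseudonym: str
    purpose: str
    collected_on: date
    attributes: Dict[str, str] = field(default_factory=dict)
    visibility: str = "private"  # privacy by default: most protective setting


def onboard_client(identifier: str, purpose: str, provided: Dict[str, str],
                   key: bytes, vault: PseudonymVault, today: date) -> ClientRecord:
    """Create a record for one purpose, keeping only the fields that purpose needs."""
    needed = FIELDS_NEEDED_FOR_PURPOSE[purpose]
    pseudonym = pseudonymize(identifier, key)
    vault.register(pseudonym, identifier)
    kept = {k: v for k, v in provided.items() if k in needed}  # drop the rest
    return ClientRecord(pseudonym=pseudonym, purpose=purpose,
                        collected_on=today, attributes=kept)


def widen_visibility(record: ClientRecord, new_level: str,
                     consent_given: bool) -> ClientRecord:
    """Moving away from the protective default requires an explicit choice."""
    if new_level not in VISIBILITY_LEVELS:
        raise ValueError(f"unknown visibility level: {new_level}")
    widening = VISIBILITY_LEVELS.index(new_level) > VISIBILITY_LEVELS.index(record.visibility)
    if widening and not consent_given:
        raise PermissionError("widening visibility requires explicit consent")
    record.visibility = new_level
    return record


def retention_review(records: List[ClientRecord], today: date) -> List[str]:
    """Pseudonyms of records whose retention period for their purpose has lapsed."""
    due = []
    for r in records:
        deadline = r.collected_on + timedelta(days=RETENTION_DAYS[r.purpose])
        if today > deadline:
            due.append(r.pseudonym)
    return due


if __name__ == "__main__":
    key = b"example-key-kept-in-a-separate-secret-store"  # constructed, not a real key
    vault = PseudonymVault()
    rec = onboard_client("CLIENT-ID-PLACEHOLDER", "newsletter",
                         {"email": "a@example.com", "full_name": "A. Client"},
                         key, vault, date(2020, 1, 15))
    print(rec.attributes, rec.visibility)          # only 'email' kept, 'private'
    print(retention_review([rec], date(2021, 6, 1)))  # flagged for review
```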
Who is Meo?
Meo is a Danish RegTech company that owns, develops and operates an identity management platform for handling customer data, Meo. Our goal is to get companies to share data securely and thus prevent risks such as money laundering and corruption, while ensuring compliance with the law.
Read more about Meo in our About section. Find out more about Meo below.
Meo – processing personal data easily and securely
If you’ve read along from the top, and have lost your breath over the challenges of working with GDPR and personal data, then you’re not alone. Luckily, there are a number of good solutions for the business challenges of processing data.
Meo is a software platform that since 2015 has made it possible for businesses and individuals to exchange information in a transparent and secure way.
For businesses there are a number of benefits from using Meo:
Onboarding
Onboard your clients digitally – using secure channels.
Validation
Set up your own requirements for validation of information.
Documentation
A full trail and overview of the performed actions and consent for processing.
Processing
With Meo you comply with all legal requirements – both GDPR and AML.
What Is Anti-Money Laundering?
Here is what you as a company need to know about money laundering
Is your business subject to the Anti-Money Laundering (AML) Directive? Then it’s important to know the fundamentals of money laundering, and why it’s necessary to have local and international anti-money laundering laws and regulations.
In this article you can learn more about money laundering, including:
- What is money laundering?
- How is money laundering committed?
- What does international and European law say about money laundering?
- 4 important terms when it comes to money laundering
- Guide to anti-money laundering checks
- How the Meo platform ensures that your company is 100% AML-compliant at all times.
What is money laundering?
Money laundering is predominantly about making illegal means – black money – legal. That means cloaking the financial gains from criminal activities and using it with legal vendors and in broader society. The origins of the black money can, for example, come from dealing illegal substances or weapons, tax evasion and much more.
White washing
All activities that help criminals obfuscate, conceal, or transform black money into legal tender (which can be documented and used legally) are called white washing or money laundering.
How is money laundering committed?
There are many ways to launder money. Below is an example of how it could transpire:
- A drug dealer has sold illegal substances for 25,000 EUR and now has a lot of black money in his possession.
- The drug dealer finds a used car that’s privately for sale for 75,000 EUR. He offers to buy the car for the full amount – in exchange for paying partially in cash.
- The drug dealer goes to the bank and gets a loan, where he explains he’s buying a car for the price of 50,000 EUR.
- The bank grants the loan and transfers 50,000 EUR directly to the seller, while the drug dealer pays the seller 25,000 EUR in cash.
- The drug dealer now sells the car to a third party for 75,000 EUR, which is transferred directly to his bank account. He can now document that the money originates from the sale of the car. He pays off his loan to the bank.
- Now the 25,000 EUR have been laundered, as they seem to be payment for a simple car sale.
- In principle, money laundering can also be achieved through registered car dealers as a go-between. The drug dealer can have straw men buy and sell cars, boats, art, property, and other physical items to white wash the black money.
What does the law and regulations say about money laundering?
In the EU all financial businesses are subject to and regulated by the Anti-Money Laundering (AML) Directive.
Its full official title is: "Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing" (read it in full here). The directive exists to hinder criminals from being able to earn money from illegal activities which can then be used legally or to finance terrorism.
It’s important to combat money laundering because this type of crime makes it difficult for law enforcement to discover criminal acts. By stopping the laundering of illegal money you simultaneously prevent other forms of financial crime, as the perpetrators will have a more difficult time spending or storing their ill-gotten gains. Furthermore, the Anti-Money Laundering Directive also exists to prevent opportunities for financing terror acts and organizations. Most European countries have local laws and regulations based on the EU directive, which is continuously being formed and developed by the European Parliament. At present, the EU has developed six different directives (AML 1-6) for the prevention of money laundering.
A number of different business fields and sectors are legally obliged to conduct themselves in accordance with anti-money laundering regulations. Here’s a brief overview:
- Lawyers
- Auditors and external accountants
- Real estate agents
- Landlords
- Financial companies
- Service providers
Read more about the Danish Anti-Money Laundering Directive (Hvidvaskloven).
4 important terms when it comes to money laundering
There are quite a few technical, legal and other terms or abbreviations regarding money laundering. The four most important ones to know are:
1. CDD - Customer Due Diligence
Customer Due Diligence (CDD) is a cornerstone of businesses’ anti-money laundering initiatives and procedures. The term covers all actions undertaken by companies to verify the identity of their clients or customers, as well as perform background checks and risk evaluations. Companies and organizations subject to anti-money laundering laws and regulations are required to perform risk assessments, wherein they – on a client-to-client basis – assess the risk of the client being used or using the business for money laundering or the financing of terrorism. Read more about CDD and risk assessment.
2. KYC - Know Your Customer
There are many reasons why it’s important for businesses to “know their customers.” Among them is – in relation to CDD – evaluating whether or not they are a risk for the business. KYC screening or verification is a process in which the business identifies or verifies the identity of their customers and clients. In other words, they get to know their customer. This can be achieved by gathering personal information and identification data about the customer or client, which then needs to be verified.
3. PEP - Politically Exposed Person
A PEP, or Politically Exposed Person, is a strictly defined category of people who – on the basis of their political position or power – are considered to be customers at greater risk of being subject to money laundering or other criminal activities. The concern is that they – because of their position – can be exposed to blackmail or bribes, or otherwise (both willingly and coerced) become embroiled in money laundering. Read more about PEP and PEP-lists.
4. AML - Anti-Money Laundering
AML is an abbreviation for “anti-money laundering”. The term refers to a broad swath of laws, regulations, directives and procedures that exist to prohibit or stop the laundering of illegal money.
Guide to anti-money laundering checks
Businesses in the affected sectors have to constantly adapt to a plethora of laws, directives and regulations. Most of these require or encourage specific forms of anti-money laundering checks.
With AML 5, which was implemented in January of 2020, a number of changes were introduced, including a transition to a risk-dependent approach to precautionary measures regarding anti-money laundering. The new approach demands more of the businesses’ ability to assess their customers or client relationships.
Roughly speaking, businesses need to assess the risk that they’re being misused for money laundering or the financing of terrorism. One of the central and foundational concepts is the creation of risk assessments, policies and business procedures, as well as the underlying control and evaluation that ensures overall compliance.
Read more about the Danish Anti-Money Laundering Directive (Hvidvaskloven - Download PDF).
Meo – steer clear of money laundering with our intelligent platform
We hope this has given you a clearer understanding of money laundering – and insight into what your business needs to be aware of to be AML-compliant. Do you have a clear standard for your processes, data handling and the verification of new clients?
If not, Meo can help.
Meo is a Danish company and software platform that helps businesses with their data security, onboarding and overall compliance.
With Meo you can:
- Automatically screen clients via PEP-lists
- Verify clients’ ID
- Collect data from official sources regarding businesses and individuals
With Meo you don’t need to worry when it comes to anti-money laundering measures.
The Anti-Money Laundering (AML) Directive - guide to businesses
Is your business subject to the Anti-Money Laundering (AML) Directive and the subsequent laws and regulations in all EU and EEA countries? Then it’s important that you know your obligations regarding the law, and why it’s even necessary to have a European standard for anti-money laundering initiatives and regulations.
On this page we answer the most frequently asked questions about AML and the Anti-Money Laundering Directive, such as:
- Why do we need Anti-Money Laundering (AML) laws and regulations?
- Which businesses are subject to the Anti-Money Laundering Directive?
- How do EU directives and national laws interact?
- The various regulatory agencies
- What happens if businesses don’t uphold the law?
- Guide to the Anti-Money Laundering Directive
- AML 5: the risk-based approach
- Risk assessment
- Policies
- Business procedures
- Audits and verification
- KYC procedure
- AML 6: New requirements coming
Why do we need Anti-Money Laundering (AML) laws and regulations?
Anti-money laundering laws and regulations exist to prevent money being made from criminal activities being used in the rest of society. Fundamentally, the law exists in order to make it more difficult to commit crimes, such as tax avoidance and financial fraud. The law is also intended to prevent the financing of terrorism.
All EU and EEA countries have their own anti-money laundering laws and regulations. However, they’re all formed by EU directives which are formed and approved by the European Parliament. The EU has, at the current moment, created six different directives regarding money laundering. In technical terminology they’re referred to as AML 1-6. AML is an abbreviation for ‘anti-money laundering.’
EU directive
A directive is a legal act decreed by the European Union. The directives are binding for member states and members of the European Economic Area (EEA). However, the countries themselves decide on how to implement the directive in national laws and regulations.
Which businesses are subject to the Anti-Money Laundering Directive?
Different businesses are subject to the Anti-Money Laundering Directive, among others:
- Law firms
- Accountants
- Real estate managers
- Landlords
- Financial companies
- Service providers
How do EU directives and national laws interact?
Whenever the European Parliament issues a directive, the individual member states have a period where they’re required to implement the directive in local legislation. This typically happens by making adjustments in pre-existing laws and/or issuing new executive orders.
The work involved in implementation typically stretches over a longer period, and not all countries implement the law concurrently or similarly. This creates some debate between countries, as it leads to situations where it might be more beneficial to set up a financial license in one place and then deliver your products to the remaining countries.
EU’s expert groups
The development of AML-directives involves a number of different professions, interest groups, legal experts as well as local regulatory agencies.
Meo has since 2015 been represented in one of the EU’s payment systems market expert groups (PSMEG) by our CEO, Christian Visti Larsen, who has assisted in developing AML 5.
Different regulatory agencies
The supervisory or regulatory agency that originally issued a business license will often be the party responsible for ensuring proper supervision and enforcement.
But from country to country, there can be a degree of difference in how regulations are enforced. This makes it more enticing for certain businesses to focus their activities in one country where the supervision is more lax – and then sell their wares or services to the rest of the countries in the European inner market.
What happens if businesses don’t uphold the law?
There’s a difference between how the individual regulatory agencies communicate the activities and issues they might uncover when supervising businesses.
At times these can be in the form of regulatory AML reports that specify criticisms, injunctions and even reports to the police. These reports are typically publicly available on their websites, and it’s often required that the reports are displayed on the businesses’ own websites.
If a business is caught not living up to their obligations, it doesn’t necessarily result in a fine. However, the business will rarely be able to avoid penalties or a trip to the metaphorical pillory. For businesses that depend on their good name and reputation, this can be much worse than a fine.
Penalties
The regulatory agencies can rarely issue fines but they are able to report the company in violation of AML laws to the local police department for criminal financial activities. This then results in a police investigation that can lead to a public trial. However, it’s possible for the agency to issue administrative fines in simple cases where the business admits to wrongdoing.
AML 5: The risk-based approach
The latest directive, AML 5, was passed in 2017 and widely adopted by January 2020. With this directive we transitioned to a risk-based approach to anti-money laundering (AML) precautions – an approach that requires more from businesses’ assessment of their client relations.
Businesses now need to assess the individual risk, from each client, of being used for money laundering or the financing of terrorism. Some of the central and fundamental elements in the new AML directive are:
- Risk assessments
- Policies
- Business procedures
It’s all up to the business to develop and implement these requirements. Below, we explain what each element entails. Furthermore, you need to create a description of how you audit and supervise each activity, so you’re certain the law is being upheld.
The risk-based approach results in a much greater focus on verification of identity and ongoing KYC checks.
Risk assessment
Businesses subject to the Anti-Money Laundering Directive have to create risk assessments that identify and evaluate every perceived risk associated with individual clients, products, delivery channels and business activities.
To create a risk assessment, the business needs to:
- Consider the risk, from client to client, of being exploited for money laundering or the financing of terrorism. This is also called CDD (Customer Due Diligence).
- Be able to explain and justify the assessment and precautions to the relevant regulatory agency.
- Make a Risk Assessment that includes the business’ precautions and safeguards in relation to the prevention of money laundering.
You could, for example, end up concluding that there is an elevated risk connected with clients living abroad. This risk depends on which country the client resides in. Based on this information you can evaluate whether you need further documentation from the client. For instance, you could demand to see a copy of their passport or birth certificate. If the business’s services allow people or entities to become clients without physical meetings, you can also decide that this requires further documentation.
Risk assessment
Risk assessments are structured approaches wherein you attempt to, objectively and fairly, assess clients individually. That requires differential treatment.
Policies
A business’ policies describe their overall appetite for risk. This policy will often include descriptions of:
- Which types of clients you want to do business with
- Which types of clients you don’t want to do business with
It will typically be management who outline and develop these policies, which are then approved by the board of directors. One of the primary reasons for this is that it forces leaders to acknowledge and actively decide on the risks associated with running the business. In this way no one in the business can shirk their responsibilities or wash their hands of wrongdoing if problems arise.
Policies also define the area within which the employees operate without needing constant approval from upper management.
A business’ policies describe their overall approach and capacity for risk. Policies are created by upper management and approved by the board of directors.
Business procedures
Briefly, a business procedure is a written process for how you, as an employee or business, need to conduct yourself in specific, well-defined situations.
A business procedure:
- gives you an overview of the risks you consider to be present with different groups of clients or customers.
- describes the actions you have taken to mitigate this risk.
Example
If you have a client residing abroad, you can use the risk assessment to evaluate whether this constitutes an elevated risk that your business is being misused for money laundering or the financing of terrorism.
This is the perceived risk the business incurs if they take on the client. To be able to accept said risk the business procedure needs to demand a more thorough verification of the client. In addition to a standard KYC check, you can demand notarized copies of passports, or request additional information regarding the business venture.
Furthermore, a business procedure will also contain information regarding when and how you report misconduct to a regulatory agency, such as when you suspect financial malfeasance.
Audits and verification
Audits and verification always have to be documented. It’s useless to perform verification if you can’t subsequently prove it took place.
A typical mistake in this process involves manual verification of copies of passports or driver’s licenses. To counter this, a business procedure could prescribe that the employee has to go through the documents and ensure that the ID is valid and of such a quality that they can subsequently identify the client. But if there’s no documentation that this has happened, the audit is not considered to have transpired regardless of whether or not the employee actually looked through the documents.
KYC check
A KYC check is also performed on the basis of the risk assessment and the identified risks. This is also known as KYC or “Know Your Customer.”
Depending on the perceived risks, you can either perform an enhanced or regular check. KYC requires obtaining identifying personal data about the client. Typically, these will include:
- Name and Social Security Number or Legal Entity Identifier (LEI), depending on whether the client is an individual or another business/organization.
This identifying information needs to be verified via a reliable independent source. That means you need to verify documents and compare them to publicly available information and databases that can validate addresses, passports or names.
KYC Check
Describes how the business conducts itself in order to get to know their customers/clients. KYC is an abbreviation for “Know Your Customer.”
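The two points above, that a check only counts if it is documented and that the required checks follow from the client’s risk level, can be made concrete in code. The following Python example is added here and is not Meo’s own code; it records each verification in an append-only, hash-chained trail (a technique the article does not itself describe) so that a missing, incomplete or later-altered record is detectable. The check names and risk levels are assumptions for the example.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Set

# Checks the business procedure demands before a client is accepted, per risk
# level. Assumed example values loosely following the text (the enhanced check
# adds a notarized passport copy and documentation of the business purpose).
REQUIRED_CHECKS: Dict[str, Set[str]] = {
    "regular": {"id_document_valid", "id_matches_independent_source"},
    "enhanced": {"id_document_valid", "id_matches_independent_source",
                 "notarized_passport_copy", "business_purpose_documented"},
}


@dataclass
class VerificationRecord:
    client_pseudonym: str        # never the raw identity in the trail
    risk_level: str              # "regular" or "enhanced"
    checks_performed: List[str]  # what the employee actually verified
    performed_by: str
    performed_at: str            # ISO-8601 timestamp
    notes: str = ""


def is_verification_complete(rec: VerificationRecord) -> bool:
    """True only if every check the procedure demands for this risk level was done."""
    return REQUIRED_CHECKS[rec.risk_level] <= set(rec.checks_performed)


class AuditTrail:
    """Append-only log. Each entry carries the hash of the previous entry, so an
    edited or removed record breaks the chain and the tampering is detectable."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    @staticmethod
    def _hash_entry(prev_hash: str, payload: Dict) -> str:
        canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()

    def append(self, rec: VerificationRecord) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        payload = asdict(rec)  # deep copy, so later changes to rec do not leak in
        digest = self._hash_entry(prev, payload)
        self.entries.append({"prev": prev, "record": payload, "hash": digest})
        return digest

    def chain_intact(self) -> bool:
        """Recompute every link; False as soon as one entry does not match."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._hash_entry(prev, entry["record"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def client_is_verified(self, pseudonym: str) -> bool:
        """A client counts as verified only if a complete record exists in an
        intact trail; an undocumented check is treated as if it never happened."""
        if not self.chain_intact():
            return False
        return any(
            entry["record"]["client_pseudonym"] == pseudonym
            and is_verification_complete(VerificationRecord(**entry["record"]))
            for entry in self.entries
        )


if __name__ == "__main__":
    trail = AuditTrail()
    trail.append(VerificationRecord("pseud-A", "regular",
                                    ["id_document_valid", "id_matches_independent_source"],
                                    "analyst-1", "2021-01-10T09:00:00"))
    print(trail.client_is_verified("pseud-A"), trail.client_is_verified("pseud-B"))
```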
AML 6: New requirements coming
All the previous requirements have a common denominator: they require established procedures and verification processes on each individual client. A secure procedure and verification of client relations can only be ensured if there’s sufficient documentation that it took place.
If you don’t follow the rules it can have grave repercussions for your business. Aside from the already comprehensive demands, you can be subject to increased supervision and thus further requirements. This is a field with a massive political and societal interest and scrutiny, which is why it’s just good business to know the rules and be at the forefront.
The latest edition, AML 6, is scheduled to be implemented in all member states by December 3rd 2020 and go into effect for business by June 3rd 2021. With AML 6 multiple elements will be expanded upon with an emphasis on fines and sanctions.
Meo – steer clear of money laundering with our easy and safe AML solution
As you’ve probably noticed, there are a lot of requirements for businesses when it comes to AML and anti-money laundering laws and regulations. Are you on top of your AML procedures and approaches?
If not, Meo can help.
Meo is a software platform that can help you with AML compliance in addition to a number of other services.
With Meo you can:
- Automatically screen clients via PEP-lists
- Verify clients’ ID
- Collect data from official sources regarding businesses and individuals
Information security - Protect your company's data the right way
Importance of Information Security and GDPR Compliance
In general, information security is about properly protecting a company's data, including customer data, personal data and finance. It is important to handle personal data correctly in accordance with the GDPR. Breaches of this can result in severe penalties.
It is essential to secure sensitive data from misuse or other leakage of information. At NewBanking, we have developed a software and digital data management platform that automates and complies with guidelines, rules and legislation to help you avoid money laundering or GDPR breaches.
We can contribute with risk assessments, examine your KYC status and identify critical points as well as possible optimisation opportunities. Our admin tool, NewBanking Identity, helps you digitally verify, monitor and check customers, as well as produce risk assessments and reports to regulators.
Learn more about what GDPR is on our page and more about information security on GDPR.dk.
Minimize resources spent in your business
With the help of a platform like NewBanking Identity, you can free up resources, as you avoid spending time and staff on handling information security in your company, and can spend your time on more efficient and rewarding areas for your particular industry.
We can also help you with a digital onboarding flow that allows you to exchange data across the organisation easily and securely. This reduces the manual errors that often occur in information security.
In this context, we can tailor exactly the platform and data sources that are necessary and essential for your customer type. This platform can be integrated directly into your website, improving and optimising the user experience for your customers.
Much more than an information security check
At NewBanking, we value being able to offer a complete solution that assists you with everything from the information security mentioned above to compliance checks, as well as insights into money laundering and the handling of such cases.
We are a sparring partner on everything that involves the handling of personal data, customer data and the protected exchange of the same.
We work with everything from small companies without KYC management to large companies with greater needs for sparring and additional system integrations. Contact us for a no-obligation conversation about your needs and options.