Today marks a pivotal moment in our journey. NewBanking, a name you've known and trusted, is evolving. We're thrilled to announce our rebranding to Meo – a name that resonates with our core mission and vision. Meo, meaning ‘My’ or ‘Mine’ in Latin, is more than just a name. It's a declaration of our unwavering commitment to individual data ownership and privacy.

‍

Why Meo?

In an era where digital footprints are expanding rapidly, the importance of data privacy can't be overstated. Meo is our answer to the growing need for control over digital identities and personal data. This new name embodies our belief that everyone should have the power to manage their digital presence securely and effortlessly. "Meo is uniquely built with Privacy by Design at its core, placing individuals firmly in control of their data, simplifying GDPR and CCPA compliance and acting as a responsible custodian of identities," states Christian Visti, our CEO. Meo is not just a service; it's a promise to uphold the highest standards of data privacy and give back control where it belongs – in the hands of individuals, accessible by you with their consent.

‍

Simplicity in complexity

The digital world, with all its opportunities, brings a complexity that can be daunting. Our role at Meo is to cut through this complexity, offering a platform that simplifies and streamlines everything related to compliance and data management. Whether it's onboarding and managing digital identities or ensuring regulatory compliance, we're here to make these tasks as seamless as possible. Our goal is to take the burden off your shoulders, letting you focus on what you do best, while we handle the intricacies of data privacy and compliance.

‍

Meo: Empowering compliance professionals

To our dedicated compliance professionals, we understand the challenges you face daily. With Meo, we're not just offering a tool; we're providing a partnership. Our platform is designed to enhance your capabilities, making you more efficient and effective in your role. "Our renewed product vision focus on supporting the complex nature of business verification, case management, custom risk modelling and automated scoring, rule-based AML checks, and superior UBO clarification - all while elevating the user experience to unprecedented heights," says Steffen Bilde, our Chief Product and Technology Officer. The transition to Meo means access to more advanced features, more robust support, and a community committed to excellence in AML compliance. In short, Meo is your superpower in the complex world of data privacy and regulatory compliance.

‍

What stays the same?

While our name changes, our foundational principles remain steadfast. We continue to offer top-notch tools to onboard and manage digital identities (businesses and individuals), reduce risk, and ensure regulatory compliance. What changes is our enhanced focus on trust, transparency, and security – without any compromises.

‍

What's next?

As we step into this new chapter as Meo, we're excited about the possibilities ahead. For our existing customers, this transition is a step up in the services and value you will receive. For those considering joining us, welcome to a new era of onboarding and managing digital identities and personal data with unmatched ease and security.

Keep an eye out for more exciting updates as we continue to evolve and enhance our offerings. Together, let's embrace the future with Meo – where your digital identity and data privacy are in safe hands.

“Meo integrated perfectly with our existing systems”

KommuneKredit’s goal is to offer leasing and loans to Danish municipalities, regions and joint municipal companies. Previously, only the leasing part required identification from the owners, but it has also become a requirement for the loans. Therefore, KommuneKredit had to find a system to handle the safe-keeping of personal information.

“It is a significant task to store and manage personal data in the correct manner. Our goal was to outsource the safe-keeping of data because we believe in “best-of-breed”, meaning that we all do what we are best at. Therefore, we have not for one second considered developing a solution on our own”, says Christian Jeppesen, customer director and AML manager, who was responsible for finding the best, suitable platform for KommuneKredit.

When you deal with companies, it is simple to identify who the CEO is and who owns the company. But it is different in a municipality - because who is the ultimate beneficial owner, whose identity needs to be verified?

Today, the definition states that the mayor and the municipality director must be considered the municipality’s ultimate beneficial owners. Therefore KommuneKredit keeps the sensitive data of all Danish mayors and municipality directors under lock and key on the Newbanking Identity platform. Only a few designated employees of KommuneKredit have access to this information.

Difficult to develop on our own

“If we had to develop a platform, we would need a lot of governance to determine who should gain access and under which conditions. Aside from the fact that the actual development of the platform would be very complex, it would also involve far too much administrative work with too many unknown factors”, says Christian Jeppesen and continues:

“Today, everything is automated in Meo, where we carry out spot checks on all identity documentation in the system. The platform is easy to work with, and every time we are in dialogue with the Meo founders, they have proved to have an extensive knowledge regarding KYC and GDPR procedures, which gives us a high sense of security.”

Integration with our customer management system

For KommuneKredit, however, a few other factors came into play in choosing a platform to manage their KYC and GDPR compliance. They needed to integrate the KYC system directly with their current customer management system. By integrating Meo with KommuneKredit’s customer management system, it becomes easy for the employees to email their customers, for example, when they must update their identification documents.

Moreover, KommuneKredit was facing a replacement of their current CSR system with a new one, and thus, it was essential to find an easy integrative platform.

“The entire process of implementing Meo in the daily routines has been very agile, and Meo has been very responsive to help to integrate with our customer management system. They are super skilled at integrating the platform with the other systems we use, which is pivotal. The platform works impeccably and has high operational stability. By all means, we have acquired a great solution that meets the full range of our needs”, says Christian Jeppesen.

Learn what a Politically Exposed Person list is.

PEPs, or Politically Exposed Persons, are individuals who are involved in politics or hold high office in governments, just to mention a few examples.

If your business is subject to Anti-Money Laundering (AML) laws and regulations, it’s important that you can determine whether you’re involved with PEPs as they are often come with a higher risk of money laundering and financing of terrorism.

On this page we try to answer ‘what is a PEP’, and all other questions regarding the Politically Exposed Person list:

• What is a PEP (Politically Exposed Person meaning)?
• How does a PEP list work?
• What do you need to do as a business if you have a client who is a PEP?
• How the Meo platform can help you check your clients identity and do PEP screenings.
• Fight financial crime with thorough PEP screenings
• Recent changes in PEP legislation
• Identification of PEPs

What is a PEP?

What is the meaning of PEP? A PEP (Politically Exposed Person) is an individual who has a high-ranking job in a government or some other type of political position. In other words, it’s a person who possesses a certain form of political and institutional power.

Because of that power they’re considered high risk in relation to money laundering, blackmail, bribery and other types of corruption – both voluntary and involuntary. Spouses, family and close business partners are also considered PEP, as their relationship can be exploited by criminals to pressure the person in the position of power.

Examples of PEP typically include:

• Politicians
• Leaders of government or state
• Judges and members of the court
• High-ranking members of the Central Bank
• Ambassadors
• High-ranking officers in the Defense Forces
• Spouses and children of the people above
• Close business partners and connections of the people above

The Anti-Money Laundering Directive requires all businesses subjected to the directive to be extra careful when they have clients or customers who are PEPs – and therefore constitutes an elevated risk.

Because of this, it can be difficult for businesses to evaluate, by themselves, whether a current or potential client is a PEP. For that reason EU governments have established lists of present and former PEPs, the so-called PEP lists.

What is a PEP list?

A PEP list is an overview of people who are presently or have formerly been classified by the EU as a Politically Exposed Person. But, what does a Politically Exposed Person mean?

The purpose of the Politically Exposed Person list is to make it easier for businesses to assess whether their clients are subject to aggravated circumstances. Every European government has its own PEP list that they maintain.

It’s important to note that the lists are not seen as sufficient evidence of PEP status. It’s possible that a person is considered a PEP despite not appearing on the list, or if they have not yet been added.

The fact that the Politically Exposed Person lists are incomplete – as well as the fact that spouses, close business partners, amongst other examples, are also considered PEPs – makes it difficult for businesses to live up to the PEP requirement without accessing external data sources that have specialized in maintaining updated lists with all people defined as PEPs.

In these cases, a platform like Meo can help. With our AML solution you can quickly and easily perform PEP checks of clients and customers by screening a number of PEP lists all over Europe.

What do you need to do as a business if your client is a PEP?

If you get involved with a PEP client, you need to conduct an enhanced KYC check (meaning Know Your Customer) and implement greater supervision and more audits of their business venture.

How you conduct an enhanced KYC check, you can read more about in our article about KYC (Know Your Customer).

The audit itself can, among other things, consist of your company investigating their financial transactions more carefully as well as evaluating your client relationship in relation to their current risk assessment.

Meo makes it easy to perform a security check and cross-reference with PEP lists
With Meo’s platform you can easily verify your clients’ identity and cross-reference with a number of well-established Politically Exposed Person lists.
Furthermore, our platform ensures that your clients’ personal data is handled responsibly and in accordance with GDPR.
See all features

Fight financial crime with thorough PEP screenings

If you want to fight financial crime, you need to be aware of PEP lists. It is necessary to be aware of PEPs as it is essential for employees and management to be able to identify these people and handle them correctly and safely in order to avoid financial crime.

On a global scale, bribery and corruption are major problems and there are many examples of attempts to do exactly this to PEPs, therefore common international standards have been established to combat them. The definition of PEPs as well as the requirements for handling PEP transactions are determined based on international standards and on experience gathered over a number of years from authorities around the world.

Recent changes in PEP legislations

An important element of the new anti-money laundering rules is that companies must adopt a risk-based approach and conduct risk assessments of each individual customer relationship. This also applies to the rules on PEPs.

In addition, the knowledge and monitoring must be based on a risk assessment, meaning that companies must strengthen their efforts and monitoring of PEPs that are known to have a greater risk of exposure to money laundering, including bribery, etc.

Additional customer due diligence procedures and additional monitoring must be carried out as deemed necessary by the individual firm to ensure full compliance with the legislations.

Identification of PEPs

Rules on identification of PEPs are put in place as a preventive procedure and should therefore not be interpreted as stigmatizing PEPs as people engaging in criminal activities. Thus, companies have no grounds for refusing to proceed with a customer relationship or closing existing customer relationships solely on the fact that a person is a PEP or a close associate or business partner of a PEP.

PEPs should always be aware that they and their close associates and business partners may at any time be asked to explain or document their finances or other transactions.

Related parties and close collaborators

Related parties and close partners are not considered PEPs solely on the basis of their relationship with a PEP. However, they need to be identified because they may benefit from or be taken advantage of in relation to money laundering, corruption or bribery.

Related parties

The definition of a close relative of a PEP includes:

• Parents
• Spouse, cohabitant or registered partner
• Children and their spouses, cohabitants and/or registered partners

This means that the term does not affect siblings or stepchildren and stepparents e.g.

Close partners

The definition of close business partners of a PEP includes:

• A person who is the owner of a business or other legal entity together with one or more PEPs.
• A person who has a close business relationship with one or more PEPs. For example, a trading partner.
• A person who is the owner of a company or other legal entity established solely for the benefit of a PEP. This means that the person controls all the ownership interests or voting rights, etc. directly or indirectly.

This means that positions that would not be considered as PEPs are, for example, a person participating in board work together with a PEP.

Introduction to CDD

CDD, or Customer Due Diligence, is an important concept to know – especially for businesses that are subject to anti-money laundering laws, regulations, and directives. What is CDD in banking for example?

Following the EU’s latest money laundering directive (AML 5) which was issued in 2020, there have been a number of changes to money laundering laws in Europe. The biggest change is that businesses were obliged to transition to an anti-money laundering (AML) risk assessment model that demands more of businesses and their ability to correctly assess their customers and client relationships – which is where CDD comes into the picture.

In this article we comprehensively explain what CDD is – and answer the most frequently asked questions about the subject.

What is CDD?

CDD is an acronym for ‘Customer Due Diligence’.

The term applies to all procedures that a business uses to verify the identity of their customers or clients, as well as assess their background information and risk level. A number of these activities need to be completed before the potential client actually signs a legal contract and becomes a client.

Both individuals and other businesses can be subject to a CDD investigation.

Why is Customer Due Diligence important?

There are quite a few good reasons for businesses to have proper Customer Due Diligence procedures and checklists in place when you need to assess potential clients:

• To protect your business against potential risks.
• To make the best possible decisions as a business.
• To comply with current laws and regulations.
• To guard the business against deception and malpractice, such as identity theft.
• To help the business identify unusual behavior with the business’ clients.

For these reasons, a procedure regarding Customer Due Diligence is a necessary tool for many businesses, in particular businesses subject to anti-money laundering laws and regulations.

Read more about the danish Anti-Money Laundering Directive (Hvidvaskloven).

Customer Due Diligence checklist

What is CDD, and how do you handle this process? CDD data consists of information regarding a customer or client that makes it possible to assess to what extent the client might put the business at risk of being misused for money laundering or the financing of terrorism.

This data can – among other things – consist of:

1. The client’s identity

Names, photos, addresses, and birth certificates can all be used to identify a client.

2. Background check

A part of the initial CDD also pertains to PEP screenings that assess whether the client is a so-called PEP (Politically Exposed Person). This could, for example, be to investigate whether the client has or is involved in scandals or other troubling activities (information that is typically publicly available). This is called Adverse Media Screening.

3. Ownership

If your client is a company or organization, it’s important to ascertain ownership of the businesses: who owns the business? If ownership is shared, who owns how many shares of the business?

4. Customer relationship

It’s equally important to understand and get an overview of the professional relation between you and your potential client. How is this relation? What is the purpose of the partnership?

Enhanced Due Diligence (EDD) for high-risk clients

Certain clients – for example, PEPs – have a higher risk profile than others. In these cases, it’s important to implement procedures defined as Enhanced Due Diligence (EDD).

With Enhanced Due Diligence you investigate the potential client’s:

Legal matters

Has the person or business previously been convicted, or involved in a crime? Are there any contractual relations that need to be accounted for? Questions like these illustrate the importance of Customer Due Diligence and Enhanced Due Diligence.

Finances and taxes

How are their financial statements? Are there any obvious tell-tale signs of illegal activities?

Shares

Does everything add up when it comes to the person’s/business’ physical shares and commodities, including offices and production facilities?

On-going control and assessment

You can implement an enhanced, on-going control and surveillance of the client’s business.

Who can benefit from a Customer Due Diligence checklist?

There are different types of companies and organizations that can benefit from using Customer Due Diligence checklists as part of their KYC processes. These include, among others:

• Companies dealing with customers in general
• Such companies can benefit from having a CDD checklist to help them avoid legal or financial problems that may arise from not conducting thorough due diligence on customers. By following the steps in the above checklist, the company can ensure that the necessary precautions are taken to avoid potential risks and problems.

• Businesses obliged to comply with AML rules
• Anti-money laundering (AML) regulations require businesses to put in place additional measures to prevent the financing of criminal activities. Part of these regulatory requirements include the completion of the CCD. By using a checklist, businesses can make sure they are compliant with AML rules on an ongoing basis.

• Any organization or financial institution that wants to protect itself from the financial risks associated with customers

Documentation to help companies identify and assess potential threats from their customers can be quite beneficial. By putting in place and ensuring proper measures to mitigate these risks, businesses can protect themselves from any financial losses that may arise as a result.

What are the risks of not completing a Customer Due Diligence checklist?

First of all, your company could end up being liable for any losses incurred by the other party as a result of your company’s negligence

Secondly, your business may be subject to civil or criminal sanctions if it is discovered that you have participated in money laundering or other financial crime, even if unknowingly.

Thirdly, your company may miss important information about the other party that could be crucial to a decision-making process.

Finally, your company may be blacklisted for non-compliance with regulatory requirements or by financial institutions if it turns out that business has been conducted with individuals or entities in high-risk categories.

Customer Due Diligence in connection to money laundering

CDD procedures are invaluable for businesses that are subject to Anti-Money Laundering (AML) laws and regulations, as they’re necessary to conduct the individual clients’ risk assessments.

In many cases there is a need for both CDD (Customer Due Diligence) and KYC (Know Your Customer) information in order to get a proper overview of the client’s risk profile and simultaneously verify their identity". The business’ KYC procedure describes what tasks are necessary to perform before the business can credibly say that they know their client.

For example, CDD and KYC procedures are necessary for:

1. New clients

Before a potential new client becomes an actual client, their identity needs to be verified and undergo a risk assessment.

2. Single transactions

Businesses in the financial sector as well as banks are required to investigate and evaluate whether clients are demonstrating suspicious behavior. This could for example be when making a substantial transaction or when dealing with high-risk countries.

3. Suspicion of money laundering

A through background check of the client is also necessary if you have a suspicion that they might be involved in criminal activities, such as money laundering.

4. Faulty or lacking documentation

If a client is unable to provide valid or approved identity documents then the business needs to perform a CDD check.

Streamline your Customer Due Diligence procedure with Meo

Meo is a software platform developed to handle information and data about your clients in a secure and centralized fashion.

With Meo you get:

A safe and automated onboarding

You can define and obtain the required information from your clients – directly in the platform.

A comprehensive overview

All relevant information about your clients are stored in one easy-to-use platform. It gives you a grand overview and ensures that you’re compliant with GDPR. You can also tag clients for easy organization.

Automated processes

With Meo it’s possible to integrate processes that automatically screens your clients against PEP lists.

What are some of the warning flags when it comes to CDD?

Warning flags that appear during a Know Your Customer (KYC) check should be carefully examined before making a decision on whether to initiate or continue the business relationship. These warning flags can vary from company to company and industry to industry, but common warning flags to look out for during a CDD check include, for example

• Customer information provided does not match the documentation available in the audit
• If the ownership picture is unclear or includes foreign companies and/or persons
• There is a lack of registration of a beneficial owner
• One or more of the company’s representatives are on PEP or sanctions lists
• If the company’s representatives are involved in other companies that are assessed as high risk
• If the industry in which the business operates is particularly prone to money laundering, such as cryptocurrency trading or bookmaking and betting
• If the company’s activities include cash handling

And the list goes on and on. However, the most important thing is to be aware of and responsive to customer information and behavior to avoid unnecessary risk.

Who is Meo?

Who are we at Meo and why do we help with CDD in banking and other organisations and fields?

At Meo we work with KYC procedures and Customer Due Diligence in several different institutions and organisations. Our previously mentioned software-as-a-service helps to streamline these processes and handle data and exchanges correctly and securely in compliance with GDPR.

We have for many years worked with several types of organisations with everything from AML, data security, compliance checks, PEP lists and general knowledge sharing within RegTech. Our digital solution assists with efficient CDD by checking PEP-lists and thorough background checks.

You are very welcome to contact us to learn more about our software and digital solutions, as well as our onboarding. Sign up to receive our newsletter, where we regularly send information and knowledge sharing on everything from ’what is CDD and how to be aware of money laundering’.

KYC (Know Your Customer)

KYC is about knowing your customers and clients so your business can avoid getting involved with organizations that commit crimes, launder money or fund terrorism.

In this article we explain:

• What is KYC (Know Your Customer)?
• What type of businesses are subject to Anti-Money Laundering (AML) laws and regulations, as well as KYC?
• What requirements does international law – including the EU Anti-Money Laundering directive – have regarding KYC?
• How can your business make sure you know your customers & clients?

With Meo you get a thorough and easy-to-use Know Your Customer platform that – from first contact with your client till the customer relation expires – can verify and document your clients’ identity and perform a KYC-check in real time.

Read more about the platform here or contact us to hear more about how we can help your company with KYC compliance.

What is KYC?

KYC is an abbreviation for “Know Your Customer.”

The term is especially used in finance because banks, accounting firms, lawyers, and private equity funds all have to document their clients’ identity so that governments. Basically, it must be documented where money is coming from and going to.

This is meant to prohibit or stand in the way of money laundering and black money that has been obtained by criminal means. If they are unable to supervise or audit the flow of money, it can undermine confidence and trust in financial organizations and companies whose business is dependent on stocks, investments and the greater financial market.

If you do not fulfill the demands of KYC, it can result in fines, penalties, sanctions, and even prison sentences. The exact amount or extent depends on local laws and regulations. A 2020 Financial Times article found that: “[...] AML fines in the initial six months of 2020 reached a total of $706m, compared with last year’s aggregate of $444m.”

What businesses and organizations are subject to the Anti-Money Laundering (AML) directive and KYC?

Many different types of businesses, including all companies and organizations involved in finance and the financial sector, are subject to anti-money laundering laws and regulations – and therefore KYC.

This applies, but is not limited, to:

• Banks, financial institutes and merchant banking
• Credit-, currency- and securities businesses
• Foundations and stock brokers
• Lending firms
• Providers of financial leasing
• Insurance companies
• Accountants and accountancy firms
• Founders of businesses
• Lawyers and attorneys
• Realtors
• Businesses that deal in valuables whose worth exceeds €15.000

What requirements does the law and regulations have in regards to KYC?

The overall directives and regulations regarding knowing your customer are best exemplified in European law by the Anti-Money Laundering (AML) Directive. Among other things, it states that businesses need to perform risk assessments, verify the identity of their clients or customers, and report if they have suspicion of money laundering or other types of fraud.

Risk assessments are structured procedures, wherein you evaluate the risk as objectively as possible and approach each client individually, instead of treating them uniformly.

That means that you are required to have clear guidelines and policies in place regarding the risk of being involuntarily involved in money laundering and financial crimes, as well as supporting your employees with counseling and well-established procedures for when and how you are obliged to report money laundering, if you are not able to refute your suspicions.

In addition, you need to be able to document your vetting and verifications of, among other things, your clients’ identity. It’s futile to perform an audit if you are unable to document your findings afterwards. A typical error often made in this approach is when you manually assess copies of passports and driver’s licenses. Here it is necessary to not only vet the documents to ascert their legitimacy, but also document that you’ve performed the verification.

With a KYC Platform such as Meo you can automate much of the process, while simultaneously documenting that you are complying with GDPR and other data protection laws while handling personal data.

How do you perform an audit or check of your client’s identity?

Your vetting and verification check of your clients’ identity is built upon your risk assessment and the identified risk. Afterwards, you can conduct an audit under strict or relaxed procedure.

Strict procedures for physical persons can, among other things, be a request for a copy of their passport, a physical meeting or further demands regarding the terms of your expected shared business.

If it’s regarding a legal entity, you can request founding documents, articles of association and make more comprehensive requirements for the description of the business scope.

A KYC check requires the retrieval of personal data documenting the client’s identity. As a starting point this includes name and social security number or legal entity identifier (LEI), depending on whether you’re assessing a person or a legal entity. With this method you can verify and check your client’s identity – and thereby comply with KYC standards.

This identifying information needs to be vetted via an independent and credible source. That means the documents need to be verified and compared with other registries or sources that can validate addresses, passports or names.

For both persons and legal entities you need to – if relevant – obtain information about the goal of the business venture and the extent of your relation.

How often do you need to check your client’s identity?

You need to vet your client’s identity at the start of every business venture – and if there are changes in your client’s circumstances, as well as at appropriate times.

With high-risk clients the procedure can be repeated once a year, whereas with Low-Risk Clients a check every five years can suffice.

The extent of the KYC check depends on the risk assessment of the client. In cases where you assess that there is a low risk of money laundering, you can perform a more lax KYC check. You could, for example, choose not to obtain updated documentation, provided that the identification papers (ID), you received originally, still are legally valid.

Remember to check for PEP (Politically Exposed Person)

As a consequence of the latest Anti-Money Laundering Directive from the EU, you are now also required to determine whether the person is a PEP (Politically Exposed Person).

Politically exposed people are individuals whose political position or relation makes them a high risk target for money laundering. That’s because they’re more likely to be exposed to blackmail, bribery or in some other way (voluntary and coerced) be involved in financial crimes.

This can be done by cross-referencing with publicly available information and databases, also known as PEP-lists.

It’s important to be aware that these lists are not sufficient in order to indicate whether a person is considered a PEP – they’re only lists of the people that local governments have reported as explicitly politically exposed.

Spouses, business partners etc. of people on the PEP-lists are also considered PEPs. That makes it especially difficult for businesses to comply with the PEP-requirements without using external data sources that specialize in maintaining updated lists of all persons, that can be defined as PEP.

Meo works together with a number of external data vendors that have specialized in having updated PEP-lists that cover a wide variety of nationalities and sectors

Data Processing & Compliance

GDPR (General Data Protection Regulation) sets a high standard for data processing of personal data, and how you document your actions. For that reason it’s important that you know what personal data is and how they’re processed correctly.

In this article we dive deep into data processing and explain:

• What is data processing and what is considered sensitive data?
• What requirements does GDPR set for your data processing?
• How do you process personal data correctly?
• What’s in a data processing agreement?
• What’s the difference between a data processor and a data manager?

What is data processing and what is sensitive data?

Data processing is any activity in which personal data is collected, registered, stored, analyzed, transmitted, deleted, sold etc. The term is defined so broadly that any contact with personal information is basically considered as data processing.

Data, in this case, is defined as formalized information that is typically handled by a machine or a computer.

Most businesses and organizations will, in one form or another, handle or process some type of data, most often personal data. The GDPR defines personal data as: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Typically, personal data is divided into two categories. Some countries also have a third category while others consider the category “Confidential personal data” to be of the same category as sensitive data.

• General or common personal data: names, e-mail addresses, place of residence, place of employment, and other factual information that is publicly available.
• Sensitive personal data (‘Special category of personal data’): Health records, information about a subject’s ethnicity, religion, or sexual identity. This data is more personal, and should therefore be handled with greater care.
• Confidential personal data: social security numbers, criminal records and other classified information that needs to be regulated separately.

What requirements does GDPR set for your data processing?

According to the GDPR all personal data needs to be handled and processed particularly and sensitively. The more personal or private the information, the more rules and regulations you have to uphold during the processing of the data.

If you want to know more about how you should protect your clients’ personal data, you can read our article about data security.

Here is a concrete example on what the GDPR demands of you when you process data: A business needs to verify whether a given name actually belongs to the client. This is a requirement under KYC as defined in the Anti-Money Laundering Directive. Here you are required to use authoritative data sources that verify the credibility of the information. You could for example do this by seeing a copy of their passport or driver’s license. You are then required to document that you’ve verified their identity. All of this data processing needs to happen in accordance with the GDPR.

Is there a difference between data handling and data processing?

Data handling and data processing is often used interchangeably.

However, you could say that data processing is the overall term for both data handling and data utilization.

Data handling can be seen as an almost passive or non-transformative processing of data, whereas with data utilization, you do something with that data, such analyzing, deleting, or changing it.

How do you process personal data correctly?

In order to process personal data correctly, you need:

• The legal right and a legitimate purpose
• Consent from the person whose personal data you’re processing
• A data processing agreement

A legal right and a legitimate purpose are prerequisites whenever you process personal data. Your rights are limited by whether you’re processing general or sensitive personal data.

You need consent from the person whose personal data you’re processing. This needs to fulfill a number of requirements: it needs to be voluntary, limited or specific, informed, and unambiguous. Furthermore, you need to document and verify that you’ve obtained the consent correctly.

There are exceptions as to when a business can get consent. This could be if, for example, it’s necessary out of care and due diligence to the person, or if there is a legitimate reason for the data manager that isn’t superseded by the subject’s own interests.

You can read more about consent on GDPR.eu.

Thirdly, businesses need a data processing agreement. This is a contract which contains instructions for the data processor on how to process the information. This agreement is between the data manager and data processor.

What’s in a data processing agreement?

A data processing agreement needs to give clear instructions to the data processor concerning how the information should be handled and processed. It’s a legally binding document that needs to be in writing and kept electronically.

The purpose of the agreement is to ensure that the personal data is treated and processed responsibly and securely. It’s also important that it contains requirements for how and when to contact the data manager if there’s suspicion of a security breach or misuse. If your business is the data processor it’s your responsibility to inform the data manager about suspicions of misuse or data breaches.

As part of the instructions the data processor should also be required to perform yearly, or by agreement, audits to document that they’re following the instructions and current laws. This can be done through an audit report that needs to be certified by an external auditor.

You can find a template for a data processing agreement on GDPR.eu.

What’s the difference between a data processor and a data manager?

The data processor and the data manager are not the same person.

The data manager is the party that determines which data to process, to what purpose, and using which tools. The data manager defines the ground rules for how the data ought to be processed.

On the other hand, the data processor is the party that performs the actual processing on behalf of the data manager.

It’s important to separate the two, because they have different requirements. One party, the data manager, ensures that the data processing is GDPR compliant, whereas the other party, the data processor, takes responsibility for acting in accordance with the given instructions.

Easier data processing with Meo

With Meo you can easily find the information you need about your clients using a simple search. And personal data is deleted or properly archived, whenever a business relation ends.

The platform makes sure that you comply with GDPR and makes it easy to handle data for:

Onboarding

Onboard your clients using secure channels.

Validation

Determine your requirements for validation of information.

Documentation

Full log and tracking of actions and access.

Compliant management of clients’ personal data has a high significance

DANDERS & MORE was the first Danish law firm to implement the Meo platform. Like many other companies, new legislation regarding the processing of personal data and anti-money laundering was the triggering factor. Since then, DANDERS & MORE has found the platform to be useful beyond their initial need.

“It is of utmost importance to us that we at all times are ready to undergo an audit without any remarks. Therefore, our primary motivation in searching for a platform has been to ensure compliance with personal data and money laundering legislation, which are continuously developing and becoming increasingly strict. Meo was the obvious choice for us as the only suitable platform to meet our different needs,” says Majken Korsgaars, lawyer, partner and co-owner of Danders & More.

Today, many companies receive emails with unsolicited applications containing sensitive personal data. In some cases, applicants even attach a copy of their passport or driver‘s license, unaware that the companies are at risk of breaking the law if they do not delete these emails. It is one of the issues with receiving emails containing sensitive or confidential personal information. Another issue is that the company can not ensure that the applicants and clients send sensitive information via a secure and encrypted email connection.

Uncovering the chain of ownership

All this was - and still is - of immense significance to DANDERS & MORE. For this reason, the choice of Meo’s platform helps the partners to sleep peacefully at night. With the implementation of Meo’s platform, DANDERS & MORE now has a straightforward KYC procedure. If a client should send sensitive or confidential information by email, it will be erased immediately. Instead, the Compliance Officer will send the client a link to the system, which will guide the new user to upload ID and other relevant documentation - all of this without involvement from the law firm. But once the client has completed uploading documents to Meo’s secure platform, the designated persons at DANDERS & MORE will receive a notification.

“The platform is also helpful to obtain and categorise all necessary documentation to uncover the ownership and control structure (chain of ownership) of corporate clients, which gives us the certainty that we are not inadvertently violating the AML and GDPR legislation. This certainty is crucial in our industry. We cannot underestimate the significance of sending a message to the customers that we are vigilantly guarding their sensitive personal data, and we are doing so with reliable procedures”, says Majken Korsgaard.

A better relationship with the clients

In DANDERS & MORE, the partners have appointed a compliance officer responsible for the customer contact when KYC documentation is to be collected. Albeit it is not necessary because the platform is simple to navigate, it has its advantages.

“The advantage of having a Compliance Officer and a system like Meo is that my colleagues and I can focus on counselling our clients. We do not have to spend time pushing and reminding clients to upload any missing documentation. Now that the Meo platform and my compliance colleague take care of this, I can build a good client relationship without interruptions due to KYC procedures”, says Majken Korsgaard.

Responsive to amendments

At the beginning of the partnership with Meo, DANDERS & MORE had a couple of wishes for the platform’s development to ease the lawyers’ daily operation.

“We have had the opportunity to leave our mark on the platform, and Meo has always been very accommodating to our wishes. They are easy to work with, and they have proved highly skilled and tech-savvy when solving all our issues to meet our needs”, says Majken Korsgaard.

Some companies might question whether they want to collaborate with a new company in such an important area, but Majken Korsgaard was quickly convinced.

Deep insight at Meo

“I had a long meeting with Christian Visti Larsen, who explained about his background. It is compelling to work with people who are as knowledgeable about the GDPR framework as he is. He has been working with it for years, which convinced the partners and me about the platform. In Meo, we deal with very skilled people who know the demands for a platform and recognise the challenges it poses. They are 100% knowledgeable about all relevant issues, which make an excellent collaboration”, says Majken Korsgaard.

Since DANDERS & MORE has started using the platform, it has become a focal point for working with clients. As a result, the law firm has expanded its use to manage funding applications and to receive job applications.

“We were the first law firm to start using the platform, and we have not regretted it for a second”, says Majken Korsgaard.

‍

A Business Obligation

Businesses that process personal data and information are obligated to protect said data. Data security is a foundational premise if you work in the financial services or sector – but it’s also a necessity if you handle or process any form of data.

In this article we explain:

• What is data protection?
• Technical data protection
• Organizational data protection
• How to manage breach of data protection

With Meo you can simplify the process of protecting your clients’ personal data – from first contact till the end of your business relationship. Our solution ensures that you comply with GDPR and Anti-Money Laundering (AML) laws and regulations in all of the EU.

Read more on holistic profiles

What is data protection?

Data protection is a catch-all term for all security measures and safeguards that protect your own – and your clients’ – data.

All businesses in the EU are obligated under GDPR (General Data Protection Regulation) to protect their customers’, employees’ and other partners’ data – including their personal data. This applies to both internal (people in the organization) and external (for example, hackers) parties.

It’s up to the business itself to implement sufficient safety measures that protect data. These safeguards are usually categorized as either:

• Technical security measures or precautions
• Organizational security measures or precautions

The appropriate degree or extent of such measures for your business is up to you. This requires, among other things, that you make a Data Protection Impact Assessment (DPIA) and a consequence analysis of your data protection. You can find a template for a Data Protection Impact Assessment (DPIA) on GDPR.EU.

Furthermore, it’s important that you can document that you’ve installed or implemented the necessary measures, and that you subsequently and regularly evaluate whether they’re sufficient in order to protect the personal information you process.

There are a number of internationally recognized standards for data protection, such as:

• ISO 29151
• ISO 29134
• ISO 27001

They can be read in full on the International Organization for Standards’ website.

As a data manager and as a data processor it’s important that, even if you’re following the standards and guidelines, this is not synonymous with complying with GDPR. For that reason it’s important that you have a systematic, professional, and structured approach to the job. If you process sensitive personal data (‘special category of personal data’) it can be necessary to add-on or expand with subsequent protection measures.

Technical data protection

Technical data protection and safeguards are all forms of security measures that rely on digital tools and IT infrastructure. It exists predominantly on computers and servers.

This could, for example, be:

• Firewalls
• Passwords
• 2-factor authentication
• Encryption
• Logging of data handling
• Different administrative roles
• Storing data in levels (so a breach doesn’t give access to all data)
• Anti-virus
• Backup

Organizational data protection

Organizational data protection and safeguards are the type of data protection that involves people and processes. Data is secured by training employees and following guidelines that prohibit unplanned error or intentional breaches of personal data.

This term applies to:

• Procedures for data processing
• Clear distribution of roles and access
• Security courses
• Education of employees
• Risk- and consequence assessments
• Action plans for breaches of personal data

How to manage breaches of data protection

No data protection is fail-safe and fool-proof.

This is also acknowledged by the GDPR itself and by most of the regulatory agencies responsible for enforcing it in the EU.

In order to minimize the damage of a breach, it’s important that you have a clear action plan for when you might suspect that there’s been a breach of your security. This encompasses, but is not limited to, a clear division of responsibilities between data manager and data processor, how you report potential breaches to clients, and clear guidelines for how you report breaches to the relevant regulatory authorities.

With Meo you get AML and GDPR compliant data protection

With Meo, you get a software platform that protects your clients’ data and ensures you comply with Anti-Money Laundering (AML) laws and regulations.

Furthermore, the platform helps you verify your clients’ identity so you comply with KYC and CDD. Get more information about our security by reading our Security Whitepaper.

What is good GDPR handling?

Does your business have a good handle on GDPR and on how you process personal data?

Virtually all businesses that come into contact with personal data are subject to local laws and regulations. In the EU and EEA that means GDPR. For this reason it’s important that you know the requirements for how you correctly process personal data.

Below you can read about the EU directive and how it applies to personal data – as well as get a few tips on best practice for processing personal data:

• What is the General Data Protection Regulation (GDPR)?
• What businesses are subject to GDPR?
• What is a Data Manager and a Data Processor?
• What is a DPO (Data Protection Officer)?
• How to comply with GDPR
• Storing personal data – when and for how long?
• Rights of private individuals
• Ongoing audits and the principles of accuracy
  

What is the General Data Protection Regulation (GDPR)?

GDPR, or General Data Protection Regulation, is a regulatory framework and directive in EU law on data protection and privacy in the European Union and the European Economic Area.

The regulation applies to all personal data, as well as the transfer of personal data outside the EU and EEA. It was implemented in 2018.

Its official name is:

“Regulation (Eu) 2016/679 Of The European Parliament And Of The Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)”

As an EU regulation and directive it is, strictly speaking, not an actual law. Instead it’s a legally binding agreement between all EU and EEA countries, which they are required to then interpret and implement in their local law.

That means that, while GDPR is binding and sets out to give specific directions regarding personal data, there can be variations and minor differences from country to country. It often acts as a basic framework that is then expanded upon by the individual country.

Oversight: Different countries in the EU and EEA have different supervisory or regulatory agencies. These ensure that GDPR is upheld and guide local governments, businesses and organizations in how to be GDPR-compliant.

Which businesses are subject to GDPR?

GDPR applies to virtually all processing of personal data i.e. all information that can be connected with or identify a specific person.

Read more about personal data and the different categories.

As the regulation is geographically specific to the EU and EEA, it only applies:

• When the data manager or data processor is in the EU, regardless of whether the actual processing is conducted in or outside the EU.
• When the person whose personal data is processed is in the EU, regardless of the data manager’s or data processor’s location.
• When the processing of personal data pertains to a product or business in the EU, or involves surveilling behavior inside the EU.

To be concise: almost all businesses with an affiliate with the EU, whether this applies to them or their clients/customers, are subject to GDPR.

What is a Data Manager and Data Processor?

And what’s the difference?

According to the GDPR, it’s important to fundamentally separate the two specific roles that both process personal data.

You can either be a data manager or a data processor.

There are different requirements for the two roles. That’s why it’s important to know which is which and who is who, before you start to process personal data.

Data Manager

The data manager defines the purpose and procedure for how personal information is processed. As data manager you are obligated to ensure that:

• You have a legal right to process specific personal data
• You’re capable to provide insight to the registered parties, at their request
• You register violations of personal data security to the relevant oversight, supervisory or regulatory agency.

Data Processor

As a data processor you solely process the personal data on behalf of the data manager. You do not have any influence on the purpose or procedure you operate under.

A data processor can, for example, be a software provider for the services used to store data on the servers, or a different type of provider of an automated processing of personal data, wherein you do not directly have any access to the data.

Because the relation between data manager and data processor involves the exchange of personal data, it’s important that there is a data processing agreement in place that clearly defines the exact relation between the two. A template for this can be found on GDPR.eu.

What is a Data Protection Officer (DPO)?

There can also be a third role: DPO or Data Protection Officer. You might have come across this term before, but what does it mean? And should your business have a DPO?

The role of DPO is to advise on the requirements of GDPR and guide the data manager in how they can fulfill these requirements. It’s important to note that the DPO is not responsible for whether or not the business is compliant with GDPR or local law.

Governmental agencies are required to – regardless of whether they’re data managers or data processors – appoint a DPO. Private companies are only obligated if all of the following three conditions apply:

• Processing of personal data is a core work activity
• Personal information is processed in vast quantities
• Processing consists of regular and systematic surveillance or contains sensitive personal data (‘special categories of personal data’)

When is processing of personal data a ‘core work activity’?

Most organizations perform some type of processing of personal data but GDPR differentiates between non-core work activities and core work activities.

Non-core work activities can generally be said to be activities that support core work activities. For example, most businesses come in contact with a certain amount of personal data in regards to employee data and personal data related to sales and different types of support. These are considered to be non-core work activities.

According to GDPR, the processing of personal data is a core work activity, if what a business is looking to sell is irrefutably connected to personal data. This could, for example, be:

• Insurance companies whose product is tailored on the basis of personal data
• Providers of market research
• Search engines
• Businesses related to headhunting of new employees

These are all examples of business activities that are centered around processing personal data, and where the output depends on the information obtained and processed.

How to comply with GDPR

GDPR necessitates a risk-based approach similar to, for example, anti-money laundering initiatives.

A risk-based approach means that, whether or not the business is a data processor or a data manager, you are obligated to perform an assessment of the types of data that is stored or processed by the business. Then you need to make sure that there are organizational and technical security measures or safeguards in place that correspond to the assessed risks.

Technical security measures

Examples include strong firewalls, ongoing updates of codes and systems, encryption and a strong IT-infrastructure.‍

Organizational security measures

Examples include described procedures, businesses can enact organizational security measures such as clear policies for personal data, security access, courses in correct data processing, and the further education of employees.

To comply with GDPR, businesses need to have:

• Risk assessments
• Policies and procedures
• Audits and documentation

How do you perform a risk assessment?

Risk assessments will typically evaluate, or assess:

• What types of data is stored by the business (there are for example differences in sensitivity between storing e-mail addresses and copies of passports)
• Consequences for data leaks (for example, phishing, hacking or accidental internal leaks of material pertaining to personal data)
• The security measures in place to minimize the above risks

On the basis of these factors you can assess whether the risk is acceptable, or if you need to implement new safeguards to minimize the risk of data being stolen or leaked.

There are also requirements for documentation of your considerations regarding the procedures.

Policies

Most businesses have set procedures and policies in place that streamline and systematize work activities. In the same way, it’s a good idea to define policies and procedures for the processing of personal data.

Typically you’ll divide personal data policies into whether they pertain to personal data about employees or clients/customers. A personal data policy for clients could, for example, contain the following:

• A clarification of whether you’re acting as data manager or data processor.
• Where the personal data is stored – on internal or external servers or storage units? If it’s stored outside of the EU/EEA then what did you do to ensure a sufficient level of security?
• Whether you have a DPO, and if so, what the DPO’s assignment is and how you’ve secured the DPO’s position in the organization.
• What the stated purpose is for storing data, specifically your legal rights and the legitimacy of the purpose.
• What your policy for deleting or erasing personal data is, and for how long you store data after the termination of a client/customer relationship.
• Optionally, which technical and organizational security measures you’ve implemented to protect against data leaks, and how you’re planning to react in the case of a leak.

Business procedures

The business procedures should be in an internally accessible document that has been written to support the work flow and procedures you’ve agreed upon. A business procedure is often a relatively detailed description about how you handle personal data with specific procedures for how your business – in its day-to-day activities – make unnecessary data is deleted, and how you share data with others whether that’s with colleagues or external data processors.

Audits and documentation

Simultaneously you need to be able to document that your processing of personal data is in accordance with GDPR and local law. You, for example, need to document how you delete personal data after the end of a business relationship.

A business can have multiple procedures regarding how and how often they delete data. But according to GDPR it’s essential that it’s written down or somehow documented, so that the proper regulatory agencies can audit your actions and thus ensure that you’re complying with GDPR.

The documentation requirement can be supported by IT solutions that can even automate some of the necessary processes.

Storing of personal data – when and for how long?

Businesses can store personal data as long as they:

• Have a legal right to it.
• Have a legitimate purpose for storing the data.

The legal right regarding storage of personal data is defined as:

• The business has obtained consent from the person whose personal data is being stored.
• It’s written in the law that the data must be stored.
• It’s necessary in order to uphold an agreement or contract.
• The business has a legitimate interest in storing the personal data. And this interest has a greater value for the person’s own interest, than if it was deleted.

Normally, the business or governmental agency has sufficient legal right if just one of the above criteria have been met.

A legitimate purpose is basically defined by common sense.

Ask yourself: What is the purpose of storing the given personal data?

If you don’t have a legitimate purpose then the data needs to be deleted.

Example

Six months ago the company had a job posting looking for a legal aid. They had many applicants but have since closed the entire department and do not plan to hire legal aids ever again.

Does the business still have a legitimate purpose for saving resumés and applications? Here, the answer is no.

As long as a business has the legal right and a legitimate purpose, then the business can continue to store data. As soon as this is no longer the case, the data should be deleted.

Rights of private individuals

With the implementation of GDPR, private individuals gain the right to access the data businesses store about them. This is often called access rights or subject right:

• In principle, you have the right to access all personal data about yourself that the data manager is responsible for.
• A data processor cannot grant access, because they are not responsible for the registered data.

The data and information you can request includes:

• How your personal data is processed
• What purpose there is for the processing
• Who the information is shared with
• For how long the data is stored
• Where the personal data originates from

This is to ensure that the data is verifiable, accurate and that the processing is performed on the basis of sound legal authority.

Ongoing audit and the principle of accuracy

As a business you are obligated to make sure that the stored personal data is accurate and that wrong or false information is deleted.

This is also called the principle of accuracy.

The principle does not only revolve around the duty of deleting or correcting information that you’ve been informed is wrong. You also have an obligation to actively seek out and verify the accuracy of your data.

This could for example be done by you continuously comparing the data you obtain with searches in registries and databases with publicly available information, or that you periodically request verification from the individual that the information is about.

The extent of how thoroughly you need to verify the information’s accuracy and authenticity, and how frequently you need to repeat this process, depends on the data you are processing. The more sensitive – and therefore the greater importance the information holds to its owner – the more procedures and fail-safes you need to implement to protect against this outcome.

Cases at Meo

Meo has also collaborated with a lot of different companies that have benefited greatly from the Danish software platform, Meo. Among them is the law firm Bech-Bruun, which recently commented on whether the platform has provided clarity on the secure handling of information and data from new clients in accordance with the GDPR law.

This focus is something that is reflected in the opinions of our various partners and customers, who all believe that our software platform has created security for them in connection with the exchange of data and information with clients or partners.

We at Meo therefore help to create clarity over administrative tasks as well as the security of your business and the exchange of data.

Meo – Processing personal data easily and securely

If you’ve read along from the top, and have lost your breath over the challenges of working with GDPR and personal data, then you’re not alone.

Luckily, there are a number of good solutions for the business challenges of processing data.

Meo is a software platform that since 2015 has made it possible for businesses and individuals to exchange information in a transparent and secure way.

For businesses there are a number of benefits from using Meo:

Onboarding

Onboard your clients digitally on secure channels.

Validation

Setup your own requirements for validation of information.

Documentation

A full audit trail and overview of the performed actions and consent for processing.

Processing

With Meo you comply with all legal requirements, both GDPR and AML.

How DFDS orchestrated personal information from 4,000 employees — without meeting them first.

In the celebration of DFDS’ 150th birthday, the board of directors and the management decided they would give anniversary shares to all employees.

However, to set up deposits for the employees, they needed a solution to secure their AML and GDPR compliance. Luckily, DFDS found the solution they needed when they came across NewBanking Identity.

In 2016, more than 4,000 employees with 22 different nationalities were offered anniversary shares in DFDS - including Filipino, Russian, French and Dutch employees, and employees at all levels in the organisation, from the dock worker and the sailor to the middle manager and the CEO.

Before becoming a shareholder, employees had to be identified by their bank as part of a necessary anti-money laundering and KYC (Know Your Customer) compliance procedure.

For DFDS, this meant that each employee had to forward personal identification documentation.

“The employees had to upload various forms of documentation to confirm their identity. To succeed in offering anniversary shares to all DFDS employees, we had to do it in a completely secure way,” says Jens Jakob Hjorth-Hartmann, Legal Counsel HR at DFDS.

The information that the employees had to upload was typically a driver’s license and passport, but in some countries, a gas bill must be used as documentation.

Extremely high security

After scanning the market for opportunities, DFDS decided to use NewBanking Identity’s platform due to the high user-friendliness, which Jens Jakob Hjorth-Hartmann calls user intuitive. And then, of course, the platform’s security needed to be top-notch.

“We looked into different systems on the market, but their focus was primarily on flow and processes. None of the systems was created with a focus on secure processing of the employees’ confidential information. Additionally, no other system was designed with the security of the ‘Chinese walls’ characterising NewBanking Identity’s platform,” says Jens Jakob Hjorth-Hartmann.

Chinese walls - in this context, means that not even NewBanking’s employees have access to the confidential information on the platform. Only the person uploading the data and those who gain admission can see the information.

Great user-friendliness

NewBanking Identity set up more than 20 different flows - one for each country - all in English, enabling DFDS to request data from their employees.

A portal guided the employees step-by-step to upload the correct documents.

“The solution reached all DFDS’ employees in all corners of the world - it even reached the ships, where the employees used the platform while sailing. Everyone provided the information requested by Danske Bank. It is probably the first time in history that employees from so many places in the world have had to provide information according to Danish standards”, says Christian Visti Larsen, CEO and Co-founder of NewBanking Identity.

When DFDS’ employees had uploaded their personal information on the platform confirming their identity, Danske Bank could access their account to set up their bank deposits, which succeeded with all 4,000 employees.

Suitable for stock exchange listings

DFDS found a solution to what at first seemed an overwhelming task, and Jens Jakob Hjorth-Hartmann, therefore, will not dismiss the idea that they will use NewBanking’s platform again.

“The platform is brilliant because it is a forum for passing on personal information, securing that the person providing the information is in full control over his data. For that reason, I can also easily envision us using the platform for other purposes”, says Jens Jakob Hjorth-Hartmann.

NewBanking Identity’s platform provides numerous applications for companies that need to handle highly confidential information to share with only a few individuals and often for a limited period - an example could be regarding stock exchange listings.

Everything you need to know about personal data

In this digital age, and with the enactment of General Data Protection Regulation (GDPR), there has been an intensified focus on personal data and the way businesses handle their clients’ information. Personal data is shared by citizens and clients all the time – with both businesses and governments. And organizations that don’t have a proper handle on personal data risk major fines and penalties.

Because this is such an important topic for businesses, we’ve written this extensive guide and FAQ so you can better come to understand what personal data is – and how you’re required to handle it under GDPR. We’ll be answer:

• What is personal data?
• What is the GDPR (General Data Protection Regulation)?
• Personal data in a business perspective
• When are businesses considered to be processing personal data?
• Who owns personal data?
• Secure processing of personal data
• How Meo helps companies collect, verify and store personal data in a secure and easy way that is also 100% GDPR compliant.

Read more about the platform here or book a demo to hear more about how we can help your company with KYC compliance.

What is personal data?

In order to understand what personal data is, let’s start with a definition. Personal data is defined by the EU in the General Data Protection Regulation as:

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
‍
- Regulation (Eu) 2016/679 Of The European Parliament And Of The Council Of 27 April 2016

In other words, personal data is all information that can be used to identify an individual. According to this definition personal data spans a variety of different informations, including:

• A name
• A photo
• E-mail address
• Information about a person’s ethnicity
• A sound file
• IP address
• Criminal record
• Social Security Number
• The list of personal data is therefore potentially inexhaustible.

Any information related to an identified or identifiable individual is personal data. Information such as data about congenital diseases of an individual’s grandparents is also personal data.

The GDPR does, however, differentiate between different types of personal data, that need to be processed or handled under less and more restrictive conditions:

General personal data

These include personal data such as names, e-mails, addresses, place of employment etc. They are factual information that are often publicly available.

Sensitive personal data (‘special categories of personal data’)

Such as health data, ethnicity and sexual identity. These types of data are very personal and need to be processed with extra care.

Social security numbers and criminal record (‘special categories of personal data’)

Governmental information such as social security numbers and criminal records are also a part of special categories of personal data. By some EU countries these are considered a separate category, as they involve classified or protected information that need to be more guarded than even traditional sensitive personal data.

What is the GDPR (General Data Protection Regulation)?

The GDPR, or General Data Protection Regulation, is a regulatory framework and directive in EU law on data protection and privacy in the European Union and the European Economic Area. It applies to all personal data, as well as the transfer of personal data outside the EU and EEA. It was implemented in 2018.

Its official name is:

Regulation (Eu) 2016/679 Of The European Parliament And Of The Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Read more about the General Data Protection Regulation (GDPR).

What is personal data in a business perspective?

Personal data is ultimately the most valuable information that businesses collect and process. Without this data it’s not possible to run a business in such a digitalized world.

On a consumer level, people would not be able to use today’s digital options, i.e. setting up a bank account, getting a package delivered or in any way buying vital digital services without the release of some form of personal data. There are, of course, certain providers of services and products that don’t need personal data – for example, if you buy a hotdog at a vendor and pay in cash.

With the exception of examples as above, the majority of interactions between individuals and businesses are based on some sharing or exchange and processing of personal data. The increasing digitalization of society and the use of personalized data also gives rise to better and more targeted services. For that reason the exchange of personal data can be considered necessary, or even essential, for both consumers and businesses.

The rules for how businesses process personal information are quite extensive and cover, among other things, the secure storage of personal data.

Read more about the rules here.

What is processing of personal data?

The processing of personal data refers to activities such as the collection, storage, use, transfer, security and disclosure of personal data. Any activities relating to personal data, from the planning of the processing to the removal of personal data, constitute processing of personal data.

When a company processes data, there will always be a need for a data processor and a data controller. These two roles are not the same, but are both necessary to have. In the following you can find a definition of each role and what it entails.

A data controller is a person or an organization that determines the purposes and means of processing personal data. A data controller can be an association that collects information about its members, a hospital that processes patient records, an online shop or a social media service.

A data processor is a person or an organization that processes personal data on behalf of a controller. A data processor could be an agency that handles some processes of another company, or an IT service provider that has access to the personal data collected by the data controller.

When can businesses process personal data under GDPR?

The GDPR – and subsequent local laws – applies the moment businesses ‘process’ personal information. But, as mentioned earlier, the processing of personal data can take many forms. Because the definition is so broad, it in reality occurs the moment a business comes into contact with personal information.

According to the definition of GDPR, processing of personal data applies to all the ways in which you handle personal information. This includes collecting, recording, organizing, systematizing, storing, editing, altering, searching, using, sharing, transmitting, securing, disseminating, deleting – and much more.

Verification of information

A specific example could be when businesses need to verify that a given name actually belongs to a person. The business extracts the verification data from a network that the person uses – or from additional data sources that have the authority to verify the truthfulness of the information. This is especially relevant to businesses who are subject to the Anti-Money Laundering (AML) Directive.

If just one type of the above actions occurs, it’s considered processing under GDPR. In order to live up to EU law, all businesses should consider it data processing the moment they come into contact with personal data.

Read more about the General Data Protection Regulation (GDPR).

Who owns personal data?

Who owns personal data after collection?

GDPR marked a foundational shift in how broader society views data ownership. Before, it wasn’t necessarily clear who actually owned the data after it had been exchanged between two parties. User rights and the right to gain insight into what personal data is stored by businesses was often unclear.

GDPR helped to clarify these issues and principles. It was determined that the one who owns personal data is the person represented by the information. Businesses are allowed to process and use the given data but the ownership and rights will always belong to the registered party.

Data belongs to the person represented by the information.

The rights of private individuals

What rights do private individuals have in relation to their personal data?

The shift created by GDPR – which clarified the ownership rights of data – lead to that the registered persons gain the right of access, or subject access, to the data stored by businesses about them. A right that, of course, is also important for businesses to understand, as they are required to live up to the laws and regulations.

With the exception of certain outlier cases, private individuals have the right to contact businesses that they believe are processing or storing personal data and gain insight into what data they possess; for what purpose they consider valid for processing your personal data; and when consent for this type of processing was given.

Read more about the Right of Access (Subject Access).

This new understanding of data ownership leads us to the six principles for how businesses should process personal data. Find the definition of securing personal data, and read more below.

Secure processing of personal data

Fundamentally, GDPR requires businesses to protect both internal personal data (on e.g, employees) and external personal data (on e.g. other clients, business partners, criminals), using sufficient security measures.

It’s up to each business to assess which safeguards that apply to different situations.

Businesses typically divided these security measures into two categories:

Technical security measures: Among other things, strong firewalls, on-going updates of codes and systems, encryption and a strong IT-infrastructure.

Organizational security measures: Among the other described procedures, businesses can enact organizational security measures such as clear policies for personal data, security access, courses in correct data processing, and the further education of employees.

If you’re handling sensitive personal data (as defined above), you need to implement more strict security measures. The chosen measures are based on the risk assessment, which is a part of the GDPR’s risk-based approach to data protection.

Read more about data protection here.

Here’s how to get started with personal data under GDPR (The 6 Principles)

Are you interested in the underlying principles of GDPR, you can read Chapter 2, Article 5 of the General Data Protection Regulation.

This outlines the six founding principles for how businesses need to approach personal data. We’re going to explain each one here:

1. ‘Lawfulness, fairness and transparency’

Your business needs to be transparent with clients and customers about how you process their personal data. For example, the language in written communication, such as e-mails, needs to be clear and easy to understand. The clients need to know what is happening – and why. Avoid obtuse language or extensive technical jargon and set time aside to develop good, legible templates to use in the future.

All processing of personal data needs to be fair, secure and based on best practice (for example, by using the best available technology).

And lastly, your processing of personal data needs to be lawful. You need to act in the spirit and letter of the law, when processing personal data. This includes obtaining consent from clients and customers, as these are the ones who own the personal data.

2. ‘Purpose limitation’

You can only collect personal data for specific purposes. And it’s important that you inform your clients, that you’re doing this. This also entails that you only use personal data in the context the client has consented to.

3. ‘Data minimisation’

‘Need to have’ is central to data minimisation. Fundamentally, you can only collect the exact personal data needed to complete your expressed goal or purpose.

4. ‘Accuracy’

Ensuring the accuracy of the personal information is an on-going process. For that reason you need to update the data, concurrently. Furthermore, you need to correct or delete data that is inaccurate or unusable for the specific purpose it’s needed for.

5. ‘Storage limitation’

You can only store personal data as long as necessary. Therefore you need to continuously ask yourself: do we still have a purpose for storing this data? It can be a good idea to have a half-yearly or yearly event where you evaluate your stored data.

6. ‘Integrity and confidentiality’

The integrity of the data needs to be maintained. That means ensuring the data’s accuracy and credibility over time.

Simultaneously, you need to process and handle the data with great care and confidence. You can’t allow anyone to gain access to the data. That applies to people outside your organization (for example, hackers), but also people from within (for example, colleagues).

To ensure this, you need sufficient and adequate security measures. The level of security can vary from business to business. As mentioned previously, both technical and organizational security are two methods for protecting the data.

If you have a handle on the six principles, you’ve come a long way towards processing personal data correctly. And it pays off to work within the rules. Violations of the GDPR can result in fines and penalties.

Enforcement Tracker can give you an overview of fines and penalties for violating GDPR in the EU and EEA.

What can be done in the process of securing personal data?

Data can be protected in different ways and therefore, as such, there is no manual on how exactly to do it. However, some methods may be better than others.

You can achieve optimal protection of personal data through good design and good default settings.

A good data protection design allows your company to take data security into account early in the process when planning new ways of processing personal data. Here, the controller can and should take all the necessary technical and organizational decisions to implement data protection principles and protect the rights of individuals. This may include, for example, the use of pseudonymization.

Data protection with good default settings includes ensuring that the company always has the highest data protection setting as the default setting. For example, should there be two different privacy settings available and one of the settings ensures that the personal data cannot be accessed by others, this setting should be the default setting.

Who is Meo?

Meo is a Danish RegTech company that owns, develops and operates an identity management platform for handling customer data, Meo. Our goal is to get companies to share data securely and thus prevent inappropriate situations and risks such as money laundering, corruption, and ensuring compliance with the law.

Read more about Meo in our About section. Find out more about Meo below.

Meo – processing personal data easily and securely

If you’ve read along from the top, and have lost your breath over the challenges of working with GDPR and personal data, then you’re not alone. Luckily, there are a number of good solutions for the business challenges of processing data.

Meo is a software platform that since 2015 has made it possible for businesses and individuals to exchange information in a transparent and secure way.

For businesses there are a number of benefits from using Meo:

Onboarding

Onboard your clients digitally – using secure channels.

Validation

Setup your own requirements for validation of information.

Documentation

A full trail and overview of the performed actions and consent for processing.

Processing

With Meo you comply with all legal requirements – both GDPR and AML.

Here is what you as a company need to know about money laundering

Is your business subject to the Anti-Money Laundering (AML) Directive? Then it’s important to know the fundamentals of money laundering, and why it’s necessary to have local and international anti-money laundering laws and regulations.

In this article you can learn more about money laundering, including:

• What is money laundering?
• How is money laundering committed?
• What does international and european law say about money laundering?
• 4 important terms when it comes to money laundering
• Guide to anti-money laundering checks
• How the Meo platform ensures that your company is 100% AML-compliant at all times.

What is money laundering?

Money laundering is predominantly about making illegal means – black money – legal. That means cloaking the financial gains from criminal activities and using it with legal vendors and in broader society. The origins of the black money can, for example, come from dealing illegal substances or weapons, tax evasion and much more.

White washing

All activities that help criminals obfuscate, conceal, or transform black money into legal tender (which can be documented and used legally) is called white washing or money laundering.

How is money laundering committed?

There are many ways to launder money. Below is an example of how it could transpire:

• A drug dealer has sold illegal substances for 25,000 EUR and now has a lot of black money in his possession.
• The drug dealer finds a used car that’s privately for sale for 75.000 EUR. He offers to buy the car for the full amount – in exchange for paying partially in cash.
• The drug dealer goes to the bank and gets a loan, where he explains he’s buying a car for the price of 50.000 EUR.
• The bank grants the loan and transfers 50.000 EUR directly to the seller, but the drug dealer pays him 25.000 EUR in cash.
• The drug dealer now sells the car to a third-party for 75.000 EUR that is transferred directly to his bank account. He can now document that the money originates from the sale of the car. He pays off his loan to the bank.
• Now the 25.000 EUR have been laundered as they seem to be payment for a simple car sale.
• In principle, money laundering can also be achieved through registered car dealers as a go-between. The drug dealer can have straw men buy and sell cars, boats, art, property, and other physical items to white wash the black money.

What does the law and regulations say about money laundering?

In the EU all financial businesses are subject to and regulated by the Anti-Money Laundering (AML) Directive.

Its full official title is: "Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing" (read it in full here). The directive exists to hinder criminals from being able to earn money from illegal activities which can then be used legally or to finance terrorism.

It’s important to combat money laundering because this type of crime makes it difficult for law enforcement to discover criminal acts. By stopping the laundering of illegal money you simultaneously prevent other forms of financial crime as the perpetrators will have a more difficult time spending or storing their ill-gotten gains. Furthermore, the Anti-Money Laundering Directive also exists to prevent opportunities for financing terror acts and organizations. Most European countries have local laws and regulations based on the EU-directive, which is continuously being formed and developed by the European Parliament. At the present time, the EU has developed six different directives (AML1-6) for the prevention of money laundering.

A number of different business fields and sectors are legally obliged to conduct themselves in accordance with anti-money laundering regulations. Here’s a brief overview:

• Lawyers
• Auditors and external accountants
• Real estate agents
• Landlords
• Financial companies
• Service providers

Read more about the danish Anti-Money Laundering Directive (Hvidvaskloven).

4 important terms when it comes to money laundering

There are quite a few technical, legal and other terms or abbreviations regarding money laundering. The four most important ones to know are:

1. CDD - Customer Due Diligence

Customer Due Diligence (CDD) is a cornerstone of businesses’ anti-money laundering initiatives and procedures. The term covers all actions undertaken by companies to verify the identity of their clients or customers, as well as perform background checks and risk evaluations. Companies and organizations subject to anti-money laundering laws and regulations are required to perform risk assessments, wherein they – on a client-to-client basis – assess the risk of the client being used or using the business for money laundering or the financing of terrorism. Read more about CDD and risk assessment.

2. KYC - Know Your Customer

There are many reasons for why it’s important for businesses to “know their customers.” Among them is – in relation to CDD – evaluating whether or not they are a risk for the business. KYC-screening or verification is a process in which the business identifies or verifies the identity of their customers and clients. In other words, they get to know their customer. This can be achieved by gathering personal information and identification data about the customer or client, which needs to be verified.

3. PEP - Politically Exposed Person

A PEP, or Politically Exposed Person, is a strictly defined category of people, who – on the basis of their political position or power – are considered to be customers that are at greater risk of being subject to money laundering or other criminal activities. The concern is that they - because of their position - can be exposed to blackmail, bribes or otherwise (both willingly and coerced) can be embroiled in money laundering. Read more about PEP and PEP-lists.

4. AML - Anti-Money Laundering

AML is an abbreviation for “anti-money laundering”. The term refers to a broad swath of laws, regulations, directives and procedures that exist to prohibit or stop the laundering of illegal money.

Guide to anti-money laundering checks

Businesses in the affected sectors have to constantly adapt to a plethora of laws, directives and regulations. Most of these require or encourage specific forms of anti-money laundering checks.

With AML 5, which was implemented in January of 2020, a number of changes were introduced, including a transition to a risk-dependent approach to precautionary measures regarding anti-money laundering. The new approach demands more of the businesses’ ability to assess their customers or client relationships.

Roughly speaking, businesses need to assess the risk that they’re being misused for money laundering or the financing of terrorism. One of the central and foundational concepts is the creation of the risk assessments, policies and business procedures, as well as the underlying control and evaluation that ensures that overall compliance.

Read more about the danish Anti-Money Laundering Directive (Hvidvaskloven - Download PDF).

Meo – steer clear of money laundering with our intelligent platform

We hope you now have a more clear understanding of money laundering – and have given you an insight into what your business needs to be aware of to be AML-compliant. Do you have a clear standard for your processes, data handling and the verification of new clients?

If not, Meo can help.

Meo is a Danish company and software platform that helps businesses with their data security, onboarding and overall compliance.

With Meo you can:

• Automatically screen clients via PEP-lists.
• Verify clients’ ID
• Collect data from official sources regarding businesses and individuals

With Meo you don’t need to worry when it comes to anti-money laundering measures.

Is your business subject to the Anti-Money Laundering (AML) Directive and the subsequent laws and regulations in all EU and EEA countries? Then it’s important that you know your obligations regarding the law, and why it’s even necessary to have a European standard for anti-money laundering initiatives and regulations.

On this page we answer the most frequently asked questions about AML and the Anti-Money Laundering Directive, such as:

• Why do we need Anti-Money Laundering (AML) laws and regulations?
• Which businesses are subject to the Anti-Money Laundering Directive?
• How do EU directives and national laws interact?
• The various regulatory agencies
• What happens if businesses don’t uphold the law?
• Guide to the Anti-Money Laundering Directive
• AML 5: the risk-based approach
• Risk assessment
• Policies
• Business procedures
• Audits and verification
• KYC procedure
• AML 6: New requirements coming

Why do we need Anti-Money Laundering (AML) laws and regulations?

Anti-money laundering laws and regulations exist to prevent money being made from criminal activities being used in the rest of society. Fundamentally, the law exists in order to make it more difficult to commit crimes, such as tax avoidance and financial fraud. The law is also intended to prevent the financing of terrorism.

All EU and EEA countries have their own anti-money laundering laws and regulations. However, they’re all formed by EU directives which are formed and approved by the European Parliament. The EU has, at the current moment, created six different directives regarding money laundering. In technical terminology they’re referred to as AML 1-6. AML is an abbreviation for ‘anti-money laundering.’

EU directive

A directive is a legal act decreed by the European Union. The directives are binding for member states and members of the European Economic Area (EEA). However, the countries themselves decide on how to implement the directive in national laws and regulations.

Which businesses are subject to the Anti-Money Laundering Directive?

Different businesses are subject to the Anti-Money Laundering Directive, among others:

• Law firms
• Accountants
• Real estate managers
• Landlords
• Financial companies
• Service providers

How do EU directive and national laws interact?

Whenever the European Parliament issues a directive, the individual member states have a period where they’re required to implement the directive in local legislation. This typically happens by making adjustments in pre-existing laws and/or issuing new executive orders.

The work involved in implementation typically stretches over a longer period, and not all countries implement the law concurrently or similarly. This creates some debate between countries, as it leads to situations arising where it might be more beneficial to set up a financial license in one place and then delivering your products to the remaining countries.

EU’s expert groups

The development of AML-directives involves a number of different professions, interest groups, legal experts as well as local regulatory agencies.

Meo has since 2015 been represented in one of the EU’s payment systems market expert groups (PSMEG) by our CEO, Christian Visti Larsen, who has assisted in developing AML 5.

Different regulatory agencies

The supervisory or regulatory agency that originally issued a business license will often be the party responsible for ensuring proper supervision and enforcement.

But from country to country, there can be a degree of difference between how regulations are enforced. This makes it more enticing for certain businesses to focus their activities in one country where the supervision is more lax – and thereafter selling their wares or services to the rest of the countries in the European inner market.

What happens if businesses don’t uphold the law?

There’s a difference between how the individual regulatory agencies communicate the activities and issues they might uncover when supervising businesses.

At times these can be in the form of regulatory AML reports that specify criticisms, injunctions and even reports to the police. These reports are typically publicly available on their websites, and it’s often required that the reports are displayed on the businesses’ own websites.

If a business is caught not living up to their obligations, it doesn’t necessarily result in a fine. However, the business will rarely be able to avoid penalties or a trip to the metaphorical pillory. For businesses that depend on their good name and reputation, this can be much worse than a fine.

Penalties

The regulatory agencies can rarely issue fines but they are able to report the company in violation of AML laws to the local police department for criminal financial activities. This then results in a police investigation that can lead to a public trial. However, it’s possible for the agency to issue administrative fines in simple cases where the business admits to wrongdoing.

AML 5: The risk-based approach

The latest directive, AML 5, was passed in 2017 and widely adopted by januar 2020. With this directive we transitioned to a risk-conditional approach to anti-money laundering (AML) precautions – an approach that requires more from businesses’ assessment of their client relations.

Businesses now need to assess the individual risk, from each client, of being used for money laundering or financing of terrorism. Some of the central and fundamental elements in the new AML directive is:

• Risk assessments
• Policies
• Business procedures

It’s all up to the business to develop and implement these requirements. Below, we explain what each element entails. Furthermore, you need to create a description of how you audit and supervise each activity, so you’re certain the law is being upheld.

The risk-based approach results in a much greater focus on verification of identity and ongoing KYC checks.

Risk assessment

Businesses subject to the Anti-Money Laundering Directive have to create risk assessments that identify and evaluate every perceived risk associated with individual clients, products, delivery channels and business activities.

To create a risk assessment, the business needs to:

• Consider the risk, from client to client, of being exploited for money laundering or the financing of terrorism. This is also called CDD (Customer Due Diligence).
• Be able to explain and justify the assessment and precautions to the relevant regulatory agency.
• Make a Risk Assessment that includes the business’ precautions and safeguards in relation to the prevention of money laundering.

You could, for example, end up concluding that there is an elevated risk connected with clients living abroad. This risk is dependent on which country the client resides. Based on this information you can evaluate whether you need further documentation from the client. For instance, you could demand to see a copy of their passport or birth certificate. If the businesses’ services allow for people or entities to become clients without physical meetings, you can also decide that this requires a need for further documentation.

Risk assessment

Risk assessments are structured approaches wherein you attempt to, objectively and fairly, assess clients individually. That requires differential treatment.

Policies

A business’ policies describe their overall appetite for risk. This policy will often include descriptions of:

• Which types of clients you want to do business with
• Which types of clients you don’t want to do business with

It will typically be management who outline and develop these policies which are then approved by the board of directors. One of the primary reasons for this is that it forces leaders to acknowledge and actively decide on the risks associated with running the business. In this way no one in the business can acquiesce their responsibilities or wash their hands of wrongdoing if problems arise.

Policies also define the area within which the employees operate without needing constant approval from upper management.

A business’ policies describe their overall approach and capacity for risk. Policies are created by upper management and approved by the board of directors.

Business procedures

Briefly, a business procedure is a written process for how you, as an employee or business, need to conduct yourself in specific, well-defined situations.

A business procedure:

• gives you an overview of the risks you consider to be present with different groups of clients or customers.
• describes the actions you have taken to mitigate this risk.

Example

If you have a client residing abroad, you can use the risk assessment to evaluate whether this constitutes an elevated risk that your business is being misused for money laundering or the financing of terrorism.

This is the perceived risk the business incurs if they take on the client. To be able to accept said risk the business procedure needs to demand a more thorough verification of the client. In addition to a standard KYC check, you can demand notarized copies of passports, or request additional information regarding the business venture.

Furthermore, a business procedure will also contain information regarding when and how you report misconduct to a regulatory agency, such as when you suspect financial malfeasance.

Audits and verification

Audits and verification always have to be documented. It’s useless to perform verification if you can’t subsequently prove it took place.

A typical mistake in this process involves manual verification of copies of passports or driver’s licenses. To counter this, a business procedure could prescribe that the employee has to go through the documents and ensure that the ID is valid and of such a quality that they can subsequently identify the client. But if there’s no documentation that this has happened, the audit is not considered to have transpired regardless of whether or not the employee actually looked through the documents.

KYC check

A KYC check is also performed on the basis of the risk assessment and the identified risks. This is also known as KYC or “Know Your Customer.”

Depending on the perceived risks, you can either perform an enhanced or regular check. KYC requires obtaining identifying personal data about the client. Typically, these will include:

• Name and Social Security Number or Legal Entity Identifier (LEI), depending on whether the client is an individual or another business/organization.

This identifying information needs to be verified via a reliable independent source. That means you need to verify documents and compare them to publicly available information and databases that can validate addresses, passports or names.

Read more about KYC

KYC Check

Describes how the business conducts itself in order to get to know their customers/clients. KYC is an abbreviation for “Know Your Customer.”

AML 6: New requirements coming

All the previous requirements have a common denominator: they require established procedures and verification processes on each individual client. A secure procedure and verification of client relations can only be ensured if there’s sufficient documentation that it took place.

If you don’t follow the rules it can have grave repercussions for your business. Aside from the already comprehensive demands, you can be subject to increased supervision and thus further requirements. This is a field with a massive political and societal interest and scrutiny, which is why it’s just good business to know the rules and be at the forefront.

The latest edition, AML 6, is scheduled to be implemented in all member states by December 3rd 2020 and go into effect for business by June 3rd 2021. With AML 6 multiple elements will be expanded upon with an emphasis on fines and sanctions.

Meo – steer clear of money laundering with our easy and safe AML solution

As you’ve probably noticed, there are a lot of requirements for businesses when it comes to AML and anti-money laundering laws and regulations. Are you on top of your AML procedures and approaches?

If not, Meo can help.

Meo is a software platform that can help you with AML compliance in addition to a number of other services.

With Meo you can:

• Automatically screen clients via PEP-lists
• Verify clients’ ID
• Collect data from official sources regarding businesses and individuals

Importance of Information Security and GDPR Compliance

In general, information security is about properly protecting a company's data, including customer data, personal data and finance. It is important to handle personal data correctly in accordance with the GDPR. Breaches of this can result in severe penalties.

It is essential to secure sensitive data from misuse or other leakage of information. At NewBanking, we have developed a software and digital data management platform that automates and complies with guidelines, rules and legislation to help you avoid money laundering or GDPR breaches.

We can contribute with risk assessments, examine your KYC status and identify critical points as well as possible optimisation opportunities for this. Our admin tool, NewBanking Identity, helps to digitally verify, monitor and check customers as well as make reports to regulators and risk assessments.

Learn more about what GDPR is on our page and more about information security on GDPR.dk.

Minimize resources spent in your business

With the help of a platform like NewBanking Identity, you can free up resources, as you avoid spending time and staff on handling information security in your company, and can spend your time on more efficient and rewarding areas for your particular industry.

We can also help you with a digital onboarding flow that allows you to easily and securely exchange data across the organisation - safely and securely. This reduces the manual errors that often occur in information security.

In this context, we can tailor exactly the platform and data sources that are necessary and essential for your customer type. This platform can be integrated directly into your website, improving and optimising the user experience for your customers.

Much more than an information security check

At NewBanking, we value being able to offer a complete solution that assists you in everything from the information security mentioned above, but you can also get help with compliance checks, as well as insights into money laundering and handling in these types of cases.

We are a sparring partner on everything that involves the handling of personal data, customer data and the protected exchange of the same.

We work with everything from small companies without KYC management to large companies with greater needs for sparring and additional system integrations. Contact us for a no-obligation conversation about your needs and options.

Here is what you as a company need to know about money laundering

Is your business subject to the Anti-Money Laundering (AML) Directive? Then it’s important to know the fundamentals of money laundering, and why it’s necessary to have local and international anti-money laundering laws and regulations.

In this article you can learn more about money laundering, including:

• What is money laundering?
• How is money laundering committed?
• What does international and european law say about money laundering?
• 4 important terms when it comes to money laundering
• Guide to anti-money laundering checks
• How the NewBanking platform ensures that your company is 100% AML-compliant at all times.

Read more about the platform here or contact us to hear more about how we can help your company with KYC compliance.

What is money laundering?

Money laundering is predominantly about making illegal means – black money – legal. That means cloaking the financial gains from criminal activities and using it with legal vendors and in broader society. The origins of the black money can, for example, come from dealing illegal substances or weapons, tax evasion and much more.

White washing

All activities that help criminals obfuscate, conceal, or transform black money into legal tender (which can be documented and used legally) is called white washing or money laundering.

How is money laundering committed?

There are many ways to launder money. Below is an example of how it could transpire:

• A drug dealer has sold illegal substances for 25,000 EUR and now has a lot of black money in his possession.

• The drug dealer finds a used car that’s privately for sale for 75.000 EUR. He offers to buy the car for the full amount – in exchange for paying partially in cash.
• The drug dealer goes to the bank and gets a loan, where he explains he’s buying a car for the price of 50.000 EUR.
• The bank grants the loan and transfers 50.000 EUR directly to the seller, but the drug dealer pays him 25.000 EUR in cash.
• The drug dealer now sells the car to a third-party for 75.000 EUR that is transferred directly to his bank account. He can now document that the money originates from the sale of the car. He pays off his loan to the bank.
• Now the 25.000 EUR have been laundered as they seem to be payment for a simple car sale.

In principle, money laundering can also be achieved through registered car dealers as a go-between. The drug dealer can have straw men buy and sell cars, boats, art, property, and other physical items to white wash the black money.

What does the law and regulations say about money laundering?

In the EU all financial businesses are subject to and regulated by the Anti-Money Laundering (AML) Directive.

Its full official title is: "Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing" (read it in full here). The directive exists to hinder criminals from being able to earn money from illegal activities which can then be used legally or to finance terrorism.

It’s important to combat money laundering because this type of crime makes it difficult for law enforcement to discover criminal acts. By stopping the laundering of illegal money you simultaneously prevent other forms of financial crime as the perpetrators will have a more difficult time spending or storing their ill-gotten gains. Furthermore, the Anti-Money Laundering Directive also exists to prevent opportunities for financing terror acts and organizations. Most European countries have local laws and regulations based on the EU-directive, which is continuously being formed and developed by the European Parliament. At the present time, the EU has developed six different directives (AML1-6) for the prevention of money laundering.

A number of different business fields and sectors are legally obliged to conduct themselves in accordance with anti-money laundering regulations. Here’s a brief overview:

• Lawyers
• Auditors and external accountants
• Real estate agents
• Landlords
• Financial companies
• Service providers

Read more about the danish Anti-Money Laundering Directive (Hvidvaskloven).

4 important terms when it comes to money laundering

There are quite a few technical, legal and other terms or abbreviations regarding money laundering. The four most important ones to know are:

1. CDD - Customer Due Diligence

Customer Due Diligence (CDD) is a cornerstone of businesses’ anti-money laundering initiatives and procedures. The term covers all actions undertaken by companies to verify the identity of their clients or customers, as well as perform background checks and risk evaluations. Companies and organizations subject to anti-money laundering laws and regulations are required to perform risk assessments, wherein they – on a client-to-client basis – assess the risk of the client being used or using the business for money laundering or the financing of terrorism. Read more about CDD and risk assessment.

2. KYC - Know Your Customer

There are many reasons for why it’s important for businesses to “know their customers.” Among them is – in relation to CDD – evaluating whether or not they are a risk for the business. KYC-screening or verification is a process in which the business identifies or verifies the identity of their customers and clients. In other words, they get to know their customer. This can be achieved by gathering personal information and identification data about the customer or client, which needs to be verified. Read more about KYC (Know Your Customer).

3. PEP - Politically Exposed Person

A PEP, or Politically Exposed Person, is a strictly defined category of people, who – on the basis of their political position or power – are considered to be customers that are at greater risk of being subject to money laundering or other criminal activities. The concern is that they - because of their position - can be exposed to blackmail, bribes or otherwise (both willingly and coerced) can be embroiled in money laundering. Read more about PEP and PEP-lists.

4. AML - Anti-Money Laundering

AML is an abbreviation for “anti-money laundering”. The term refers to a broad swath of laws, regulations, directives and procedures that exist to prohibit or stop the laundering of illegal money.

Guide to anti-money laundering checks

Businesses in the affected sectors have to constantly adapt to a plethora of laws, directives and regulations. Most of these require or encourage specific forms of anti-money laundering checks.

With AML 5, which was implemented in January of 2020, a number of changes were introduced, including a transition to a risk-dependent approach to precautionary measures regarding anti-money laundering. The new approach demands more of the businesses’ ability to assess their customers or client relationships.

Roughly speaking, businesses need to assess the risk that they’re being misused for money laundering or the financing of terrorism. One of the central and foundational concepts is the creation of the risk assessments, policies and business procedures, as well as the underlying control and evaluation that ensures that overall compliance.

Read more about the danish Anti-Money Laundering Directive (Hvidvaskloven - Download PDF).

Meo – steer clear of money laundering with our intelligent platform

We hope you now have a more clear understanding of money laundering – and have given you an insight into what your business needs to be aware of to be AML-compliant. Do you have a clear standard for your processes, data handling and the verification of new clients?

If not, Meo can help.

Meo is a Danish company and software platform that helps businesses with their data security, onboarding and overall compliance.

With Meo you can:

• Automatically screen clients via PEP-lists.
• Verify clients’ ID
• Collect data from official sources regarding businesses and individuals

Understanding Sensitive Personal Information and its Pitfalls

What is sensitive personal information and how do you become aware of pitfalls in this area? When dealing with this type of information and the handling of the same, it is first important to know the difference between general personal data and personal sensitive information.

The former is information that can be traced back to a specific person, which can be any information that can identify him or her in context. This can be anything from a picture, name, address, medical records, social security number, fingerprints, age, education, etc.

In contrast, personal data or information is data that a company, according to data protection law, must be extremely careful about handling. This information includes the following:

• Political beliefs
• Ethnicity and race
• Religious beliefs
• Trade union membership
• Genetic data
• Data of a biometric nature for identification purposes
• Health information
• Sexual orientation or relationship

If you would like further information and clarification, you can read more about this on Datatilsynet.dk. Here you can also find information on legislation and paragraphs related to the subject.

Get help for correct handling from Meo

At Meo, we help with efficient handling of sensitive personal information. Our primary task is to ensure that your company and associated customers can exchange and work with sensitive personal information confidential and legal.

We help ensure control over this information and store it in a protected and central location so that there is full control over its handling. We can help with risk assessments, ongoing monitoring, follow-ups, reports and much more.

Meo is a Danish company operating in RegTech and including customer data management using an identity platform and software - Meo, which is our software system.

You are always welcome to contact us regarding questions on what is personal data or our platform and services in relation to compliance and KYC processes. We are available to have a no-obligation chat about how you can streamline processes and thus free up time and resources in your daily KYC work.

Too long, too personal

According to recent research, 68% of consumers abandoned an application for a financial service in 2021. A 3% rise since 2020 and a huge missed business opportunity. Not surprisingly, the two key reasons were the longer-than-expected application process and the amount of personal information requested.

Bad UX in onboarding is still a major pain

While a bit of friction is necessary in industries providing services where consumers have personal finances or delicate information at stake, too much friction is detrimental to successful onboarding.‍

Meo partners with e-Boks

Our new partnership with e-Boks results in a more safe and seamless user experience than ever seen before within KYC.

A solution that meets companies’ growing need for access to data, now requested through the most trusted digital postbox, allowing the customers to share data through a platform that they are familiar with and comfortable using.

Frontrunners in the KYC space are dedicating resources to improve onboarding flows and make them more similar to UX leaders like Apple, Amazon etc., while adding just the right amount of friction to induce trust.

Increased scepticism towards data requests

Consumers can be fickle. While increased public attention to GDPR has raised consumers expectations towards regulatory compliance, they still want to share as little personal information as possible.

Research shows that consumers have become increasingly sceptical due to fear of data breaches. Thus, to cater to the digitally enlightened consumer, factors such as data privacy, data transparency and data control are powerful generators of trust in a company or brand.

Where to begin?

As indicated by the data above, speed, UX, data volume and trust are major arenas for battle when it comes to improving onboarding and winning customers. While regulation may prohibit you from reducing the amount of personal information you request, there is a lot to be done in how and where you ask for information. Tuning in on those factors can potentially be a game changer to ensure your customers complete onboarding.

To mend the trust gap and make onboarding and KYC simpler for consumers, we are partnering with e-Boks, the most trusted digital postbox in Denmark. Our customers can now deliver data requests to a provider that consumers know, use and trust with their data already. With conversion rates up to 98% on data requests in e-Boks, completing onboarding feels both more familiar and more safe.

Its Purpose, Process, and Necessity

Are you questioning: what is a declaration of consent? In this article, we can answer the questions of what it is, how it is filled in and why it may be necessary. This is a written document that is created when having to give consent or permission for a specific action.

More specifically, it is used in the context of travel with children, professional consent in regards to private collaboration, which is both within and outside the legal framework. It can, therefore, also be a written agreement on how an external company manages data security in another company, and so on.

What does such a statement entail?

A declaration of consent is a written agreement that covers a wide range of issues and situations. But generally speaking, there is always one party giving permission to another party to perform a particular action.

Among other things, the consent form involves:

• Identifiable descriptions of all parties
• The time period of the consent
• What is consented to - the object in question
• How the consent itself is to be used
• What a possible cancellation or revocation looks like

Which parties are involved in this document?

When filling in a declaration of consent, there are always several parties present. This involves the "giving" party and the opposite party to whom the consent is given. The descriptions and information in such a statement must be referable, which means that they must be able to identify the parties.

The essence of this whole covenant and permission is that the giving party must give consent voluntarily. This is regardless of the context. There are some points and areas which must also always be complied with and completed.

Understand what is a declaration of consent and what the points are

It can be beneficial to have a declaration of consent template that a company or individual uses in situations where consent is required.

• Descriptions of the parties should include the full names of all parties and contact details provided, together with any social security or company registration numbers.
• The time period must be clearly defined. This gives an indication of when and for how long it may be used.
• What is consented to is the most essential, as it implies the object. It can be the given data used in the collaboration, the certificate used, the person, the company or whatever this may be.
• How the consent and this declaration of consent are to be used is in several places a more optional point. However, if a company wants this point included, the purpose of the act can be described.
• How to withdraw consent may be a beneficial area to cover in the event that parties disagree or rules are broken for the consent form in place.

Reduce risks with digital data management platform

At Meo, we work with data security through a digital platform. Therefore, in addition to being able to introduce you to what is a declaration of consent, we can also assist with digital help to handle everything from verification, monitoring, checking of customers - current as well as new.

We automate time-consuming KYC procedures, creating more time for your work and reducing the possibility of errors.

What does due diligence mean?

Due diligence means, in short, a thorough investigation. This process involves a careful review of various elements related to drawing up or designing a contract regarding a change of ownership of a company.

It is necessary in this context to closely examine the assets that the company has and generally their financial status. Therefore, the following elements are often investigated:

• The financial statements
• Management
• Marketing
• Tax situation
• Contracts and rights of an intellectual nature
  

However, the investigation varies depending on the purpose of the change of ownership and the specific industry. Which information is crucial can vary depending on the purpose of the investigation. It can be advantageous to use professional tools such as relevant platforms for this due diligence process.

This is how it works in practice

How this process works in practice can vary, but what is often done in practice is to divide the company's assets and areas into groups and phases, and then each area and phase is investigated step-by-step.

First and foremost, a preliminary investigation of the company can provide insight into whether there are any parameters that generally prevent the agreement and the change of ownership from being completed. This preliminary investigation can, therefore, also put a natural hold on the upcoming investigation, due diligence if some areas are inadequate.

The next step in a due diligence process is to collect data on the company. This data can cover the aforementioned areas, which are analyzed and interpreted thoroughly and with care.

Finally, a report is prepared that outlines areas where there may be issues. This is done with a view to the further negotiation of the contract or potential termination of the negotiation.

Who are we at Meo?

At Meo, we work on streamlining KYC procedures and digital data management systems, which includes our software solution: Meo Identity. We specialize in streamlining processes with clients, as well as ensuring the best possible handling of data.

We automate verifications, check and monitor current and future customers, as well as perform risk assessments.

We make it possible for your company to share data internally and with customers, quickly and efficiently, without worrying about sensitive personal data or other security measures.

In addition to knowledge about due diligence, you can read much more on our site about areas such as money laundering and AML, as well as PEP lists and data security. We help companies with a compliance check to investigate where you can optimize and need updates.

What is compliance - Get answers and take a non-binding check up

Let us help you understand "what is compliance" and why regular compliance check ups are important. We conduct non-binding surveys and check ups of your KYC processes, where we provide an overview of the efforts and procedures you can optimise and how.

At Meo, we treat your data and responses confidentially and securely, in order for you to receive a compliance check up with peace of mind. But allow us to introduce Meo and our identity, as well as put you in the picture of what compliance is.

What is meant by a compliance check up?

When talking about a compliance check up, we mean an examination of whether rules, legislation and guidelines are being adhered to in the respective processes. This applies to processes in connection to customers as well as internally.

In the same process, the term KYC compliance is used. KYC is primarily an abbreviation of Know Your Customer, and this term, therefore, covers knowing your customers legislation and guidelines and what you need to be aware of. The term is used in financial contexts.

These concepts and efforts have been created to safeguard customers against corruption, money laundering, fraud and other types of financial abuses.

The purpose of conducting these check ups, and gaining knowledge on what constitutes compliance, is to avoid pitfalls that can, in the worst case, lead to sanctions if you violate laws, guidelines or other regulations.

Who is Meo?

We are a RegTech company located in Denmark, working on platforms for the benefit of secure customer data handling.

At Meo, we offer complete solutions through software to automate customer verification, checks, monitoring as well as risk assessments and onboarding flows allowing you to save resources.

We help save you time on cumbersome processes that are essential to avoid breaches of legislation, regulations or guidelines. By automating or streamlining processes and gaining a deep understanding of "what is compliance", we can ensure that everyday life is easier and more manageable for both you and your clients.

So spend time wisely on other processes and streamline your efforts while ensuring your data exchange is secure and confidential.

Other law firms should follow suit

In April 2019, the law firm, Bech-Bruun, was searching for a platform to assist them in complying with the growing legislation and documentation requirements concerning KYC and GDPR. Bech-Bruun also needed to find a proper way to handle the personal information of their clients and employees. The choice fell on the Meo platform gaining traction with a growing number of law firms.

“We needed to carry out a systematic collection of KYC documentation while meeting all our obligations with GDPR. Therefore, we searched for a system to handle these procedures. The alternative was to develop a system ourselves, but Meo platform checked off the vast majority of our boxes. Furthermore, they were very accommodating to our specific wishes and needs. This is why we chose them.” says Martin Riber Povlsen, CFO and Head of Compliance at Bech-Bruun.

At Bech-Bruun, a total of 11 employees are currently working to ensure that the law firm is compliant with the legislation within KYC (Know Your Customer) and GDPR (General Data Protection Regulation).

Commonly, correct data handling is a responsibility allocated across multiple units within the organisation, but Bech-Bruun has insourced everything to be handled by a designated Compliance Department. However, this does not change their preference for the platform. The Meo platform has become a natural part of the working day ranking alongside Word and Excel.

“We use the platform for all our obligations within KYC, and we are already active with thousands of identities on the platform. As a result, we provide all our customers with a uniform process for obtaining and storing documentation in a legally correct manner. Additionally, the processes of verifying the validity of passports and driver licenses are now automated.” says Martin Riber Povlsen and continues:

“If we did not have these compliance processes governed by a suitable platform, we would either struggle to deliver our service, or we would have to spend many hours solving the tasks manually. As a law firm, it is important to ensure our clients’ correct onboarding and advise clients according to the current KYC and GDPR procedures.”

Legaltech shoots ahead

The requirements are the same for all law firms regarding KYC compliant client onboarding and GDPR compliant storing of personal data. Therefore, Bech-Bruun believes it will be beneficial for law firms and their clients to use the same platform.

“It will be easier for everyone if the clients get accustomed to a shared platform for uploading documentation of different kinds - also when sharing data between the law firms”, ​​says Martin Riber Povlsen.

According to Christian Visti Larsen, CEO and co-founder of Meo, the entire LegalTech industry is in rapid development, and with good reason:

“The law industry has seen how new technology has meant major changes in other industries, and now, due to strict KYC and GDPR legislation, changes to how law firms operate are inevitable. Moreover, many have realised that smart IT platforms can do more than only ensure cost savings in their administrative work. The technology can also be a source of income when used to service their clients. There is a huge market for law firms with access to systems and know-how that makes a difference for the clients.” says Christian Visti Larsen, who has already seen several examples of this in the law industry.

Christian Visti Larsen frames Meo as a platform that complements the law firms’ existing systems when handling client cases. “Usually, there is a law firm represented on both sides of a lawsuit, and therefore, it is a great advantage for all parties if they can use a shared platform”, he explains.

Keeps track of criminal records

In addition to using the platform to handle client information, Bech-Bruun also uses it to support other administrative tasks, such as responsibly reviewing employees‘ criminal records.

Martin Riber Povlsen credits Meo for being very adhering to the needs of Bech-Bruun in the continued development of the platform. Consequently, Bech-Bruun now has a platform that matches the needs of their business and the needs of many other law firms.

“The platform automates and systematises processes, which are easy to document in case of an audit. Instead of developing a system of our own, we now have a platform that automatically evolves with our needs. This makes us very satisfied,” says Martin Riber Povlsen.

What is a DPO?

What is a DPO? This term is an abbreviation of the word, Data Protection Officer. This person or company carries out tasks, such as data security checks, in a company. This includes compliance with the GDPR.

Public authorities and bodies must have a DPO, Data Protection Officer, who carries out these tasks. This DPO must also advise the data controller of the specific body. It is a legal obligation for these authorities and bodies to have a data protection officer appointed, which may also be the case for several companies.

You can read much more about GDPR,, the Personal Data Act, the Data Protection Act and the difference between them in our articles on this page. Where and for how long can a company keep personal data? Who is covered by the GDPR? These are questions that a DPO, Data Protection Officer can help answer.

A Data Protection Officer will often act as a liaison between the Data Protection Authority and the data controller in the company. In addition, a company's DPO must be independent and external, and must not receive instructions on the selection of tasks.

How does Meo work with data security?

At Meo we can help you with the secure transfer of information to and from customers, as well as a software system that can act as an administration tool for both: verification, checking and monitoring of current and prospective customers, as well as a tailored risk assessment.

This system, Meo Identity, helps you and your DPO to check and manage data correctly, and this system and automation of data management ensures your compliance with GDPR, avoiding penalties, in the form of fines or similar.

We are ISO 27001 certified, as GDPR and AML compliant, which means we are internationally approved and certified in information security and data handling.

Manage your data securely with a DPO, Data Protection Officer

It is essential to work correctly with data, as there may be major penalties for violations of, among others, GDPR, the General Data Protection Regulation. With an automated system, not only can you free up resources from semi-manual processes, but you also ensure control and reduce risk.

A Data Protection Officer will, by advising on a company's data security, look into the handling and guide employees to the extent that potential knowledge about data security, GDPR and the exchange of data with customers or clients is lacking.

This advisor may therefore also provide guidance or recommend useful applications or IT systems that may be relevant for maintaining data security.

Let us help make your client management transparent and secure, so that all processes take place under legal conditions.