In meeting my obligations under the Money Laundering and Terrorist Financing (Prevention) Act (Wwft), do I have to take account of the GDPR?
The GDPR requires that any processing of personal data must occur on a valid basis, such as a legal basis. The Wwft is a valid legal basis of this kind. As an entity with an obligation to report, you process the personal data of customers, representatives, and ultimate beneficiaries, among others. This means that, within the framework of the Wwft, you are required to process personal data for the purpose of carrying out checks on your customers.
’Know Your Customer’ checks as required by the Wwft must be carried out in accordance with the provisions of Chapter 2 of the Wwft. Among other things, this means that the identity of the customer (e.g., a buyer) and, if applicable, of the ultimate beneficiary, must be established and recorded. On the basis of the Wwft, this data must be retained for five years after the transaction or the termination of the business relationship. The same holds for data relating to unusual transactions.
-
If your organization is registered with FIU-the Netherlands, it has a unique identity number for submitting reports: the Reporting ID. You can find the Reporting ID in the reporting portal under ‘My Reporting Details’.
-
FIU-the Netherlands stores reports of unusual transactions in a highly secure and protected database, where they are classified as “State secret – secret”. This database can only be accessed by employees of FIU-the Netherlands whose position requires such access. Nobody else has access to the database. If analysis of a given unusual transaction reveals sufficient grounds to designate it suspicious, the suspicious transaction becomes police data, which can be accessed by the investigative, intelligence, and security services. This suspicious transaction is no longer classified as “State secret – secret”, but now falls under the Police Data Act (Wet Politiegegevens).
The investigative services can use a suspicious transaction in various ways, and depending on these uses, it may end up in a prosecution file. If the suspicious transaction is included in a prosecution file, safeguards are in place to protect the safety of the reporting entity. These safeguards were further strengthened by a motion (NL) adopted by the Dutch House of Representatives in 2020.
-
On the basis of Articles 19 and 20 of the Money Laundering and Terrorist Financing (Prevention) Act (Wwft), if entities with an obligation to report do so in good faith, correctly, in full, and in a timely manner, they have criminal indemnity and are not liable under civil law. This means that as a reporting party you cannot be held liable for any damage your customer may incur as a result of your report, for instance. In addition, data that you report to us in accordance with the standards may not be used against you in a criminal investigation.