In meeting my obligations under the Money Laundering and Terrorist Financing (Prevention) Act (Wwft), do I have to take account of the GDPR?
The GDPR requires that any processing of personal data must occur on a valid basis, such as a legal basis. The Wwft is a valid legal basis of this kind. As an entity with an obligation to report, you process the personal data of customers, representatives, and ultimate beneficiaries, among others. This means that, within the framework of the Wwft, you are required to process personal data for the purpose of carrying out checks on your customers.
’Know Your Customer’ checks as required by the Wwft must be carried out in accordance with the provisions of Chapter 2 of the Wwft. Among other things, this means that the identity of the customer (e.g., a buyer) and, if applicable, of the ultimate beneficiary, must be established and recorded. On the basis of the Wwft, this data must be retained for five years after the transaction or the termination of the business relationship. The same holds for data relating to unusual transactions.
-
If you receive notification that your report has been rejected, this means that there is something wrong with the content of the report, so the report has not been registered by FIU-the Netherlands. In the reporting portal, you can find the rejected report under ‘Reports submitted’. You can then open the report and modify it. Click here (NL) for more detailed instructions.
-
For security reasons, the content of your report is removed from the reporting portal after 24 hours. From then on, you will see a summary version of your report.
-
The procedure for reporting an unusual transaction is set out on the page Obligation to report.