In meeting my obligations under the Money Laundering and Terrorist Financing (Prevention) Act (Wwft), do I have to take account of the GDPR?
The GDPR requires that any processing of personal data must occur on a valid basis, such as a legal basis. The Wwft is a valid legal basis of this kind. As an entity with an obligation to report, you process the personal data of customers, representatives, and ultimate beneficiaries, among others. This means that, within the framework of the Wwft, you are required to process personal data for the purpose of carrying out checks on your customers.
’Know Your Customer’ checks as required by the Wwft must be carried out in accordance with the provisions of Chapter 2 of the Wwft. Among other things, this means that the identity of the customer (e.g., a buyer) and, if applicable, of the ultimate beneficiary, must be established and recorded. On the basis of the Wwft, this data must be retained for five years after the transaction or the termination of the business relationship. The same holds for data relating to unusual transactions.
-
No, you must be registered as a separate reporting entity in each capacity.
If, for example, you are an estate agent and a valuer, then the capacity in which you make the report depends on the situation. In such cases, you need to have two registrations with FIU Netherlands: one as an estate agent and one as a valuer. If you come across an unusual transaction in your estate agency business, you report as an estate agent; if you encounter an unusual transaction when carrying out valuations, you report as a valuer.
-
The GDPR requires that any processing of personal data must occur on a valid basis, such as a legal basis. The Wwft is a valid legal basis of this kind. As an entity with an obligation to report, you process the personal data of customers, representatives, and ultimate beneficiaries, among others. This means that, within the framework of the Wwft, you are required to process personal data for the purpose of carrying out checks on your customers.
’Know Your Customer’ checks as required by the Wwft must be carried out in accordance with the provisions of Chapter 2 of the Wwft. Among other things, this means that the identity of the customer (e.g., a buyer) and, if applicable, of the ultimate beneficiary, must be established and recorded. On the basis of the Wwft, this data must be retained for five years after the transaction or the termination of the business relationship. The same holds for data relating to unusual transactions.
-
Indicators of unusual transactions are listed in the 2018 Implementation Decree for the Money Laundering and Terrorist Financing (Prevention) Act (Wwft) (Uitvoeringsbesluit Wwft 2018 [in Dutch]). These indicators differ per reporting entity. The page on reporting groups gives an overview of the various indicators per reporting group. If in your view a transaction meets one or more of the indicators that apply to your reporting group, you must report that transaction to FIU-the Netherlands.
If you have questions about how to interpret a given indicator, you can ask your Wwft supervisory authority. This page shows which supervisory authority is responsible for your reporting group. This division of roles is addressed in more detail in the FAQ “What is the role of the Wwft supervisory authorities in relation to FIU Netherlands?’’.