FAQs
What is Politically Exposed Persons (PEP) screening?
Financial institutions are legally obliged under Anti-Money Laundering (AML) legislation to carry out Politically Exposed Persons (PEP) screening where there is a 'reasonable risk' of money laundering and terrorist financing.
Any processing of personal data for AML purposes, including enhanced due diligence screening of PEPs, must comply with all of the principles of data protection set out in Article 5 of the General Data Protection Regulation (GDPR), in particular Article 5(1)(c), which requires that personal data be 'adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed' ('data minimisation').
It is therefore essential that all entities conducting AML procedures, whether Customer Due Diligence, Enhanced Due Diligence or other AML measures, take a balanced approach that meets their regulatory AML obligations and their data protection obligations together, and that all such processing is undertaken in a reasonable and proportionate manner.
Organisations should have appropriate policies and procedures in place to determine whether a customer or beneficial owner is a PEP at onboarding, or becomes a PEP during the course of the business relationship, and so warrants Enhanced Due Diligence measures. Any such policy must be compliant with all of the principles of data protection, as noted in Article 45(1) of the Fourth Anti-Money Laundering Directive (AMLD 4), complemented by Recital 43, which states:
“The collection and subsequent processing of personal data by obliged entities should be limited to what is necessary for the purpose of complying with the requirements of this Directive and personal data should not be further processed in a way that is incompatible with that purpose. In particular, further processing of personal data for commercial purposes should be strictly prohibited”.
A Data Protection Impact Assessment (DPIA) shall be undertaken for any policies likely to result in a high risk to the rights and freedoms of natural persons.
If organisations are relying on third parties to perform any due diligence measures on their behalf, they, as data controllers, must be satisfied that the third party can provide sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the data protection requirements of the GDPR, including for the security of processing.