When Regulations Collide: GDPR and AML Compliance

What is GDPR?

The General Data Protection Regulation (GDPR) is designed to protect the data privacy of EU citizens. Every company that processes the data of EU citizens, regardless of where that company is located, must comply with GDPR policies. The fines for non-compliance are huge: up to €20 million (~$22 million) or up to 4% of the company’s annual sales, whichever is greater.

How does it affect AML compliance?

One of the keystones of GDPR is the right of EU citizens to have their data erased. For example, a French citizen who does business with your company can instruct you to erase all digital traces of her. If she has been your customer for five years, you must be able to go back through five years’ worth of data backups and delete her from your databases, marketing lists—everything.

But here’s the catch: AML regulations require that when you investigate suspicious activity, you must save each person’s data and transactions for five years or face huge fines for non-compliance. So if you investigate the transactions of that same French citizen for suspicious activity, and she then requests that you erase her data, what are you supposed to do?

Articles 6 and 17 to the rescue

GDPR includes language that protects data controllers like your company as well as data processors like Beam Solutions.

First of all, Article 6 provides the legal basis for data controllers to collect the data of EU citizens in order to comply with AML regulations. Second, it provides the legal basis for data processors to process that data in support of “legitimate interests”, namely, detecting suspicious activity so you can remain compliant with those AML regulations.

What about the right to have their data erased? Article 17 contains a provision stating that legal requirements take precedence over the right to erasure. So if a regulation requires you to retain the data, as AML regulations do, the right to erasure does not take effect until that legal retention period ends.
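The interplay described above (erase on request, unless a legal retention obligation is still running, then erase once it lapses) is the kind of decision an erasure-request handler has to encode. The following is an added illustration and not Beam's code; it assumes a hypothetical customer record that stores the date of the most recent suspicious-activity investigation, and it counts the five-year AML retention period from that date, which is a simplification of how the retention clock actually starts.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Union

# Assumption: retention is counted in calendar years from the date of the
# suspicious-activity investigation. The post states the period is five years.
AML_RETENTION_YEARS = 5

DateLike = Union[date, str]


@dataclass
class CustomerRecord:
    """Hypothetical customer record, constructed for this example."""
    customer_id: str
    personal_data: dict
    # Date of the most recent suspicious-activity investigation, if any.
    last_investigation: Optional[date] = None
    # Set when the data subject exercises the right to erasure.
    erasure_requested_on: Optional[date] = None


def as_date(value: DateLike) -> date:
    """Accept a date or an ISO-8601 string (as stored in many databases)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def new_record(customer_id: str, data: dict,
               investigated_on: Optional[DateLike] = None) -> CustomerRecord:
    """Convenience constructor for the example records."""
    inv = as_date(investigated_on) if investigated_on is not None else None
    return CustomerRecord(customer_id, dict(data), last_investigation=inv)


def add_years(d: date, years: int) -> date:
    """Add calendar years, rolling 29 Feb to 28 Feb when the target year has none."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_ends(record: CustomerRecord) -> Optional[date]:
    """Date on which the AML retention hold lapses, or None if no hold applies."""
    if record.last_investigation is None:
        return None
    return add_years(record.last_investigation, AML_RETENTION_YEARS)


def erase_personal_data(record: CustomerRecord) -> None:
    """Minimal erasure: drop personal fields, keep the opaque key for audit."""
    record.personal_data.clear()


def handle_erasure_request(record: CustomerRecord, today: DateLike) -> str:
    """Right to erasure with the legal-obligation exception: erase now unless
    an AML retention hold is still running, in which case record and defer."""
    today = as_date(today)
    record.erasure_requested_on = today
    hold_until = retention_ends(record)
    if hold_until is not None and today < hold_until:
        return f"deferred until {hold_until.isoformat()}"
    erase_personal_data(record)
    return "erased"


def process_deferred_erasures(records: list, today: DateLike) -> list:
    """Scheduled job: complete erasure requests whose hold has since lapsed.
    Returns the ids of records erased in this run."""
    today = as_date(today)
    done = []
    for rec in records:
        if rec.erasure_requested_on is None or not rec.personal_data:
            continue  # no pending request, or already erased
        hold_until = retention_ends(rec)
        if hold_until is None or today >= hold_until:
            erase_personal_data(rec)
            done.append(rec.customer_id)
    return done


def demo() -> tuple:
    """Walk through the post's scenario with constructed sample records."""
    investigated = new_record("c-1", {"name": "Marie"}, investigated_on="2018-03-01")
    ordinary = new_record("c-2", {"name": "Jean"})
    first = handle_erasure_request(investigated, "2020-01-01")   # still under hold
    second = handle_erasure_request(ordinary, "2020-01-01")      # no hold, erased
    too_early = process_deferred_erasures([investigated, ordinary], "2023-02-28")
    on_time = process_deferred_erasures([investigated, ordinary], "2023-03-01")
    return first, second, too_early, on_time


if __name__ == "__main__":
    print(demo())
```

The deferred request is recorded on the record itself so that nothing is lost between the request and the end of the hold; a real system would also log the deferral and its legal basis, since the data subject is entitled to know why the request was not acted on immediately.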

Data security is paramount

Even though Articles 6 and 17 resolve this particular conflict, you should never let your guard down when it comes to data security. Beam is 100% aligned with GDPR’s main purpose: to keep data safe. That’s why we adhere to the absolute highest standards of data security, including:

  • SOC 2
  • ISO 27001
  • Privacy Shield
  • OWASP

Our security page provides more details on the safeguards we employ, including best-in-class security technologies to ensure that everything from our APIs to your customers’ account numbers is secure.

In summary, Beam meets the requirements of GDPR and treats data security as its top priority, so our customers and their customers—in the U.S. and beyond—can rest assured that their data is secure.