Financial Crime World

Irish Businesses Urged to Cease KYC Collection from Third-Party Purchasers

The Data Protection Commission (DPC) has issued an instruction to investment firms, stating that they cannot collect Anti-Money Laundering (AML) and “Know Your Customer” (KYC) data from third-party purchasers of properties. This move aims to ensure compliance with the General Data Protection Regulation (GDPR) and the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, as amended.

Background

The instruction was issued in response to a query received by the DPC regarding an investment firm seeking to obtain AML KYC documentation from third-party buyers. According to the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, only designated persons such as solicitors or lending institutions are obligated to collect AML KYC data.

DPC’s Stance

The DPC has emphasized that unless there is a proper legal justification for collecting this information, it may contravene the principles of Article 5 of the GDPR. The commission advises that solicitors should not be asked to collect or certify AML KYC data on behalf of clients and should cease requesting this information from third-party purchasers and their representatives.

Irish Law Society’s Committee

The Irish Law Society’s Committee has also weighed in on the matter, advising solicitors to:

  • Cease collecting or certifying AML KYC data: Solicitors should not collect or certify AML KYC data on behalf of clients.
  • Retain personal data only as necessary: Practitioners are advised to confirm client instructions and obtain appropriate consents before complying with requests for personal data retention beyond what is required by law.
  • Comply with GDPR regulations: Solicitors should only retain client data as necessary and in accordance with GDPR regulations.

Key Takeaways

  • Only designated persons, such as solicitors or lending institutions, are obligated to collect AML KYC data.
  • Solicitors have their own separate KYC and AML requirements in relation to their clients.
  • Solicitors should not be asked to:
    • Confirm whether they are subject to disciplinary proceedings
    • Certify that sale proceeds are not the proceeds of crime
    • Confirm adherence to AML legislation

Conclusion

Irish businesses and practitioners are advised to take note of these developments and ensure compliance with GDPR regulations. The committee will continue to receive queries on this matter and provide guidance to practitioners as needed.