India is witnessing regulatory reforms. In May 2023, the Indian Government made changes to the Prevention of Money Laundering Act to make it cover more things. Then, in August, they passed a new law called the Digital Personal Data Protection Act, of 2023. Although the tension between AML and privacy concerns isn’t new, the enactment of DPDPA brings it into fresh focus.
These two acts are necessary and have a significant impact on the businesses. One area where the financial services industry faces ongoing challenges due to DPDPA is the clash between the requirements of the regulation and those of anti-money laundering (AML) laws.
AML rules require financial institutions to gather, process, and study a lot of personal information. This helps stop bad elements from using banks and similar places to hide dirty money and do other bad financial things. But, on the other side, DPDPA makes rules about how we can gather, process, and use personal data.
Furthermore, DPDPA’s definition of personal data is broad, encompassing all information collected under AML regulations, thus bringing it under the jurisdiction of DPDPA.
As a result, these two sets of requirements – one aimed at limiting personal data use and the other at maximizing it – create tensions within firms’ compliance frameworks.
AML and Privacy
AML rules necessitate the collection, processing, and use of personal data for a range of tasks to meet regulatory obligations, including:
- Conducting customer due diligence (including enhanced and simplified due diligence)
- Monitoring transactions
- Tracking behavior
- Sharing internal and external data
- Managing outsourced arrangements
- Handling cross-border data processing, especially for international payments
- Covering new areas like virtual and digital currencies through the PMLA Amendments
DPDPA defines “personal data” broadly as information relating to a person that can identify them directly or indirectly. This includes identifiers like names, identification numbers, location data, and more.
DPDPA outlines seven data protection principles that must be followed when processing personal data. These principles emphasize lawful, fair, and transparent processing, collecting data for specific purposes, using relevant data, ensuring accuracy, limiting data retention, and maintaining data security.
The DPDP Act punishes rule-breaking, and the fines don’t care how big or small a company is. Depending on the wrongdoing, the penalties can be as low as INR 50 crores (about Euro 5m) or as high as INR 250 crores (around Euro 25m). Unlike the GDPR, where fines depend on a company’s size, this law treats everyone the same. Firms have to document why they’re using people’s personal information. They can choose from seven legal reasons allowed by DPDPA, like when people agree, when there’s a contract when the law says so, and more. However, the risk-based approach of AML compliance results in varying levels of data collection and usage, which may not always align with GDPR’s lawful-based approach.
Challenges to Explore
The tension between AML and Privacy Laws leads to several challenges for financial firms:
- Documenting lawful basis: Firms must document the legal basis for processing personal data under AML regulations. This is complicated as AML rules are principles-based and require a risk-based approach. Some key industry practices, like risk ratings and indicators, don’t strictly derive from legal obligations. Obtaining consent for data retention under certain circumstances might be necessary.
- Rectifying inaccurate data: DPDPA emphasizes data accuracy and firms need to keep customer files up-to-date. This is now not only an AML obligation but also a DPDPA requirement.
- Data security: DPDPA mandates data security. As a result, firms will have to monitor who accesses customer data. It can be used for AML compliance, especially for Know Your Customer (KYC) activities and transaction monitoring alerts.
- Privacy notice: People have the right to know how their personal data is used. Firms need to think about how to tell their regular customers and company owners about the company’s privacy. And also why it can use their personal information.
- Data retention: AML rules may require retaining data beyond business relationships, conflicting with DPDPA’s requirement to retain data only as necessary.
- Outsourcing and secure transmission: As firms outsource more activities, they must ensure vendors comply with both AML and privacy regulations.
In conclusion, firms should promptly review areas where DPDPA and AML regulations intersect. They must document legal bases for personal data collection and processing, establish privacy notices, and address the challenges highlighted.
As time goes on, conflicts between these rules might grow because as we use new kinds of data and technology for AML controls, they might not match DPDPA. It’s important to think about following DPDPA right from the start.
