On 26 May, 2020 the FIAU published for consultation with all credit and financial institutions a draft Legal Notice establishing a centralised automated mechanism for the collection and retrieval of data on bank and payment accounts and on safe custody services provided by credit institutions. The data in the register will allow for the identification, in a timely manner, of any natural or legal persons holding or controlling payment accounts and bank accounts identified by IBAN, or making use of safe custody services provided by credit institutions.
The mechanism being set up is one of the requirements introduced by the 5th anti-money laundering Directive (EU 2018/ 843). Act I of 2020 designated the FIAU as the authority responsible to establish, manage and administer Malta’s automated centralised mechanism. The subsidiary legislation under consultation will lay out details on the functioning of the mechanism. Specifically, the draft regulations published by the FIAU aim to:
i. identify the subject persons that will be obliged to report data through the mechanism, set out in general terms the data that they will have to report and the circumstances where the obligation will be triggered;
ii. outline the obligations and powers of the FIAU in establishing, managing and administering the mechanism; and
iii. identify the authorities that will be granted access to the data retrievable through this mechanism, the conditions which they will have to meet to be allowed access thereto, and the circumstances where they are allowed to make use of any such data.
Persons obliged to report data through the mechanism
Where credit[1] and or financial institutions[2] provide accounts identified by IBAN or provide safe custody services, they are to maintain an electronic record of data and information as may be prescribed by the FIAU in relation to:
(a) the customer and, where applicable any agent authorised to act on the customer’s behalf, and the beneficial owner of the customer;
(b) the IBAN associated with any such account, or the alphanumeric code that identifies safe deposit boxes or any items entrusted to a credit institution when providing any safe custody services;
(c) the length of time for which any account or safe custody services are provided; and
(d) any other data or information on bank or payment accounts or safe custody services provided by credit institutions as the FIAU may set out from time to time.
The FIAU shall establish, manage and administer a register that shall contain an electronic record of the data and information that credit and financial institutions are required to maintain as per above. Credit and financial institutions shall make available data and information to the registry in such format and with such frequency as may be prescribed by the FIAU. The FIAU shall have regard to the highest technological standards and shall ensure that any of its officers or employees responsible for the management and administration of the registry are of high integrity and receive proper and regular training as to the confidentiality and data protection obligations applicable to the register.
Data or information contained in the register shall be held for five years following the closure of the account or the termination of the safe custody service. After that, the data and information so held shall be deleted, unless the period may be further extended, up to a maximum retention period of ten years, where such extension would be considered necessary for the purposes of the prevention, detection, analysis, investigation or prosecution of money laundering, associated predicate offences, funding of terrorism or any other serious criminal offence.
The FIAU is empowered to issue binding procedures and guidance to credit and financial institutions to prescribe anything required under the regulations and to ensure the proper functioning of the register and the mechanism. The general right of data subjects to access data being held on them may be restricted even completely where the FIAU deems it necessary and proportionate to ensure the proper functioning of the register.
FIAU powers and sanctions vis-à-vis credit and financial institutions
The FIAU shall monitor credit and financial institutions to ensure that they meet their obligations under the regulations and any procedures and guidance it issues. In doing so, the FIAU may deploy its wide powers as already established in the Act and may carry out data quality checks as it may deem fit on the data and information provided by institutions for inclusion in the register. It may also give directions to redress any issues it identifies with respect to such data and information.
As per the powers granted to the FIAU by Article 13 of the Act, any credit or financial institution which contravenes any provision of the regulations or of any procedure or guidance issued in terms thereof, or of any direction given by the FIAU, shall be liable to an administrative penalty of not less than €250 and not more than €46,500 in respect of every separate breach. The FIAU may choose to issue a reprimand in writing instead of an administrative penalty in cases of minor contraventions. In the case of serious, repeated or systematic contraventions, the FIAU may impose administrative sanctions up to a total of €1,000,000.
Authorities having access to the register
The draft regulations propose that the following authorities shall have access to the data register under procedures set by the FIAU:
(a) the FIAU;
(b) national authorities conducting criminal investigations into or prosecutions of money laundering, associated predicate offences, funding of terrorism or any other serious criminal offence, including when supporting investigations concerning any of the said offences;
(c) the Asset Recovery Bureau;
(d) the Commissioner for Revenue;
(e) the Sanctions Monitoring Board; and
(f) the Security Service.
The authorities listed above shall access and make use of the data and information in the register on a case-by-case basis and to the extent that this may be necessary for the prevention, detection, investigation or prosecution of money laundering, associated predicate offences funding of terrorism or any other serious criminal offence. The data and information contained in the register may also be used to produce aggregate or statistical data in relation to the above activities.
Authorities may also access and use the data and information in the register to reply to justified requests for information received from foreign or supranational bodies having similar functions, as long as they disclose the identity of the body to which information is to be effected. Maltese authorities are to ensure that foreign bodies apply confidentiality and data protection standards equivalent to those in Malta.
Authorities granted access to the register must have in place adequate safeguards that ensure that data and information held in the register is accessed and made use of only when strictly required. Moreover, authorities are to ensure that they maintain high standards of confidentiality and data protection safeguards, that all of their employees are of high integrity, and that employees authorised to carry out searches in the register to be suitably trained. Authorities are to have in place internal policies and procedures governing access to the register as well as measures to ensure that data is secured to high technological standards.
Each authority authorised to access the register must hold statistical data on the number of
searches carried out through the register that shall be made available to the FIAU Unit or the European Commission upon request. The draft regulations establish a list of information that authorities are to retain on each search they undertake in order to maintain an audit trail for the purposes of monitoring that confidentiality and data protection requirements are upheld.
Authorities shall have to follow any FIAU procedures it may deem proper to impose in order to monitor and regulate their access and carrying out of searches for data and information contained in the register. The FIAU is empowered to suspend or terminate access to an authority that it deems is failing to comply with any of the regulations, and only reinstate said access where it is satisfied that the authority has implemented the necessary measures to prevent the same issues from re-occurring.
Consultation period
The FIAU consultation, aimed at credit and financial insititutions, runs until Friday 12 June, 2020.
Article by Mr Stefan Briffa.
For more information please contact Mr Stefan Briffa at sbriffa@gtgadvocates.com.
This publication is provided for your convenience and does not constitute legal advice.
This publication is protected by copyright © 2020 GTG Advocates.
[1] “credit institution” means any one of the following: (a) a person or institution which is for the time being licensed under the provisions of the Banking Act; (b) a branch in Malta of any person or institution which has been granted an equivalent licence or authorisation under the laws of any other jurisdiction; and (c) the Central Bank of Malta.
[2] “financial institution” means any one of the following: (a) a person or institution which is for the time being licensed under the provisions of the Financial Institution Act; and (b) a branch in Malta of any person or institution which has been granted an equivalent licence or authorisation under the laws of any other jurisdiction.