Legal basis for processing personal data
All processing of personal data requires a legal basis to be lawful.
Article 6(1) (a–f) of the General Data Protection Regulation (GDPR) contains an exhaustive list of six legal bases for the lawful processing of personal data.
In this sandbox project, we have taken no position on whether banks have a legal basis for processing personal data in the artificial intelligence (AI) tools that Finterai is offering. This applies both to the use of AI tools as part of the banks’ anti-money laundering activities and any use of personal data to train the algorithms. Nor have we taken any position on whether Finterai has a legal basis for processing personal data, should this become relevant.
The discussions in this sandbox project presume that the data controllers, whether Finterai itself or the banks, find a legal basis for processing personal data when using and further developing this service. If not, it will not be possible to use the service legally.
We assume that the banks’ obligations and potential leeway under the anti-money laundering regulations will be a natural starting point for an assessment of the legal basis for processing personal data for the purpose of uncovering suspicious transactions (Article 6(1)(c) of the GDPR). In some of our discussions, therefore, we have referred explicitly to this regulation, without this implying we have taken a position on whether the banks’ use of the service may be authorised pursuant to the anti-money laundering regulations.
If the processing cannot be authorised under the anti-money laundering regulations, the banks must themselves identify another legal basis for doing so. Legitimate interests, (Article 6(1)(f) of the GDPR) will probably be the most relevant alternative, although we have taken no position on that here.
Which personal data are processed?
SWIFT messages are made up of transaction data. SWIFT is an international payment network for the transfer of funds between banks not located in the same country. SWIFT messages may contain personal data if an individual is the sender or recipient in the transaction.
“Know your customer” (KYC)
Financial institutions are obligated to collect information about their customers (including their identities), the purpose of the customer relationship and its intended nature, which of the reporting entity's products and services they use and the source of the funds, etc. This is known as the “know your customer” principle and is used to classify customers in various risk categories and to verify that transactions are performed in accordance with the information collected.
Not all categories of KYC data necessarily contain personal data, but some categories do. KYC data is obtained both from the customers themselves and from publicly available websites and third-party suppliers offering this type of data as a paid service. Data obtained from publicly available websites and third-party suppliers is referred to as third-party data.
Third-party data is used to add new information or verify information provided by customers themselves. This could, for example, be information that someone is a politically exposed person (PEP), that they are on a sanctions list, that they have been the subject of negative media reports, or information from other public sources relating to criminal offences, litigation, etc. Third-party data may include datasets that are compiled from a variety of data sources. Third-party data is often collected through different platforms and websites, which are then aggregated by a data supplier. Third-party data does not always contain personal data.
The assessments in this report relate solely to the processing of data considered to constitute personal data.