Court Rules on the Processing of Personal Data for AML/CTF Purposes and Compliance with the GDPR

Does a company of real estate agents (brokers) (“Company”) have to comply with anti-money laundering and/or anti-terrorist financing (“AML/CTF”) measures, and to what extent must these measures be applied? This is the question recently answered by the Supreme Administrative Court of Lithuania (“Court”), which not only reaffirmed that brokers must strictly comply with the provisions of the Law on the Prevention of Money Laundering and Terrorist Financing (“AML/CFT Law”), but also specified what personal data brokers must retain for the implementation of the AML/CFT Law and how the retention of such personal data complies with GDPR requirements.

In the case, the Company argued that it does not provide brokerage services directly itself, but that services to clients for the sale and/or rent of property are provided on behalf of the Company by other brokerage companies or brokers with whom the Company has signed brokerage service agreements. These brokerage companies are obliged entities in the context of the AML/CFT Law and they in turn comply with all the requirements laid therein, therefore the Company should not have been subjected to these additional requirements.

While upholding the fine imposed on the Company by the Financial Crimes Investigation Service (“FCIS”), the Court stated:

  • Real estate agents are obliged entities and are therefore subject to AML/CTF measures. Brokers must know the client, identify and verify the client’s identity, provide information to the FCIS on suspicious monetary operations or transactions of the client, on large cash settlements by the client, designate a responsible person, conduct training, etc.
  • The AML/CFT Law does not contain any exceptions under which obliged entities may not comply with their obligations under the AML/CFT Law if another obliged entity under the AML/CFT Law is involved in a transaction. Therefore, the Company’s arguments that the other brokerage company, which provided the services to the clients, complied with AML/CFT Law and therefore the Company should not have taken additional measures, were rejected. Thus, the Company was obliged to implement all the AML/CTF measures it was subject to without exception.
  • Brokerage service agreements with clients are signed in the name of the Company and the Company has to ensure that the persons providing brokerage services, even if they are not employed by the Company, are aware of the provisions of the AML/CFT Law.

This case also addressed the issue of what personal data (documents) must be retained by the Company for the implementation of the AML/CFT Law and how the retention of such personal data complies with the requirements of the GDPR.

The Court decided that:

  • The Company did not provide any evidence that it retains copies of the identity document of the client and its representative, the power of attorney to act on behalf of the client, the identity data of the beneficiary (owner of the legal entity);
  • No evidence was provided to confirm that the Company verifies whether there are circumstances to conduct enhanced client due diligence, does not collect data from the client as to whether the transactions and business relationships may be with politically exposed persons, high-risk third countries, and does not apply risk assessment and management procedures.

In response to such allegations, the Company stated that there is a direct threat of a formally disguised screening procedure under the AML/CFT Law, which would lead to unrestricted access to/disposal of information on natural and legal persons.

The Court rejected the Company’s arguments, stating that the processing of personal data for AML/CTF fulfills the condition of the lawfulness of the processing for reasons of public interest.

ECOVIS ProventusLaw recalls that the retention of information for the AML/CFT is defined in Article 19 of the AML/CFT Law, which sets out the main periods for the retention of information, including the retention of personal data:

  • data from logbooks shall be kept on paper or in electronic format for 8 years from the date of termination of the transaction or business relationship with the client,
  • copies of client identity documents, beneficiary identity data, payee identity data, live video feed, other data obtained during the identification of the client, invoices/contractual documents shall be kept for 8 years from the end of the transactions or business relationship with the client;
  • correspondence on business relationships with a client must be kept for 5 years from the date of the end of the transaction or business relationship in paper or electronic form,
  • documents and data supporting a monetary operation or transaction, or other documents and data having legal effect, relating to the execution of monetary operations or the conclusion of transactions must be kept for 8 years from the date of execution of the monetary operation or conclusion of the transaction,
  • virtual currency exchange operators and depository virtual currency wallet operators must keep information that allows the address of the virtual currency to be linked to the identity of the owner of the virtual currency for 8 years from the date of the end of the transaction or business relationship with the client.

Retention periods may be extended for an additional period of up to 2 years on the motivated order of the competent authority.

Prepared by ECOVIS ProventusLaw Certified Data Protection Expert, Associate Partner Brigida Bacienė

Newsletter SubscriptionGet in touch