Implementation of the personal data minimization principle in financial institutions: Lithuania’s case
| DOI | https://doi.org/10.1108/JMLC-11-2020-0128 |
| Published date | 22 July 2021 |
| Date | 22 July 2021 |
| Pages | 664-680 |
| Subject Matter | Accounting & finance,Financial risk/company failure,Financial compliance/regulation,Financial crime |
| Author | Marius Laurinaitis,Darius Štitilis,Egidijus Verenius |
Implementation of the personal
data minimization principle
in financial institutions:
Lithuania’s case
Marius Laurinaitis and Darius Štitilis
Mykolas Romeris University, Vilnius, Lithuania, and
Egidijus Verenius
State Data Protection Inspectorate, Vilnius, Lithuania
Abstract
Purpose –The purpose of this paper is to assess such processing of personal data for identification
purposes from the point of view of the principle of data minimisation, as set out in the EU’s General Data
ProtectionRegulation (GDPR) and examine whether the processingof personal data for these purposes can be
considered proportionate, i.e. whether it is performed for the purposes defined and only as much as is
necessary.
Design/methodology/approach –In this paper, the authors discuss and present the relevant legal
regulation and examine the goals and implementation of such regulation in Lithuania. This paper also
examines the conditions for the lawful processing of personal data and their application for the above-
mentionedpurposes.
Findings –This paper addressesthe problem that, on the one hand, financial institutions must comply with
the objectives of collecting as much personal data as possible under the AML Directive (this practice is
supported by the supervisory authority, the Bankof Lithuania), and, on the other hand, they must comply
with the principleof data minimisation established by the GDPR.
Originality/value –Financial institutions process large amounts of personal data. These data are
processed for differentpurposes. One of the purposes of processing personal data is (or may be) relatedto the
prevention of money launderingand terrorist financing. In implementing the Know Your Customer principle
and the relevant legal framework derived from the EU AML Directive, financial institutions collect various
data, includingprojected account turnovers, account holders’relativesinvolved in politics, etc.
Keywords Data protection, General data protection regulation, Data controller, Data subject,
Financial institution, Principle of personal data minimisation
Paper type Research paper
1. Introduction
Customer identification is an essential element of an organisation’s internal control system,
which is necessary to protect banks from the risk of abuse and fraud, operational risk,
reputational risk, the risk of loss of trust and strategic risk [1]*. However, customer
identification is only required to comply with legal requirements and to prevent money
laundering and terrorist financing. The so-called Know Your Customer principle is applied
based on which personal data are collected and processed not only for customer
Solving privacy paradox: Promoting High Standards of Data Protection as a Fundamental Right and
Central Factor of Consumer Trust in Digital Economy 814754.
JMLC
24,4
664
Journalof Money Laundering
Control
Vol.24 No. 4, 2021
pp. 664-680
© Emerald Publishing Limited
1368-5201
DOI 10.1108/JMLC-11-2020-0128
The current issue and full text archive of this journal is available on Emerald Insight at:
https://www.emerald.com/insight/1368-5201.htm
identification, but also to carry out certain customer monitoring. The amounts of personal
data being processed are rather substantial. This raises questions about the scope of
personal data processed by financial institutions as well as their compliance with the
principles set out in the General Data Protection Regulation(GDPR) of the European Union
(EU), in particular the principleof data minimisation.
The questions that merit deeper analysis include the legal basis on which financial
institutions collect and process personal data in the case of Know Your Customer
procedures, the legal obligation to do so and the specific types of personal data that are
required. Questions also arise as to how to achieve a balance between the wish of financial
institutions to protect themselves from the risks of abuse and fraud the one hand and the
customer’s right to privacy on the other. To what extent and in what cases must the
customer’s rightto privacy be restricted to achieve the above objectives?
The impact of GDPR on the banking sector has been examined in scientificpublications.
For instance, Lori Baker in her 2017 publication discusses the impact of GDPR on the
banking sector in the areas of the data subjects’rights, competitionlaw and Brexit [2]. Ralf
Sydekum in his 2018 article discusses consumer security aspects in the context of GDPR
application in the financial/banking sector [3]. Authors Basin, David, Debois and Soren, in their
December 2018 publication, proposed a GDPR compliance verification methodology [4].
However, the application of the principles of proportionality and data minimisation in the
context of GDPR, especially in relation to the Know Your Customer principle, has not been as
yet addressed in the scientificliterature.
To examine the issues raised, it is essential to first addressthe origins of the Know Your
Customer practices.
1.1 Historical discourse on the Know Your Customer rule and the collection of personal
data. Applications in Lithuania
For a long time, anonymity in the financial world was associated with anonymousaccounts
and the possibility of tax evasion or money launderingwas considered to be an integral part
of the service. In their fight against money laundering, EU Member States on 10 June 1991
purpose of money laundering”, which required Member States to prohibit their credit and
financial institutions from keeping anonymous accounts or anonymous passbooks. Since
the banning of anonymous accounts, customeridentification methods and the improvement
of these methodshave become one of the key areas in the activities offinancial institutions.
In 1989, the G7 Summit in Paris adopted a decision on the establishment of the Financial
Action Task Force on Money Laundering(FATF). The main area tackled by the FATF was
monitoring trends and technologiesin the shadow economy.
FATF sets international standards and pursues policies to combat money laundering
and terrorist financing. In 1990, this organisation adopted 40 [6] recommendations for the
fight against money laundering.The recommendations were first revised in 1996 in the light
of changes in money laundering trends. The above-mentioned 40 recommendations were
endorsed by 130 states in 1996 and became international anti-moneylaundering standards.
In 2001, FATF was assigned additional responsibilities for implementing preventive
measures countering terrorist financing. In October of the same year, FATF issued eight
Special Recommendationson how to combat terrorist financing.
Money laundering methods and techniques have been constantly evolving. FATF has
consistently drawn attention to advanced money laundering techniques, such as increased
use of legal entities, disguised ownership and increased use of professionals. The
assessment of these factors and the accumulated FATF expertise have led to the revision
Personal data
minimisation
principle
665
To continue reading
Request your trial