The main data protection rules of the Personal Data Protection Act 2012 (No. 26 of 2012) (“PDPA”) came into force on 2 July 2014. Pursuant to the PDPA, organisations, including financial institutions (“FIs”), are now generally required to obtain consent for the collection, use and disclosure of “personal data”, to allow individuals to access and correct errors in their personal data, and to provide individuals with information about the ways in which their personal data may have been used or disclosed.
In light of this, the Monetary Authority of Singapore (“MAS”) published a consultation paper dated 2 June 2014, proposing the addition of a paragraph on personal data (“Proposed Personal Data Amendment”) to the various MAS notices relating to the prevention of money laundering and countering the financing of terrorism (“AML/CFT Notices”). The Proposed Personal Data Amendment aimed to clarify that for the purposes of meeting AML/CFT requirements, FIs may collect, use and disclose personal data without customer consent, as per existing practice. Our earlier update on this consultation can be accessed here.
Following the close of the consultation, on 1 July 2014, MAS amended each of the relevant AML/CFT Notices to incorporate a revised version of the Proposed Personal Data Amendment (“Finalised Personal Data Amendment”). MAS also published responses to the feedback received during the consultation (“Response”), which helped clarify how the Finalised Personal Data Amendment should be interpreted.
IMPACT OF FINALISED PERSONAL DATA AMENDMENT ON AML AND CFT MEASURES
Clarification of scope of individuals’ access and correction rights
The Proposed Personal Data Amendment provided that customers will generally have the right to access and correct their factual identification data, as well as personal data that they have provided to the FI. In addition to this, the Finalised Personal Data Amendment also explicitly clarifies that such access and correction rights are subject to certain exceptions provided for in the PDPA, including where granting access could reasonably be expected to reveal personal data about another individual or threaten his health or safety, where a request for access would unreasonably interfere with the operations of the organisation, or where a request for correction of information involves a document related to a prosecution for which proceedings are still ongoing.
MAS clarified in its Response that other than the types of personal data specified as being subject to access and correction rights in the Finalised Personal Data Amendment, FIs would not be obliged to provide such rights for any other personal data, including information obtained by FIs from third party sources for verification purposes and FIs’ internal analyses of individuals’ money-laundering/terrorism financing risk.
MAS also stated that where FIs did grant access and correction rights, the approach to granting such rights should generally be aligned with the PDPA. For example, an FI may deny access if doing so may reveal the personal data of another individual, and for correction, an FI should be satisfied that there are reasonable grounds for such a request.
While the Proposed Personal Data Amendment did not expressly state this, the Finalised Personal Data Amendment clarifies that the personal data of certain “connected parties” (including company directors, partners and natural persons with executive authority) fall within its ambit.
MAS noted in its Response that for customers that are not individuals, the existing customer due diligence measures under the AML/CFT Notices require the identification of “connected parties” including directors, partners and persons having executive authority. During the consultation, there were also suggestions that “connected parties” such as individuals acting on behalf of a beneficial owner and beneficiaries in a remittance transaction be caught by the Finalised Personal Data Amendment.
MAS has clarified that it is looking to refine the definition of “connected parties” as part of a broader consultation on comprehensive amendments to the AML/CFT Notices. It appears likely that this definition will catch any individual on whom FIs are required to do AML/CFT related customer due diligence.
Personal data obligations of other entities
The Finalised Personal Data Amendment also reflects minor amendments to the Proposed Personal Data Amendment to clarify that the exceptions to the consent requirements for collection, use and disclosure of personal data apply not only to the direct handling of such personal data by FIs, but also where an FI does so through a third party.
MAS clarified in its Response that this amendment is partly to address queries as to whether the Proposed Personal Data Amendment would apply to third parties such as data intermediaries working with FIs. The intention of the Finalised Personal Data Amendment is that FIs may, as per existing practice, collect, use and disclose personal data without customer consent, whether directly or through a third party. MAS also noted that the personal data obligations of data intermediaries are governed by the PDPA, including section 4(2) thereof, which provides that certain parts of the PDPA do not impose any obligations on a data intermediary in respect of its processing of personal data for another organisation pursuant to a written contract.
Personal data obligations of FIs for non-AML/CFT purposes
During the consultation, certain FIs requested that MAS also set out a similar clarification of FIs’ PDPA obligations in the context of non-AML/CFT requirements such as risk management.
MAS responded that it did not intend to do so at this point, and that it had taken the view that the regulatory obligations most likely impacted by ambiguity in the context of the PDPA were the AML/CFT Notices. Nevertheless, MAS has indicated that it will continue to monitor developments and will continue to assess if further amendments might be necessary in respect of non-AML/CFT obligations.
Other clarifications from MAS
Feedback was also received requesting MAS to clarify FIs’ obligations with respect to the withdrawal of consent in relation to the Finalised Personal Data Amendment.
MAS responded that the Finalised Personal Data Amendment clarifies that for the purposes of meeting AML/CFT requirements, FIs may, as per existing practice, collect, use and disclose customer personal data without customer consent. Given that customer consent is not required, it cannot be withdrawn.
MAS’ Response reiterates its view that FIs should not be compromised in their ability to carry out effective customer due diligence in order to comply with anti-money laundering and countering of terrorism financing legislation. In particular, MAS has clarified that FIs may, as per existing practice, collect, use and disclose personal data without customer consent.
At the same time, the Finalised Personal Data Amendment also acknowledges customers’ rights under the PDPA to access and correct their personal data, to the extent that this does not interfere with AML/CFT measures. While the Singapore legislature’s intention has been that the provisions of the PDPA should apply concurrently with other Singapore laws and regulations, the Finalised Personal Data Amendment and MAS’ Response help provide guidance to FIs as to how to fulfil their AML/CFT obligations in the context of the PDPA.
MAS Response to the Consultation Paper on “Obligations of Financial Institutions under the Personal Data Protection Act 2012 – Amendments on Notices on Prevention of Money Laundering and Countering the Financing of Terrorism”