The Monetary Authority of Singapore (“MAS”) published a consultation paper dated 2 June 2014 proposing the addition of a paragraph on “personal data” to the various MAS notices relating to the prevention of money laundering and countering the financing of terrorism (“AML/CFT Notices”). The proposed amendments set out in the consultation paper are intended to be effective from 2 July 2014.
The proposed amendments are in light of the Personal Data Protection Act 2012 (No. 26 of 2012) (“PDPA”), the main data protection rules of which will come into force on 2 July 2014.
Under the PDPA, organisations (including financial institutions) will generally be required to obtain consent for the collection, use, and disclosure of personal data. Organisations will also be required to allow individuals to access and correct errors in their personal data, as well as to provide individuals with information about the ways in which their personal data may have been used or disclosed. These requirements could, if viewed as superseding the AML/CFT Notices, hamper the effectiveness of financial institutions’ anti-money laundering and countering of terrorism financing measures, in particular their ability to perform effective customer due diligence.
Given that the Singapore legislature intends for the provisions of the PDPA to apply concurrently with other Singapore laws and regulations, the proposed amendments seek to clarify how financial institutions’ obligations under the AML/CFT Notices would apply in the context of their obligations under the PDPA.
THE PROPOSED AMENDMENTS
New paragraph on “personal data”
For the various AML/CFT Notices, MAS proposes to insert a paragraph on “personal data” in the following form (the “Personal Data Amendment”):
“XX PERSONAL DATA
XX.1 For the purposes of paragraph XX –
- “personal data” has the same meaning as defined in section 2(1) of the Personal Data Protection Act (Cap. 26); and
- a reference to “individual” shall mean a natural person.
XX.2 An [FI] shall, as soon as reasonably practicable, upon the request of an individual customer, an individual natural person appointed to act on behalf of a customer or an individual beneficial owner of the customer, provide the requesting individual with the right to access and correct an error or omission in relation to the following types of personal data of that requesting individual, that is in the possession or under the control of the [FI]:
- the full name, including any alias;
- the unique identification number (such as an identity card number, birth certificate number or passport number);
- the existing residential address and contact telephone number(s);
- the date of birth;
- the nationality; and
- any other personal data of the respective individual provided by that individual to the [FI].
XX.3 Subject to paragraph XX.2 and for the purposes of complying with this Notice, an [FI] shall not be required to provide an individual customer, an individual person appointed to act on behalf of a customer or an individual beneficial owner of a customer, with:
- any access to personal data about the individual that is in the possession or under the control of the [FI];
- any information about the ways in which the personal data of the individual under subparagraph (a) has been or may have been used or disclosed by the [FI]; and
- any right to correct an error or omission of the personal data about the individual that is in the possession of or under the control of the [FI].
XX.4 For the purposes of complying with this Notice, an [FI] may, collect, use and disclose personal data of an individual customer, an individual person appointed to act on behalf of a customer or an individual beneficial owner of the customer, without the respective individual’s consent.
Affected AML/CFT Notices
MAS has also indicated that the AML/CFT Notices applying to the following types of financial institutions will be affected:
- Approved Trustees (MAS Notice SFA13-N01);
- Banks (MAS Notice 626);
- Capital Markets Intermediaries (MAS Notice SFA04-N02);
- Financial Advisers (MAS Notice FAAN06);
- Finance Companies (MAS Notice 824);
- Holders of Money-Changer’s Licence and Remittance Licence (MAS Notice 3001);
- Holders of Stored Value Facilities (MAS Notice PSOA-N02);
- Life Insurers (MAS Notice 314);
- Merchant Banks (MAS Notice 1014); and
- Trust Companies (MAS Notice TCA-N03)
Impact of the Personal Data Amendment
The Personal Data Amendment clarifies that for the purposes of complying with an AML/CFT Notice, a financial institution may collect, use and disclose personal data without the relevant individual’s consent. This is in line with MAS’ view that whilst financial institutions will have to adjust their processes to comply with the PDPA, they cannot be compromised in their ability to carry out effective customer due diligence in order to comply with anti-money laundering and countering of terrorism financing legislation.
The Personal Data Amendment also acknowledges customers’ rights under the PDPA to access and correct their personal data. Customers will have the right to access and correct all personal data that they have provided to the financial institution and their factual identification data. Outside of these categories and for the purposes of complying with the relevant AML/CFT Notice, a financial institution would not be obliged to provide access to or correct personal data held by it, or to provide any information about the ways in which such personal data may have been used or otherwise disclosed by the financial institution.
Please click on the links below to refer to the relevant documents.
Consultation Paper on “Obligations of Financial Institutions under the Personal Data Protection Act 2012 – Amendments on Notices on Prevention of Money Laundering and Countering the Financing of Terrorism”