Pursuant to several provisions of the French Code Monétaire et Financier, entities from the banking and financial sector are required to implement processes and strategies to detect, measure and manage operational risks within their group (on a consolidated basis). Fraud prevention/detection systems must be adapted to the entities’ activities and to the nature, scale and complexity of the risks inherent to their business model and organization.

The French data protection authority (CNIL) has just adopted Single Authorization No. AU-054 (the “AU-054”) on July 13, 2017 in order to cover the processing of personal data implemented in relation to these fraud prevention/detection systems. The new AU-054 provides a blanket authorization for entities processing personal data for purposes related to the prevention/detection of external fraud in the banking and financial sector assuming they adhere to a strict set of conditions set forth by the CNIL, the most significant of which are summarized below.

The AU-054, like all CNIL single authorizations, has the critical advantage of allowing entities to self-certify, in a short and simple form, their compliance with the conditions set forth by the CNIL. Fraud prevention systems not meeting those conditions require a specific authorization from the CNIL (a much more complicated and lengthy process).

1. Only certain categories of entities in the banking and financial sector are eligible to self-certify under the AU-054

The AU-054 covers entities from the banking or financial sector which are supervised by the French Autorité de Contrôle Prudentiel et de Résolution in accordance with Article L.511-20-III of the French Code Monétaire et Financier and related regulations.

More specifically, the entities authorized to implement a fraud prevention system under the AU-054 are the following:

  • Credit institutions;
  • Intermediaries in bank operations;
  • Payment service providers;
  • Providers of investment services;
  • Individuals who provide investment services;
  • Investment advisers;
  • Financing companies;
  • E-money institutions;
  • Financial holding companies; and
  • Parent companies of financing companies.

In particular, the AU-054 does not cover fraud prevention systems implemented by insurance, capitalization, reinsurance or assistance companies, or by insurance brokers (these companies must refer to Single Authorization No. AU-039).

In addition, all entities under the control of any of the entities listed above are also eligible to self-certify under the AU-054 when their activities qualify as “related” (“connexes”) within the meaning of Article L.311-2 of the Code Monétaire et Financier.

2. The AU-054 only covers prevention/detection systems addressing external fraud

The AU-054 covers fraud prevention/detection systems aimed at detecting and qualifying anomalies that constitute “external fraud”. “External fraud” is defined by Article 324 of Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms as “any event causing losses related to third party actions aimed at committing fraud or embezzlement of assets, or at violating the law.” External fraud therefore relates to any person that is a party or potential party to a contract (clients, beneficiaries) and any person involved in the performance of contracts (subcontractors, service providers, financial intermediaries…). The AU-054 does not cover internal fraud detection/prevention (i.e., fraud committed by employees or other staff members).

More specifically, the AU-054 states that it covers (i) fraud alerts raised following the detection of an anomaly or inconsistency, or the reporting of an act likely to be fraudulent, together with their analysis by authorized personnel, and (ii) actual or attempted frauds qualified as such by the entity following investigation by authorized personnel. It further details the authorized purposes by referring to:

  • The detection of acts performed in the context of the execution, management and performance of contracts that show some kind of anomaly or inconsistency;
  • The management and analysis of alerts coming from various information sources (internal control processes, client claims, judicial orders, etc.);
  • The compilation of lists of persons duly identified as fraudsters or attempted fraudsters following investigations.

The AU-054 details the various categories of fraudulent activities that can be covered by (and reported through) a fraud prevention/detection system within its scope. These categories notably include fraud relating to the payment method, ID fraud, credit fraud, etc. If the fraud prevention/detection system aims at detecting categories of fraud that are not expressly listed in the AU-054, a specific impact assessment must be carried out.

In addition, the AU-054 clearly states that fraud prevention systems may lead to occasional interconnections with data processed for other purposes, including notably (among others): client and prospect management; the execution, management and performance of banking and financial services agreements; the management of contractual relationships with intermediaries, service providers and others; money-laundering and terrorism financing prevention; and whistleblowing systems.

3. The broad range of personal data that can be processed under the AU-054

Assuming they are necessary for the purposes covered by the AU-054, only the following categories of personal data can be collected and processed through fraud prevention/detection systems:

  • Data relating to the execution, management and performance of banking and financial services agreements and to the management of the commercial relationship;
  • Identification data relating to the parties to the contract (client, actual beneficiaries) and prospects;
  • Data relating to personal, family and professional situations, to economic and financial information and life habits in relation to the execution of banking and financial services agreements;
  • Data relating to commercial operations and to the management of the commercial relationship;
  • Data relating to anomalies, inconsistencies and reports likely to reveal a fraud;
  • Data relating to fraud investigations, instruction and assessment of the scope and nature of the suspected or actual fraud and of its consequences;
  • Data relating to risk and damages assessment;
  • Identification data relating to the individuals involved in the detection and management of fraud;
  • Data relating to financial transactions, payment methods, etc.;
  • Browsing and connection data (including location data and device-related data) collected in the context of the agreements in force; and
  • Data relating to the management of contractual relationships with providers of services or of operational tasks that are “essential” or “important” within the meaning of applicable laws, and with banking operations and payment services intermediaries, subcontractors and agents.

4. Strict requirements regarding access rights and management of the fraud prevention/detection system

Generally, the system and related data may only be accessed by specifically authorized personnel subject to ethical and confidentiality obligations.

More specifically, information relating to fraud alerts (suspected frauds) can only be accessed by:

  • Staff members in charge of fraud prevention within the entity or another entity of the same group when acting on behalf of such entity;
  • Staff members in charge of money-laundering and terrorism financing prevention within the entity;
  • Investigators, auditors and experts, on an ad hoc basis during investigations;
  • Staff members from the entity’s compliance department in charge of internal control or of the litigation department; or
  • Public authorities as authorized under the law.

In case of actual (proven) frauds, the information can only be accessed by:

  • Staff members in direct contact with the clients;
  • Staff members in charge of fraud prevention within the entity or another entity of the same group when acting on behalf of such entity;
  • Staff members in charge of money-laundering and terrorism financing prevention within the entity;
  • The entity’s top management, the operational risks department, the compliance department in charge of internal control or the litigation department, the legal department, staff members in charge of internal control, audit, inspection and financial security;
  • Providers of services or of operational tasks that are “essential” or “important” in accordance with applicable laws, and banking operations and payment services intermediaries, as soon as they are concerned by the fraud or are involved in the management of the matter;
  • Investigators, auditors and experts, on an ad hoc basis during investigations;
  • As the case may be, fraud victims or their agents; or
  • Public authorities as authorized under the law.

In addition, the information collected through the fraud detection systems may be shared by the entity with other entities of its group under specific conditions, which are detailed in the AU-054.

5. Other relevant requirements to keep in mind

The AU-054 reiterates that data subjects must be informed of the characteristics of the processing of their personal data in accordance with applicable law. This notice must be provided upon execution of the service agreement, and again if, after investigation, the fraud is confirmed, decisions with legal consequences are made on that basis, and the data subject is listed as a potential fraudster for future reference.

It also reiterates that no decision with legal consequences can be made based only on an automated fraud prevention system. As a consequence, any fraud alert generated by these systems must be followed up by a non-automated analysis and, if necessary, by additional non-automated investigation. In addition, any individual who is the subject of a fraud alert must be able to respond if a decision with legal consequences for him/her is made in relation to the execution or performance of a contract.

In addition to general security and confidentiality obligations, the AU-054 requires entities to define a security policy specifically adapted to the risks raised by fraud prevention/detection systems. Specific requirements as to the content of this policy are detailed in the AU-054.

In terms of data retention, alerts must be “qualified” (i.e., confirmed or not) within 12 months of being raised. Any alert that is not relevant must be deleted immediately. If an alert has not been investigated and qualified after 12 months, it must be deleted. Data related to confirmed fraud can be stored for 5 years maximum (or until the end of the judicial proceedings where relevant).
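The retention rules above translate into a mechanical purge check that a fraud platform can run daily. The following is an added example, not code from the AU-054 or from any vendor; the record layout, the status names and the assumption that the 5-year clock for confirmed fraud starts on the date the fraud was confirmed are all mine.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Retention limits taken from the AU-054 summary above.
QUALIFICATION_WINDOW_MONTHS = 12     # alerts must be qualified within 12 months
CONFIRMED_FRAUD_RETENTION_YEARS = 5  # confirmed fraud kept for 5 years at most

@dataclass
class Alert:
    alert_id: str
    raised_on: date
    status: str                          # "open", "not_relevant" or "confirmed"
    qualified_on: Optional[date] = None  # date the alert was confirmed as fraud
    proceedings_pending: bool = False    # judicial proceedings still ongoing

def shift(d: date, years: int = 0, months: int = 0) -> date:
    """Add whole years/months, clamping the day for shorter months."""
    y, m = divmod(d.month - 1 + months, 12)
    y, m = y + d.year + years, m + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))

def retention_action(alert: Alert, today: date) -> str:
    """Return 'delete' or 'keep' for one alert record as of `today`."""
    if alert.status == "not_relevant":
        return "delete"                  # irrelevant alerts go immediately
    if alert.status == "open":
        deadline = shift(alert.raised_on, months=QUALIFICATION_WINDOW_MONTHS)
        return "delete" if today >= deadline else "keep"
    if alert.status == "confirmed":
        if alert.proceedings_pending:
            return "keep"                # retained until proceedings end
        # Assumption: the 5-year clock starts when the fraud was confirmed.
        limit = shift(alert.qualified_on, years=CONFIRMED_FRAUD_RETENTION_YEARS)
        return "delete" if today >= limit else "keep"
    raise ValueError(f"unknown status {alert.status!r}")

def sweep(alerts, today: date):
    """Return the ids of the records that must be purged as of `today`."""
    return [a.alert_id for a in alerts if retention_action(a, today) == "delete"]

# Constructed sample records (not real data), evaluated as of AS_OF.
AS_OF = date(2018, 9, 1)
SAMPLE_ALERTS = [
    Alert("A1", date(2017, 10, 15), "open"),                       # inside window
    Alert("A2", date(2017, 8, 20), "open"),                        # 12 months elapsed
    Alert("A3", date(2018, 8, 30), "not_relevant"),
    Alert("A4", date(2013, 5, 1), "confirmed", date(2013, 6, 1)),  # 5 years elapsed
    Alert("A5", date(2013, 5, 1), "confirmed", date(2013, 6, 1), True),
    Alert("A6", date(2014, 1, 1), "confirmed", date(2014, 1, 31)),
]
```

Running `sweep(SAMPLE_ALERTS, AS_OF)` flags A2, A3 and A4 for deletion; A5 survives only because proceedings are still pending.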

Lastly, the AU-054 states that transfers of personal data to countries outside the EU and the EEA can only be performed if (i) the destination country has been recognized by the EU Commission as providing adequate protection, or (ii) the recipient is Privacy Shield certified, or (iii) Model Contractual Clauses or Binding Corporate Rules are in place, or (iv) they are carried out for the purpose of performing contracts or enforcing warranties or rights before a court (it being specified that this last ground only applies to occasional, non-massive transfers).