Data Protection Board: green light for a centralised anti-money laundering database

The Data Protection Board issued a positive opinion on the proposed amendment to Legislative Decree no. 231/2007 on the prevention of the use of the financial system for the purpose of money laundering and terrorism financing.

In particular, the proposed amendment supported by the Data Protection Board envisages the establishment of a centralised cyber database aimed at collecting data that are useful for assessing the risk of money laundering.

In order to minimise any possible risk to personal data, the database should have the following characteristics:

  • it should collect only those data which are already subject to a ten-year retention obligation for the obliged subjects; in this way, the data retention obligation would stay unaltered, both in terms of time and content;
  • access to the database should be limited to an exhaustive list of authorised subjects.

The database in question serves a twofold purpose: on the one hand, it assists the competent authorities (Ministry of Economy and Finance, Financial Intelligence Unit for Italy, special currency police unit of the Italian Finance Police, Anti-Mafia Investigation Department) in carrying out their analysis and investigation activities, while, on the other hand, it offers support to individual professionals in fulfilling their obligation to report suspicious transactions (pursuant to Article 35, Legislative Decree no. 231/2007).

In particular, the fulfilment of the professionals’ obligation to report suspicious transactions would be simplified through the generation of an alert by the system. The alert would be generated when certain conditions are met and certain thresholds are exceeded, specifically those that are considered to be symptomatic of a potentially risky activity. In this regard, however, the Data Protection Board has requested legislative intervention to regulate how alerts are generated and to ensure that the rights of data subjects are protected. The problem that arises is, in fact, the potential use of automated systems as well as the possible presence of data (e.g. sensitive data, data concerning criminal convictions or offences) which entail a high risk of profiling.