'Know your customer' and anti-money laundering requirements
Further to queries received in relation to third-party requests for AML documentation and to the Gazette article in April 2019, ‘KYC and AML requirements of certain funds operating in the Irish market’, there are a few updates to report.
In response to a query received by the Data Protection Commission (DPC) regarding an investment firm selling properties and seeking to obtain AML identification or ‘know your customer’ (KYC) data from the third-party purchasers, the DPC has instructed that “pursuant to the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (as amended), the investment firm could not be considered a ‘designated person’ (nor an ‘obliged entity’ as defined in the AML directives) to collect AML KYC documentation. This is a statutory public interest function only, proper to the purchaser’s solicitor or the credit institution that is providing a mortgage or loan facility to the purchaser. Both the purchaser’s solicitor and/or the lending institution are a ‘designated person’ under the 2010 act and, as such, each should comply with the AML requirements when ascertaining the ‘customer due diligence’ of their client(s) who are purchasing the property from the vendor.
“From a data-protection perspective, unless there is a proper legal justification for the collection of this KYC documentation of third-party purchasers, then the practice of seeking to collect these documents should cease immediately. Otherwise, it could potentially contravene the principles of article 5 of the GDPR.”
It is clear to the committee that the DPC has instructed that investment funds and, by implication, their associated entities and agents (including receivers), have no legal obligation under the Criminal Justice Act 2010, as amended, to act as a designated person to collect customer due diligence documents on third-party purchasers who are acquiring assets on an arm's-length basis from such investment funds.
The committee agrees with the DPC that the collection of this KYC and/or AML documentation from third-party purchasers (or, in the view of the committee, through their solicitors who are usually asked to furnish such information on behalf of the purchaser) should cease. While the report says that “following DPC representations, the companies agreed to cease this practice of seeking KYC AML documentation from third-party purchasers and their representatives”, it is clear to the committee that the practice appears to still be prevalent among investment funds and other parties. Practitioners are entitled to refuse such requests and, if they so wish, should continue to refer any such requests, whether made directly to the client or through their solicitor, to the DPC by way of complaint.
The committee acknowledges that solicitors have their own separate and independent KYC and AML requirements in relation to their own clients. Practitioners are referred to the regulations and the Law Society’s previous practice notes and guidance dealing with these obligations. The committee continues to receive numerous queries from practitioners in relation to letters that are being sought by or on behalf of investment funds that create certain obligations in favour of the fund/lender in relation to KYC and AML enquiries. A number of these letters include other non-related AML and KYC queries. The view of the committee is as follows:
- Solicitors should not be asked to confirm that the firm or the solicitors therein are not subject to any disciplinary proceedings. This is not relevant to AML and KYC.
- Solicitors, whether acting for a vendor or a purchaser, should not be asked to certify that sale proceeds/purchase moneys are not the proceeds of crime. This is a matter that should only be certified by the client.
- A fund/lender is entitled to complete the usual KYC and/or the AML enquiries in respect of its own customer (the vendor/borrower), but this can be dealt with directly with their vendor/borrower client.
- Once a sale closes, the funds belong to the vendor client.
- A solicitor should not be asked to confirm that they adhere to the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 as amended by part 2 of the Criminal Justice Act 2013 or by the Criminal Justice Money Laundering and Terrorist Financing Amendment Act 2018. These are statutory obligations.
The committee is aware that some of these letters request that the solicitor hold the personal data of their client for a period of at least five years from the date of the conclusion of the proposed transaction. While solicitors have their own record-retention duties with regard to their own clients, solicitors should not be obliged to retain data at the behest of the investment fund/lender. There is no clear rationale for doing this, and the committee is of the view that this places solicitors in potential breach of GDPR and they should not be asked to do it.
Practitioners who do, however, intend to comply with any such requests should confirm their clients’ instructions and obtain any appropriate consents from their clients.
Solicitors should also be cognisant of the relevant obligations under GDPR in respect of these matters, including the following articles of Regulation EU 2016/679 of the European Parliament and of the Council:
- Article 5(1)(a) – lawful, fair and transparent processing (that is, ensuring that clients are made aware of any such requests, and what data may be collected and disclosed by solicitors if they decide to comply with such requests),
- Article 6 – legal basis for processing (that is, satisfying one of the grounds for processing the data in question – for example, obtaining the consent of the client),
- Article 5(1)(b) – purpose limitation (that is, ensuring that the personal data in question is collected for specified, explicit, and legitimate purposes, and is not further processed in a manner that is incompatible with those purposes), and
- Article 5(1)(c) – data minimisation (ensuring that the data is adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed).