ECSH33510 - Checking record keeping, reliance and GDPR: introduction

During your compliance check, you must consider the business’s compliance with its obligations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) in relation to:

  • record keeping 
  • reliance
  • data protection 

Record keeping

Under regulation 40 MLR 2017, a business must keep a copy of any documents and information it has obtained to satisfy the customer due diligence requirements in Part 3 as well as sufficient supporting records to enable a transaction to be reconstructed. For details of records which must be retained, and how long they must be retained for, please see ECSH33520.

Reliance

A business may rely on another supervised person to carry out due diligence checks in relation to identifying and verifying:

  • customer identity (including corporate bodies)
  • any person acting on behalf of a customer, and
  • beneficial owners

This is set out in regulation 39 MLR 2017. Please follow the guidance in ECSH33550.

Please note that reliance doesn’t extend to enhanced due diligence checks for customers deemed to be high risk. You can find more guidance on how to check Customer due diligence in ECSH33300.

Data protection

Any personal data (information identifying a natural person) a business obtains when carrying out customer due diligence checks may only be processed to prevent money laundering, terrorist financing or proliferation financing. This requirement is set out in regulation 41 MLR 2017. To test whether the business is complying with the data protection requirements, please follow the guidance at ECSH33575.

For more information regarding personal data, the Data Protection Act and General Data Protection Regulations, see ECSH10000.