I have just been asked by my bank to let them know what my possible turnover is next year, which is fine. They have also asked me to let them know how many customers pay me cash regularly, as they are seeing me paying cash in. They are now asking if I can give them the names of those customers. I think this is a potential GDPR violation, or am I missing something? I thought I had to get the permission of people whose information I hold to pass it onto a third party. Are the bank a 'responsible' organisation with regard to GDPR and therefore exempt?
IIRC they could argue legitimate interest on the grounds of fraud prevention or legal compliance. I've not had enough coffee for GDPR ****. You could always just ask why they want/need the info.
To comply with anti AML laws and regulation you do have to be able to explain where your money comes from. To comply with GDPR you can't just go and hand over customer data to a company requesting it. I know the cost can be an issue, but I'd strongly advise seeking proper legal advice from a lawyer.
Bit of an odd one, as asking you to confirm such things could be classed as "tipping off", which itself is a crime in the UK, with a possible prison sentence and fine. I wouldn't give them any personal details of your customers without their permission. If that means a lot of legwork for you to contact them all, I would just tell your bank that your clients have declined the release of their data. They have no power to demand it.
No one's exempt from GDPR, or the local regulations that supplement it (DPA 2018 in the UK). If they're requesting personal data for any of your customers they should be providing you with a properly formed request, stating what information they need, why they need it and what it is needed for, as well as stating which exemption of GDPR/DPA they are requesting it under. As already said, they probably want it for AML/sanctions checks, which are covered in the relevant exemption (GDPR Schedule 2, DPA S29 I think). Information Commissioner's Office have a lot of guidance and reference material available online, e.g.: https://ico.org.uk/for-organisation...l-data-protection-regulation-gdpr/exemptions/ Edit: realized I direct linked to a pdf
Pretty normal money laundering questions the bank will ask, nothing dodgy. Example of this from work https://www.santander.com/content/d...cial-crime-compliance-corporate-framework.pdf
While anti AML investigations would indeed be covered under the exemptions, the potential problem I smell is that they are seemingly asking for "everything" rather than say data on a specific customer or transaction, making the whole thing smell of fishing expedition rather than an investigation into something specific. And if the exemptions really cover such very broad requests? I'd say that requires proper legal expertise to assess. But in my armchair lawyer assessment the request seems too broad to be allowed.
Aye, broad requests would be considered fishing, which are a no-no and a bank would get hauled up for doing. A request made using the exemptions has to be specific in what information is requested and why. In order to be able to address whether the request is lawful, and information can be legally disclosed you need that extra information, as would any legal bod approached for advice. Starting point is always, don't disclose anything and then see if the request actually warrants sending it. Short of a court or production order you can't be compelled to release personal data, and it's a criminal offence for someone to try to get hold of data they are not entitled to. The bank will in all likelihood be making a legitimate request, but that request needs to be made properly so suitable advice can actually be sought. Speak to the bank though, being open about concerns and issues around a request won't harm anything. They'll generally provide more detail about why they're asking. The more information on hand the easier, quicker and cheaper it is to take proper advice.
Well, I've learned a lot in the past 60 seconds that, as a small business, I should probably have already known...
Many thanks for the further input all. I did think that the request for further information seemed a little casual and broad, but have not dealt with AML in detail before. I can email my account manager on Monday and see if they have a form to fill in, or ask to speak to the branch manager. What it comes down to, is I am paid regularly and semi regularly by 4 customers for services that are invoiced in advance and go through my books, so there is no 'pocketing of cash' here. My concern is that they are all sole traders with legitimate business operations, and it is not (as far as I am aware) my business to ask where their income is sourced, nor tell a third party their names. Two are in the motor trade, and are paid cash a lot. Again, (IMHO) it is up to them to declare what they earn, and whether to pay me in cash or bank it and then send me the money. Again, all transactions are invoiced in advance and I give a duplicate receipt for every amount of cash I am given. I have spoken to one today, and he is happy to BT the payment monthly when I have reminded him of my bank details. One other would be fine to go to full BT I'm sure. The other 2 are older and not very IT literate, so I'm not sure how hot they'd be with phone banking, as I don't think they have PCs. That said, maybe going to the bank and asking for a standing order would do. What's interesting is the interface between AML requirements and privacy afforded by GDPR. Sadly, the GDPR training I had with the Scout Association doesn't seem to cover this eventuality...
If it seemed too casual and broad to you then it probably was. As an example, most of the insurance industry use a 3 page template form for requesting any personal information from any source, including banks (RAD1 from the IFB). I wouldn't go changing the way you do business, especially with repeat customers, unless it works out more convenient. Especially not without getting more info from the bank. Plenty of people still prefer cash and it's perfectly legal. AML checking is an assumption, it's just the most likely reason for them to be interested in more detail of cash transactions specifically. You may find that explaining everything is invoiced in advance, plus recorded in your books and there's therefore a full, auditable paper trail addresses whatever reason they're asking for the details. Hopefully speaking to them next week will give you a bit more information, and put your mind at rest.
The bank isn't trying to ascertain the nature of their income, they're asking for information about yours, they have no power to ask them about their income, they just need to be able to have on file details that they have asked you the necessary questions about your income. The cash deposits have likely just triggered an automated flag on the system that has generated the request, once you know the specifics of the request it should be straightforward and as the request has now been made changing customers to cheque or bank transfer won't change the bank's current demand of information.