Spain: The Business Creation and Growth Law introduces changes into the anti-money laundering and counter-terrorism financing law
Business Creation and Growth Law 18/2022, of September 28, 2022 published in the Official State Gazette on September 29, 2022, reforms Anti-Money Laundering and Counter-Terrorism Financing Law 10/2010 in its financial provision two.
It involves a very limited reform that introduces certain relevant changes already included in the latest EU directives that had not been implemented by Spanish law. It also includes provisions focused on the area of personal data protection and their AML/CFT implications.
The specific provisions concerned are as follows:
- Article 2.3 of Law 10/2010 is amended to include the cases in which the electronic money institutions, payment institutions and natural and legal persons referred to in Royal Decree-Law 19/2018, of November 23, 2018, on payment services and other urgent financial measures, are excluded from treatment as an obliged entity, provided that it can be evidenced that there is a low risk of money laundering or terrorist financing.
- In addition, article 12.1.a) of the law (non-face-to-face business relationships and transactions) is amended to clarify that in all cases in which the electronic signature used does not meet the requirements of a qualified electronic signature, the obliged entity must still obtain a copy of the identification document within one month after the business relationship starts. In other words, although the use of a non-qualified electronic signature is accepted for the purposes of non-face-to-face identification, this electronic signature will not exempt the obliged entity from having to obtain a copy of the identification document.
- Obliged entities that belong to the same category (credit institutions, jeweler’s shops, insurance companies, etc.) are permitted to create common systems for information, storage and gathered documentation for the purposes of complying with the due diligence obligations set out in Law 10/2010. The maintenance of these systems may be entrusted to a third party, even if it is not an obliged entity. The data obtained as a result of accessing the system may only be used for compliance by obliged entities with due diligence obligations. Obliged entities may only access the information provided by another obliged entity in cases where the person to whom the data relates is their customer. The data will be input in the system by the internal control bodies. These bodies will also channel any requests for access to the data contained in the system.
These obliged entities will be joint controllers of the data in this system and, therefore, will acquire new obligations, among others, the need to: (i) give notice of its creation to the Anti-Money Laundering Commission, (ii) inform the data subjects of the disclosure of their data to the system, if applicable, or (iii) reply to requests to exercise rights.
In the area of data protection, the main changes include the adjustment of the former articles of LOPD 15/1999 to the corresponding articles of the GDPR, while maintaining some of the aspects that were already regulated, such as (i) the absence of the need for consent, (ii) the exemption of the duty to give notice of the processing of data for this purpose, and (iii) the inappropriateness of responding to requests from data subjects to exercise their rights with respect to information concerning suspicious transactions that are reported to Sepblac.
As new developments in this area, the following may be highlighted:
- The need for obliged entities to conduct a DPIA (data protection impact assessment) in order to adopt the technical and organizational measures to ensure the integrity, confidentiality and availability of the personal data. Such measures must in all cases ensure the traceability of data accesses and disclosure. Only internal control bodies should carry out the processing.
- Likewise, obliged entities or parties that develop the systems that serve to support the exchange of information through common information systems must conduct an assessment of the impact that such processing has on data protection in order to adopt enhanced technical and organizational measures to ensure the integrity, confidentiality and availability of the personal data. Enhanced security and control measures will be applied.