Lawfulness of Financial Crime Data Processing Under GDPR

Much of what has been written about the General Data Protection Regulation (GDPR) concerns the burden of obtaining proper consent in order to process personal data. This emphasis has prompted questions about whether, and how, financial institutions can process data to fight financial crime if they first need the data subject's consent. The questions are valid, but the GDPR is considerably more permissive where data is used to prevent, detect or monitor for financial crime.

Clients and counterparties will often be more than happy to consent to data processing in order to participate in financial services. But consent can be withdrawn at any time, so inviting individuals to consent gives the impression that they can exercise data privacy rights (withdrawal, objection, erasure) that are not appropriate for highly regulated activities such as transaction monitoring.

Rather than relying on consent, institutions can look to two other lawful bases in Article 6(1) of the GDPR: (1) processing that is necessary for compliance with a legal obligation to which the controller is subject (Article 6(1)(c)), and (2) processing that is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (Article 6(1)(f)).

Some areas of financial crime prevention are clearly for the purpose of complying with a legal obligation. For example, in most countries there are clear legal obligations for monitoring financial transactions for suspicious activity to fight money laundering. The European Data Protection Supervisor stated in 2013 that anti-money laundering laws should specify that “the relevant legitimate ground for the processing of personal data should… be the necessity to comply with a legal obligation by the obliged entities….” The fourth EU Anti-Money Laundering Directive requires that obliged entities provide notice to customers concerning this legal obligation, but does not require that consent be received. And the U.K. Information Commissioner’s Office gave the example of submitting a Suspicious Activity Report to the National Crime Agency as a legal obligation which constitutes a lawful basis.

Very few commentators have attempted to cite a legal authority for an anti-fraud legal obligation. The second Payment Services Directive (PSD2) requires EU member states to permit personal data processing by payment systems and payment service providers where necessary to prevent, investigate and detect payment fraud (Article 94). But PSD2 also contains its own explicit-consent requirement for access to and processing of customer data, and the fraud-prevention basis may fail without adequate implementing legislation in the relevant jurisdiction. Another possible angle is that fraud is a predicate offense for money laundering, so a bank has an obligation to investigate suspected fraud in order to avoid facilitating money laundering.

“Legitimate interests” are also permitted as a basis for processing. However, this basis can be challenged where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, and the controller must be able to document that balancing exercise. Financial institutions may not feel comfortable threading the needle between these ambiguous competing interests.

The GDPR makes clear, however, that several purposes related to financial crime should be considered legitimate interests. Recital 47 states that “the processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest” of the controller, and Recital 71 contemplates profiling for fraud prevention where expressly authorised by Union or member state law. It is also worth recognizing that many financial market offenses, such as insider trading, spoofing and layering, are often prosecuted under anti-fraud statutes, which brings their detection within the same rationale.

Compliance with foreign legal obligations, such as a whistle-blowing scheme required by the U.S. Sarbanes-Oxley Act, is not a “legal obligation” for GDPR purposes, because the obligation must be laid down by Union or member state law (Recital 45). Such compliance should, however, qualify as a legitimate interest.

While legal obligations and legitimate interests do not cover every potential use case, they should cover most traditional financial crime processing. Some banks have been informing their clients that a legal obligation justifies their AML and anti-fraud processing. Others have listed legal obligations and/or legitimate interests as potential justifications for a laundry list of processing activities, which is defensible only if each activity can actually be tied to one of those bases.

While the GDPR became applicable on 25 May 2018, financial institutions will continue to fine-tune their approaches as they become more familiar with the requirements and as legal and regulatory developments unfold. Financial institutions need to revisit their client notifications to make sure that they have disclosed their data processing in a manner that preserves their rights to process for financial crime purposes. They should also confirm that each financial crime processing activity falls under a defensible lawful basis. With this basic housekeeping performed, there should be little disruption to their financial crime and compliance operations.

The Supreme Court’s Sarbanes-Oxley Ruling in Plain English

If you’re like me, you’re not that smart. And when you read complicated articles like this New York Times breakdown of Monday’s Supreme Court decision involving Sarbanes-Oxley, your head starts to hurt a little. Wait? What exactly happened? Will this change anything for companies?

Fortunately, Anand Rao, partner at Diamond Management & Technology Consultants, is an expert in the history of and the controversy surrounding Sarbanes-Oxley and can clearly explain exactly what you need to know about the Supreme Court’s ruling.

Jared: What was the main controversy about Sarbanes-Oxley that the Supreme Court was ruling on?

Rao: Sarbanes-Oxley was passed in 2002 as a response to some of the accounting issues related to Enron and WorldCom. The law created the Public Company Accounting Oversight Board (PCAOB) to regulate the accounting industry. The five board members were accounting specialists appointed by the Securities and Exchange Commission. The SEC could remove board members if there was good cause to do so.

Free Enterprise Fund, a nonprofit advocacy group, along with a small Nevada accounting firm, Beckstead and Watts, challenged the creation of the PCAOB in Sarbanes-Oxley, specifying that the removal of board members by the commission only for just cause contravened the separation of powers in the U.S. Constitution, as it gave wide-ranging executive power to board members without subjecting them to presidential control.

Jared: Why did the Court rule against this structural set-up?

Rao: With a 5-4 majority ruling, the Supreme Court declared that the act “not only protects Board members from removal except for good cause, but withdraws from the President any decision on whether that good cause exists.” It claimed that “by granting the Board executive power without the Executive’s oversight, this Act subverts the President’s ability to ensure that the laws are faithfully executed.” To remedy this situation the Supreme Court has ruled that the SEC now may remove the Board members at will, without the need to demonstrate a good cause.

However, the Supreme Court made it very clear that this had no bearing on the remaining aspects of the Sarbanes-Oxley Act by stating that the “unconstitutional tenure provisions are severable from the remainder of the statute.” So for all practical purposes, there will be no change to the way the PCAOB operates.

Jared: Will the change have any effect on companies? How about risk and compliance employees? Insurance companies?

Rao: Although the Supreme Court ruling affects how board members may be removed, it has no impact on what public companies need to do. All public companies will continue to be subject to the same requirements as before under the Sarbanes-Oxley Act, and there will be no change to the operational functioning of public companies. Similarly, there will be no impact on risk and compliance employees or insurance companies; it’s just a re-validation that the act is here to stay.