This article will delve into potential conflicts between document retention obligations found under anti-money laundering and data protection legislation in Switzerland.
Money laundering is the concealment of the origin of funds coming from criminal activities in such a way as to make it impossible to trace their origins and to inject said funds into the normal legal circuits of the economy.
Although money laundering is a major economic phenomenon partially linked to international organised crime, the problem is also a national one.
Switzerland is active in combating money laundering at both national and international levels and its anti-money laundering legislation is renowned.
The legal provisions in force in Switzerland to fight against money laundering are, in particular:
- the Anti-Money Laundering Act (“AMLA”);
- the Anti-Money Laundering Ordinance (“ALO”);
- the FINMA Anti-Money Laundering Ordinance (“ALOF”); and
- Articles 305bis and 305ter para 1 of the Swiss Criminal Code (“SCC”) relating respectively to money laundering and the insufficient diligence in financial transactions.
Within this legal framework, bankers, lawyers, wealth managers, fiduciaries, investment advisors or, for example, precious metal dealers, i.e. so-called financial intermediaries, have the obligation to identify their contracting parties, the beneficial owners of the values they care for and the object of the concerned business relationship.
Such requirements, that can sometimes be seen to be excessive and time-consuming, include requesting detailed information on clients requiring the services of financial intermediaries.
The latter have the important role of reporting. If they know or suspect, on the basis of well-founded suspicions, that assets involved in their business relationship are related to certain offences, that they originate from a crime, that a criminal organisation exercises a power of disposal over said assets or that these assets are used for the financing of terrorism, they must report to the Money Laundering Reporting Office-Switzerland without delay.
Such obligations often lead financial intermediaries to collect more information than necessary on their clients without regard to the applicable legal provisions on data protection.
Document Retention Obligations
Under Article 2 para. 2 and 3 AMLA, financial intermediaries are, in short, natural or legal persons who, on a professional basis, accept, hold on deposit or help to invest or transfer assets belonging to third parties.
Banks, wealth managers, lawyers or, since 1 January 2019, holders of a FinTech license can, for example, be considered as financial intermediaries within the meaning of Article 2 para. 2 and 3 AMLA.
Financial intermediaries must, by documenting the clarifications required under the AMLA and the transactions carried out by their clients (Article 7 para. 1 AMLA):
- preventively identify the parties to the contract and determine the beneficial owners of the assets handed over;
- clarify the economic background and the purpose of the transaction or business relationship, if a business relationship or transaction appears unusual or if there are indications that assets are the proceeds of a crime, that a criminal organisation has a power of disposal over said assets or that they are used for the financing of terrorism; and
- establish and clarify more precisely business relationships and transactions with increased risks. This may in particular concern business relationships with clients from countries considered to be at risk or politically exposed persons (“PEP”).
We note that even if, in complex cases, financial intermediaries can delegate these tasks to external specialists, whether to auditing firms or to lawyers, the Swiss Federal Court ruled that they cannot bypass the above mentioned requirements by invoking the professional secrecy of the agent to whom they have delegated their tasks.
To do this would mean that, contrary to the requirements applicable under anti-money laundering provisions, financial intermediaries could, for example, in the context of criminal proceedings, oppose the sequestration of certain documents on the grounds of the professional secrecy of the lawyer to whom they have delegated some of their compliance tasks.
The duties of financial intermediaries exist not only at the time when they establish a business relationship with a client, but last throughout the duration of said relationship. This obligation to monitor transactions is not only laid down in Articles 3 to 7 AMLA, but also in Article 20 ALOF.
Under Article 7 para. 2 AMLA, financial intermediaries must retain the records in such a manner as to be able to respond within a reasonable time to any requests made by the prosecution authorities for information or for the freezing of assets.
Under Article 7 para. 3 AMLA, financial intermediaries must retain the records of identification documents of the contracting parties, the beneficial owners and the past transactions for ten years after the termination of the business relationship or after completion of the transaction.
The types of documents that may be collected by financial intermediaries about their clients as part of their obligations include: surnames, first names, dates and places of birth, nationalities, tax identification numbers, home addresses, identity documents, certificates of incorporation, pre-established forms completed and signed by the clients or internal documents of the bank, i.e. client profiles, visit reports or telephone interview notes.
In short, the clarifications required by the AMLA relate to a multitude of information about the clients which can be obtained either by the latter, financial intermediaries directly, or by third parties, for instance foreign specialist companies.
Source of Wealth
Determining a client’s source of wealth is an essential requirement for financial intermediaries when it comes to Anti-Money Laundering obligations. It is the financial intermediaries’ responsibility to obtain information on a client’s source of wealth and expected source of funds. Such information should allow financial intermediaries to fully understand the actual money laundering/financial transaction risks it is exposed to, especially when it comes to assessing clients’ risks.
According to Art. 9 para. 1 AMLA, a financial intermediary (for example, the bank employee responsible or the bank itself due to a lack of organisation according to Article 102 para 2 SCC) who knows or assumes, on the basis of well-founded suspicion, that the assets involved in the business relationship, in particular, originate from a crime, that a criminal organisation exercises a power of disposal over said assets or that the latter are used for the financing of terrorism must inform the Money Laundering Reporting Office-Switzerland without delay (“MROS”).
Such notification is mandatory for ongoing relationships, as well as for relationships that have been closed but for which it is still possible to freeze assets.
The financial intermediary is not always obliged to immediately block assets connected to transactions reported to MROS. Instead, as a general rule, blocking ensues only after MROS informs the intermediary that it will process the report on to the competent criminal prosecution authorities (Article 10 AMLA).
Financial intermediaries are not civilly or criminally liable towards their clients if they acted in good faith in reporting suspicions of money laundering to MROS.
In principle, financial intermediaries are not acting in good faith if they “denounce” their clients without having carried out a minimum level of investigation or having taken into consideration the answers given by their clients and if their examination of the situation is not such as to objectively give rise to well-founded suspicions.
On the other hand, financial intermediaries who do not sufficiently comply with their duties under AMLA risk incurring criminal liability pursuant to Article 305bis SCC, which also entails a risk of confiscation of the contaminated assets (Article 70 SCC).
Financial intermediaries may additionally be exposed to regulatory sanctions as well as prosecution for insufficient diligence in financial transactions pursuant to Article 305ter SCC.
It follows from the above that, in practice, financial intermediaries tend to collect more information than necessary on their clients for fear of communicating to MROS on unfounded suspicions or to be certain that such a communication is not necessary.
The difficulty lies in the legal qualification of the information collected and its use in connection with the Swiss Federal Act on Data Protection Act (“DPA”).
Article 33 AMLA specifically states that: “[t] he processing of personal data is governed by the Federal Act of 19 June 19921 on Data Protection”.
Applicable Data Protection Obligations
Under Article 1 and Article 2 para. 1 DPA, the purpose of the DPA is to protect the personality and fundamental rights of individuals and legal persons who are subject to data processing carried out by private persons or federal bodies. In this context, information collected by financial intermediaries on the basis of the requirements of the AMLA falls fully within the scope of the DPA.
In that respect, data processing must be carried out in accordance with the principles of good faith and proportionality. Consequently, data that are false, unnecessary or no longer of interest must be removed from the file of the client or destroyed, unless the financial intermediary can invoke a valid reason such as the consent of the person concerned, an overriding public or private interest, or by law.
Even if financial intermediaries should only collect the information necessary to comply with the requirements of the AMLA, practice shows that some financial intermediaries tend to require more information than necessary and especially contrary to any legal requirement.
For instance, a financial intermediary might unnecessarily be processing personal data when a PEP requests to open a bank account for their son or daughter, for the purpose of receiving university stipend payments, and asks for detailed information on the source of wealth of the PEP.
Another potential example is when financial intermediaries, before contacting a potential client, conduct extensive research on a prospect in order to verify if the latter meets, at least prior to full due diligence, the financial intermediary’s economic and legal criteria for a potential business relationship.
If information is collected in this way, in particular about the client’s private and professional life, his or her political, economic or religious relations, said information must be automatically destroyed if it is not used because the financial intermediary does not open a relationship with the potential client for any reason (Article 15 para. 1 DPA).
It is thus essential that financial intermediaries uphold the data protection principles applicable, such as the principles of good faith and proportionality, when complying with their Anti-Money Laundering obligations (Article 4 para. 2 DPA) and that their clients be aware of their rights.
A proposal for a total revision of the Swiss Data Protection Act is currently being examined. It aims in particular to adapt data protection to the digital age and to strengthen citizens’ rights. In addition, the aim of adapting the legislation to European law is to ensure that data transmission between Switzerland and the EU Member States can take place without additional hindrance.
In view of the practical problems and questions raised by this subject, the question of setting up departments responsible for data protection in financial institutions could arise.
General Data Protection Regulation (EU)
Finally, it should also be remembered that the General Data Protection Regulation (“GDPR”) may also apply to the activities of Swiss financial intermediaries, in particular if they direct their services towards European clients.
In this respect, Article 3 para. 2 GDPR states that: “[t] his Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union”.
It seems to become common practice for financial intermediaries to collect an ever-increasing amount of data about their clients. However, the resources available – and perhaps a lack of knowledge of data protection laws – do not always allow for the verification and deletion of inappropriate data.
The implementation of current Anti-Money Laundering requirements by financial intermediaries seems to potentially conflict with the principles of data protection.
Financial intermediaries should thus remember the purpose of the DPA in the context of the application of Anti-Money Laundering and their clients should be aware of their rights.
 See Article 305bis para. 1 of the Swiss Criminal Code.
 Message from the Swiss Federal Council (FF 2019 5237), pages 5243 and 5247.
 SR 955.0.
 SR 955.01.
 SR 955.033.0.
 SR 311.0.
 See Article 2 para. 2 AMLA.
 See on this subject our Newsletter of 8 January 2019 titled “The New FinTech License”.
 See judgement 1B_85/2016 of the Swiss Federal Court dated 20 September 2016.
 See Article 264 of the Swiss Code of Criminal Procedure.
 See Article 260quinquies para. 1 of the Swiss Criminal Code.
 See Art. 23 AMLA which defines and sets out the tasks of this body.
 Article 11 AMLA.
 See Article 4 para. 2 DPA.
 See section 2.1. of the “Guide for the processing of personal data in the private sector” published by the Federal Data Protection and Information Commissioner in August 2009.
 See Article 13 DPA.
 FF 2017 65 65.