New guidance for Singapore banks on observing privacy rights whilst meeting anti-money laundering obligations

Out-Law News | 07 Jul 2014 | 11:18 am | 2 min. read

Banks, merchant banks and finance companies operating in Singapore have been issued with new guidelines by the country's financial services regulator on how to observe individuals' privacy rights whilst meeting their obligations to combat money laundering and terrorist financing.

New data protection rules came into force in Singapore on 2 July and provide individuals with a general right to request access to and the correction of personal data held about them by businesses operating in the country.

However, the Monetary Authority of Singapore (MAS) has outlined guidelines (23-page / 132KB PDF) which explain the extent to which financial institutions have to observe individuals' access and correction rights whilst ensuring compliance with their duties on conducting anti-money laundering and terrorist financing checks.

In accordance with their duties to help prevent money laundering and counter the financing of terrorism, banks in Singapore must engage in a range of due diligence activities. This includes verifying the identity of customers they engage with, obtaining information about the purpose of customers' business relations with them, and monitoring customer transactions to "ensure that the transactions are consistent with the bank’s knowledge of the customer, its business and risk profile and where appropriate, the source of funds".

When adhering to those due diligence duties, MAS has set a general rule that financial institutions are not required to provide individuals with "any access to personal data about the individual" that is in its possession or under its control; "any information about the ways in which the personal data of the individual ... has been or may have been used or disclosed" by it; or "any right to correct an error or omission of the personal data about the individual" that is in its possession or under its control.

However, the MAS guidelines provides for limited rights for individuals to request that financial institutions (FIs) provide them with access to, or correct, their personal data.

This is because "unfettered rights to access and correct all types of personal data could ... affect the quality of FIs’ customer due diligence data and their ability to aid in combating money laundering and terrorism financing crimes" it explained in response to industry feedback (6-page / 220KB PDF) it received following a consultation on the issue.

Under the MAS guidance, individuals have a right to access certain personal data that financial institutions may hold about them, including their name, unique identification number, date of birth and nationality "as soon as reasonably practicable".

In adhering to the access request rights, financial institutions must also disclose any other personal data they hold about individuals, subject to the release of that data adhering to a rule under the Personal Data Protection Act (PDPA) which, among other things, prohibits the disclosure of personal data if it could endanger the safety of others, if it runs contrary to national security or if the disclosure could involve revealing a third party's personal information, for example.

Financial institutions must, "as soon as reasonably practicable", "correct an error or omission" in the personal data that individuals have a right to access, subject to an exemption to that correction right applying under the PDPA.

However, MAS said that financial intuitions "are not obliged to provide individuals access to and correction of any other personal data". This means that personal data that the financial institutions collected from other organisations or sources to verify those individuals' identity do not need to be disclosed, it said in its consultation feedback response. Financial intuitions would not have to disclose personal data contained in their "internal analyses" of individuals’ money laundering or terrorist financing risk either, it said.