As the date approaches for the UK to leave the EU, will current EU regulation for cross-border transferring and handling of client data become irrelevant?
After the UK voted to leave the European Union, several banks and financial institutions have been transferring some of their business entities to the EU in order to onboard new clients and establish an EU foothold for existing clients in case of a no-deal Brexit scenario. This has a considerable impact on an institution’s Know Your Customer (KYC) process.
On June 19th 2018, the 5th EU Anti-Money Laundering Directive (AMLD 5) was published in the Official Journal of the European Union. It dictates that all obliged parties are to consult the corresponding beneficial ownership register in the EU when performing a KYC prior to any new business relationship.
The beneficial ownership register consists of the beneficial owner’s month and year of birth, country of residence, nationality, and the nature and extent of the beneficial interest held. Furthermore, member states are to create a list of national public offices and functions that qualify as politically exposed persons (PEP).
The exchange of such sensitive client-related information between the EU and the UK is regulated by the General Data Protection Regulation (GDPR), which will remain in place in the EU after Brexit.
On May 25th 2018, GDPR was implemented EEA-wide with the primary aim of granting individuals control over their personal data, while allowing the personal data to be shared between EEA member states.
In the UK, the Data Protection Act 2018 was enacted, containing equivalent protections and regulations that enable GDPR to function as a national law. GDPR prohibits the transfer of personal data to “third countries” outside the EEA unless such third countries are considered to have adequate laws in place to safeguard personal data.
Following a so-called ‘hard Brexit’ or a possible transition period, the UK will become a ‘third country’ under the GDPR definition. Consequently, the transfer of personal data will become forbidden under GDPR unless the European Commission issues a finding of adequacy for the UK’s post-Brexit data protection laws and data protection authority. A positive adequacy decision, however, would not entitle the Information Commissioner’s Office (ICO) – enforcer of the Data Protection Act 2018 – to participate in the European Data Protection Board. This leads to the current UK Government’s goal of establishing a legally binding data protection agreement with the EU – or an enhanced adequacy decision – that would also enable the ICO to have a seat at the European Data Protection Board.
The UK’s Financial Conduct Authority (FCA) has stated that it is working to mitigate ‘cliff-edge’ risks by achieving a high level of equivalence with EU regulation. In fact, on day one of post-Brexit Britain, the UK will have the regulatory framework most equivalent to the EU’s of any country in the world. While proposals to convert European law into British law give us some hope for the future, the EU Commission stated on November 13th 2018 that an adequacy decision of the UK’s data protection regime is not part of its contingency planning.
The outcome of both the EU’s and UK’s decision on a potential agreement to a reciprocal approach for the regulatory framework – including the adequacy decision on data protection – remains as difficult to predict as the Brexit negotiations themselves. Client onboarding and the corresponding data transfer handling requirements might become a huge challenge after Brexit. It is therefore recommended to plan for a worst-case scenario, where the UK becomes a ‘third country’, in light of the unprecedented regulatory journey ahead.
So, will current EU regulation for cross-border transferring and handling of client data become irrelevant? Most likely not.