Jerseys Anti Money Laundering Legislation and the Data Protection (Jersey) Law 2005

Jerseys Anti Money Laundering Legislation and the Data Protection (Jersey) Law 2005

Introduction

This briefing in intended to provide an outline to the interrelation of the provisions of the money laundering legislation relating to “tipping off” and the provisions of the Data Protection (Jersey) Law 2005 (the “Data Protection Law”) relating to disclosure of personal data.

The Money Laundering Legislation

The following laws and order incorporate all the provisions contained in Jersey Law concerning money laundering:

• Proceeds of Crime and Terrorism (Miscellaneous Provisions) (Jersey) Law 2014
• The Proceeds of Crime (Jersey) Law 1999; and
• The Money Laundering (Jersey) Order 2008.

Suspicious transaction reports, also known as suspicious activity reports, can be made either to the law enforcement authorities or, where the individual works for an institution which has a Money Laundering Reporting Officer (“MLRO”), to the MLRO. Once a report is made to an MLRO, the responsibility rests on the MLRO to decide whether or not to make a report to the law enforcement authorities.

Suspicious transaction reports must be made where a person:

• knows or suspects that he or his organisation is about to become involved in money laundering.
• knows or suspects, or has reasonable grounds for knowing or suspecting, that another person is engaged in laundering either the proceeds of crime or crime-related property, but does not make a report to the law enforcement authorities.

Tipping Off

In order to prevent individuals from warning those about whom they have made or will make a suspicious transaction report, the money laundering legislation also criminalizes tipping off. Where a person knows or suspects that a suspicious transaction report has been made to the law enforcement authorities, it is an offence for him to make any disclosure which is likely to prejudice any investigation which might be or is being conducted following the making of any such report. It is worth noting that no offence is committed where the person making the disclosure of a suspicious transaction report did not know or suspect that the disclosure would likely prejudice an investigation.

Under the Article 25 Proceeds of Crime (Jersey) Law 1999, now criminalizes any disclosure made before a suspicious transaction report. Therefore, should a person now know or suspect that such a report will be made, and he makes any disclosure as that outlined above, he would be guilty of an offence.

The Data Protection Law

Under Article 7 of the Data Protection Law, a person is entitled, upon making a request in writing to a data controller (a person who alone of jointly determines the purposes for which and manner in which personal data are processed):

• to be informed by the data controller whether personal data of his is being processed by or on behalf of that data controller, and if so
• to be given by that data controller a description of the personal data being processed, the purpose of that data and the recipients, in addition to
• being supplied by the data controller with a copy (in intelligible form) of all the information which constitutes his personal data, and the source of this information.

Such a request is known as a subject access request, and data controllers are required to respond to such requests promptly, and in any case within 40 days. The 40 days begin from when the data controller has received the request, any further information he may need to identify the applicant and locate the personal data sought, and, if he charges one, a fee (of up to £10 maximum).

The Data Protection Law provides certain exemptions to the right of subject access, of which Article 29 is the most relevant in the present context. This provides that personal data are exempt from the subject access provisions in any case where the application of that provision would be likely to prejudice the prevention or detection of crime, or the apprehension of prosecution of offenders.

Article 7 and Tipping Off

Concerns have been raised as to the interrelation of the tipping off provisions and compliance with subject access requests pursuant to Article 7 of the Data Protection Law.

The starting point is the similar language used in the tipping off offences (disclosure would be likely to prejudice any investigation which might be conducted following the making of the suspicious transaction report) and Article 29 of the Data Protection Law (disclosure would be likely to prejudice the prevention or detection of crime or the apprehension or prosecution of offenders).

Where disclosure of a particular suspicious transaction report would constitute a tipping off offence, the Article 29 exemption will apply, exempting the person from complying with the subject access request. Where disclosure of a suspicious transaction report would not constitute a tipping off offence, the Article 29 exemption will not be available in respect of the money laundering element.

It must, however, be emphasised that each time a subject access request is received, the institution concerned must carefully consider, in that particular case, whether the disclosure of the suspicious transaction report would be likely to prejudice the prevention or detection of crimes.

There is also added comfort introduced by the Data Protection (Subject Access Exemptions) (Jersey) Regulations 2005, which reinforces the fact that under Article 2, the tipping off offence is exempt from Article 7 requests.

Where a financial institution is in any doubt as to whether disclosure would be likely to prejudice an investigation or potential investigation, it should approach the Joint Financial Crimes Unit (the “JFCU”). Institutions should bear in mind the requirement to respond promptly to a subject access request and, in any event, within 40 days, and ensure that they approach the JFCU in good time. In view of the consequences of erring in its decision, financial institutions may wish to adopt a ‘safety first’ approach when deciding on whether or not to engage the JFCU.

It should be noted that, where an institution withholds a piece of information in reliance on Article 29 of the Data Protection Law, it is not obliged to tell the individual that any information has been withheld. It can simply leave out that piece of information and make no reference to it when responding to the individual who has made the request.

Data controllers would be well advised to keep a record of steps they have taken in determining whether disclosure of a suspicious transaction report would involve tipping off and/or the availability of the Article 29 exemption. This might be useful in the event of the data controller having to respond to enquiries made subsequently by the Data Protection Registrar or the courts.

Internal Reports

When a person makes a suspicious transaction report to his MLRO, but the MLRO has not passed on a suspicious transaction report to the JFCU, the principles outlined above also apply. While this particular suspicious transaction report may not have raised enough suspicion for the MLRO to deem it worthy of passing to the JFCU, the internal suspicious transaction report may be the basis for establishing a pattern of future transactions which later give rise to suspicion. Therefore, when dealing with a subject access request, the same approach set out above should be followed.

If the institution considers that disclosure of a suspicious transaction report made by one of its employees would be likely to prejudice the prevention or detection of crime, even if the suspicious transaction report has not been passed to the JFCU, then Article 29 may be relied on to withhold that information.

Summary

Article 29 does not provide a blanket exemption to subject access obligations for suspicious transaction reports. Each request for information must be considered on its merits. Institutions must consider whether, in the particular case, disclosure of the suspicious transaction report would be likely to prejudice the prevention or detection of crime.

• Where telling an individual that a suspicious transaction report relating to him has been made would constitute a tipping off offence, that information can be withheld in reliance on Article 29 of the Data Protection Law. This applies even where the suspicious transaction report has not been passed to the JFCU.
• Where disclosure of a suspicious transaction report would not constitute a tipping off offence, the Article 29 exemption will not be available in respect of the money laundering elements.
• It is always useful to remember that where any institution is in doubt as to whether or not to comply with a subject access request, it is always better to err on the side of caution in not making the disclosure, as there is no penalty for failing to respond to an Article 7 request. The data subject or the individual concerned would need to go to the Royal Court to attempt to enforce his request in any event.

About Ogier

Ogier is a professional services firm with the knowledge and expertise to handle the most demanding and complex transactions and provide expert, efficient and cost-effective services to all our clients. We regularly win awards for the quality of our client service, our work and our people.

Disclaimer

This client briefing has been prepared for clients and professional associates of Ogier. The information and expressions of opinion which it contains are not intended to be a comprehensive study or to provide legal advice and should not be treated as a substitute for specific advice concerning individual situations.

Regulatory information can be found under Legal Notice