Regulation 41 of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 imposes requirements, with criminal sanctions for non-compliance, on training in data protection issues and the duration for which records are kept.  The SRA are auditing firms for AML compliance: the SRA are themselves subject to audit by the Office for Professional Body Anti-Money Laundering Supervision (OPBAS), so this is an issue which is unlikely to go away.  The Heathrow Airport monetary penalty notice highlighted the need for training.

In Lonsdale v National Westminster Bank Plc [2018] EWHC 1843 (QB), the High Court ordered a bank to disclose a suspicious activity report (“SAR”) to a customer (who happened to be an English barrister), observing that SARs may amount to “personal data”.

‹ Back to Publications