Banking institutions are good students!

2022 01 24 ccin

The Data Protection Authority of Monaco (CCIN) maintains a close relationship with the Monegasque Government and with the financial investigation unit, SICCFIN. We talked to Ms Agnès LEPAULMIER, Secretary-General of the CCIN, about the highlights from 2020/2021.

During the recent period of disruption as a result of COVID, what were your priorities?

As the authority responsible for protecting personal data, our priority remains the security of customer data. Banks and some management companies contacted the CCIN during the pandemic, and particularly during lockdown, looking to introduce teleworking very quickly but also safely. We were not terribly concerned because we knew that the banks’ information systems were sufficiently robust to enable highly secure remote access; however, we very quickly developed best practice guidance for other types of company, and this was posted on our website. This guidance provided a useful “user manual” for employers on security relating to remote access and best practices to protect the private lives of employees. We did not want certain decisions taken urgently to create additional stress for employees, and so we sought to avoid that.

What about after lockdown?

As business resumed, we were contacted by a number of employers, and particularly banks, seeking advice on the best health measures to put in place in order to gradually bring their employees and customers back into their premises. Following the large number of questions we were asked, we once again published information on key topics (taking employee temperatures, testing, etc.) on our website.

Did you work with SICCFIN, too?

We held meetings with SICCFIN in July 2020 and in May 2021, because we were working together on a document about data retention and protecting personal information. Although the money laundering legislation is extremely detailed, it doesn’t necessarily cover everything. For SICCFIN and the CCIN, our common goal was to produce a harmonisation document, to agree on best practices where nothing was specified in the legislation.

In addition, the CCIN sometimes has to set data retention periods, and we try to find out what SICCFIN’s position is so that we can be consistent. Our aim is to help ensure that organisations subject to the legislation are not sanctioned by either the CCIN or SICCFIN. At the request of the CCIN, some data retention periods are now set out in the legislation, which was not the case before. I’m thinking in particular of the retention periods for SICCFIN requests for information.

So the issue of data retention periods is a very important one?

Yes. When data retention periods are not specified in domestic law, then very often organisations want to apply the laws in force for their Group, which may be different to the practices accepted by the CCIN. We also discussed with SICCFIN the exact scope of who is subject to the money laundering due diligence obligations. Under Monegasque law, some categories of employees in a bank are covered by the due diligence requirements, but not all of them. When a work permit is issued in Monaco, numerous checks have already been done in any case.

In addition, in recent weeks we have been contacted by a number of banks regarding the creation of a new register of bank accounts, which is now mandatory under the money laundering legislation. Organisations subject to the legislation must declare to SICCFIN any accounts they open, and they want to know what CCIN procedures they have to complete in order to comply with the legislation.

Does the CCIN have regular contact with SICCFIN and banks, then?

Yes. Banks and some management societies are definitely in the habit of contacting us. They are good students! We work a lot with the State: if legislation is going to have an impact on personal data, the CCIN must be asked for its opinion. Sometimes the National Council also wants to hear from a CCIN delegation when it is reviewing a bill.