Although I am not a lawyer, I enjoy the limited exposure I have to the law – it’s like trying to unpick a puzzle, making sure that you have completely understood all the requirements, down to the last sub-clause and comma. However, I do find it frustrating when the law is written in such a way that it is almost impossible to obey. I am sure this happens more often than we would wish, but the occurrence against which I butt up frequently is the mismatch between AML legislation and data protection legislation.
In short, data protection legislation empowers individuals to inspect the information held on them by institutions. In theory, this information should include any SARs concerning that individual. Of course, to show them a SAR would be madness – madness, I say! So the MLRO has to choose between tipping off (two/five years depending on your jurisdiction) or a contravention of data protection (a fine). I can see which I would choose, but I shouldn’t have to choose.
Most data protection legislation has a woolly get-out clause along the lines of “you don’t have to reveal any information that might interfere with the investigation or prosecution of crime”, but it’s not a blanket exemption: you have to show in each and every case that revealing the information concerned would cause a problem. And isn’t that the case with every single SAR? Well, duh, as my teenage niece would say. So why can’t we have an exemption written into the data protection legislation, excluding all reports of suspected criminality – including, of course, SARs?