Paschal Donohoe (Dublin Central, Fine Gael)
Link to this: Individually | In context

I have consulted with the Data Protection Commission and the Central Bank of Ireland on this matter.

Under the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, as amended (‘the CJA 2010’), the Central Bank of Ireland (‘Central Bank’) is the competent authority responsible for supervision of the financial sector’s compliance with the anti-money laundering and countering the financing of terrorism (‘AML/CFT’) obligations set out in Part 4 of that Act. EU and national level legislation both require a risk-based approach in relation to the development and application of AML/CFT controls.

Specifically, the CJA 2010 contains customer due diligence (‘CDD’) provisions relating to the requirement to identify and verify a customer (or person purporting to act on their behalf) or a beneficial owner. In accordance with a risk-based approach, the CJA 2010 and the Central Bank’s AML Guidance do not provide prescriptive or definitive examples of documentation or information that it considers would satisfy customer identification and verification requirements. Rather, firms are advised that they should determine the documents and information which they will accept for the purposes of CDD and set out their approach to this in their policies and procedures. In doing so, the Central Bank expects that firms offering financial products and services which can be accessed by minors to have:

• identified any heighted ML/TF risk associated with respect to such products and services in their Customer Risk Assessment and Business Wide Risk Assessments (‘BWRA’);
• risk-based CDD measures in place to establish the nature and purpose of the business relationship with the customer, identify and verify the child, and parent/guardian where appropriate; and
• specific transaction / ongoing monitoring rules in place, to identify and mitigate any risks highlighted within the BWRA associated with the use of their products and services by minors, in addition to other monitoring rules used to identify any heightened risks.

The Central Bank monitors firms’ adherence to their legal obligations set out in the CJA 2010 and its supervisory expectations with respect to same.

It is relevant to mention that the Financial Action Task Force (‘FATF’) , which is the global standard-setting body in the area of AML/CFT, in March of this year published a report on “Detecting, Disrupting and Investigating Online Child Sexual Exploitation”. Subsequently, the Central Bank has proactively promoted awareness of this report during its supervisory engagements with relevant firms .

Separately, I have also consulted with the Data Protection Commission and it has provided the following information.

The provisions of Article 8 of the General Data Protection Regulation (GDPR) apply to the offering of what is termed ‘information society services’ directly to a child. However, it is not clear that the services offered by financial institutions fall within this category. Secondly, Article 8 GDPR applies where the data subject has given consent to the processing of relevant information. Accordingly, it may be more likely that processing in these cases will be based on Article 6(1)(b) GDPR, “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”. As such, it is the responsibility of the financial institution as a data controller to identify the appropriate legal basis for processing personal data.

Under Article 5 (2) GDPR, it is the primary responsibility of a controller offering 'information society services' to children, on the basis of their consent to processing their personal data, to ensure compliance with Article 8. This requires them to make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child.

In carrying out its task under Article 57(1)(d) GDPR, the Data Protection Commission (DPC) has published the guidance document, Children Front and Centre: Fundamentals for a Child-oriented Approach to Data Processing, which addresses the age of digital consent and age verification. The DPC also engages with the financial sector in Ireland through its supervision function to promote awareness of controllers in that sector of their obligations.

Enforcement of the GDPR by the DPC is governed by Part 6 of the Data Protection Act 2018. To date, no enforcement actions under Part 6 have been carried out in relation to the offering of 'information society services' to children by financial institutions.

Furthermore, other cross-sectoral initiatives are relevant. Last February I launched Ireland’s first National Financial Literacy Strategy. This has thirty-two aims and objectives and includes promoting awareness around financial abuse, frauds and scams and harnessing opportunities for financial literacy in the school curriculum.

FraudSMART is an initiative developed by the Banking and Payments Federation Ireland (BPFI) which involved a major awareness campaign about ‘money mule-ing’. This is where someone who allows their bank account to be used for moving money generated by criminal activity. Young people have often been targeted for this purpose.

A “Money Mules” module is also in development by the Garda National Community Policing Unit in collaboration with the Department of Education for the Garda Schools Programme. This, when finalised, will aim to teach young people about the implications of involvement in this criminal activity and their vulnerability to it.