The US Senate is currently considering The Combating Money Laundering, Terrorist Financing, and Counterfeiting Act, known as the "Grassley Bill". US Senator Chuck Grassley, who introduced the Bill last November, claims the legislation will be a vital tool in the fight against money laundering and terrorist financing.
If passed in its current form, the Act will:
- require banks outside the US which maintain US correspondent accounts to comply with subpoenas for information on account holders within 10 days;
- prohibit those banks from notifying the subject of the subpoena request; and
- in the event of non-compliance, require the US correspondent bank to terminate its relationship with the foreign bank or face a fine of $10,000 for every day of continued non-compliance.
Such a subpoena could demand “information stored outside of the US”. As a result, any bank which is also subject to the EU’s General Data Protection Regulation (‘GDPR’) could easily fall foul of Article 48 of the GDPR (as well as the general restriction on transfers of personal data out of the EEA under Article 44).
Article 48 provides that a judgment or decision of a third-country authority (here, the US) requiring the transfer or disclosure of personal data may only be recognised or enforced if it:
is based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer...
A breach of the GDPR in order to comply with the proposed US law could expose the bank to an administrative fine of up to the greater of €20 million or 4% of its total worldwide annual turnover for the preceding financial year.
Institutions may, as a last resort under the Article 49 derogations, transfer personal data where there is a “compelling legitimate interest”, but only where the transfer is not repetitive, concerns a limited number of data subjects and is not overridden by the interests of those individuals; the bank would also have to inform both the individual whose personal data is to be transferred and the local data protection authority. Routine compliance with a stream of subpoenas is unlikely to fit within that derogation.
The GDPR comes into effect on 25 May this year and the Grassley Bill has yet to pass the Senate; the hope is therefore that any final draft of the US legislation takes into account Article 48. Financial institutions implementing new policies and procedures to ensure compliance with the GDPR should monitor the progress of the Grassley Bill through the Senate.