Processing of personal data in the Bank and Payment Accounts Register and in the aggregating application

General information on the Bank and Payment Accounts Control System

In the Bank and Payment Accounts Control System, Customs acts as the controller of the personal data processed with the aggregating application and the Bank and Payment Accounts Register.

The Bank and Payment Accounts Control System consists of two different functionalities. These functionalities are:

  1. a centralised automated account information system; and
  2. a centralised electronic balance and account transaction system.

A centralised account information system refers to a centralised automated mechanism that makes it possible to immediately obtain bank and payment account details as well as safe deposit box information. This system is provided for in Chapter 2 of the Act on the Bank and Payment Accounts Control System (571/2019) (in Finnish and Swedish).

A centralised electronic balance and account transaction system refers to a method of processing balance and account transaction details as well as information on securities from the Bank and Payment Accounts Control System based on electronic data processing. This system is provided for in Chapter 3 of the Act on the Bank and Payment Accounts Control System.

The application of the functionality concerning balance and account transaction details as well as information on securities will begin on 1 June 2026. Information on a customer’s securities can be requested via the centralised electronic Balance and Account Transaction System as of 10 July 2027.

Basis for processing personal data

The basis for processing personal data is the controller’s legal obligation. The processing of personal data in the Bank and Payment Accounts Control System is based on the above-mentioned Act.

According to the Act, the personal data of the Bank and Payment Accounts Control System is processed using the bank and payment accounts data retrieval system, the Bank and Payment Account Register, the data disclosure system, and the aggregating application.

According to the Act on the Bank and Payment Accounts Control System, Customs maintains the aggregating application, which it uses to transfer data requests by the authorities to data suppliers (payment institutions, electronic money institutions, credit institutions and providers of crypto-asset services), and to transfer the data received from these suppliers to the competent authority in accordance with the request. Customs is the controller of the personal data processed in the aggregating application.

According to the Act on the Bank and Payment Accounts Control System, Customs is the controller of the Bank and Payment Accounts Register. Customs' task laid down by law is to disclose data from the Bank and Payment Accounts Register to the competent authorities.

Purpose of the processing of personal data

The purpose of the Act on the Bank and Payment Accounts Control System is to promote the automatic access to information by authorities concerning bank accounts, payment accounts and safe deposit boxes as well as information on securities, and to improve the data security of personal details to be disclosed. 

Only the competent authorities referred to in the Act can use the Bank and Payment Accounts Control System if it is necessary for carrying out their tasks and if the authority has the right provided elsewhere in law to obtain the data referred to in the Act on the Bank and Payment Accounts Control System. The competent authorities and the purposes for which they can use the data are listed under Regular disclosures of personal data.

Customs is the data controller of the Bank and Payment Accounts Register and, in that role, maintains the register and is responsible for submitting the information stored in the Register to the competent authorities via the aggregating application. The purpose of the Bank and Payment Accounts Register is to receive and store the data referred to in the Act on the Bank and Payment Accounts Control System and to disclose data stored in the Register. 

The aggregating application is an automated technical solution maintained by Customs, by which Customs transmits the information requests by competent authorities to the suppliers of data (and to the Bank and Payment Accounts Register insofar as it is relevant) and transmits the data received from it in accordance with the information request to the competent authority. Customs is the controller of the personal data processed in the aggregating application.

Information to be processed in the Bank and Payment Accounts Register is listed under Categories of personal data.

Sources of personal data

Bank and Payment Accounts Register

Notwithstanding the secrecy provisions and other restrictions on access to information, data for the Bank and Payment Accounts Register are provided by payment institutions, electronic money institutions and crypto-asset service providers, and by credit institutions that have been granted an exemption by the Financial Supervisory Authority. These parties are responsible for the accuracy of the data they submit for storage to the Bank and Payment Accounts Register, and for rectifying data without undue delay. Any new data and notifications of changes to existing data must be submitted to the Bank and Payment Accounts Register no later than on the following banking day. 

What is provided for in the Act on the Bank and Payment Accounts Control System regarding a payment institution, electronic money institution, credit institution or a provider of crypto-asset services also applies to Finland-based branches of foreign payment institutions, electronic money institutions, credit institutions and crypto-asset service providers.

Balance and account transaction information is not stored in the Bank and Payment Accounts Register. Operators who store information in the Bank and Payment Accounts Register and who have not built a data retrieval system (see the next chapter about this concept) release their balance and account transaction information to the Data Disclosure System administered by Customs. From this Data Disclosure System, the balance and account transaction information is transferred to the aggregating application, that is, to the same place where the balance and account transaction information of data retrieval systems is stored temporarily to be retrieved by an authority.

Aggregating application

Credit institutions must maintain an electronic Data Retrieval System for bank and payment accounts, for disclosing information about their clients and their balance and account transaction information referred to in the Act to the competent authority, notwithstanding secrecy provisions. Payment institutions, electronic money institutions and crypto-asset service providers can also maintain a data retrieval system. In that case, they should use the data retrieval system to disclose information referred to in the Act to the competent authority.

Thus, a bank and payment account data retrieval system refers to a system, whereby credit institutions and other operators who have created a data retrieval system disclose information about bank and payment accounts and their balance and account transactions, safe deposit boxes and securities to the competent authorities.

Information in a data retrieval system is not stored in the Bank and Payment Accounts Control System; rather, it is transferred directly from the credit institution to the authority via the aggregating application maintained by Customs.

The aggregating application therefore transmits the information requests of the competent authorities to the Bank and Payment Accounts Register maintained by Customs as well as to the data retrieval systems maintained by the data suppliers. The aggregating application also transfers the received information to the competent authority in accordance with the request for information. 

Regular disclosures of personal data

Customs maintains an aggregating application by which it transfers requests for information from the competent authorities to the data suppliers referred to in the Act on the Bank and Payment Accounts Control System for the purposes of processing laid down in the Act, and discloses the information received from them by transmitting it to the competent authority in accordance with the request for information.

Customs' task is to disclose information from the Bank and Payment Accounts Register to the competent authorities. This information is also disclosed through the aggregating application.

As controller, Customs does not transfer data outside the EU or EEA.

Centralised automated account information system

The following competent authorities have the right to access the Bank and Payment Accounts Control System to obtain the bank and payment account information in accordance with section 4 (data retrieval systems) and the information stored in accordance with section 6 (Bank and Payment Accounts Register), if such access is necessary for the performance of the following tasks and the authority has, under other legislation, the right to obtain the aforementioned information: 

  1. the Police, the Financial Intelligence Unit, Customs and the Border Guard for the prevention, detection, and investigation of offences under Annex I to the Europol Regulation (Regulation (EU) 2016/794 of the European Parliament and of the Council on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA); 
  2. The Tax Administration (a) for the purpose of allocating the obligation to provide information laid down in section 19 of the Tax Procedure Act (1558/1995); (b) for the purposes of section 3 of the Act on the national implementation and application of the provisions of the Council Directive on administrative cooperation in the field of taxation and repealing Directive 77/799/EEC (185/2013);
  3. Customs for the purpose of allocating the duty to provide information laid down in section 102(2) of the Customs Act (304/2016) for the purpose of carrying out a duty of taxation and tax control as well as for preliminary investigation and for the purpose of preventing and detecting customs offences referred to in chapter 1, section 2, paragraphs 3 and 4 of the Act on Crime Prevention by Customs (623/2015);
  4. The Enforcement Authority for the enforcement referred to in the Enforcement Code (705/2007);
  5. The competent authorities referred to in the Act on Preventing Money Laundering and Terrorist Financing (444/2017) (Financial Supervisory Authority, National Police Board, National Board of Patents and Registration, Regional State Administrative Agency [from 1 January 2026 Finnish Supervisory Agency] and the Bar Association) to perform the supervisory task referred to in the Act;
  6. The Financial Intelligence Unit for carrying out tasks in accordance with section 2, subsection 1, paragraphs 1–4, 7 and 8 of the Act on the Financial Intelligence Unit (445/2017);
  7. The Police for the prevention, detection, investigation as well as prosecution of offences and maintenance of national security, for the performance of the task of supervising fundraising referred to in the Money Collection Act (863/2019) as well as information needed in a police investigation referred to in chapter 6 of the Police Act (872/2011) if an important public or private interest so requires; 
  8. The Defence Forces for the prevention, detection and investigation of offences referred to in the Act on Military Discipline and Combating Crime in the Defence Forces (255/2014) as well as in accordance with section 104 of the Act on Military Intelligence (590/2019); 
  9. The Financial Supervisory Authority for carrying out tasks in accordance with section 3 of the Act on the Financial Supervisory Authority (878/2008);
  10. The Border Guard for the prevention, detection and investigation and prosecution of criminal offences in accordance with the Act on Crime Prevention by the Border Guard (108/2018).

A centralised electronic balance and account transaction system

The following competent authorities have the right to obtain balance data from the centralised electronic balance and account transaction system by means of a technical interface for the following purposes, if this is necessary for the performance of the authority's tasks:

  1. the Police, for the purposes referred to in chapter 4, section 3 and chapter 5a, section 50 of the Police Act;
  2. the Financial Intelligence Unit, for the purposes referred to in section 4 of the Act on the Financial Intelligence Unit;
  3. Finnish Customs for the purposes referred to in section 102, subsection 2 of the Customs Act and chapter 2, section 14, subsection 1 of the Act on Crime Prevention by Finnish Customs;
  4. the Border Guard for the purposes referred to in section 20 of the Act on the Processing of Personal Data by the Border Guard (639/2019);
  5. the Tax Administration for the purposes referred to in section 18 a of the Tax Assessment Procedure Act;
  6. the enforcement authority for the purposes referred to in Chapter 3, sections 64 and 66 of the Enforcement Code;
  7. the Financial Supervisory Authority for the purposes of section 18 of the Act on the Financial Supervisory Authority;
  8. the Defence Forces for the purposes of Section 104 of the Act on Military Intelligence and Section 112 of the Act on Military Discipline and Combating Crime in the Defence Forces.

The following competent authorities have the right to obtain account transaction details and securities information from the centralised electronic balance and account transaction system by means of a technical interface for the following purposes, if this is necessary for the performance of the authority's tasks:

  1. the Police, for the purposes referred to in chapter 4, section 3 and chapter 5a, section 50 of the Police Act;
  2. the Financial Intelligence Unit, for the purposes referred to in section 4 of the Act on the Financial Intelligence Unit;
  3. Finnish Customs for the purposes referred to in section 102, subsection 2 of the Customs Act and chapter 2, section 14, subsection 1 of the Act on Crime Prevention by Finnish Customs;
  4. the Border Guard for the purposes referred to in section 20 of the Act on the Processing of Personal Data by the Border Guard;
  5. the Tax Administration for the purposes referred to in section 18 a of the Tax Assessment Procedure Act;
  6. the enforcement authority for the purposes referred to in Chapter 3, sections 64 and 66 of the Enforcement Code;
  7. the Financial Supervisory Authority for the purposes of section 18 of the Act on the Financial Supervisory Authority;
  8. the Defence Forces for the purposes of Section 104 of the Act on Military Intelligence and Section 112 of the Act on Military Discipline and Combating Crime in the Defence Forces.

Categories of personal data

Centralised automated account information system

Customs uses the aggregating application to transfer information stored in the Bank and Payment Accounts Register as well as bank and payment account information disclosed from the data retrieval systems of data suppliers.

Bank and Payment Accounts Register

The following data shall be stored in the Bank and Payment Accounts Register on a customer of a payment institution, electronic money institution and crypto-asset service provider who shall be identified as provided for in chapter 3, section 2 of the Anti-Money Laundering Act:

  1. full name, date of birth and Finnish personal identity code or, if lacking, citizenship of the account holder, of the person authorised to use the account and of the customer of a crypto-asset service provider, or, if the account holder or the customer of a crypto-asset service provider is a legal person, its full name, registration number, date of registration and registration authority as well as all persons authorised to use the account and the information on them referred to above regarding natural persons, or, if the person authorised to use the account is a public guardian, instead of the name, date of birth and personal identity code of the guardian, the identification data of the service provider, the title of the guardian and, if the service provider has more than one public guardian, the order number of the guardian;
  2. the start and end dates of the customer relationship and access to the account;
  3. payment account IBAN or other unique identifier.

If the Financial Supervisory Authority has exempted a credit institution from the obligation to maintain a data retrieval system as referred to in section 1d(1), the following data are to be stored in the Bank and Payment Accounts Register:

  1. full name, date of birth and Finnish personal identity code or, if lacking, citizenship of the account holder and the person authorised to use the account or, if the account holder is a legal person, its full name, registration number, date of registration and registration authority, start and end date of the customer relationship as well as all persons authorised to use the account and the information on them referred to above regarding natural persons, or, if the person authorised to use the account is a public guardian, instead of the name, date of birth and personal identity code of the guardian, the identification data of the service provider, the title of the guardian and, if the service provider has more than one public guardian, the order number of the guardian;
  2. full names, dates of birth and Finnish personal identity code or, if lacking, citizenships of factual beneficiaries referred to in Chapter 1 sections 5-7 of the Finnish Act on the Prevention of Money Laundering and Funding of Terrorism;
  3. IBAN or other unique identifier of the bank and payment account, as well as the opening and closing dates of the account;
  4. full name, date of birth and Finnish personal identity code or, if lacking, citizenship of the lessee of the safe deposit box and the length of the lease period, or, if the lessee is a legal person, its full name, registration number, date of registration and registration authority, as well as the specifying details on the safe deposit box, and the duration of the lease period, or, if the person authorised is a public guardian, instead of the name, date of birth and personal identity code of the guardian, the identification data of the service provider, the title of the guardian and, if the service provider has more than one public guardian, the order number of the guardian.

As for reserve accounts administered by an attorney, specific information on the bank or payment account being a reserve account with a client’s assets administered by an attorney and covered by the attorney’s obligation of secrecy must be indicated in connection with such accounts. Information on reserve accounts must not be disclosed via the register, only the information that the account in question is a reserve account with a client’s assets administered by an attorney as well as which attorney’s reserve account is in question.

Data retrieval systems

The following information must be disclosed to the competent authority through the data retrieval system, if the competent authority is entitled to receive it under other legislation notwithstanding the provisions on secrecy and other restrictions on access to information:

  1. full name, date of birth and Finnish personal identity code or, if lacking, citizenship of the account holder and the person authorised to use the account or, if the account holder is a legal person, its full name, registration number, date of registration and registration authority, start and end date of the customer relationship as well as all persons authorised to use the account and the information on them referred to above regarding natural persons, or, if the person authorised to use the account is a public guardian, instead of the name, date of birth and personal identity code of the guardian, the identification data of the service provider, the title of the guardian and, if the service provider has more than one public guardian, the order number of the guardian;
  2. full names, dates of birth and Finnish personal identity code or, if lacking, citizenships of factual beneficiaries referred to in Chapter 1 sections 5-7 of the Finnish Act on the Prevention of Money Laundering and Funding of Terrorism;
  3. IBAN or other unique identifier of the bank and payment account, as well as the opening and closing dates of the account;
  4. full name, date of birth and Finnish personal identity code or, if lacking, citizenship of the lessee of the safe deposit box and the length of the lease period, or, if the lessee is a legal person, its full name, registration number, date of registration and registration authority, as well as the specifying details on the safe deposit box, and the duration of the lease period, or, if the person authorised is a public guardian, instead of the name, date of birth and personal identity code of the guardian, the identification data of the service provider, the title of the guardian and, if the service provider has more than one public guardian, the order number of the guardian.

As for reserve accounts administered by an attorney, specific information on the bank or payment account being a reserve account with a client’s assets administered by an attorney and covered by the attorney’s obligation of secrecy must be indicated in connection with such accounts. Information on reserve accounts must not be disclosed via the data retrieval system, only the information that the account in question is a reserve account with a client’s assets administered by an attorney as well as which attorney’s reserve account is in question.

A centralised electronic balance and account transaction system

It is possible to request the following information related to the bank and payment account balance from the central electronic balance and account transaction system:

  1. account number;
  2. account balance;
  3. date and time of the account balance.

The balance information concerning customer reserve accounts administered by an attorney may not be disclosed via the central electronic balance and account transaction system.

It is possible to request the following information related to account transactions from the central electronic balance and account transaction system:

  1. type of transaction;
  2. date and time of transaction;
  3. amount of the transaction in the account currency and the original currency;
  4. message and reference number of the transaction;
  5. account number of the transaction;
  6. name of recipient or sender;
  7. transaction-related information from the ISO20022 message structure other than those referred to in paragraphs 1 to 6.

In addition, information on a customer's securities can be requested via the centralised electronic balance and account transaction system.

The above-mentioned information concerning customer reserve accounts administered by an attorney may not be disclosed via the central electronic balance and account transaction system.

Time limits for storage and deletion of personal data

Bank and Payment Accounts Register

Personal data stored in the Bank and Payment Accounts Register are deleted after ten years from the expiry of the grounds for entering the data in the Register. The ground for expiry is usually the termination of the customer relationship.

Aggregating application

The processing of personal data in the aggregating application is automated. The data supplied via the aggregating application must be deleted from the application as soon as the data has been supplied. If the competent authority has not retrieved the requested information from the aggregating application using its data retrieval system within the time limit set by Customs, the information will be automatically deleted from the application.

Log data

The log data are kept for the current year and the following five years, except if they are needed for a pending supervisory matter. 

The data subject’s right of access

Bank and Payment Accounts Register

The data subject’s right of access covers the data in the Bank and Payment Accounts Register database. 

Aggregating application

By way of derogation from Article 15 of the GDPR on the data subject's right of access, there is no access to the data when the data is processed by the aggregating application.

The data must be provided to the Data Protection Ombudsman at the request of the data subject in accordance with the provisions of section 34 of the General Data Protection Act (1050/2018). A request for the exercise of the right of indirect inspection must be made to the Data Protection Ombudsman or to Customs in accordance with section 35(2) of the Act on the Processing of Personal Data by Finnish Customs (650/2019). A request made to Customs shall be referred to the Data Protection Ombudsman forthwith.

Controller

Contact person of the controller and additional information:

Ms Pirkko Alamäki-Karkiainen
pirkko.alamaki-karkiainen@tulli.fi