Bank and payment account monitoring system
The legal act concerning the bank and payment account monitoring system entered into force on 1 May 2019. The purpose of the act is to facilitate electronic data acquisition by authorities from bank and payment accounts of citizens, companies and corporations . In this way, the combat against money laundering and the financing of terrorism is enhanced.
The bank and payment account monitoring system comprises two technically different systems:
- The Account Register maintained by Customs, and
- a distributed data retrieval system.
In order to release bank and payment details of their customers, financial operators must either join the Account Register or establish their own data retrieval systems. Both procedures require operators to undertake preparations for which Customs offers instructions on these pages. Both the Account Register and the data retrieval system along with their interfaces must be operational as of 1 September 2020 for enquiries by authorities.
Credit institutions are obligated to maintain a data retrieval system. Credit institutions can request permission from the Financial Supervisory Authority to deviate from the obligation to maintain such a system. In practice, this means joining the Account Register.
Payment institutions, electric money institutions and virtual currency providers can choose between implementing a data retrieval system or joining the Account Register.
For financial operators:
The Account Register, i.e. the bank and payment account register, is created and maintained by Customs. It consists of the Account Register application and the related update and query interfaces. It is an element of the bank and payment account monitoring system.
The information in the Account Register consists of data on accounts, customers and safety deposit boxes sent by financial operators (data providers). Competent authorities can make electronic enquiries using this data.
Here is how you sign up for the Account Register
To sign up for the Account Register, send a free-form email message addressed to the Customs Account Register Project to the Customs Registry Office at kirjaamo(at)tulli.
Credit institutions must apply for a an exemption from maintaining a data retrieval system from the Financial Supervisory Authority by sending a free-form email message to the registry office of the Financial Supervisory Authority at kirjaamo(at)finanssivalvonta.fi by 30 April 2020.
Instructions on deploying the Account Register with Customs
Data providers are responsible for their own applications, services and data connections with the Customs update interface, and for the costs incurred by them to their organisations, and to possible third parties whose services may be required for deployment.
Data providers should read with care the Account Register interface descriptions and instructions for deployment and maintenance.
Customs and the data provider will determine a schedule, and define the approval criteria for deploying the update interface. Deployment involves opening data connections, testing, and accepting the service. Customs wishes that the cooperating organisation assigns a person responsible for deployment and further contacts. The details on the person in question can be emailed to Customs at tilirekisteri(at)tulli.fi.
In unclear situations, Customs will provide further instructions and support by email at tilirekisteri(at)tulli.fi.
As of 1 September 2020, data providers can start releasing information to the Account Register. This means that the so-called production use will start.
Responsibility for accuracy of information in the Account Register
The party that releases data to the Account Register is the register holder. This party is responsible for indicating that the personal details are accurate and, when necessary, updated. As the Account Register maintainer, Customs will store information in the Register database in the received format. The data provider is responsible for making sure that the provided information is accurate and up-to-date.
Interface specifications may change – Customs will notify about changes well in advance
Customs will notify its partners about any changes to the update interface description of the Account Register, https://finnishcustoms-suomentulli.github.io/account-register-information-update, and about changes to the query interface description by directly notifying the assigned data provider contact persons.
If a data provider notices a need for making a change in the Account Register update interface or in the Account Register application, they can send their proposal on the change to Customs at tilirekisteri(at)tulli.fi.
Disruptions and malfunctions involving update interfaces
The data provider and Customs must without delay inform other concerned parties about malfunctions in their service that affect the functionality of the update interface. The data provider must also inform Customs about any planned interruptions involving maintenance and use which may affect the update interface or the release of information to Customs. Likewise, Customs will notify data providers in good time about any planned interruptions involving the use of the Account Register.
Mon-Fri 7 am–6 pm
The data retrieval system is created by the data provider, and comprises the data provider’s own systems, as well as the query interface defined by Customs.
The data retrieval system is an element of the bank and payment account monitoring system.
In the data retrieval system, credit institutions are data providers. If they so wish, also payment institutions, electronic money institutions and virtual currency providers can provide data. The authorities, i.e. data users, make enquiries on bank and payment accounts through the query interface of the data retrieval system. When authorities make enquiries in the system, data providers must submit the information determined by law without delay and notwithstanding any secrecy provisions.
Customs will notify the authorities utilising the information in the bank and payment account monitoring system about the financial operators who will implement their own data retrieval system.
Your query interface for the data retrieval system must be operational on 1 September 2020.
Please notify the Customs Registry Office about your intention to implement a data retrieval system
Data providers must notify the Customs Registry Office about implementing a data retrieval system by email to kirjaamo(at)tulli. After this, Customs will send instructions for creating and testing a data retrieval system.
Data providers will create their data retrieval systems in accordance with the technical specifications set out by Customs. Query interface description for the data retrieval system: https://finnishcustoms-suomentulli.github.io/account-register-information-query/
Customs will support the implementation of your data retrieval system, and give further information in unclear situations. Customs wishes that the cooperating organisation assigns a person responsible for deployment and further contacts. The details on the person in question can be emailed to Customs at tilirekisteri(at)tulli.fi.
In unclear situations, Customs will provide further instructions and support by email at tilirekisteri(at)tulli.fi on weekdays from 7 a.m. to 6 p.m.
As register keepers, data providers are responsible for the availability of information by maintaining a data retrieval system and interface. In turn, the competent authority as a register keeper is responsible for the information it processes through the data retrieval system.
Responsibility for accuracy of information in the data retrieval system
As a register keeper, the party who implements the data retrieval system, i.e. the data provider, is responsible for indicating that any personal details are accurate and, if required, updated. This responsibility is directly based on the EU Data Protection Regulation.
Register keepers must carry out all possible and reasonable measures for making sure that any information deemed imprecise and incorrect in terms of processing are corrected or erased without delay.
Query interface for the data retrieval system
Data providers must submit an immediate and unfiltered reply to any electronic queries from competent authorities.
The query interface for the data retrieval system must be available at all times. More information on distributed data retrieval systems, data protection and certificates
Changing from the Account Register to a data retrieval system? Please notify the Customs Registry Office
When they so wish, all financial operators can switch over from the Account Register to their own data retrieval system. Customs must be notified about this by email to kirjaamo(at)tulli. After this, Customs will send instructions for creating a data retrieval system. After testing and approval, Customs will close the credit institution update interface in the Account Register.
Mon-Fri 7 am–6 pm
From a citizen’s viewpoint, the elements of the monitoring system, the Account Register and data retrieval systems administered by financial operators are similar. Information is gathered so that certain authorities can use it in investigations relating to financing of money laundering and terrorism. Gathering of data and the monitoring system itself are regulated by a national legal act on a bank and payment account monitoring system based on the EU anti-money laundering directive.
The legal act on a bank and payment account monitoring system determines the parties who utilise monitoring data. These include the Finnish Patent and Registration Office, the Regional State Administrative Agencies, the Financial Intelligence Unit of the National Bureau of Investigation, the Gambling Administration of the National Police Board and the bar associations. Separate legislation on each party utilising information provides for information acquisition rights.
The monitoring system helps to establish an electronic and secure channel for obtaining information from credit and payment institutions, electronic money institutions and virtual currency providers. The legal act does not increase the competence of authorities, but instead gives them a new way of gathering information in a secure electronic way.
Data transfer and storage are based on appropriate high-standard data security measures. The system has specific rights of use for different authorities, and each enquiry that is made is recorded in the system log.
Due to the EU Directive and national legislation, only certain authorities have access to the information in the bank and payment account monitoring system. If you have doubts about the accuracy of information, you should contact the credit or payment institutions where you have accounts, safety deposit boxes or customer relations.
Finnish Customs has been entrusted with the implementation of the bank and payment account monitoring system, and has set up an Account Register Project for this purpose. Customs will implement the Account Register and the related interfaces, i.e. the update interface for banks and payment institutions, and the query interface for authorities who use the Register. Furthermore, Customs has issued instructions on how financial operators can establish a distributed data retrieval system and any related interfaces. The Account Register Project is coordinated by the Ministry of Finance.