Processing of personal data in the Bank and Payment Accounts Register

Purpose of processing personal data

The purpose of processing personal data is provided for in the Act on the Bank and Payment Accounts Control System (571/2019). Customs maintains the Bank and Payment Accounts Register, and is responsible for submitting the information stored in the register to the competent authorities. The purpose of the Bank and Payment Accounts Register is to receive and store as well as to release information specified in section 6 subsections 2 and 3 of the above-mentioned Act and provided by payment institutions, electronic money institutions and virtual currency providers, as well as information specified in section 6 subsection 3 provided by credit institutions.

The competent authorities have the right to use the Bank and Payment Accounts Control System if this is necessary to prevent, detect and investigate money laundering and terrorist financing: 

  1. the enforcement authorities and the Bar Association referred to in the Act on Preventing Money Laundering and Terrorist Financing (444/2017) in order to carry out a control task provided for by the Act. The competent authorities referred to in the Act are the Financial Supervisory Authority, the Patent and Registration Office and the Regional State Administrative Agency.
  2. the Financial Intelligence Unit for carrying out tasks in accordance with section 2 subsection 1(1–4, 7) of the Act on the Financial Intelligence Unit (445/2017);
  3. authorities for implementing due diligence in accordance with Chapter 9 section 5 of the Act on Preventing Money Laundering and Terrorist Financing. The authorities in question are Customs, the Border Guard, the Tax Administration, the National Enforcement Authority and the Bankruptcy Ombudsman.

Categories of personal data

In accordance with Chapter 3 section 2 of the Act on Preventing Money Laundering and Terrorist Financing, a payment institution, electronic money institution and provider of virtual currency shall in the Bank and Payment Accounts Register store the following information on a customer to be identified:

  1. full name, date of birth and Finnish identity code or, if lacking, citizenship of the account holder, the holder of the access right to the account and virtual currency provider, or if the account holder or virtual currency provider is a legal person, then the full name, registration number, date of registration and registration authority as well as start and end date of the customer relationship;
  2. start and end dates of the customer status;
  3. payment account IBAN or other identifier.

If the credit institution has obtained an authorisation from the Financial Supervisory Authority for deviating from the obligation to maintain an information retrieval system in accordance with section 4 subsection 1, the following information is to be stored in the Bank and Payment Accounts Register:

  1. full name, date of birth and Finnish identity code or, if lacking, citizenship of the account holder and the holder of the access right to the account, or if the account holder is a legal person, the full name, registration number, date of registration and registration authority as well as start and end date of the customer relationship;
  2. full name, date of birth and Finnish identity code or, if lacking, citizenship of factual beneficiaries referred to in Chapter 1 sections 5-7 of the Finnish Act on the Prevention of Money Laundering and Terrorist Financing;
  3. IBAN number or other unique identifier of the bank and payment account, as well as the opening and closing dates of the account;
  4. full name, date of birth and Finnish identity number or, if lacking, nationality of the leaser of the safety deposit box and of the person authorised to use it, or if the leaser is a legal person, then the full name, registration number, date and authority, as well as the specifying details on the safety deposit box, and the duration of the lease period.

As for reserve accounts administered by attorneys, specific information on a bank or payment account being a reserve account of an attorney’s client that is covered by the attorney’s obligation of secrecy must be indicated in connection with such accounts. Data on reserve accounts must not be transferred to the register.

Sources of personal data

Information for the Bank and Payment Accounts Register is provided by credit and payment institutions, electronic money institutions, virtual currency providers and credit institutions with exceptional authorisation from the Financial Supervisory Authority. These parties are responsible for the correctness of the information they submit for storage to the Bank and Payment Accounts Register, and for correcting information without undue delay. New information and notifications of any changes to existing information must be submitted to the Bank and Payment Accounts Register no later than on the following banking day. Information is provided notwithstanding secrecy provisions and other restrictions on access to information.

Regular disclosures of personal data

Customs is entrusted with releasing data from the Bank and Payment Accounts Register to the competent authorities. 

Data can be released notwithstanding Article 18(1)(a) of the General Data Protection Regulation on restrictions of processing by the register controller (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC).

The competent authorities listed below have the right to use the Bank and Payment Accounts Control System if this is necessary to prevent, detect and investigate money laundering and terrorist financing:

  1. the enforcement authorities and the Bar Association referred to in the Act on Preventing Money Laundering and Terrorist Financing in order to carry out a control task provided for by the Act. The competent authorities referred to in the Act are the Financial Supervisory Authority, the Patent and Registration Office and the Regional State Administrative Agency.
  2. the Financial Intelligence Unit for carrying out tasks in accordance with section 2 subsection 1(1–4, 7) of the Act on the Financial Intelligence Unit (445/2017);
  3. authorities for implementing due diligence in accordance with Chapter 9 section 5 of the Act on Preventing Money Laundering and Terrorist Financing. The authorities in question are Customs, the Border Guard, the Tax Administration, the National Enforcement Authority and the Bankruptcy Ombudsman.

Personal data retention and disposal times

Personal data stored in the Bank and Payment Accounts Register are deleted ten years after the expiry of the grounds for entering the data in the Register.

Contact person of the data controller and additional information

Esko Hirvonen 
esko.hirvonen(at)tulli.fi