
Monaco: Data Protection in the Financial Sector


1. Governing Texts

1.1. Legislation

Financial institutions (i.e. credit institutions, portfolio management companies, etc.) in Monaco have been amongst the first, as well as the most active, entities to collaborate with the Monegasque data protection authority ('CCIN') in order to adapt general data protection principles to the specificities of their activity. Thus, a number of local professional associations such as the Monaco Compliance Officers Association ('AMCO') or the Monaco Association for Financial Activities ('AMAF') have worked closely with the CCIN, resulting, over the years, in the adoption by the CCIN of several recommendations containing provisions directly applicable to financial institutions (e.g. collection of identification documents for anti-money laundering ('AML') purposes, supervision of emails for reverse takeover or AML purposes, compliance with the US Foreign Account Tax Compliance Act ('FATCA') or the Organisation for Economic Co-operation and Development ('OECD') Common Reporting Standard ('CRS') obligations, etc.).

In addition, Monaco has a general set of rules regarding data protection, which will be discussed in the following sections.

In 1993, Monaco passed its first general data protection law, Act No. 1.165 on the Protection of Personal Data (23 December 1993) ('the Act'). This Act has since been modified and updated several times, most importantly in 2008 (notably to grant the CCIN the status of an independent authority pursuant to international requirements) and in 2015 (to create a constitutionally compliant legal framework for the CCIN's investigating powers).

Other relevant provisions to be noted are the following:

  • International conventions and regulations:
  • Constitution of the Principality of Monaco, in particular Title III on the fundamental freedoms and rights of individuals, including the right to privacy.
  • National provisions implementing the Act:
    • Sovereign Ordinance No. 2.230 of 19 June 2009 (only available in French here) implementing the Act;
    • Ministerial Order No. 2002-269 of 23 April 2002 enacting a simplified declaration procedure for personal data processing operations related to securities and financial instruments (only available in French here);
    • Ministerial Order No. 2002-270 of 23 April 2002 enacting a simplified declaration procedure for personal data processing related to client accounts and portfolios management (only available in French here); and
    • Ministerial Order No. 2005-133 of 3 March 2005 enacting a simplified declaration procedure for personal data processing related to the execution, management, and performance of contracts implemented by duly authorised insurance, capitalisation, reinsurance, and assistance companies (only available in French here) ('the Insurance Order').
  • Other national legislation containing some provisions related, directly or indirectly, to data protection:
    • Act No. 1.362, as modified, of 3 August 2009 on the Fight against Money Laundering, Terrorism Financing and Corruption (only available in French here) ('the AML Act'), and its implementing Sovereign Ordinance No. 2.318 of 3 August 2009 (only available in French here) ('the AML Ordinance');
    • Act No. 1.444 of 19 December 2016 implementing various measures to protect personal information and confidentiality in the context of the automatic exchange of information in tax matters (only available in French here) ('the Automatic Exchange Act');
    • Act No. 1.338 of 7 September 2007 on financial activities (only available in French here) ('the Act on Financial Activities'), and its implementing Sovereign Ordinance No. 1284 of 10 September 2007 (only available in French here); and
    • Act No. 1.314 of 29 June 2006 on financial instrument custody and management (only available in French here), and Ministerial Order No. 2012-199 of 5 April 2012 (only available in French here).
  • CCIN Recommendations:
    • Decision No. 2017-001 of 4 January 2017 providing recommendations on automated processing of personal information for purposes of 'Managing legal obligations relating to automatic exchanges of information for tax purposes' implemented by reporting financial institutions (only available in French here);
    • Decision No. 2013-116 of 16 September 2013 providing recommendations on automated processing of personal information for purposes of 'Managing obligations arising from the FATCA Regulation' (only available in French here);
    • Decision No. 2015-111 of 18 November 2015 providing recommendations on automated processing of personal information for purposes of 'Monitoring or controlling electronic messaging systems' (only available in French here);
    • Decision No. 2015-113 of 18 November 2015 providing recommendations on the collection and retention of copies of identity documents (only available in French here);
    • Decision No. 2017-054 of 19 April 2017 providing recommendations on telephone conversation recording devices implemented at the workplace by credit institutions and similar entities (only available in French here);
    • Decision No. 2017-206 of 20 December 2017 providing recommendations on automated processing of personal information for purposes of 'Managing authorisations and IT Access implemented for monitoring or controlling access to the Information System' (only available in French here); and
    • Decision No. 2019-084 of 15 May 2019 providing recommendations on security measures for the use of payment cards in the context of remote or online sale of goods or provision of services (only available in French here).

It must be noted that, as far as the GDPR is concerned, it applies to Monaco data controllers or processors only to the extent that the processing activities are related to:

  • the targeted or active offering of goods or services to persons within the territorial scope of the GDPR; or
  • the monitoring of the behaviour of persons within EU territory.

1.2. Supervisory authorities

The CCIN is the Monaco data protection authority. Other authorities may also be involved in the implementation of the legal corpus listed in section 1.1. above, including the Monaco AML Authority, the Financial Circuits Information and Control Service ('SICCFIN'), and Monaco judicial authorities more generally.

2. Personal and Financial Data Management

2.1. Legal basis for processing

The Act, as well as the GDPR, provide that data controllers can process data on the following grounds:

  • consent of the data subjects;
  • compliance with legal obligations;
  • public interest;
  • performance of a contract or pre-contractual measures with the data subject;
  • fulfilment of the data controller's legitimate interest, to the extent that it does not infringe upon the interests, or the fundamental rights and freedoms of the data subjects; and/or
  • protection of the vital interest of the data subject or another individual.

Some specific grounds are also provided by law where a data controller plans on transferring personal data to a country not considered as having an adequate level of data protection (generally speaking, non-EU countries; the list of countries with an adequate level of data protection is only available in French here):

  • safeguarding the data subject's life;
  • compliance with legal obligations for the exercise of judicial proceedings or rights in court (e.g. discovery procedures, defence in foreign judicial proceedings);
  • the consultation of a public register (not commonly used); and/or
  • for the execution of a contract with a foreign/extraterritorial third party in the interest of the data subject.

In practice, and depending on the type of processing activities, financial institutions usually rely on only some of the legal bases listed above, in certain cases pursuant to the CCIN recommendations, including in relation to:

  • compliance with legal duties of the data controller: all data processing operations related to CRS and tax issues, AML (including whistleblowing and collection of identification documents), reception and transmission of orders (phone conversation recording or email monitoring);
  • legitimate interest of the data controller: all FATCA-related requirements (being foreign legislation, it is not considered a legal ground on its own strength in Monaco), subject, under certain conditions, to the data subject's consent (see below); all necessary technical or organisational measures taken by financial institutions (monitoring of IT systems, access control, video-surveillance, etc.);
  • consent of data subjects: certain transfers of data covered by banking secrecy; with respect to FATCA; data processing operations aiming at determining whether a client is a US person and allowing such client to provide any evidence to the contrary, as the case may be; data transfers to the IRS; and/or
  • the performance of a contract with the data subject: all processing operations related to customary client-relationship management.

2.2. Privacy notices and policies

As a general principle, all data controllers are required to inform data subjects of their processing activities. This is required under both the Act and the GDPR. In practice, the CCIN will pay particular attention to notices provided in respect of monitoring activities (e.g. AML, phone conversation recordings, email monitoring) or where personal data is transferred to countries not having an adequate level of data protection. As far as email management is concerned, the CCIN also requires data controllers to establish internal archiving policies.

More specifically, in the financial sector, the Automatic Exchange Act related to CRS requires that clients must also be informed of the following:

  • the legal basis of data processing activities;
  • data retention periods;
  • data subjects' right to remedy before administrative or judicial authorities, and the procedure to exercise such a right; and
  • their right to refer matters to the CCIN, as well as the latter's contact details.

2.3. Data security and risk management

Monaco has recently implemented legislation relating to cybercrime (see e.g. Act No. 1.435 of 8 November 2016 relating to the fight against technological crime (only available in French here)). In 2017, the financial sector was classified by Ministerial Order as a 'sector of vital importance' subject to a series of IT security requirements under the supervision of the Monaco Digital Security Agency ('AMSN'), which was created in 2015. However, such requirements only apply to financial institutions which have been expressly designated as an 'operator of vital importance' by the Monaco Government.

Monaco credit institutions are under the supervision of France's banking regulator, the Prudential Supervisory Authority ('ACPR'), and also subject to:

2.4. Data retention/record keeping

As a general principle, personal data cannot be recorded for longer than necessary for the purposes for which it had been collected and is being processed. Data controllers must therefore, for each category of data processed, and depending on the purpose, determine the relevant retention periods.

In certain areas, data retention periods are defined by law or pursuant to recommendations of the CCIN. The most common record-keeping rules in the financial sector are the following:

  • AML: Know Your Customer data must be recorded for five years after termination of the client relationship, data related to client transactions must be stored for five years from the date of such transaction or operation, and prospect-related data as well as requests from the SICCFIN must be stored for five years from their date. Generally speaking, these five-year periods can be renewed once:
    • by decision of the data controller when such measure is necessary, on a case-by-case basis, to prevent or detect money laundering or terrorist financing operations or to comply with the AML obligations of the Group; or
    • at the request of the SICCFIN, or for the purposes of AML proceedings.
  • CRS: data reported to the Monaco tax authorities must be recorded for five years from such report; all actions taken as well as evidence of the proper performance of reporting and due diligence obligations must be recorded for five years.
  • Phone recording: records must be stored for five years from the date of the phone conversation.
  • FATCA: the list of US persons and all related banking data may be stored up to the end of the sixth year following that in which the reporting obligations were incurred; and
  • Litigation: data can be stored up until a final court decision is issued, and any subsequent enforcement measures have been carried out.

For other data processing activities, absent any specific rule, financial institutions usually define data retention periods pursuant to the relevant statutes of limitation under general civil or commercial law principles.

Please note that Bill No. 1.035 of 30 April 2021 amending Law No. 1.338 on financial activities (only available in French here) ('Bill 1.035') is under discussion before the National Council. Amongst other measures, the Bill provides that financial institutions shall keep relevant information and a record of all services they provide, so that the CCAF can monitor compliance with their obligations, in particular with respect to their clients. Implementing provisions will be adopted by Sovereign Order once Bill 1.035 becomes law.

3. Financial Reporting and Money Laundering

Monaco has implemented a set of rules with regard to combating money laundering, terrorism financing, and corruption (the AML Act and the AML Ordinance). This legislation has been adopted in the light of the successive European AML directives, and thus contains the usual due diligence and transaction-reporting obligations to which financial institutions are subject.

The main duties of financial institutions can be summarised as follows:

  • before establishing a business relationship or carrying out a transaction, financial institutions are required to identify their clients as well as their representatives, agents, and beneficial owners, as the case may be;
  • identity verification must be conducted based on reliable documents and data;
  • financial institutions must determine the purpose and intended nature of the business relationship;
  • they must conduct ongoing monitoring of the business relationship, keeping all records up to date, and scrutinise transactions, based on risk assessment;
  • enhanced due diligence measures must be applied for politically exposed persons, high-risk clients or transactions, clients or transactions bearing links with high-risk States, remote business relationships, and complex, unusual or unexplainable transactions; and
  • in case of suspicion of money laundering, financial institutions must file a report with the SICCFIN, which is strictly confidential as provided by law.

Non-compliance with such obligations gives rise to administrative as well as criminal sanctions, as the case may be.

The AML Act has been recently amended by Act No. 1.503 of 23 December 2020 (only available in French here), aligning the Monegasque legislation with Directive (EU) 2018/843 of 30 May 2018 Amending Directive (EU) 2015/849 on the Prevention of the Use of the Financial System for the Purposes of Money Laundering or Terrorist Financing, and Amending Directives 2009/138/EC and 2013/36/EU ('the Fifth AML Directive'). Amongst other measures, payment institutions and electronic money institutions ('EMIs') have been added to the list of professionals subject to the AML Act.

4. Banking Secrecy and Confidentiality

As a general principle under Monaco data protection legislation, data controllers are required to ensure the security and confidentiality of all personal data processed. This means that:

  • such data cannot be made accessible, or transferred, to persons who are not allowed to process or receive such data; and
  • data controllers must implement appropriate technical and organisational measures to protect personal data, adapted to the risks incurred (e.g. more stringent measures in case of processing of sensitive data, identification documents, etc.).

More specifically, Monaco has also passed several laws relating to professional secrecy:

  • Article 308 of the Criminal Code (only available in French here);
  • Article 33 of the Act on Financial Activities, referring to the above-mentioned provisions of the Criminal Code; and
  • Article L. 511-33 of France's Monetary and Financial Code applicable in Monaco (only available in French here) ('the France Monetary and Financial Code').

Pursuant to Article L. 511-33 of the France Monetary and Financial Code, applicable solely to Monaco credit institutions, banking secrecy can be released in the following cases:

  • upon the client's express and specific consent;
  • to credit rating agencies, for the purposes of rating financial products;
  • for transactions on financial contracts, when data communication to a central depository is required by law;
  • to persons or entities with whom financial institutions negotiate, execute, or perform the following operations, provided that the information communicated is necessary:
    • credit transactions carried out, directly or indirectly, by one or more credit institutions or finance companies;
    • transactions on financial instruments, guarantees or insurance to hedge credit risk;
    • acquisitions of holdings or control in a credit institution, investment firm or finance company;
    • disposals of assets or business assets;
    • assignments or transfers of receivables or contracts;
    • service contracts executed with a third party in order to entrust the latter with important operational functions; and
    • when analysing or drafting any type of contract or operation, provided that these entities belong to the same group as the entity transmitting the data.

It shall be noted that banking secrecy cannot be invoked against criminal judicial authorities, the ACPR or the Bank of France.

In addition, the AML Act authorises the exchange of confidential information strictly for AML purposes between financial institutions within the same group, provided that:

  • all entities are subject to equivalent obligations in terms of AML, professional secrecy, and data protection; and
  • data exchange procedures have been established within the group.

Data exchange is also allowed with regard to suspicious transaction reports, notably where several financial institutions work for the same client on the same transaction, subject to strict conditions provided by law.

Lastly, other types of data exchange are permitted for purposes of consolidated supervision, under the provisions of Ordinance No. 14.892 of 28 May 2001 between France and Monaco on harmonised supervision of credit institutions (only available in French here).

5. Insurance

The insurance industry in Monaco is subject to the general data protection rules and principles provided by the Act as well as the GDPR, where applicable. In addition, the Insurance Order authorises a 'simplified declaration' procedure for personal data activities related to the execution, management, and performance of contracts implemented by duly authorised insurance, capitalisation, reinsurance, and assistance companies. This procedure applies to basic data processing operations that fall within the scope of the Insurance Order and which do not manifestly infringe upon the fundamental rights and freedoms of data subjects.

6. Payment Services

With regard to payment services, Monaco applies rules set forth by France and the EU, based on, and under the conditions provided by several conventions executed with France (see e.g. the exchanges of letters of 2010) and the EU (the Monetary Agreement). The Monetary Agreement includes a list of directives and regulations to be implemented by Monaco:

  • either directly, by applying the French implementing provisions in Monaco (Annex A of the Monetary Agreement); or
  • indirectly, by adopting laws or regulations having an equivalent effect in Monaco (Annex B of the Monetary Agreement).

These two annexes are amended on a regular basis, and in 2018, Sovereign Ordinance No. 7.114 of 14 September 2018 (only available in French here) added the Payment Services Directive (Directive (EU) 2015/2366) ('PSD2') to the list. It must therefore be implemented in Monaco:

  • to the extent it has been implemented in France;
  • provided that it pertains to the activity and/or supervision of credit institutions or the prevention of systemic risks to payment and securities settlement systems; and
  • in any case, with the exception of Title III ('Transparency of conditions and information requirements for payment services') and Title IV ('Rights and obligations in relation to the provision and use of payment services') of PSD2.

7. Data Transfers and Outsourcing

Subject to the developments in the foregoing regarding banking and professional secrecy (see section 4 above), financial institutions can transfer personal data to third parties under the conditions set forth under the Act and the GDPR, where applicable:

  • such transfer must be compliant with the purpose for which the personal data were originally collected and processed;
  • notice must be provided to the data subjects informing them that their data may be transferred to certain recipients (or categories of recipients) and for which purpose;
  • the recipient must ensure the security and confidentiality of the received data, and not use the same for any other purpose;
  • if the recipient is a contractor, a written contract must be executed with the data controller providing a framework for such transfer, in compliance with the Act and/or the GDPR;
  • transfers to a country not having an adequate level of data protection are subject to the prior authorisation of the CCIN;
  • FATCA: transfers to the US Federal Internal Revenue Service ('IRS') are subject to the prior consent of the client, in addition to CCIN authorisation (mentioned above); and
  • CRS: transfers to Monaco tax authorities are subject to a specific prior notice granted to clients.

As far as cloud computing is concerned, the principles listed above are applicable. Financial institutions will need to pay particular attention to:

  • the location of the data centres (a CCIN authorisation might be necessary);
  • the security and confidentiality measures provided by the service provider; and
  • the terms and conditions of service, which shall be compliant with the Act and/or the GDPR.

Lastly, regarding outsourcing, provisions of the Internal Control Order apply. The principal rules are the following:

  • a written contract must be executed between the parties;
  • in certain cases, notice must be given to the ACPR;
  • the contractor must be licensed for the outsourced activities;
  • such contractor must commit itself to an adequate level of service to ensure normal functioning and continuity of the service, as well as protection of confidential data;
  • financial institutions must establish monitoring policies on outsourcing, implement audit and control measures (including on site), and manage outsourcing-related risks, also by adopting business continuity plans taking into account such risks;
  • outsourcing termination must in no event affect client service continuity or quality;
  • the ACPR and any other regulators, if applicable, must be granted access (including on site) to outsourced data;
  • outsourcing does not trigger any delegation of responsibility of the financial institution's effective managers; and
  • outsourcing must not impact clients nor compliance of the financial institution with its banking licence as issued by the ACPR.

8. Breach Notification

The Act does not provide for any breach notification obligation. However, such an obligation derives from Articles 33 and 34 of the GDPR. Therefore, Monaco financial institutions that process personal data of EU persons under the conditions set forth in Article 3(2) of the GDPR will be required to:

  • notify breaches to the relevant data protection authority, unless the personal data breaches are unlikely to jeopardise the rights and freedoms of natural persons; and
  • inform data subjects of any breaches that are likely to result in a high risk to their rights and freedoms.

For further information on general data breach requirements, see EU – GDPR – Data Breach.

In addition, under the Automatic Exchange Act, any security breach related to personal data collected for CRS purposes must be notified to the CCIN. Subsequently, if the CCIN considers that such breach constitutes a violation of the security and confidentiality obligations of the data controller as provided by the Act, it will inform both the data subjects concerned and the Minister of State.

9. Fintech

To date, there is no regulation in Monaco for FinTech.

A bill on blockchain was presented in June 2019 and initially aimed at setting a general framework for the use of blockchain technologies in Monaco. However, this bill was completely redrafted and gave birth to Act No. 1.491 on Initial Coin Offering (only available in French here), which was voted in on 23 June 2020.

Another important Act to point out is Act No. 1.383 on a Digital Principality, as modified by Act No. 1.482 dated 17 December 2019 (only available in French here). This Act creates a list of trusted services in the digital world, some of which directly concern banks and financial institutions, including e-archiving of digital assets, digital safes, depositing of digital assets on a digital recording device on a shared registry, etc. The AMSN is in charge of authorising trusted service providers.

The CCIN also issued Decision No. 2019-084, providing recommendations on security measures for the use of payment cards in the context of remote or online sale of goods or provision of services (see section 1.1. above).

In the future, Monaco could be concerned by FinTech-related EU regulations or directives implemented in France, if such texts were to be included in Annex A or Annex B of the Monetary Agreement (see section 6 above).

10. Enforcement

Violations of the Act can lead to administrative sanctions (e.g. warning, formal notice, injunction) as well as criminal sanctions, including fines (up to €90,000 for individuals, and five times this amount for legal entities) and prison sentences (up to one year). In so far as the GDPR is concerned, it is currently unclear how administrative fines would be imposed considering that, presently, the CCIN has no power to impose pecuniary sanctions. However, at the EU level, an EU-based parent company could be fined by the local data protection authority of the EU Member State in question for any breach committed by its Monaco branch.

Violation of banking secrecy by individuals is sanctioned by a fine of up to €18,000 and/or a prison sentence of up to one year. The fine will be multiplied by five for a legal entity.

With respect to AML legislation, several types of sanctions are provided by law, such as:

  • administrative sanctions: warning, reprimand, licence withdrawal, and for individuals, temporary suspension of the exercise of management functions for a period of up to ten years;
  • pecuniary sanctions: up to €1 million, or €5 million in certain cases, or twice the benefit derived from the breach; and
  • criminal sanctions: up to ten years of imprisonment and a fine of up to €900,000.

Please note that Bill No. 1.041 of 28 June 2021 (only available in French here) is currently under discussion before the National Council, aiming at adopting certain criminal provisions, pursuant to:

11. Additional Areas of Interest

The CCIN has issued an FAQ section with regard to the impact of the GDPR in Monaco. Indeed, to date, the existence of two distinct sets of rules (one from the Act, and one from the GDPR) in respect of data protection raises many questions and issues for Monaco data controllers or processors. A revision of the Act is currently under discussion, and a bill could be submitted to the National Council in 2021 or 2022.

Olivier Marquet Managing Partner
CMS Pasquier Ciulla Marquet & Pastor, Monaco
