Latvian government adopts rules on licensing and monitoring of Know-Your-Customer utility service providers

The rules came into force on the 8 July and cover the procedure for monitoring and licensing of Know-Your-Customer (hereinafter – KYC) utility service providers' activities. Articles 172 and 173 of the Law foresee that the Cabinet shall determine the requirements for updating information, including personal data, by using the KYC utility, the time periods for the storage of certain information as well as the requirements and procedures for obtaining, suspension of operation, re-registration and cancellation of the mandatory license of the KYC utility service provider. The authority responsible for implementing these oversight mechanisms is the Data State Inspectorate (hereinafter – DSI).

The new rules mainly apply to service providers and aim to fill an important gap in the complex system of existing KYC procedures that these companies must comply with. To meet the ever-growing demands of various AML and sanction regimes the legislator delegated the Cabinet to create the legal framework to enable the subjects of the Law to share their customer research data on a common platform outside of their groups, namely, on the KYC utility. Two different KYC utilities are to be implemented – the Open Shared utility and the Closed Shared utility. The distinction between the two is that the provider of an Open Shared KYC tool will process larger volumes of data coming from both public information systems and private databases. Companies dealing with KYC procedures will now be able to share the information available to them as well as gain information from other contributors (including state authorities) regarding a client’s status, activities, or other relevant data. The new tools will hopefully aid the service providers in the fight against crime by enabling the information to circulate more effectively and safely.

However, the annotation of the rules makes no mistake in that these tools present certain risks regarding clients’ data privacy and security. Therefore, only properly licensed parties will be allowed to access and utilize the planned platform for information exchange purposes. To obtain the license the individual or the company must meet the criteria set out in the new rules. For example, for a legal person the criteria include not having any tax debt, having appointed a certified data protection specialist, and not having any administrative fines imposed upon them within the last year. Additional terms apply to individuals (beneficial owners, shareholders, or board members of service providers) such as having an impeccable reputation and no criminal record. The DSI will base its assessment of reputation on the principle that a person has an unblemished reputation in the absence of facts that point to the contrary. Account will also be taken of a person’s overall good faith regarding the performance of their obligations under the legislation.

On the other hand, the rules also foresee mandatory civil liability insurance for licensed service providers in case of damages that could be caused to third persons due to incorrect or even malicious usage of the KYC utilities. This goes to show that the legislator considered the possible dual effects of the new tools by making sure their use is safe for all parties involved. The minimum limit of liability is set to EUR 50 000 per year as well as an excess of not more than EUR 1 500 per occurrence is provided.

The annotation of the rules anticipates the first three licenses to be issued in 2022, with a further gradual growth expected to lead to seven licenses in 2024 (three for the Open Shared tool and four for the Closed Shared tool). The service providers most interested in having access to the new utility are large credit and financial institutions. This new technological and regulatory advance in cooperation will hopefully ease the exchange of customer due diligence information while reducing the administrative burden on credit and financial institutions requesting customer due diligence information as well as on the subjects providing the information. The burden will also be reduced for public authorities which currently serve each subject separately.