There are legal limits

Information hunger amongst Spanish banks

10 / Oct

We receive many complaints from clients who are tired of Spanish banks arbitrarily and excessively requesting information from them, considering the bank’s demands for information and/or documentation to be abusive.

It is true that banks, in compliance with Law, have incurred certain obligations in relation to the prevention of money laundering, and must therefore demand certain information and/or documentation from their customers under certain circumstances.

However, the need for information must and can be limited, as the data obtained can often be used for other purposes, such as commercial or other purposes.

Banks are not allowed to abuse this legal requirement and their position to ask for all kinds of information in an arbitrary and unjustified manner.

In relation to the prevention of money laundering and terrorist financing, the main obligation of banks is:

(i) the identification of the persons (natural or legal) conducting business or involved in transactions.

In this case, the banks should only require information that allows the identity of the account holder to be accredited.

The second obligation is aimed at:

(ii) Obtain information on the nature of the professional or business activity declared by the user.

The rigorousness of the demand will depend on the level of “risk” that the bank accredits according to:

(i) the type of customer;
ii) the type of business relationship; and;
iii) the type of transaction.

In view of the plurality of situations, it has been left to the banks to estimate those cases which, within their operations, present a high level of risk.

Neither the Banco de España nor the Money Laundering and Monetary Offences Commission (SEPBLAC) have established clear parameters as to what type of documentation may be demanded by banks.

However, data collection activity by banks is governed by a number of principles that must guarantee the rights of the client (Regulation (EU) 2018/1725), with emphasis on:

(i) purpose limitation: The activity of collecting data must be determined, explicit and legitimate. Data may not be processed for different and incompatible purposes;

(ii) data minimisation: Adequate, relevant and limited in relation to the purposes. No data can be required that has no relevance to the transaction being carried out.

For this reason, if you consider that you are being asked for information in an unreasonable or excessive manner, you should:

1. Ask the bank for the justification of the request: motivation and connection between what is required and the purpose for which it is being requested.

2. Request confirmation that all provided information is exclusively used for the purposes indicated and provided for by law and the bank.

Further you should know that in the event of dispute that leads to a refusal of the client to provide the required information and/or documentation, the bank may not proceed to block the account without first notifying the client and justifying the reasons for doing so.

In the event of disagreement, a complaint may be submitted to the Customer Defence Department of the corresponding institution, or to the Bank of Spain’s Complaints Service, or a legal action may be filed subsequently, setting out the reasons for the disagreement.

In summary, banks may request data and/or documentation that allows them to identify the user, their activity and the transaction they are going to carry out, but this data collection must always be duly motivated, justified and notified to the customer in order to avoid abuse of their position.
Camila Lizarazo / Roeland van Passel