One has to feel sorry for Estate Agents (did I say that?), not only are they now subject to AML supervision by HMRC, but also subject to GDPR and having to register with the Information Commissioners Office. Unfortunately, leaving the EU under whichever deal, is not likely to lessen the regulatory burden, particularly given the “level playing field” principle which will guide Monsieur Barnier’s negotiations.
Estate Agents are in the unhappy position of having to undertake Customer Due Diligence on not only their customer, but also the counterparty on any sale or purchase. Helpfully, Regulation 39 of the Money Laundering Regulation 2017, allows a firm subject to Money Laundering Supervision to rely on the Customer Due Diligence undertaken by another “regulated” firm.
The Joint Money Laundering Steering Group Guidance, last updated December 2017, (the Bank of England bible on Anti-Money Laundering) helpfully includes a number of template confirmations that such firms can provide to transaction counterparties agents, thereby avoiding the need for duplication of Customer Due Diligence measures. Well that should have been an easy end to the matter, but then along comes GDPR in May 2018, which doesn’t even get the sniff of a mention in the Bank of England Guidance.
GDPR basically chucks a bit of a spanner in the works. Whilst, Estate Agents can agree with its customer that the Customer Due Diligence can be passed to the other agent, the GDPR mandates the agents’ to enter into a written Data Controller and Data Processor agreement before the information is transmitted to the other agent. Unfortunately, despite best efforts, I have not been able to create a precedent agreement shorter than four pages. The agreement needs to cover Controller/Processor instructions; cyber security measures; confidentiality; sub-agents; data retention and disposal and transfers outside the EU.
The advice must be that the real estate industry should adopt a standard set of documents which meet the requirements of both regulations.