Teksta versija
LEGAL ACTS OF THE REPUBLIC OF LATVIA
LV  EN
home
 

Republic of Latvia

Cabinet
Regulation No. 396
Adopted 5 July 2022

Regulations Regarding the Requirements for Updating Information in the Shared Know-Your-Customer Utility and the Licensing and Supervision of the Shared Know-Your-Customer Utility Service Provider

Issued pursuant to
Section 17.2, Paragraph seven
and Section 17.3, Paragraph six
of the Law on the Prevention of Money Laundering
and Terrorism and Proliferation Financing

I. General Provisions

1. The Regulation prescribes:

1.1. the requirements for updating the information, including personal data, to be processed by using the open shared Know-Your-Customer utility and the time periods for the storage of the information;

1.2. the requirements for obtaining the licence of the closed and open shared Know-Your-Customer utility service provider (hereinafter - the licence), including the requirements for the civil liability insurance of the shared Know-Your-Customer utility service provider;

1.3. the procedures for the issuing of the licence, suspension of its operation, procedures for and cases of re-registration and cancellation of the licence;

1.4. the procedures for paying the State fee for the issuing and re-registration of the licence and the annual State fee for the supervision of the operation of the shared Know-Your-Customer utility service provider, and also the amount of the abovementioned State fees;

1.5. the information to be published on the website of the State Data Inspectorate on the shared Know-Your-Customer utility service provider licensed, and also the procedures and time periods for updating such information.

2. Prior to taking the decision to issue, re-register, suspend, or cancel the licence, the State Data Inspectorate is entitled to provide instructions to the capital company which has submitted an application for obtaining the licence or to the shared Know-Your-Customer utility service provider regarding the activities to be performed in its field of operation in order to ensure the conformity of the capital company which has submitted an application for obtaining the licence or the shared Know-Your-Customer utility service provider and their operation with the requirements of this Regulation.

3. The State Data Inspectorate shall, within three working days after taking the decision, but not later than one working day before entering into effect of the decision, publish and update the following information on its website on the shared Know-Your-Customer utility service provider:

3.1. the name;

3.2. the registration number;

3.3. the contact details (legal address, telephone, electronic mail address);

3.4. the date of granting the licence;

3.5. the date of suspending the licence, renewing a suspended licence, cancelling the licence, and also the date when amendments have been made to the licence;

3.6. the information on the activities for the performance of which the licence has been issued.

II. Requirements for Updating and Storing Information by Using the Open Shared Know-Your-Customer Utility

4. Data in the open shared Know-Your-Customer utility which have been obtained within the scope of exchange of information or from a customer questionnaire shall be updated within 24 hours.

5. The information on the customer to be processed in the open shared Know-Your-Customer utility is stored for five years from the day when it has been last requested.

6. A person whose data is stored in the open shared Know-Your-Customer utility may, at any moment, request the correction or deletion of the publicly available data or consent to further storage of data in the shared Know-Your-Customer utility for a time period of up to five years after the time period of storage of information referred to in Paragraph 5 of this Regulation has expired.

7. After the end of the time period of storage of the information referred to in Paragraph 5 of this Regulation, the open shared Know-Your-Customer utility service provider shall destroy the information on the person at its disposal if the person has not consented to further storage of data in the shared Know-Your-Customer utility.

III. Requirements in Relation to the Obtaining, Validity, and Civil Liability Insurance of the Licence

8. In order to obtain the licence, and also during the period of validity of the licence, a capital company shall conform to the following general requirements:

8.1. it has been registered in accordance with the procedures laid down in the laws and regulations governing commercial activity in the Republic of Latvia or another Member State of the European Union or of the European Economic Area (if it has not been established in Latvia, it has registered a branch in Latvia);

8.2. it has a data protection specialist in accordance with the laws and regulations in the field of personal data protection (the capital company may submit a submission for obtaining the licence concurrently with a submission regarding appointing a data protection specialist);

8.3. it does not have tax debts (including a debt of mandatory State social insurance contributions) the total amount of which exceeds EUR 150;

8.4. a prohibition to perform commercial activity in the field of financial services has not been imposed on it;

8.5. the licence issued to it has not been cancelled within the last three years, except for the case if the licence has been cancelled upon request of the capital company itself;

8.6. within the last year, it has not been punished for an administrative offence in commercial activity, in the field of the prevention of money laundering and terrorism and proliferation financing, requirements of international and national sanctions, or personal data protection.

9. In order to obtain the licence, and also during the period of validity of the licence, stockholders or shareholders of a capital company (hereinafter - the shareholders of the capital company), beneficial owners, supervisory board members and executive board members thereof shall conform to the following requirements:

9.1. the shareholder of the capital company who owns more than five per cent of the capital shares of the capital company and the beneficial owner have impeccable reputation;

9.2. supervisory board members and executive board members have impeccable reputation, the education necessary for the performance of official duties, and three-year professional work experience in performance of similar duties;

9.3. supervisory board members and executive board members have not been punished for committing an intentional criminal offence against the State, property, or administrative order, for committing an intentional crime in national economy or service of State authorities, or for unlawful activities involving personal data;

9.4. supervisory board members and executive board members which have been held criminally liable for committing an intentional criminal offence against the State, property, or administrative order, for committing an intentional crime in national economy or service of State authorities, or for unlawful activities involving personal data, but criminal proceedings against them have been terminated for reasons other than exoneration - when a year after entering into effect of the ruling has passed;

9.5. within the last year, supervisory board and executive board members have not been punished for an administrative offence in commercial activity, in the field of the prevention of money laundering and terrorism and proliferation financing, requirements of international and national sanctions, or personal data protection.

10. If the capital company has not been established in Latvia and it has registered a branch for the provision of services in Latvia, the requirements applicable to the supervisory board and executive board members of the capital company shall also be applicable to the person or persons managing the operation of the branch in Latvia.

11. The requirements in relation to the civil liability insurance of the capital company:

11.1. the capital company has a valid civil liability insurance contract throughout the period of validity of the licence and it conforms to the following requirements:

11.1.1. the insurance object is the civil liability of the shared Know-Your-Customer utility service provider for the direct losses to the third parties which have been caused due to its action or failure to act in relation to the processing of information in the shared Know-Your-Customer utility;

11.1.2. the minimum limit of liability is EUR 50 000 during a year and the deductible does not exceed EUR 1500 per one insurance event;

11.2. after disbursement of the insurance compensation to the third party, the shared Know-Your-Customer utility service provider shall, within five working days, renew the minimum liability limit of civil liability insurance.

12. The security and organisational administration of the information systems and processing of personal data of the capital company (hereinafter - the system) shall be ensured in conformity with the laws and regulations regarding personal data protection and the Latvian national standard LVS ISO/IEC 27001:2014 L, Information technology - Security techniques - Information security management systems - Requirements, or the requirements equivalent thereto, and it shall be certified by an external audit report (hereinafter - the audit report) in which the conformity of the capital company with the requirements of this Regulation has been assessed and established.

13. The audit report shall be prepared:

13.1. before obtaining the licence;

13.2. if changes have occurred in ensuring the fulfilment of the security and organisational administration of the systems which affect personal data protection and information security;

13.3. upon request of the State Data Inspectorate.

14. The audit report shall be prepared by an expert in accordance with the laws and regulations in force in the Republic of Latvia on the basis of the following requirements laid down for the expert (hereinafter - the expert):

14.1. he or she has technical capabilities, the necessary knowledge and at least five-year experience, in determining the conformity of security of information systems, devices, and procedures, personal data processing and protection with the requirements of the laws and regulations and with generally accepted basic principles of good practice;

14.2. he or she is legally and financially independent from the capital company, the shareholders of the capital company, and from other economic operators of Latvia or foreign countries which are within the same group of companies as the capital company, and also from the State Data Inspectorate;

14.3. he or she is not engaged in the production and supply of such information systems and other information technologies which are used for the operation of the shared Know-Your-Customer utility.

15. If the expert establishes during the audit that the capital company has intentionally provided false information which may affect the operation of the shared Know-Your-Customer utility, the expert shall notify the State Data Inspectorate thereof.

16. The expert shall ensure non-disclosure of the information obtained during the audit (except for the information available to the public).

IV. Issuing and Re-registration of the Licence

17. In order to obtain the licence, the capital company shall submit a submission to the State Data Inspectorate. The following information (appending documents justifying it) shall be indicated in the submission:

17.1. information on the submitter (the name, registration number, legal address, contact telephone, and electronic mail address of the capital company);

17.2. the list of such shareholders of the capital company who own more than five per cent of the capital shares of the capital company and information on the beneficial owner of the capital company;

17.3. if a shareholder of the capital company is a foreigner - a statement regarding criminal and administrative record which has been issued by the institution of the permanent place of residence of the person which maintains information on the criminal record in accordance with the laws of the relevant country. The statement shall be issued not earlier than three months before the day of submitting a submission for obtaining the licence;

17.4. if the submission is submitted by a foreign capital company which has registered a branch in Latvia - a statement certified by the relevant State tax administration institution or competent authority that the capital company does not have tax debts (including a debt of the mandatory State social insurance contributions) the total amount of which exceeds EUR 150;

17.5. information which includes at least the following details:

17.5.1. the connection diagram of the computer network for the devices and servers to be used;

17.5.2. a list of the devices for the storage of server data and of the network devices (indicating the names of models);

17.5.3. a list of the software to be used with versions;

17.5.4. the address of the location of devices;

17.6. the system security policy, the security and operational rules;

17.7. a risk evaluation document. The following information shall be indicated therein:

17.7.1. the field of operation of the system;

17.7.2. the impact of identified risks on the operation of the system (including evaluating the probability of setting in of risks, material and non-material losses), impact on the availability of the system, confidentiality of data;

17.7.3. if security breaches of the system have occurred, in addition the following information shall be indicated:

17.7.3.1. countermeasures for the prevention of such breaches;

17.7.3.2. means of protection to be used if security breaches of the information system are to repeat;

17.7.3.3. the recorded risks that have not been rectified;

17.7.3.4. the list of the necessary improvements (indicating them in priority order);

17.8. the audit report;

17.9. information certifying the conformity of the capital company with the requirements referred to in Sub-paragraphs 9.1, 9.2 and Paragraph 11 of this Regulation;

17.10. information on the types of the sources of information of the shared Know-Your-Customer utility as to how the capital company is planning to obtain the customer research information, and also categories of the recipients of information;

17.11. a certification that personal data processing, information systems, devices, and procedures conform to the requirements referred to in this Regulation and to the Law on the Prevention of Money Laundering and Terrorism and Proliferation Financing. The abovementioned certification shall be issued by the capital company which determines the objectives of personal data processing and the means of processing and is responsible for personal data processing;

17.12. if the capital company or any of the elements necessary for its operation (for example, devices or infrastructure) are located outside the Republic of Latvia - the document justifying that the State Data Inspectorate will be able to perform the supervision of the shared Know-Your-Customer utility service provider in relation to the activity performed outside the Republic of Latvia which concerns the operation of the shared Know-Your-Customer utility in Latvia or to those elements which are located outside the Republic of Latvia.

18. In order to take the decision to issue the licence, the State Data Inspectorate shall obtain the following information:

18.1. from the State Revenue Service - the information referred to in Sub-paragraph 8.3 of this Regulation;

18.2. from the Enterprise Register - the current information on the capital company, its shareholders, executive board and supervisory board members, and beneficial owners;

18.3. from the State information system "Punishment Register" administered by the Information Centre of the Ministry of the Interior - the information referred to in Sub-paragraphs 8.4, 8.6, 9.3, 9.4, and 9.5 of this Regulation;

18.4. other information from the institutions referred to in this Paragraph or from other institutions which is necessary to assess the conformity of the capital company with the requirements of this Regulation.

19. The State Data Inspectorate shall take the decision to issue the licence or to refuse to issue the licence within a month from the day when all the information and documents referred to in Paragraphs 17 and 18 of this Regulation have been received.

20. If all the documents referred to in this Regulation have not been appended to the submission or all the information referred to in Paragraphs 17 and 18 of this Regulation has not been provided, or the information provided is incomplete or inaccurate, or the documents have not been drawn up in accordance with the requirements laid down in laws and regulations, or additional information for taking the decision is necessary, the State Data Inspectorate shall inform the capital company thereof in writing by indicating the time period by which the capital company must submit the relevant documents or information and shall extend the time period for taking the decision referred to in Paragraph 19 of this Regulation accordingly.

21. The State Data Inspectorate shall take the decision to refuse to issue the licence after assessment of the information at the disposal thereof if:

21.1. the capital company, the shareholders, beneficial owner, supervisory board or executive board members of the capital company do not conform to the requirements of this Regulation;

21.2. the capital company has not submitted the relevant documents or information within the time period indicated by the State Data Inspectorate;

21.3. the information received does not ensure that the State Data Inspectorate is able to perform supervision of the shared Know-Your-Customer utility service provider in accordance with the procedures and in the amount laid down in the Law on the Prevention of Money Laundering and Terrorism and Proliferation Financing;

21.4. the State fee for issuing the licence has not been paid.

22. The State Data Inspectorate is entitled to take the decision to refuse to issue the licence after assessment of the information and documents at the disposal thereof if:

22.1. the capital company has provided false information and it affects the conformity of the capital company with the requirements of this Regulation;

22.2. the documents submitted for obtaining the licence or the information indicated therein does not conform to the requirements laid down in the laws and regulations.

23. The licence may be issued in the form of an electronic document if the capital company has expressed such a request.

24. The State Data Inspectorate shall indicate the date of entering into effect of the licence in the decision to issue the licence.

25. In order to re-register the licence, the shared Know-Your-Customer utility service provider shall, not earlier than four months and not later than two months before the end of the period of validity of the licence, submit a submission to the State Data Inspectorate for re-registration of the licence. The State Data Inspectorate shall examine the submission for re-registration of the licence within the same time period and according to the same procedures as the submission for obtaining the initial licence is examined.

26. If any of the documents or information with complete and current content is already at the disposal of the State Data Inspectorate, a certification may be submitted instead of the relevant document or information that no changes have been made to the document or information previously submitted to the State Data Inspectorate.

V. Changes in the Period of Operation of the Licence, Suspension of Operation and Cancellation of the Licence

27. If, during operation of the licence, information which has been indicated in the licence issued to the shared Know-Your-Customer utility service provider has changed, the shared Know-Your-Customer utility service provider shall, within three working days after entering into effect of the relevant changes, submit a submission to the State Data Inspectorate regarding the necessary amendments to the licence. The documents certifying the facts referred to therein shall be appended to the submission.

28. The State Data Inspectorate shall, within 10 working days after receipt of the information referred to in Paragraph 27 of this Regulation, take the decision to make amendments to the licence or to refuse to make amendments to the licence. If additional information or verification of information is necessary for taking the decision, the time period may be extended for up to 30 days.

29. If changes in ensuring the fulfilment of the requirements referred to in Chapter III of this Regulation or in the documents or information referred to in Paragraph 17 of this Regulation occur during the period of operation of the licence, the shared Know-Your-Customer utility service provider shall, within 30 days from the day when changes have occurred, submit information to the State Data Inspectorate thereon by appending the documents and information confirming the changes. If changes in ensuring the fulfilment of security and organisational administration of the systems have occurred which do not affect personal data protection and information security, the shared Know-Your-Customer utility service provider shall submit information thereon to the State Data Inspectorate within a year.

30. The shared Know-Your-Customer utility service provider shall inform the State Data Inspectorate of changes in relation to the information previously submitted to the State Data Inspectorate which affects the fulfilment of the requirements referred to in Sub-paragraph 8.1 of this Regulation, changes in the documents or information referred to in Sub-paragraphs 17.2 and 17.12 of this Regulation at least 15 days before their entering into effect.

31. If a person wishes to become a shareholder of the shared Know-Your-Customer utility service provider - capital company - with participation in the amount of at least five per cent from the capital shares of the shared Know-Your-Customer utility service provider, a beneficial owner, a supervisory board or executive board member, the person shall, a month in advance, notify the State Data Inspectorate thereof and submit all the necessary documents justifying its conformity with the requirements of this Regulation in relation to the beneficial owner, shareholder, supervisory board or executive board member of the capital company - shared Know-Your-Customer utility service provider.

32. The State Data Inspectorate shall, within a month after receipt of all the necessary documents, provide to the person who wishes to become a shareholder of the capital company - shared Know-Your-Customer utility service provider - with the participation in the amount of at least five per cent from the capital shares of the shared Know-Your-Customer utility service provider, the beneficial owner, the supervisory board or executive board member, an opinion on whether he or she conforms to the requirements of this Regulation in relation to the beneficial owner, shareholder, supervisory board or executive board member of the capital company.

33. The State Data Inspectorate is entitled to take the decision to suspend the operation of the licence for a period of up to six months if:

33.1. the shared Know-Your-Customer utility service provider, its beneficial owner, shareholders, supervisory board or executive board members do not conform to the requirements referred to Chapter III of this Regulation;

33.2. the shared Know-Your-Customer utility service provider has repeatedly failed to submit the documents and information requested by the State Data Inspectorate thereto for the performance of the examination of the shared Know-Your-Customer utility service provider or does not cooperate with the State Data Inspectorate;

33.3. the operation of the shared Know-Your-Customer utility service provider does not conform to the requirements of the Law on the Prevention of Money Laundering and Terrorism and Proliferation Financing, this Regulation, or the laws and regulations in the field of personal data protection or the decision of the State Data Inspectorate binding on the shared Know-Your-Customer utility service provider is not fulfilled within the time period stipulated thereby;

33.4. the total amount of late taxes, fees, or other mandatory payments of the shared Know-Your-Customer utility service provider does not exceed EUR 150;

33.5. the annual State fee for the supervision of the operation of the shared Know-Your-Customer utility service provider and the late payment charge calculated for it have not been paid.

34. If the shared Know-Your-Customer utility service provider has rectified the violations established in the decision of the State Data Inspectorate to suspend the operation of the licence, the State Data Inspectorate shall take the decision to renew the operation of the licence within 10 working days from the day when the shared Know-Your-Customer utility service provider or another institution has provided all the necessary information to the State Data Inspectorate confirming rectification of the violation. If additional information or verification of information is necessary for taking the decision, the time period for taking the decision may be extended for up to 30 days. After renewal of the licence it shall be in effect until the end of the period of validity of the initial licence.

35. The State Data Inspectorate shall, without delay after taking the decision to renew a suspended licence, notify the shared Know-Your-Customer utility service provider thereof in writing.

36. The State Data Inspectorate shall take the decision to cancel the licence if:

36.1. within a year after taking the decision by the State Data Inspectorate to issue the licence, the shared Know-Your-Customer utility service provider has not commenced the provision of the shared Know-Your-Customer utility service or it has discontinued the provision of the service for a period exceeding six months. The time period when the decision of the State Data Inspectorate to suspend the operation of the licence is in effect shall not be included in this time period;

36.2. the shared Know-Your-Customer utility service provider has submitted a submission with a request to cancel the licence;

36.3. the shared Know-Your-Customer utility service provider has been declared insolvent or the decision to commence liquidation has been taken by its shareholders;

36.4. a court ruling has been rendered or information on terminating the operation of the shared Know-Your-Customer utility service provider has been included in the Commercial Register;

36.5. the operation of the licence has been suspended temporarily and the shared Know-Your-Customer utility service provider has not eliminated, within this time period, violations due to which the operation of the licence was suspended.

37. If, within a year after taking the decision by the State Data Inspectorate to issue the licence, the shared Know-Your-Customer utility service provider has not commenced the provision of the shared Know-Your-Customer utility service or it has discontinued it for a period exceeding six months, it shall, without delay, inform the State Data Inspectorate thereof in writing.

38. The State Data Inspectorate is entitled to take the decision to cancel the licence if:

38.1. a significant violation of the laws and regulations governing the operation of the shared Know-Your-Customer utility service provider, other commercial activity, or personal data protection has been established;

38.2. the shared Know-Your-Customer utility service provider, repeatedly within a year, does not execute a decision or instruction of the State Data Inspectorate;

38.3. the shared Know-Your-Customer utility service provider has intentionally provided false information to the State Data Inspectorate on execution of the requirements referred to in Chapter III of this Regulation.

39. The State Data Inspectorate shall indicate the date of entering into effect of the decision in the decision to suspend or cancel the licence.

VI. Amount and Payment Procedures of the State Fees

40. The amount of the State fee for the issuing of the licence for the provision of the open shared Know-Your-Customer utility service shall be EUR 10 000. The amount of the State fee for the re-registration of the licence for the provision of the open shared Know-Your-Customer utility service shall be EUR 5000. Such fee shall be paid before submission of the relevant submission to the State Data Inspectorate.

41. The amount of the State fee for issuing the licence for the provision of the closed shared Know-Your-Customer utility service shall be EUR 5000. The amount of the State fee for the re-registration of the licence for the provision of the closed shared Know-Your-Customer utility service shall be EUR 2500. Such fee shall be paid before submission of the relevant submission to the State Data Inspectorate.

42. The amount of the annual State fee for the supervision of the operation of the open shared Know-Your-Customer utility service provider shall be EUR 10 000. The amount of the annual State fee for the supervision of the operation of the closed shared Know-Your-Customer utility service provider shall be EUR 5000. Such fee shall be paid within a month after issuing the licence and hereinafter each year until the date when the licence was issued.

43. The capital company and the shared Know-Your-Customer utility service provider shall pay the State fee with the intermediation of a credit institution or such institution which has the right to provide payment services by indicating the purpose of the payment - State fee for the issuing or re-registration of the licence or for the supervision of the operation of the shared Know-Your-Customer utility.

44. The State fee shall be transferred in the revenues account of the State basic budget in the Treasury.

45. If the State Data Inspectorate refuses to issue or re-register the licence, the State fee referred to in Paragraphs 40 and 41 of this Regulation shall not be reimbursed.

Acting for the Prime Minister -
the Deputy Prime Minister,
Minister for Defence A. Pabriks

Acting for the Minister for Finance -
the Minister for Economics I. Indriksone

Translation © 2022 Valsts valodas centrs (State Language Centre)

  
Document information
Title: Noteikumi par informācijas aktualizēšanas prasībām kopīgajā klienta izpētes rīkā un kopīgā .. Status:
In force
in force Issuer: Cabinet of Ministers Type: regulation Document number: 396Adoption: 05.07.2022.Entry into force: 08.07.2022.Publication: Latvijas Vēstnesis, 129, 07.07.2022. OP number: 2022/129.5
Language:
LVEN
Related documents
  • Issued pursuant to
  • Annotation / draft legal act
  • Explanations
333782
08.07.2022
87
0
  • X
  • Facebook
  • Draugiem.lv
 
0
Latvijas Vestnesis, the official publisher
ensures legislative acts systematization
function on this site.
All Likumi.lv content is intended for information purposes. 		About Likumi.lv
News archive
Useful links
For feedback
Contacts 		Mobile version
Terms of service
Privacy policy
Cookies
X logo facebook logo youtube logo instagram logo RSS logo
Latvijas Vēstnesis "Everyone has the right to know about his or her rights."
Article 90 of the Constitution of the Republic of Latvia
 © Official publisher "Latvijas Vēstnesis"