ORDER OF THE GOVERNMENT OF THE REPUBLIC OF MOLDOVA

of January 20, 2021 No. 7

About approval of the Regulations on procedure for maintaining the Electronic register of Service according to the prevention and anti-money laundering created by the Automated information and communication system for the prevention and anti-money laundering

Based on Item m) parts (1) article 19 of the Law No. 308/2017 on the prevention and anti-money laundering and terrorism financing (The official monitor of the Republic of Moldova, 2018, Art. No. 58-66, 133), with subsequent changes, DECIDES: the Government

1. Create the Electronic register of Service according to the prevention and anti-money laundering.

2. Approve Regulations on procedure for maintaining the Electronic register of Service according to the prevention and anti-money laundering created by the Automated information and communication system for the prevention and anti-money laundering it (is applied).

3. To provide to service according to the prevention and anti-money laundering as the owner of the Automated information and communication system for the prevention and anti-money laundering implementation, functioning and development of the specified system according to the legislation and international agreements which party the Republic of Moldova is.

4. To provide to service of information technologies and cyber security as the owner of general government technological framework ("MCloud") availability of the information technological resources requested by Service according to the prevention and anti-money laundering to creation and storage of backup copies of the Automated information and communication system for the prevention and anti-money laundering on general government technological framework of "MCloud" according to the regulated access regulations.

5. To perform accomplishment of provisions of this resolution for the account and within the financial resources provided annually in the government budget and from other sources according to the legislation.

6. To impose control over the implementation of this resolution on Service according to the prevention and anti-money laundering.

Approved by the Order of the Government of the Republic of Moldova of January 20, 2021 No. 7

Regulations on procedure for maintaining the Electronic register of Service according to the prevention and anti-money laundering created by the Automated information and communication system for the prevention and anti-money laundering

I. General provisions

1. The regulations on procedure for maintaining the Electronic register of Service according to the prevention and anti-money laundering created by the Automated information and communication system for the prevention and anti-money laundering (further - the Provision), establish procedure for the organization and information content of activities and transactions, suspicious in sense of the actions for money laundering connected with it crimes and financing of terrorism and also other relevant information collected by Service according to the prevention and anti-money laundering according to provisions of the Law No. 308/2017 on the prevention and anti-money laundering and financing of terrorism, subjects of the legal relations in the field of creation and functioning by the Automated information and communication system for the prevention and anti-money laundering (further - System), their rights and obligation, information objects and the list of the data included in them, procedures of collection and data management; access to data of System, operational compatibility with other registers and information systems, procedure for maintaining and ensuring functioning of System, form of control and accountability.

2. The concepts used in this Provision mean the following:

reporting units - the physical persons and legal entities obliged according to provisions of the Law No. 308/2017 on the prevention and anti-money laundering and financing of terrorism to deliver information in System for the purpose of the prevention of money laundering and financing of terrorism;

the special form - set of the structured information intended for informing Service according to the prevention and anti-money laundering concerning doubtful property, activities or transactions, suspicious in sense of money laundering, the crimes connected with it and financings of terrorism;

The EGMONT group - the international organization of divisions of financial investigation which purpose is improvement of interaction in the field of information exchange, training and experience exchange in the field of the prevention and anti-money laundering and terrorism financing;

data processing - any transaction or number of transactions with data which are performed by means of the automated means, namely: collection, registration, the organization, storage, adaptation or change, extraction, consultation, use, disclosure by transfer, distribution or any different way, accession or combination, blocking, removal or destruction of data;

The automated information and communication system for the prevention and anti-money laundering - the automated information system consisting of set of information resources and technologies, technical software and the interconnected methodologies intended for acceptance, storage, processing, informing, the analysis, prevention and distribution of information on the prevention and anti-money laundering and terrorism financing;

the user - person given the right of complete or partial information access from System.

3. Set of the information documented and which is stored in the Electronic register of Service according to the prevention and anti-money laundering (further - the Register), will be organized according to the Law No. 71/2007 on registers.

II. Subjects of the legal relations in the field of creation, operation and use of the register. Powers of subjects

4. Subjects of the legal relations in the field of creation, operation and use of the Register are:

1) owner;

2) owner;

3) holder;

4) registrar;

5) consumer;

6) user.

5. Owner Reestra is the state performing the property right, managements and uses of the data containing in Reestra.

6. The owner Reestra is the Service according to the prevention and anti-money laundering.

7. Holder Reestra is the Service according to the prevention and anti-money laundering having rights of creation, management, use and ownership of information resource. The service according to the prevention and anti-money laundering provides legal, organizational and financial resources for Reestr's functioning, carrying out both functions of the owner, and the functions established by the legislation namely:

1) providing organizational and financial conditions for functioning of the Register;

2) determination of the purposes and functional tasks of the Register;

3) determination of the information objects which are subject to registration in the Register and their contents;

4) control of process of registration and data processing in the Register;

5) management of activities for operation and maintaining the information content of System;

6) safety and data protection, containing in the Register;

7) approval and introduction of changes/corrections for adjustment which is necessary for functioning and updating of the Register;

8) permission, suspension and withdrawal of right of access to the Register;

9) determination of technical and organizational measures for protection and safety of the Register;

10) control and, on circumstances, correction of requirements to safety and compliance of the Register in the field of personal data protection.

8. The rights and obligations of the owner are established according to the Law No. 467/2003 on informatization and the state information resources and the Law No. 308/2017 on the prevention and anti-money laundering and terrorism financing.

9. Registrars are Service according to the prevention and anti-money laundering and the reporting units specified in article 4 of the Law No. 308/2017 on the prevention and anti-money laundering and terrorism financing which, on circumstances, have access through the workers to System owing to the powers conferred by the legislation, regulations or specifications of the staff list of reporting units.

10. The service according to the prevention and anti-money laundering as the registrar has the following powers:

1) provides collection, input and processing of the relevant information from the Register according to the established conditions and at the scheduled time;

2) provides authenticity, completeness and integrity of the data containing in the Register;

3) also confidentiality of information entered into the Register ensures safety;

4) provides input and data processing and exercises control of process of their input.

11. Reporting units as registrars shall:

1) to provide collection and input of the relevant information in the Register according to the established conditions and at the scheduled time;

2) to provide authenticity, completeness and integrity of the data containing in the Register;

3) to ensure safety and confidentiality of information entered into the Register;

4) to provide input and data processing and to exercise control of their input;

5) every time to report to the owner the accident in the infrastructure, system mistakes or mistakes caused by human factor for their correction.

12. Reporting units as registrars have the right:

1) to demand from the owner of permission of access, and also suspension and withdrawal of access rights to System;

2) to submit to the owner applications for change of the rights of accesses/roles of these or those users;

To report 3) to the owner about system problems when using System;

4) to send requests about need of development and improvement of System;

5) to take part in the working groups organized for the purpose of development and improvement of System.

13. If registrars are legal entities, then they appoint and report the owner of number, surname and names of the workers, representatives to enter information into the database, and also special powers conferred to them for execution of the functions connected with management in System.

14. Each registrar shall provide, on circumstances, in the staff list unit which is responsible for data entry in the Register. The owner is told surname, name and contact information of person (persons) holding (holding) the corresponding positions, and also any changes in the specified data.

15. Receivers of data of the Register are:

1) law enforcement, judicial and other competent authorities which obtain from reporting units information on activities and transactions, suspicious in sense of money laundering, the crimes connected with it and financings of terrorism, and also other relevant information collected according to provisions of the Law No. 308/2017 on the prevention and anti-money laundering and terrorism financing;

2) reporting units which obtain information on procedure for the reporting and correctness of introduction of data in the Register;

3) bodies with functions of supervision of reporting units and other competent authorities obtaining information on the risks connected with money laundering and financing of terrorism, new tendencies and tipologiya in the field of money laundering and financing of terrorism, the violations established in competences, and the existing gaps in regulations in the part concerning the prevention of risks of money laundering and financing of terrorism;

4) competent authorities of other countries (jurisdictions), and also the international organizations in the field of the prevention and anti-money laundering and financing of terrorism according to provisions of the Law No. 308/2017 on the prevention and anti-money laundering and terrorism financing.

16. The consumer is physical or legal entity of the private or public law who has the right according to the legislation to information access with limited availability. The rights and obligations of person who requested about receipt of information from the Register are established according to the legislation on information access, the legislation on personal data protection, the Law No. 308/2017 on the prevention and anti-money laundering and terrorism financing, and also this Provision.

17. The user is physical or legal entity of the private or public law which is authorized by the legislation to have full or partial public or internal access to System.

18. The user reports to the owner about the problems connected with information access, containing in System.

19. User:

1) also confidentiality of the information checked or processed in System ensures safety;

2) uses data from System according to their purpose and appointment.

III. Structure and functions of system

20. Information in the Register is kept in state language.

21. Registration of information in the Register is performed:

1) by data storage, transferred in electronic documents;

2) in real time - the registrar directly in System, by means of customized software application;

3) by scanning by the registrar of the documents which arrived on papers.

22. The owner performs updating, amendment or change of data on object in the Register.

23. Data are stored in the Register according to conditions, the stipulated in Article 9 Laws No. 308/2017 on the prevention and anti-money laundering and terrorism financing.

24. The exception of data on object of the Register is performed by the owner according to the conditions provided by part (5) article 20 of the Law No. 71/2007 on registers. After removal of object from the Register assignment of its identifier is forbidden to other object.

25. Treat the main functions of System:

1) creation of effective system of exchange of information between Service according to the prevention and anti-money laundering and reporting units, bodies with functions of supervision of reporting units, law enforcement, judicial authorities and other competent authorities at the national and international levels;

2) creation of system of operational receipt of information necessary for the prevention and anti-money laundering and terrorism financing, from all possible sources at the national and international levels;

3) bystry information processing about the financial and economic relations, necessary for prevention and anti-money laundering and terrorism financing;

4) organization of document flow and accounting of Service for the prevention and money laundering;

5) the organization of functioning of the analytical and statistical contour providing information analysis and risks assessment of money laundering and financing of terrorism;

6) the organization of information support and informing persons and the organizations according to their competence in connection with the prevention and anti-money laundering;

7) safety and information security which is performed at all stages of accumulating, storage and use of the state information resources relating to the sphere of functioning of System;

8) quality assurance of information by creation and maintenance of the components of the quality system based on procedural approach.

26. Collected information is registered in the Register of transactions.

27. The functional space of System represents set of the functions realized by the separate automated and/or automatic subsystems which interact among themselves.

28. Levels of infrastructure of System are established according to Item 21 of the Technical concept of the Automated information and communication system for the prevention and the anti-money laundering approved by the Order of the Government No. 14/2019.

IV. Information space and information subjects of the register

29. The data containing in the Register are subject to development and classification according to provisions of regulations, the approved regulations and standards, technical specifications of the information systems and resources used for automatic control of cases.

30. In the Register the following basic documents are used:

1) basic documents:

a) the incoming documents registered in the Register about doubtful activities or transactions, suspicious in sense of money laundering, crimes connected with it and financing of terrorism;

b) documentary materials and information on the prevention and anti-money laundering and terrorism financing;

c) the special form from reporting units;

d) research opinions;

e) report on financial investigation;

f) the requests addressed to competent authorities, law enforcement agencies, bodies with functions of supervision and to reporting units;

g) the requests addressed to the international organizations;

h) replies to the requests of the international organizations;

i) the documents connected using interim measures;

j) requests and permissions to disclosure and information transfer;

k) information documents and references;

l) information documents;

m) closing statements;

n) reports of strategic analysis;

o) analytical and statistical documents;

p) the documents connected with risks assessment;

q) the documents connected with supervising activities;

r) decisions on authorization;

s) the documents and materials of information nature published by Service according to the prevention and anti-money laundering;

2) basic technological documents in System:

a) the administrative, regulating, procedural and technological documents;

b) profiles of users;

c) records of log files - the register of actions, requests and interaction of users with System;

d) certificates of users and other information on documentation of users.

31. Basic information subjects of the Register are:

1) research opinion;

2) report on financial investigation;

3) distribution of materials and information;

4) reply to the request about distribution of materials and information;

5) the requests addressed to reporting units;

6) the answer from reporting units;

7) EGMONT request outgoing;

8) reply of EGMONT outgoing;

9) EGMONT request entering;

10) the reply of EGMONT entering;

11) decision on application of interim measures;

12) decision on cancellation of interim measures;

13) request of permission to distribution outgoing;

14) the answer about permission to distribution entering;

15) request of permission to distribution entering;

16) the answer about permission to distribution outgoing;

17) general informing;

18) closing statement;

19) report on initiation of strategic analysis;

20) report on supervision of compliance;

21) decision on authorization;

22) special form.

32. Identification of information objects:

1) identifiers of the information objects specified in subitems of 3)-16) and 21) Item 31, are established by the Order of the director of Service of the prevention and anti-money laundering No. 10/2018 on approval of the Instruction on maintaining the Register of accounting of correspondence;

2) identifiers of the information objects specified in subitems 1) 2), 17) of Item 31, are established by the Order of the director of Service of the prevention and anti-money laundering No. 5/2018 on processing, the analysis, distribution and archiving of information on doubtful activities and transactions;

3) identifiers of information object from the subitem 22) of Item 31 are established by the Order of the director of Service of the prevention and anti-money laundering No. 18/2018 on provision of the activity reporting or the transactions falling under operation of the Law No. 308/2017.

V. Legal regime of use of data of the register

33. Users have access rights to information from the Register according to the powers and posts, and also legal regime of the checked information. The information access layer for each of participants corresponds to the position held by it and/or profile of access.

34. Access to information resources of the Register is segmented for internal users of System and external users.

35. The owner and the holder are internal users of System.

36. The owner has full access to data of the Register for rendering services in administration, including for the adaptive and improving maintenance of System.

37. Registrars and consumers with access rights, according to the legislation, are external users of System.

38. Use of the data from the Register for the purpose of contradicting the legislation is forbidden.

39. The data obtained from the Register cannot be transferred to the third parties if the legislation or international agreements which party the Republic of Moldova is, provide other.

40. Access to data from the Register depends on role of the user. So, the registrar has technical access to data from the Register that assumes data entry. Other external users have information access to data from the Register that assumes viewing of data only in individual format for each user separately.

41. The consumer of data from the Register has no right to make changes to the obtained data, and in case of their use shall specify source.

42. The right of access to System is not permanent, it can be suspended or withdrawn on the conditions provided in Item 43. Input and/or change of data in System from others name or from others profile of the user as it is considered unauthorized access is strictly forbidden. Users shall be convinced of confidentiality of profile and the digital signature.

43. Response/suspension of right of access to System is performed in case of establishment by the owner of violation of information security or according to the requirement/petition of the registrar addressed to the owner in one of the following situations:

1) termination/suspension of office/employment relationships of the user or registrar;

2) change of office/employment relationships if new powers do not assume access to data from the Register;

3) in other cases, within legislation provisions.

44. The planned scheduled maintenance for complex program and the hardware is performed according to the notification directed to owners to registrars in writing or to the e-mail address, according to the plan, approved with the responsible person at least in two working days prior to works with indication of, on circumstances, the term of their completion if it is possible. Unplanned scheduled maintenance is carried out, upon the demand of users, after preliminary approval of the owner in case of failure or inadequate work of complex program and the hardware.

45. The data obtained from the Register cannot be transferred to the third parties without prior consent of Service according to the prevention and anti-money laundering if only the legislation or international agreements which party the Republic of Moldova is, do not provide other.

VI. Mutual compatibility with other information systems

46. For providing the operational and automatic analysis of information content of System with reliable information interaction and synchronization of data with other information systems, including by means of government platform of interoperability (MConnect), with automatic import of data for check and/or filling of the information content of System can be performed.

47. The system provides interaction and data exchange with the following automated information resources:

1) the Automated information system "State Register of the Population";

2) the Automated information system "State Register of Legal Units";

3) the Automated information system "Inventory of Real Estate";

4) the Automated information system "State Register of Vehicles";

5) Information system of the State Tax Administration;

6) the Integrated information system of Boundary police;

7) the Customs integrated information system;

8) The automated information system "Register of Criminalistic and Criminological Information";

9) the Automated information system of accounting of offenses, cases on offenses and persons who made offenses;

10) the Automated information system "State Register of the Road Accidents";

11) the Automated information system "The Register of Detainees, Arrested and the Condemned Persons";

12) the Automated information system "Criminal prosecution: E-Dosar";

13) the Automated management information system and issues of allowing documents;

14) other automated information systems which are necessary for implementation and development of System.

48. The system uses the following government electronic services of platform:

1) the government electronic service of authentication and access control (MPass) specified in Item 2 of the Regulations on government electronic service of authentication and access control (MPass) approved by the Order of the Government No. 1090/2013;

2) the integrated government electronic service of the digital signature (MSign) determined in Item 2 of the Regulations on the integrated government electronic service of the digital signature (MSign) approved by the Order of the Government No. 405/2014;

3) the government electronic service of recording (MLog) specified in Item 2 of the Regulations on government electronic service of recording (MLog) approved by the Order of the Government No. 708/2014.

VII. Safety and integrity of information containing in the register

49. Measures for protection and data security provision from the Register are component of works on creation, development and operation of System and are updated by all subjects of the Register.

50. Objects of ensuring protection and data security from System all complex of means program and the hardware, information processes providing realization is considered:

1) databases, information systems, operating systems, database management systems, systems of accounting and other appendices providing functioning of System;

2) telecommunication systems, networks, servers, computers and other technical means of data processing.

51. Access to System is provided through government service of authentication and access control (MPass), and information exchange - through platform of interoperability (MConnect).

52. Access to information which is stored in the Register is provided at the different levels of the authorized access for each user.

53. Data protection from the Register is performed by the following methods:

1) the prevention of deliberate and/or inadvertent actions of users which can lead to destruction or misstatement of data;

2) exception of unauthorized access to data of the Register that is provided by means of special technical and software;

3) the prevention of destruction or change glitched or in work of technical and program complex by means of special remedies, including anti-virus programs by creation of the control system behind safety of the software and implementation of periodic backup;

4) the control of process of operation by means of the recording mechanism exercised by the owner.

54. During maintaining the Register safety of personal data according to the Law No. 133/2011 on personal data protection is ensured, and also:

1) all necessary organizational and technical measures for personal data protection from accidental or illegal destruction, accidental loss or unauthorized disclosure, change, access or any other unauthorized form of processing are taken (in particular, measures for ensuring access to personal data only of those persons which are authorized to have access to them are taken);

2) it is checked whether personal data are exact and if it is necessary, updated, with acceptance of all reasonable measures for ensuring removal or correction of inexact or incomplete data, proceeding from the purposes for which such data were collected or afterwards are processed;

3) only strictly necessary, adequate and relevant personal data which are not excessive concerning the purposes for which they gathered are processed or afterwards are processed. Proceeding from the purposes of processing and the status of the involved persons, also the depersonalized data can be used;

4) generation and storage of records about security audit of transactions on processing of personal data according to Chapter VIII of Safety requirements of personal data in case of their processing in information systems of the personal data approved by the Order of the Government No. 1123/2010 are provided. Records of audit of transactions and their results are in access of the National center for personal data protection which receives them in the order for investigation of potential violations of the mode of processing/personal data protection;

Responsible persons without delay report 5) in case of the incidents connected with safety in System about it to management of Service according to the prevention and anti-money laundering, take necessary measures for liquidation of incident and report about it in the National center for personal data protection within 72 hours from the moment of emergence of incident.

55. Information exchange is performed by means of means program and the hardware only on safe channels and with ensuring integrity and data security.

56. Internal users designate the person submitting directly to the head of organization and who is responsible for accomplishment and control of observance of provisions of regulations of information security and access to the personal data processed in System. The responsible person quarterly studies information on access to System for check of justification of the purpose declared when implementing access to such information.

57. Regulations of information security are brought to the attention of all internal users under the signature. Each internal user shall know regulations of information security and the procedure which he shall observe in strict accordance with security policy.

58. Internal users provide training of workers in methods and procedures of suppression of information dangers.

VIII. Control and responsibility

59. The owner Reestra and registrars shall prevent unauthorized access to data Reestra, their illegal use, distribution, change or destruction.

60. For the purpose of ensuring effective and smooth functioning of the Register access to data is provided on permanent basis.

61. The register is registered in the Register of the state information resources and information systems and in the Register of accounting of controllers of personal data.

62. Responsibility for the organization of functioning of the Register is born by its owner.

63. Subjects in the field of creation, operation and use of content of the Register shall process information containing personal data according to provisions of regulations in the field of personal data protection.

64. All subjects of the Register, and also persons who applied for information containing personal data bear responsibility according to the legislation for processing, disclosure and transfer of information to the third parties from system contrary to legislation provisions.

65. Subjects which powers include maintaining the Register, data entry, provision of information and ensuring work of the Register bear the personal liability according to the legislation for completeness, reliability, accuracy and integrity of information, and also for its storage and use.

66. For the purpose of ensuring effective and continued operation of System information data exchange of System is provided in the continuous mode.

67. Storage of the Register:

1) the owner provides storage of the Register before decision making about its liquidation. In case of liquidation of the Register all data containing in it are transferred to storage to archive according to the legislation;

2) the documents forming the basis for data entry in the Register are stored during the term established in rules of maintaining the Register if the legislation does not provide other;

3) after storage duration of documents they can be liquidated if the legislation does not provide other.

68. The owner generates no more once in 30 days backup copies of the database of the Register.

69. In case of the incidents connected with safety, the owner undertakes necessary measures for detection of source of incident, analyzes it, removes the causes of the incident, connected with safety, and reports about it in the National center for personal data protection.

70. The owner annually till January 31 represents to the National center for personal data protection the summary report on the incidents connected with safety in the Register.

71. Control of legality of transactions on processing of the personal data performed within the Register is made according to provisions of the Law No. 133/2011 on personal data protection. Within checks all necessary support is provided and the information access, check, necessary for object, is provided.

72. The owner stops functioning of System according to the petition of the responsible person for ensuring functionality of information system and information resources at the local level in case of one of the following situations:

1) during scheduled maintenance of complex program and the hardware of System;

2) in case of violation of requirements of security system of information if it constitutes danger to functioning of System;

3) in case of technical issues in functioning of complex program and the hardware of System;

4) according to the written requirement of the owner.

 

Disclaimer! This text was translated by AI translator and is not a valid juridical document. No warranty. No claim. More info