Anti-Money Laundering (AML) Update
Since 10th January 2020, art market participants (AMPs) who sell works of art (in a single transaction or a series of transactions) over the threshold of 10,000 Euros (or its equivalent currency), must comply with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. For some transactions, auction houses are therefore required to carry out customer due diligence procedures to identify and verify the identity of buyers/sellers and the source of funds, prior to the completion of such transactions. This involves obtaining and verifying certain information on buyers/sellers, and where relevant, their beneficial owners, including: (a) proof of identity, such as a passport or driving licence scan; (b) proof of address, such as a scan of a utility bill dated within the last three months; and (c) screening to see if the individual is a politically exposed person (“PEP”) or connected to a sanctions list. If a buyer/seller is acting as agent on behalf of someone else, the AMP must also verify that they are authorised to act on behalf of the ultimate buyer/seller. Snoofa has incorporated these customer due diligence checks into the registration procedures of auction houses to whom Snoofa supplies auction management software, to ensure that auctions run smoothly and to minimise delays in bidding on works of art.
1. Who We Are and Key Terms
Snoofa Ltd (“Snoofa”) is a company registered in England and Wales with company number 11994411 and having its registered office at Elm House, Llancayo Court, Usk, Monmouthshire, United Kingdom, NP15 1HY.
“AML Obligations” means the obligations of art market participants under the AML Regulations to identify and verify the identity of buyers/sellers and the source of funds, prior to completing transactions of works of art (in a single transaction or a series of transactions) over the threshold of 10,000 Euros (or its equivalent currency);
“AML Regulations” means the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017;
“Auction House” means the auction house whose website you are accessing and with whom you are registering;
“GBG” means GB Group Plc a public limited company incorporated in England and Wales with company number 02415211 and having its registered address at the Foundation Herons Way, Chester Business Park, Chester, CH4 9GB, United Kingdom;
“KYC Documents” has the meaning set out in Clause 4;
“Personal Data” means data relating to natural persons who can be identified or who are identifiable, directly from the data in question or who can be indirectly identified from that data in combination with other data. This may include identifiers from the following categories of data:
- “Contact Data” includes data such as your delivery address, billing address, email address and telephone numbers;
- “Financial Data” means data relating to your payment (such as credit or debit card number, bank account information, purchase amount, date of purchase, payment method and in some cases, information about your purchases);
- “Identity Data” includes first name, last name, maiden name, username or similar identifier; and
- “Technical Data” includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you are using.
“Registration Fee” has the meaning set out in Clause 5;
“Sensitive Personal Data” means Personal Data that requires additional protection because it is sensitive. It may include identifiers from the following categories of data:
- “Criminal Offence Data” is Personal Data relating to criminal convictions and offences or related security measures and may include a wide range of information about criminal activity, allegations, investigations and proceedings; and
- “Special Category Data” includes details about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data.
“Snoofa Software” means auction management software developed by Snoofa for auctions;
“Snoofa Policy” means this policy; and
“Stripe” means Stripe Payments UK Ltd, a private limited company incorporated in England and Wales with company number 08480771 and having its registered address at the 9th Floor, 107 Cheapside, London, EC2V 6DN, United Kingdom.
2. Snoofa Software
Snoofa provides Snoofa Software to the Auction House. The Snoofa Software includes an anti-money laundering solution to allow the Auction House to comply with its AML Obligations.
3. Snoofa Policy
This Snoofa Policy sets out (i) the terms of the customer due diligence checks which the Auction House will carry out as part of their AML Obligations, and (ii) how Snoofa, as a data processor processing some of your Personal Data on behalf of the Auction House, processes and protects your Personal Data as a buyer/seller across the multi-tiered registration procedure at the Auction House.
In order to register with the Auction House, you must confirm that you have read and agreed to this Snoofa Policy in addition to the Auction House’s standard terms & conditions and privacy notice (the latter sets out how the Auction House processes your Personal Data). You will be asked to confirm your agreement by ticking the “tickbox”. Please take the time to carefully read this Snoofa Policy, prior to registering with the Auction House. If you do not agree to this Snoofa Policy, you should not proceed to register with the Auction House.
4. How It Works
There are three distinct levels of registration on the Auction House’s platform, namely, ‘Uncertified’, ‘Basic Certification’ and ‘Advanced Certification’. Each registration level allows a specific level of access to the Auction House platform, and requires you to complete a different level of registration requirements.
- Uncertified: To first register on the Auction House platform, you must provide your name and email address and create a password. If you are Uncertified, you cannot participate in any auctions at the Auction House.
- Basic Certification: To participate in an auction either as a buyer or a seller, you must complete Basic Certification. To complete this level, you must provide: (i) your telephone number (ii) your billing address (iii) your delivery address; and you will also need to (iv) verify the email address you provided when you first registered. Each of these details will be verified, either by the Auction House directly or using third party software, or in the case of verifying your billing address, by Stripe. Basic Certification requires you to pay the Registration Fee (as set out in Clause 5). The Auction House may set a selling or spending limit in its discretion.
- Advanced Certification: Only once you have completed your Basic Certification, may you apply for Advanced Certification. Advanced Certification grants you access to all of the services offered by the Auction House and removes any selling and/or spending limit. In order to obtain Advanced Certification, you must provide (i) proof of your address (e.g. a utility bill dated in the last three months); (ii) proof of your identity (e.g. a copy of your passport or driving licence) (together “KYC Documents”). You will be directed to upload your KYC Documents as set out in Clause 8 and will be required to verify your identity by live photo (selfie) by following the instructions.
By providing any Personal Data, you warrant that such Personal Data is true, complete and up to date. Under the AML Regulations, providing false or misleading information (either knowingly or recklessly) is an offence and punishable by imprisonment and/or a fine and may result in you being barred from the Auction House.
Snoofa does not make decisions on registration levels and it is at the discretion of the Auction House as to whether it is satisfied that you have provided sufficient information to achieve a certain level of registration.
5. Registration Fee
In order to achieve Basic Certification, you will be charged a small fee which shall be no more than £3.99 + VAT (the “Registration Fee”) which covers the costs of verifying the details that you have submitted. The Registration Fee shall remain valid for a term of five years, provided the Auction House continues its Snoofa Software licence. In the event the Auction House terminates its Snoofa Software licence before the expiry of five years, the Auction House may require you to re-register with another software provider and you should discuss this with the Auction House directly.
Payment of the Registration Fee shall be processed through Stripe, subject to and in accordance with its terms, which can be found here. You should familiarise yourself with Stripe’s terms as Snoofa shall not be responsible for any loss or damage caused as a result of you using Stripe including but not limited to in the event that payment fails, is intercepted due to hacking or cyber-attack, or any loss of Personal Data or Financial Data provided to Stripe.
6. Processing by Snoofa
Snoofa may process Identity Data (specifically your name and username) and Contact Data (specifically, your email address, telephone number, and billing/invoice addresses) that you provide when you register on the Auction House’s platform for Uncertified and Basic Certification. Snoofa processes this Personal Data to enable you to register with the Auction House and to fulfil the contractual obligation with the Auction House under the Snoofa Software licence. Snoofa will not transfer your Personal Data outside of the UK.
Snoofa may also process additional data that you submit to Snoofa (for example, requests for customer support and technical assistance) and Technical Data that Snoofa automatically collects using cookies, server logs and other similar technologies. Where allowed under applicable law, Snoofa relies on its legitimate business interests to process these categories of Personal Data about you, but it will balance Snoofa’s legitimate interests against your interests and rights (for example, responding to inquiries, improving the Snoofa Software, and enabling network and information security).
Your KYC Documents, selfie, Financial Data and Sensitive Personal Data will be processed by the third parties set out in Clause 8 below. Although Snoofa will have access to this Personal Data by virtue of it being the main account holder with the third parties, Snoofa does not control the Personal Data that such third parties obtain, or the technology they use to do so. Nevertheless, Snoofa shall treat having “access” to this Personal Data through its main account as “data processing” under the 2018 Data Protection Act (DPA). Snoofa processes this Personal Data (which may include Financial Data, Identity Data, Contact Data) on the basis that it is necessary in order to fulfil Snoofa’s contract with the Auction House and to enable the Auction House to meet its AML Obligations. In addition, any Sensitive Personal Data that Snoofa processes as a result of having access to the KYC Documents, PEP and/or sanctions search by virtue of Snoofa being the main account holder with GBG is processed on the basis of your explicit consent under Article 9(2)(a) of the 2018 DPA. If you are not happy to provide your explicit consent, then please consult with the Auction House that you are engaging with. They may provide an alternative means to verify your identity. Snoofa also relies on the basis of “substantial public interest” and to combat terrorist financing, money laundering and fraud under Schedule 1 of the 2018 DPA to process Sensitive Personal Data, particularly any Criminal Offence Data.
7. Storage and Retention
Where Snoofa does process your Personal Data, it processes and protects your Personal Data through a variety of industry-standard access controls and only keeps it for as long as reasonably necessary to fulfil the purposes it was collected for including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. While Snoofa uses reasonable means to protect your Personal Data, data transmission over the internet cannot always be guaranteed to be 100% secure. Snoofa cannot and do not warrant the security of any Personal Data that you transmit, and all such transmissions are done at your own risk.
8. Third Parties and International Transfers
The Auction House is the data controller for the purpose of this Snoofa Policy. Controllers are the main decision-makers and exercise overall control over the purposes and means of processing your Personal Data. The Auction House is responsible for reviewing the results of the verification processes and your KYC Documents and deciding whether to approve the verification checks or not. The Auction House may ask you for further information to comply with its AML Obligations (for example to conduct enhanced due diligence on you) or otherwise in its discretion and will decide whether or not to transact with you. The Auction House will therefore control and process your Personal Data, which may include your Identity Data, Contact Data, Financial Data and Sensitive Personal Data, as well as any additional information that you provide, according to its privacy notice available on its website.
Depending on the level of registration, the Snoofa Software integrates with third party providers to carry out verification checks and process payment of the Registration Fee. You should read the privacy notices of each third party service provider to understand how your Personal Data is controlled, stored, shared and transferred (which may be outside the UK) as well as the reasons and lawful bases for processing certain categories of Personal Data. At the date of this Snoofa Policy, Snoofa uses the following third party providers:
- Stripe: You will be connected directly to Stripe, via an integration, to pay the Registration Fee. Stripe will process your Personal Data which may include your Financial Data, Identity Data and Contact Data that you provide according to its privacy notice set out here. Snoofa will have access to the Financial Data you provide to Stripe to pay the Registration Fee.
- GBG: To complete Advanced Certification, you will be connected to GBG to upload your KYC Documents. GBG will process your KYC Documents, which may include Identity Data, Contact Data, Financial Data, and Sensitive Personal Data, to match it against third party data suppliers, including checking PEPs and sanctions lists, and does so in line with its privacy notice set out here. Snoofa will have access to the KYC Documents and selfie that you provide to GBG as well as the results of the PEP and Sanction screening, including any consequential Sensitive Personal Data.
9. Your Rights
Your Personal Data is protected by legal rights, which include your rights to object to Snoofa’s processing of your Personal Data; request that your Personal Data is erased or corrected; request access to your Personal Data; right to restriction or objection to processing; and right to data portability.
For more information or to exercise your data protection rights regarding Snoofa’s processing, please contact Snoofa via email at email@example.com. Snoofa will try to respond to all legitimate requests within one month. If you are unhappy with any aspect of how Snoofa processes your Personal Data you can make a complaint to the Information Commissioner’s Office (ICO) here. In order to exercise your data protection rights against any of the third party service providers or the Auction House, you should use the contact details set out in their privacy notices, as Snoofa is unable to assist you with third parties.
10. Contact and Updates
Snoofa may revise this Snoofa Policy at any time. This Snoofa Policy was last updated on 16th May 2022. If you have questions or concerns about this Snoofa Policy, please email firstname.lastname@example.org.
A cookie is a small file of letters and numbers that is stored on your browser or the memory of your computer or device. Cookies contain information that is transferred to your computer’s memory and can help to distinguish you from other users and provide you with a good user experience.