Walking the tightrope between WWFT and privacy compliance

August 3, 2022 | Blog

Over the last couple of years, combating money laundering and terrorist financing (AML/CFT) has been the focus of attention. Multiple banks were hit by substantial fines, with their directors even being threatened with criminal prosecution on account of their overly lax compliance policy. Throughout the financial world, monitoring and auditing policies were tightened. But there is a point where the AML/CFT compliance trajectory hits a wall, and that wall is called privacy.

Many years ago, the European privacy watchdog EDPB and its predecessor, the Article 29 Working Party, already started raising the alarm over the privacy risks of AML/CFT compliance.[1] They stressed that personal data processed as part of AML/CFT measures imposed as obligations should always have a clear legal basis, and that violations of these obligations should always be dealt with in a balanced way.

On 12 May 2022, in response to new legislative proposals to strengthen the EU's AML/CFT rules of 21 July 2021,[2] the EDPB published a letter to express its concerns to the European Council, the European Parliament and the European Commission.

The proposed legislation

At the heart of the new legislative proposals is the creation of a new AML/CFT authority, AMLA. The proposals also provide for a new regulation that will contain rules on customer due diligence and UBOs, already known as the Private Sector Regulation. A third proposal provides for the introduction of a new directive to replace Directive 2015/849/EC, while there will also be a revision of Regulation 2015/847 on information accompanying transfers of funds (“WTR2”), to make it possible to trace transfers of crypto-assets.

The concerns raised by the EDPB

The EDPB highlights the issue that entities subject to the legislation are able to draw intimate inferences about individuals and that the proposals could have serious repercussions. These repercussions might lead to the exclusion of natural persons from banking or other services.

In the view of the EDPB, the new legislative proposals need substantial amendments to ensure better consistency between the AML/CFT legislation and the principles of the GDPR as laid down in Article 5, with the accuracy principle and the data minimisation principle receiving specific mention.

The EDPB would like the proposals to provide for additional safeguards in relation to the processing of sensitive data, and demands more clarity as to the sources used by entities for gathering information as part of AML/CFT compliance activities (such as “watchlists” containing data about politically exposed persons).

In that context, the EDPB proposes that the following safeguards be introduced to ensure legal certainty and the privacy rights of data subjects.

  • Consultation of the EDPB in the context of the drafting and adoption of regulatory technical standards (“RTS”), guidelines and recommendations

The new legislative proposals provide for the issuance of new guidelines by the AMLA, among other authorities. The EDPB considers its involvement in the development of the envisaged guidelines, including the RTS, to be essential.

  • The need to better specify the conditions and limits to the processing of special categories of personal data

Article 55 of the proposal for the Private Sector Regulation lays down that obliged entities may process special categories of personal data if this processing is ‘strictly necessary’ for AML/CFT purposes. The EDPB considers the wording of Article 55 to be insufficiently specific. In addition, the text should define explicitly the special categories of personal data and the relevance of their processing. The proposal fails to make clear why, for example, data concerning an individual's health would be necessary for the purpose of an AML/CFT assessment. According to the EDPB, it should be specified that the assessment made by entities subject to AML/CFT requirements must not be solely based on the processing of special categories of personal data.

Article 55(3) of the proposed Private Sector Regulation lays down that entities may process not only data relating to criminal convictions but also “allegations”. The EDPB considers the processing of such data to present a high level of risk, for the text of the proposed article appears to lay down that such allegations could include unsubstantiated ones. The impact on the person or persons concerned could be significant, whereas there may be little or no substance at all to the allegation. The EDPB recommends that Article 55 specifies that allegations or judicial proceedings should not have the same impact on the risk assessment of a person as a criminal conviction.

  • The need to provide additional provisions in relation to the sources of information

Article 55 of the proposal for the Private Sector Regulation also lays down that special categories of personal data may be processed provided that “the data originate from reliable sources, are accurate and up-to-date”. The EDPB does not see why this obligation should apply exclusively to special categories of data.

In today's practice, a key source of data is the so-called “watchlist”, offered by specialist service providers. While the EDPB acknowledges the need for entities to rely on this kind of service for the effective implementation of their AML/CFT obligations, it considers it problematic that the providers of these watchlists act as data controllers and process special categories of personal data without a sufficient legal basis. For this reason, the EDPB advocates the inclusion of specific rules on this point in the legislative proposals.

Conclusion

All things considered, it is clear that striking the right balance between the interests of effective AML/CFT and the protection of the privacy of data subjects continues to be a tightrope act for the European legislators, and, by extension, for any organisation that has to comply with the requirements of the Dutch AML/CFT legislation. Any measure that could be considered “optimal compliance” from an AML/CFT perspective may, for all intents and purposes, be considered a “measure too far” from a privacy compliance perspective. Finding that compliance sweet spot calls for continuous consideration and attention.

If you have any questions about this topic, feel free to contact Martin Hemmer.


[1] The first warning went out in 2011: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2011/wp186_en.pdf; EDPB Statement on the protection of personal data processed in relation with the prevention of money laundering and terrorist financing, 15 December 2020; EDPB letter to the European Commission on the protection of personal data in the AML-CFT legislative proposals, 19 May 2021; EDPS Opinion 12/2021 on the anti-money laundering and countering the financing of terrorism (AML/CFT) package of legislative proposals.

[2] Anti-money laundering and countering the financing of terrorism legislative package | European Commission (europa.eu)