On September 24th 2021, the European Data Protection Supervisor (“EDPS”) published its Opinion 12/2021 on the European Commission new Anti-money laundering and countering the financing of terrorism legislative package.
With so much at stake for financial institutions and where failure to comply with the EU GDPR can lead to fines of up to 20 € million or 4% of annual global turnover (whichever is higher), correct application and understanding of both AML/CTF and GDPR frameworks are paramount to a healthy and streamlined business model.
The new AML/CFT legislative package in a nutshell
Whilst seeking to strengthen the current rules on money laundering and terrorism financing, the new regulations raise interesting and valuable insights into a relationship that financial institutions often find difficult to navigate. Two of the main goals of the package are therefore to “close loopholes used by criminals to launder illicit proceeds or finance terrorist activities through the financial system” and to implement and harmonise “supervisory activities at EU level.”
The new package consists of four legislative proposals:
- At the heart of the legislative package, a regulation establishing a new EU AML/CFT Authority: the AMLA. The new central authority will be coordinating authorities at the national level and will be supporting Financial Intelligence Units (FIUs) around the identification of illicit financial flows. The Commission wants AMLA to be operational in 2024.
- A Single EU Rulebook on AML/CFT containing directly applicable rules, particularly in the areas of customer due diligence and beneficial ownership.
- The 6th directive on AML/CFT (“AMLD6”) replacing Directive 2015/849/EU; and
- A revision of Regulation 2015/847/TEU (the 2015 Regulation on Transfers of Funds to trace transfers of crypto-assets).
Opinion 12/2021 of the EDPS
All in all, the Supervisor notes on the website that he welcomes the aims of the package and particularly the risk-based approach followed by the Commission in its proposals. Most importantly, it welcomes the creation of a new supervising authority (AMLA) and its subsequent harmonising and coordinating role.
However, the EDPS notes that a lack of clarity and definition may hinder the lawfulness of the measures. The EDPS also asks the Commission, inter alia, to specify the type of data that will be processed by the obliged entities and to implement clear-cut limits and conditions for the processing of personal data relating to criminal convictions and offences. It also notes that the processing of data relating to sexual orientation or ethnic origin should not be allowed. With regards to beneficial ownership registers and generalised access, the EDPS urges the Commission to reconsider its current stance on the matter and advises that “beneficial ownership information shall be accessed (…) only by competent authorities who are in charge of enforcing the law and by obliged entities when taking due diligence measures.” Because public access to such information presupposes a “different function/purpose”, a separate set of rules should also be implemented where beneficial ownership information by NGOs or journalists is accessed.
Irreconcilable differences or finding the right balance?
The AML/CFT-EU GDPR conundrum raises very particular legal challenges. It should be stressed however that the two frameworks should not be seen as irreconcilable but rather as made of two complementary measures. Even though both frameworks serve different purposes and use opposite approaches, the AML/CTF and GDPR are here to stay and both anti-money laundering regulations and personal data protection are equally important.
“I recognise the importance of combatting money laundering and the financing of terrorism. At the same time, it is also important that the measures envisaged to achieve this goal are fully in line with the EU’s data protection laws and principles. In particular, the processing of individuals’ personal data must remain limited to what is necessary and proportionate in light of the specific purpose(s) set out in the proposals. (Emphasis added)”
The fight against money laundering and terrorism financing is central to Europe’s political, financial stability and security and strong harmonized regulatory oversight and the future proposed AMLA may well close the current loopholes. At the same time, member states are under an obligation to uphold human rights norms and fundamental freedoms as enshrined under the EU Charter of Fundamental Rights, particularly Article 7 (right to respect for private and family life), Article 8 (right for the protection of personal data) and Article 16 (freedom to conduct a business).and the EU GDPR,
The United States, in the eyes of the European Commission, failed to strike the right balance between human rights and national security what led to the invalidation of the Privacy Shield framework in July 2020. the CJEU found that US law, Section 702 FISA and EO12333 do not allow essentially equivalent level of protection, because the US Attorney General and the Director of the National Intelligence can issue written directives compelling US electronic communication providers to assist with the collection of the Personal Data of a target under Section 702 FISA.
Whether striking the right balance between upholding individual rights and the safeguard of Europe’s financial system is possible, we will find out soon.
