Editor's note: This is the first article in a two-part series on the European Union's anti-money laundering regulation.
In 2015, the European Union’s fourth anti-money laundering directive (2015/849, or 4AMLD) required obligated entities (e.g., financial institutions) to apply data protection safeguards to their compliance programs. As the directive mandates FIs employ a risk-based assessment using numerous data variables to assess a client’s risk of money laundering, terrorism finance activity and the potential impact on individual rights in that process, data protection’s emphasis on accuracy, data minimalization and fit for purpose was a natural component in the exercise. However, since 4AMLD’s implementation, neither the directive nor financial crime compliance regulators nor data protection authorities provided guidance on what those safeguards might look like or how they should be applied, despite the Working Party 29’s detailed 2011 Opinion and Annex on the legislation.
In July 2021, the European Commission published two draft regulations: 2021/0240 (COD) for an EU anti-money laundering authority, and 2021/0239 (COD), an anti-money laundering regulation. The goals include establishing a single rule book and coordination of national regulatory authorities and financial intelligence units, the national bodies that facilitate investigations on suspected criminal activities reported by FIs. Building on 4AMLD and its amendments, the regulations contain sections devoted to data protection that cover compliance processes for private entities, EU bodies and public-private partnerships, but the details of those controls and safeguards will be outlined by the AMLA two years after the regulation goes into force.
Many of WP29's 2011 concerns resurfaced in the European Data Protection Supervisor’s May 2021 letter to the commission and again its September AMLR Opinion, with a renewed invitation for cooperation in several areas, including: 1) RBA risk variables and factors to guide decisions; 2) processing special categories of personal data; and 3) the regulation of outsourcing relationships.
Risk variables and risk factors
4AMLD (and its subsequent amendments) requires FIs to conduct a risk-based assessment to determine if a client poses a money laundering or terrorism finance risk at onboarding and throughout the business relationship. RBAs are unique to each FI as clients, products, services and jurisdictional variables vary, making the process part art and part science. FIs employ multiple data sources — information from the client, information from vendors, input from regulators and law enforcement, and insights from transaction and behavioral monitoring throughout the relationship. Thus, risk decisions involve a myriad of data points to determine whether to enter or continue a business relationship, accept a client with a high regulatory risk and place adequate controls to mitigate those exposures, and if a client’s actions warrant reporting to FIUs for further investigation through, for example, filing a Suspicious Activity Report to an FIU.
In 2011, WP29 recommended “systemic data collection not be seen as a purpose in itself but applied to the risk involved … (and) should always depend on a preestablished risk assessment that takes into account different factors such as the situation of the client, the nature of the transactions, the financial product or the financial flows involved.” In 2021, the EDPS again requested guidelines on RBA data elements at each stage of the process, clear and transparent criteria for escalations, and for “trigger events” that necessitate reporting. While definitive lists may not be possible because of the FI variables explained above, there is longstanding consensus in the financial crime compliance community that there is room for improvement.
As financial data is at once commercial and potentially criminal, financial crime compliance regulators and DPAs share an interest in providing clear RBA guidance to help FIs determine when a client relationship necessitates escalation or has reached a threshold of suspicion for reporting. Financial crime compliance regulators desire to identify illicit activity (FI compliance teams want to reduce workloads and costs and avoid regulatory infractions), and DPAs want to ensure that individuals who have not engaged in illicit behavior are not reported to authorities or impacted unfairly by an FI’s RBA decisioning.
To this end, AMLR Articles 8, 16 and Annex I, II, III outline preliminary indicative risk variables (e.g. the customer’s and customer’s beneficial owner “business or professional activity,” their reputation, jurisdictions in which they are based, main places of business, “relevant personal links,” product, level of assets and size of transactions, etc.) and low/high risk factors to consider (e.g., low: public companies, low life insurance premiums, third-country effective AML systems; high: cash-intensive businesses, private banking, products and transactions that favor anonymity). Article 50 requires FIU reporting when suspicion has been reached in accordance with these technical requirements.
The AMLA is tasked with publishing a comprehensive list two years after adoption with updates as needed. Although the Financial Action Task Force and other governmental bodies have published similar guidelines, if done with regular and ongoing coordination with DPAs, regulators, law enforcement and the private sector, the AMLA can set EU-wide data elements that may reduce uncertainty and produce stable but dynamic risk assessments that lead better reporting while balancing individual rights.
Sensitive personal data and criminal convictions and offenses
A foundational component of RBA, FIs must know if clients are on government sanctions or regulatory lists or if they are involved in activity relating to money laundering or terrorism finance predicate offenses including corruption, bribery, trafficking and insider trading. Such information falls under the EU General Data Protection Regulation Articles 9 and 10. In 2011 WP29 warned against “goldplating” and mission creep regarding the processing of sensitive and criminal data, a concern repeated in 2021 where the EDPS asked for “clear limits” on sensitive data usage and a restriction on sexual orientation and ethnic data.
AMLR Article 55 allows sensitive and criminal data processing if it is “strictly necessary” to prevent and is related to money laundering or terrorism finance predicate offenses, the customer is notified that this data may be processed, the data is accurate and current, handled according to GDPR Article 32 regarding confidentiality, and that obliged entities “have procedures in place that allow the distinction, in the processing of such data, between allegations, investigations, proceedings and convictions, taking into account the fundamental right to a fair trial, the right of defense and the presumption of innocence.”
This language asks FIs to consider the legal process in handling criminal offense data in risk assessments, but the EDPS’s restriction on sexual orientation and ethnicity is less direct. For example, FATF requires FIs to identify family members (e.g., spouses) and close associates of Politically Exposed Persons including “(known) (sexual) partners outside the family unit (e.g., girlfriends, boyfriends, mistresses)” as these relationships and their accounts are typical kleptocratic avenues for laundering money. Sexual orientation could easily be derived from this information. Similarly, ethnicity in identification documents with place of birth or citizenship may also be discovered.
Outsourcing relationships
Finally, the EDPS requests an expansion of AMLR’s “outsourcing” definition to include data vendors whose services are integral to an FI’s RBA. Related to the sensitive and criminal data topic above, obligated entities must take “reasonable” efforts to validate client information and screen upon onboarding and throughout the relationship for conditions including money laundering or terrorism finance predicate offenses, government sanctions and regulatory lists, or if they hold “prominent public positions’ as PEPs, or are related or have business relationships to individuals who occupy these positions. Without these services, FIs would be forced to collect this data on their own and incur costs that would render compliance impossible.
4AMLD referenced obligated entities pursuing “outsourcing relationships” by contract but did not define what these relationships may involve. AMLR Articles 40 and 41 narrow the scope and define them as arrangements where “customer due diligence” is performed under contract by “an agent or external service provider” since it is common practice for some FIs to use vendors and direct them to perform some or all compliance functions.
Financial crime compliance regulators include data providers in their audits of FI compliance programs. FIs are held accountable for any deficiencies, but these vendors are not explicitly covered in 4AMLD or AMLR; they service data in accordance with client demand. However, data providers are regulated under GDPR, and the legal basis for their processing lay in their clientele’s Article 6 EU and Member State law obligations, however defined. In a concern for data accuracy and quality, with an aim to set scope and standards for collection aligned with AML, the EDPS requests the creation of “a specific legal framework … and to clarify the responsibilities between obliged entities and the watchlists providers regarding GDPR obligations, to provide guarantees especially regarding the compilation of sensitive data, as well as to regulate the consultation of those lists by obliged entities and specify how data subject rights are response in this context.”
Conclusions
Initially seen as another regulatory burden on an already cumbersome process, attitudes towards data protection in the financial services are slowly changing. In the past 10 years, FIs have embraced enterprise RBA, national authorities support public-private information sharing partnerships and international governance bodies such as the FATF have become advocates for financial crime compliance/data protection synergy. The value of data protection as a means of improving program efficiencies and providing targeted data to counter illicit networks is making its way into the financial crime compliance lexicon, but DPAs need to be equally engaged.
The AMLR has the potential to bridge a longstanding financial crime compliance and data protection operational gap, but only if leaders actively engage in technical dialogue with close involvement from obligated entities and their support systems.
Michelle Frasher, PhD, CAMS is a Certified Anti-Money Laundering Specialist and was a 2014 Fulbright-Schuman Research Scholar to Belgium and Malta. She writes about financial crime, data, privacy, and national security. Previous communication had incorrectly identified her professional affiliation. The opinions expressed in her articles are her own.
Photo by Markus Spiske on Unsplash