Editor's note: This is the second article in a two-part series on the European Union's anti-money laundering regulation.
Part One of this article explained how the European Union’s 2015 fourth anti-money laundering directive (2015/849 or 4AMLD) required financial institutions to apply data protection safeguards to their anti-money laundering/countering the financial terrorism compliance programs, but the guidance never materialized. In 2021, the Commission introduced 2021/0240 (COD) to establish an EU Anti-Money Laundering Authority and 2021/0239 (COD) an Anti-Money Laundering Regulation that, once again, presents opportunities for cooperation between financial crime compliance and data protection and privacy leaders.
While many of the European Data Protection Supervisor’s recommendations aligned with financial crime compliance attitudes, we summarize aspects of the opinion that pose challenges to AMLR, including 1) beneficial ownership registries; and 2) financial intelligence units.
Beneficial Ownership Registries
4AMLD, and later 5AMLD (2018/843), required member states to create national beneficial ownership registries to allow obligated entities to identify natural persons who ultimately own or control an entity including “senior managing officials,” trustees and others to prevent corporations being used to hide illicit activity. Legitimate use for data collection was cited for “money laundering, terrorist financing, and the associated predicate offences, such as corruption, tax crimes and fraud” but exemptions were allowed “where such access would expose the beneficial owner to the risk of fraud, kidnapping, blackmail, violence or intimidation, or where the beneficial owner is a minor or otherwise incapable.”
As the registries have come online (not all member states have complied), there have been legal challenges on the legitimacy of data collection, its efficacy to the cause, and the impact on individuals. In the Netherlands, privacy advocates attempted to shut down the Dutch registry citing lack of effectiveness and disproportionate risks to individual rights. The Court did not invalidate the AMLD; however, it saw that the registries collected data beyond the initial mandate and the case has forced national authorities to reexamine their data management. This is not the end of the issue, though, as a Luxembourg case that asked similar questions will be heard by the European Union Court of Justice in 2022.
Regardless of outcomes, these cases may impact AMLR’s BO provisions. The EDPS has not challenged the legality of the EU’s AML regime but focused on ensuring BO data is fit for purpose and advocating for proof of efficacy. As it had in 2013, the 2021 opinion requested data specifications with legal obligations to ensure adequacy, accuracy, and timeliness and added reporting on the use and effectiveness of money laundering/terrorism financing aims. Since covered entities or their representatives are obligated to report to registries, a mandate to provide accurate and timely information, if enforced, would certainly be helpful to financial crime compliance efforts that depend on this information.
Yet, even with tighter requirements, access rights will remain a contested privacy issue. Some member states limit admission to authorities and obligated entities, others require a resident tax ID number, and some are publicly accessible. The EDPS supported for access to a “closed list of competent authorities and self-regulatory bodies and of the categories of obligated entities,” without exceptions; and specific safeguards for civil society including nongovernmental organizations, the press, and investigative journalism because their work draws “attention to the general public to phenomena that might be relevant for AML/CFT enforcement,” but the motivations were of “general interest” rather than holding the legal responsibility for investigation and enforcement.
These recommendations seem sensible considering the roles of private and public financial crime compliance groups and the data governance laws that delineate them. In practice, they may pose difficulties for authorities, obligated entities and civil watchdogs. National registries are independently created and managed, and the differences in site functionality limits their utility in mapping corporate and natural person relationships within and across jurisdictions. Some sites allow single entity look ups through corporate tax ID numbers, others require a match to a corporate name (although AMLD requires obligated entities to know natural person beneficiaries), some only list entities in the native language, and few sites offer downloadable files for batch screening.
While an EU AMLA seeks to create a single rulebook, the Beneficial Ownership Registers Interconnection System project seeks to link them through the EU e-Justice Portal. Users will access BORIS through a single sign-on authentication at the national level that would also facilitate payments for use in some cases. Although it is unclear how the integration will make it easier to view connections across registries, it will likely not offer analysis beyond the EU. Currently, private data providers and nonprofits fill this gap by collecting registry and other open-source data into curated datasets. The datasets enable financial crime compliance practitioners to view complex global corporate structures impossible to see with a single lookup tool or solely an EU view which is essential to comply with AML, U.S. Office of Foreign Assets Control, U.K. Office of Financial Sanctions Implementation, and EU sanctions requirements that disallow dealings with companies with aggregate ownership or deliver benefits to economically sanctioned entities..
The gap between due diligence risk requirements, national registries and BORIS may signal trouble for FI financial crime compliance. Restrictions on civil society groups could curtail research essential to understanding illicit (and legitimate) economies or highlight regulatory gaps. Finally, because many obligated entities utilize aggregated data products, efficacy could be determined solely by direct access to national sites. This information and a consideration of how many times BO data was reported to authorities in SARs and how many of those reports led to enforcement or prosecutions for ML/TF crimes would also have to be considered. Perhaps unknowingly, this recommendation circles back to the supervisor’s wish to include data suppliers under AMLR.
Data & FIUs
It is helpful to view the EDPS opinion on FIU data in the context of recent oversight actions. In 2019, the supervisor imposed a ban on Europol’s technical management of FIU.net, a decentralized information-sharing network for EU FIUs, since the Europol regulation limits processing to police data and suspects. As the definition of a suspect varies according to member state law, the Europol Cooperation Board could not “consistently ensure that Europol is legally competent” to process suspicious transaction data through FIU.net. “To comply with the (Europol) rules, individuals involved in suspicious transactions would have to be considered as suspects. FIUs, however, act before the start of any criminal proceeding or investigation has begun.” In January 2022, the EDPS also ordered Europol to delete data collected by member state authorities pertaining to “individuals with no established link to a criminal activity (Data Subject Categorisation).”
National FIUs receive suspicion-based (e.g., Suspicious Activity Report, Suspicious Transaction Report, Unusual Transaction Report), and threshold-based (e.g., Currency Transaction Reports from FIs for further analysis. Since the reports may signal illicit activity based on an obligated entity’s risk assessment, this information alone is not a determination of illegal behavior — that decision is left to authorities. However, some FIUs cannot make that determination, and the FIU type complicates the information they can legally use: 1) Administrative — receipt, analysis and dissemination of reports without investigative or prosecutorial duties; 2) Law Enforcement — part of an existing agency with enforcement powers; 3) Judicial — prosecutors jurisdiction with investigatory bodies; and 4) Hybrid — combination of above.
An administrative FIU does not enjoy the same legal right to hold potentially or actual criminal data as FIUs with investigatory and prosecutorial powers. The EDPS opinion, which reflected its recent actions with Europol, was concerned that FIUs should have access to “any type of information” from private and public authorities and requested a reassessment of the “necessity and proportionality” of access rights as well as express language limiting usage to AML/CFT purposes. The supervisor requested additional guidelines on FIU.net data sharing, to be housed under the EU AMLA, to establish “rules on cooperation between competent oversight authorities and on relevant databases and infrastructure for the exchange of information, notably FIU.net.”
Additionally, the opinion requests that FIUs or authorities only embark on investigative rather than intelligence-led analysis, reasoning that Article 51 of the proposal for a Directive to repeal 4AMLD “seems to refer … to a data mining technique for the identification of subjects of (merely) potential interests.” The comment suggests that reports are supplemental to an investigation already in progress. While many cases are led by active investigations, intelligence-led insights, specifically combining data from multiple avenues to illuminate unknown connections is critical as FIs rarely share insights across their own lines of business, affiliates or foreign branches. For example, national FIUs may receive separate reports from FIs in their jurisdiction from several different branches and LOBs on the same individual. The reported transactions may appear legitimate on their own, but without examining the relationships across reports, or with data held by authorities, investigators may not be able to recognize or map illicit actions to initiate a formal inquiry.
This should not be interpreted as a reason to issue authorities a data blank check. There is a hazard of gold-plating and mission creep in risk-based methodologies that sometimes justifies data retention for “what if” scenarios. However, the situation can be mitigated with guidelines that set adaptable data collection and analysis frameworks using indicators and typologies (that already exist) to identify fit-for-purpose data aligned to AML/CFT use cases. In February 2022, the EDPS, European Commission, and Council of the European Union advanced these efforts with a political agreement on Europol data supervision that sets rules for processing large datasets, cooperation with private parties and non-EU countries, Parliamentary oversight and technological innovation. The regulation opens a long-overdue dialogue, and if taken in concert with private sector guidelines on risk-based assessments, these actions may contribute to more robust legal and operational framework to govern public-private information sharing partnerships in a way that balances AML and individual rights.
Conclusions
The AML regime’s risk-based methodology relies on private sector data and criminal information held by public authorities to prevent, detect and prosecute illicit finance and political violence, illustrating conflicts between laws that govern public and private data, how public/private AML/CFT roles and functions overlap, and the trials in accommodating risk-based and rule-based legislation at the same time. The AMLR has the potential to bridge longstanding financial crime compliance and data protection operational and governance gaps, but only if leaders actively engage in dialogue about data management with financial crime leaders and close involvement from the private sector.
Dr. Michelle Frasher, PhD, CAMS is a Certified Anti-Money Laundering Specialist and was a 2014 Fulbright-Schuman Research Scholar to Belgium and Malta researching transatlantic data transfers concerning counter-terrorism financing. She is currently a practitioner in the FCC RegTech data space and researches and writes about financial crime, data, privacy, and national security. The opinions expressed in this article are her own.
Photo by lilzidesigns on Unsplash