The current effort to turn the 4th anti-money laundering Directive to a Regulation and establish an EU Anti-Money Laundering Authority is finally addressing the long-neglected issue of how to implement data privacy and protection (DPP) in compliance.
The European Data Protection Supervisor (EDPS) has been actively involved in the legislative process, providing recommendations in May 2021 and September 2021, some of which were included in recent drafts.
In May 2022, the Supervisor pushed to the forefront three foundational topics that represent attainable shared interests across AML/CFT and DPP: formalised consultations for regulatory technical standards, more safeguards for special categories of personal data, and regulation for data providers.
Regulatory Technical Standards (RTS)
The EU Authority is tasked with establishing RTS including identifying information to be used in SDD, CDD, EDD, UBO, and transaction monitoring processes, within 2 years after adoption with updates as necessary.
Clear RTS data categories to fight money laundering (ML) and terrorism finance (TF) advance mutual interests.
Designated categories more accurately identify suspicious activities, trigger reporting and data-sharing in private-private and public-private partnerships, reduce false positives and negatives, lower costs and workloads, tune risk patterns across lines of business, help avoid regulatory infractions, and (hopefully) increase the detection and prosecution of illicit activities.
Data Protection Authorities (DPAs) and data protection law support those goals with tools for data governance and management, because good RTS data categories produce robust methodologies that ensure innocent individuals are not unfairly affected by financial institutions’ or authorities’ decisioning.
To this end, the Supervisor noted that there was no requirement for the AMLA to cooperate with the EDPS in RTS setting (only for guidelines and requirements) and requested specific data provisions be included directly in AMLA legislation rather than RTS or guidance.
While formalised consultations would break down educational and policy-making silos, placing data standards within legislation may limit participation from other stakeholders and hamper the EU’s ability to quickly adapt to emerging financial products and markets or non-EU regulatory changes that impact risk views.
Common data categories should be a living document, evolving in consultation with all groups including industry associations, national FIUs and authorities, to ensure flexibility and a clearer comprehension of end-to-end impacts.
Sensitive Personal Data & Criminal Convictions and Offenses
RTS data categories, which reflect AML requirements, include knowing if entities have been involved in regulatory infractions or activity relating to ML/TF predicate offenses including corruption, bribery, trafficking, and insider trading.
GDPR Article 9 governs sensitive data which includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, and sex life or sexual orientation.
Article 10 requires safeguards for processing information pertaining to criminal offenses and convictions and that “Any comprehensive register of criminal convictions shall be kept only under the control of official authority.”
The EDPS wants AMLR Article 55’s allowance of “strictly necessary” sensitive and criminal data processing limited to ML/TF purposes, but the letter seems to suggest that obligated entities are already processing Article 9 data that is not “necessary relevant” to ML/TF, specifically calling out “biometric data for the purpose of uniquely identify a natural person” and “sex life or sexual orientation”.
FATF recommendations and 4AMLD require the identification of spouses and close associates of Politically Exposed Persons (PEPs) as these relationships are kleptocratic avenues for money laundering.
A PEP’s sexual orientation could easily be derived from a same-sex spouse. Similarly, biometric data could be derived from picture identification such as a passport.
For criminal data, the EDPS previously requested “…procedures in place that allow the distinction, in the processing of such data, between allegations, investigations, proceedings and convictions, taking into account the fundamental right to a fair trial, the right of defence and the presumption of innocence.”
The Wolfsberg Group Secretariat’s May 2022 guidance on Negative News screening and the European Parliament’s draft AMLR amendments have adopted this view.
In the latest letter, the EDPS urges legislators to define or delete the term “allegations” due to the uncertainty of the sources of claims, which is tied to the Supervisor’s concerns about data credibility and safeguards that are required to process Article 10 data.
However, GDPR does not define what constitutes criminal data (e.g. an official court document, or media reporting on an investigation or court case?), leaving interpretations to Member States.
Article 10 definition clarifications and guidelines on safeguards as they pertain to data used for AML/CFT would be helpful.
Furthermore, legislators could include an explicit allowance for obligated entities to conduct Negative News screening for ML/TF predicate offenses, which is widely employed in compliance processes but not uniformly addressed in 4AMLD or Member State regulations.
Data Sources & Data Vendors
Lastly, the EDPS reiterated the importance of data providers of Negative News and watchlist databases upon which public and private groups rely to carry out AML/CFT obligations.
However, the Supervisor highlighted concerns about the industry’s legal ambiguity, its data standards, and its Article 9 and 10 safeguards.
Although data providers are obligated under GDPR, they are not explicitly noted in 4AMLD or AMLR, and their legal basis for processing lies in their clientele’s Article 6 EU and Member State law obligations, with use cases often defined by the client.
Without specific AML/CFT governance, the EDPS warned that “national supervisory authorities have the task to enforce data protection law” for Article 9 and 10 cases involving data providers.
Nationally focused enforcement would exacerbate Member State differences in data processing for AML purposes. It could also spur more challenges from law firms representing EU individuals who appear in these databases (and who must be screened under FATF and EU rules), which may lead vendors to delete information to avoid litigation.
Data providers, legislators, and especially the public and private sectors that rely on them must work together to ensure these services remain available and that they deliver accurate, current, and fit-for-purpose data, a core interest of both AML/CFT and DPAs.
The Supervisor wants vendors included in AMLR or part of a new legislative effort, and invites the industry to play a central role in establishing these regulatory parameters through Codes of Conduct (CoC) for EU certification.
If legislators decide to act on EDPS recommendations, industry-led CoC cooperation will enable data providers to showcase their unique expertise and set data processing standards that accurately reflect their clientele’s regulatory and operational needs and the challenges presented by transnational financial crime and multi-jurisdictional compliance requirements.
Many of the EDPS’s recommendations align with AML/CFT interests, but there are nuances that need attention.
The AMLA and AMLR negotiations offer an opportunity to bridge siloed views within the anti-financial crime and data protection communities if leaders actively engage in dialogue.
Dr. Michelle Frasher, PhD, CAMS is a leading expert on the intersection of financial crime compliance and data privacy and protection.
An experienced leader in the RegTech data industry, she is currently Sr. Director, Financial Crime Compliance Practice at Moody’s Analytics, a member of the Research Advisory Board of the International Association of Privacy Professionals (IAPP), and an External Consultant for the ICA.
Her analysis of EDPS commentaries can be found here. The opinions expressed by the author are her own and do not reflect the views of past or present employers.