It has been over a decade since data privacy and protection (DPP) appeared in drafts of the 4th Anti-Money Laundering Directive (4AMLD), and the recent EUCJ decision that invalidates 5AMLD’s public access rights for beneficial ownership registries presents an opportunity for some contextual analysis with an eye to the future.
Data privacy authorities (DPAs) have championed their mandates on data governance as the EU’s anti-financial crime regime has evolved.
In August 2022, the EUCJ extended GDPR protections for gender and name identification, both common KYC data points, ruling that it was an indirect means of identifying sexual orientation. The European Data Protection Supervisor’s (EDPS) May 2021, September 2021, and May 2022 commentary on AMLA and AMLR drafts included recommendations (and some warnings) about special categories of personal data, outsourcing relationships, data providers, access rights and data quality for beneficial ownership registries. In 2021, the EDPS ordered Europol to delete data that was not connected to investigations, and in 2022 sued the European Commission to stop a Europol data processing mandate.
Financial crime compliance (FCC) leaders have recognised the AML/DPP overlap on a strategic level, most notably in FATF’s 2017 Information Sharing and 2021 Data Pooling Guidance, but these latest developments should encourage both groups to consider these intersections in more tactical detail.
With the introduction of the EU AMLA and AMLR, there is surely more to come.
First, let’s consider the implications of the EUCJ decision.
5AMLD required Member States to establish “a clear rule of public access” to “any member of the general public”, but Member States interpreted what clear rules entailed in different ways.
The ruling now halts unencumbered public access, but it does not affect access rights for authorities or obligated entities in the EU and leaves legitimate interest as a possibility for other access rights.
Individuals concerned about fraudulent registrations can claim their rights under GDPR Article 15 to request a copy of their personal and related data that may be in the registry.
The greatest impact may be felt by foreign authorities or companies who use open access accounts, but legitimate interest may be an option, or they can use data providers, providing they have the budget.
Civil society, journalists, and NGO groups are not explicitly mentioned in 4AMLD or 5AMLD.
However, the EUCJ does highlight their importance to the public interest, a sentiment echoed in the EDPS AMLR opinion, which called for including civil society NGOs, the press, and investigative journalism because their work draws “attention to the general public to phenomena that might be relevant for AML/CFT enforcement”.
Similarly, GDPR addresses the right to “processing for journalistic purposes and the purposes of academic, artistic or literary expression” in Article 85, which may offer legal support for their inclusion in AMLR. Thus, there appears to be substantial support from DPP and FCC to ensure access for press and civil action groups.
Operationally, some registries have gone offline to review how to comply with the judgment. It is less clear whether the public-facing blackouts have affected data flows to obligated entities and authorities that use data vendors, which, because of the independence of and interoperability challenges between national registries, provide an essential service in aggregating, standardising, and linking global registry data in products for use in compliance workstreams.
The EU’s Beneficial Ownership Registers Interconnection System (BORIS) is designed to fix the interoperability and linkage difficulties, but it does not have full capabilities. It may, however, serve a greater role in the future.
Yet, data flow disruptions pose an immediate risk to Sanctions compliance where beneficial ownership registries are essential tools to identify ownership and influence for US OFAC, UK, and EU listed entities, and helpful in uncovering complex corporate structures and possible Sanctions evasion.
Concerns about access restrictions aside, questions around registry data quality foretell more serious challenges, and here there is a mutual interest between the FCC and DPP communities.
The responsibility for data verification currently falls on obligated entities rather than the Member States’ registries. 4/5AMLD and the AMLR draft require relevant, accurate, and current data, but there is little enforcement and few consequences for providing false information or failing to update data.
For FCC, bad data wastes resources, produces false positives and false negatives that are difficult and time-consuming to clear, skews AI and ML algorithms, and ultimately requires clients to deliver original documentation to adequately fulfil BO requirements. In its 2022 letter on AMLR, the EDPS requested data specifications and legal obligations to ensure adequacy, accuracy, and timeliness.
A mandate to provide accurate and timely information, if enforced, could benefit FCC efforts.
The EUCJ restriction on public access rights does not completely shut the door on compliance and transparency in the fight against financial crime.
However, the rapid evolution of the EU’s AML regime, court rulings that uphold DPP principles, and DPP leaders asserting enforcement and legal rights mean that FCC leaders must go beyond systemic frameworks and dive into the tactical and operational details where DPP and FCC ultimately coexist.
Dr. Michelle Frasher, PhD, CAMS has been a consultant on the intersection of financial crime compliance and data privacy and protection for 15 years. She is an experienced leader in the RegTech data industry, the Co-Chair of the Data Privacy Experts Group of the Global Coalition to Fight Financial Crime (GCFFC), was a US-EU Fulbright-Schuman Scholar to Belgium and Malta on counter-terrorism data flows, and a member of the Research Advisory Board of the International Association of Privacy Professionals (IAPP). The opinions expressed by the author are her own.