top of page

Data watchdog warns against EU proposals for banks to exchange STRs and due diligence information

In order to combat money laundering and financial crime, the EU's data protection watchdog has sent a warning shot across the bow of plans by the EU government for banks to share data with one another.

Plans for Public Private Partnerships (PPPs) to share data between institutions, according to the European Data Protection Board (EDBP), are allegedly in violation of the GDPR.

It wants FIUs to keep serving as the data's conduit while also preventing Private to Private (P2P) information sharing.

It also thinks that suggestions by countries operating under the auspices of the European Council to permit banks to share information may unintentionally betray consumers' political and religious affinities. According to the board, processing personal information for AML purposes is likely to result in processing personal information on politically exposed individuals and, consequently, about political attitudes.

At the level of the European Council, the countries advocated allowing EU banks to exchange additional information about suspicious transactions as well as some information gathered during due diligence. Data sharing would only be done to stop the funding of terrorism and money laundering.

The EDBP, however, believes that the Council resolution from December 2022 violates the GDPR.

Under some circumstances, the requirements would permit required entities, or where appropriate, public bodies, operating under PPP umbrellas, to exchange information with one another regarding "suspicious transactions" that are, will be, or have been reported, primarily to FIUs. It would also include any personal information gathered while carrying out their duties related to customer due diligence.

Governments also wanted obligated parties to share personal information they had gathered while carrying out their customer due diligence duties with one another, provided that the personal information in question involved "abnormalities or unusual circumstances indicating money laundering or terrorist financing."

However, these changes to the new AML regulation from the European Commission have angered EDBP members.

These clauses could lead to extremely large-scale processing by private entities, and they have now raised "serious concerns about the lawfulness, necessity, and proportionality of these provisions."

The warning is contained in a letter that EDBP chair Andrea Jelinek sent to MEPs, Member States, and the European Commission.

The letter emphasizes the "significant risks to privacy and data protection posed by some amendments introduced by the [European] Council," or, more precisely, Member States.

The data sharing level envisioned, according to the watchdog, would permit private organizations to "share personal data between each other for AML/CFT purposes concerning ‘suspicious transactions’ and data collected in the course of performing customer due diligence obligations."

According to the EDPB, proposals included in modifications to the European Commission's AML plan do not sufficiently describe the circumstances in which such processing is acceptable.

Considering that such processing could have a substantial impact on people, such as blacklisting and exclusion from financial services, the watchdog also believes that the revisions do not offer enough safeguards.

Therefore, the EDPB advises the co-legislators not to include these clauses in the Proposal's final version.

The data watchdog stated that it recognized the fight against terrorism and money laundering as a significant public interest that merited suitable policies and measures for success. "However, it reiterates the importance to strike a fair balance between this legislative objective and the interests underlying the

fundamental rights to privacy and to the protection of personal data," according to the letter

The warning letter to the European Parliament, the Council, and the European Commission about data sharing for anti-money laundering and countering the financing of terrorism (AML/CFT) objectives was accepted during the most recent EDPB plenary, which is when the letter was written.

Establishing public-private partnerships ("PPPs") with the goal of enabling private parties (i.e., the obliged entities) to monitor subjects (i.e., their customers), based on operational data supplied by law enforcement authorities, and possibly related to ongoing law enforcement investigations, would present significant data protection risks.

The EDPB specifically reminds the public that fighting crime is fundamentally a public duty and that assigning this task to private businesses or PPPs should be rigorously regulated and subject to close examination.

From the perspective of privacy and data protection, restricting the information flow from required entities to public authorities protects people. Therefore, "the processing operation concerning information on possible offences arising from the reported suspicious transactions should be, in principle, limited to public authorities, given their sensitive nature and their impact on the fundamental rights of the concerned individuals."

The EDPB further points out that the Council's proposed regulations would permit data sharing (or data pooling) amongst obliged institutions. (without the involvement of public authorities).

Each obliged entity will utilize the data obtained from the data sharing/pooling to carry out its AML/CFT obligations, including its duties relating to customer due diligence and the reporting of any suspicious transactions.

According to the watchdog, "This implies very large scale processing, resulting in mass surveillance by private entities, the proportionality of which is highly questionable."

"Lastly, the EDPB points out to the warning expressed by the Financial Action Task Force (FATF) that such data sharing may exacerbate the practice of de-risking, which could ultimately increase the risk of undue exclusion from banking services."

"Therefore, in practice, the impact of the data sharing/pooling could have serious legal consequences for the person concerned, such as difficulties

in opening or accessing a current account, in using means of payment, obtaining credit, etc. The significant risks and impacts that the Council’s mandate entails, as well as the lack of studies attesting to the effectiveness of these provisions, leads the EDPB to consider that the envisaged measures are not proportionate to the aims pursued," according to the letter.

The EDPB further points out that no impact assessment was conducted to show the actual value of data sharing, as suggested under the Council's mandate on combating money laundering and terrorist funding.

According to the group, "the necessity test" denotes the requirement for a comprehensive, rigorous, multidisciplinary, and fact-based assessment of the measure's suitability for the desired outcome.

Given that AML/CFT serves a public interest purpose, public authorities with AML/CFT expertise, at the very least the FIUs, should be involved in this evaluation. The EDPB further advises that a thorough evaluation of the effects of data pooling on the practice of "de-risking" and the quality of suspicious transaction reports be conducted in collaboration with the FIUs, according to the letter.

The group is also concerned that the Council's plan may expose bank clients' political and religious affiliations.

"Finally, it is worth noting that the data sharing provisions in the Council’s mandate might include the processing of special categories of personal data (such as personal data revealing religious belief and political opinions), the processing of which is limited to the application of strict exemptions under Article 9(2) GDPR. In this regard, it is important to note that the exemption pursuant to Article 9(2)(g)

GDPR, lifting the prohibition on processing of special categories of personal data under Article 9(1) GDPR, only applies where such processing is necessary for reasons of substantial public interest on the basis of EU or Member State law is “proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject."


1,027 views0 comments
bottom of page