The current effort to convert the 4th anti-money laundering Directive into a Regulation and create an EU Anti-Money Laundering Authority is finally addressing the long-overlooked issue of how to comply with data privacy and protection (DPP).
The European Data Protection Supervisor (EDPS) has been an active participant in the legislative process, making recommendations in May 2021 and September 2021, some of which have been incorporated into recent drafts.
The Supervisor pushed three foundational topics to the forefront in May 2022, representing attainable shared interests across AML/CFT and DPP: formalized consultations for regulatory technical standards, more safeguards for special categories of personal data, and data provider regulation.
Regulatory Technical Standards (RTS)
Within two years of adoption, the EU Authority is tasked with establishing RTS, including identifying information to be used in SDD, CDD, EDD, UBO, and transaction monitoring processes, with updates as needed.
Designated categories help identify suspicious activities more accurately, trigger reporting and data sharing in private-public and public-private partnerships, reduce false positives and negatives, reduce costs and workloads, tune risk patterns across lines of business, avoid regulatory infractions, and (hopefully) increase the detection and prosecution of illicit activities.
Good RTS data categories also produce robust methodologies that ensure innocent individuals are not unfairly affected by financial institution or authority decisions, so data protection authorities (DPAs) and data protection law support those goals with tools for data governance and management.
To this end, the Supervisor pointed out that the AMLA was not required to work with the EDPS in the development of RTS (only guidelines and requirements) and requested that specific data provisions be included directly in AMLA legislation rather than through RTS or guidance.
While formalized consultations would break down educational and policy-making silos, enshrining data standards in legislation could limit participation from other stakeholders and limit the EU's ability to quickly adapt to new financial products and markets, as well as non-EU regulatory changes that affect risk perceptions.
To ensure flexibility and a clearer understanding of end-to-end impacts, common data categories should be a living document that evolves in consultation with all groups, including industry associations, national FIUs, and authorities.
Criminal Convictions and Offenses & Sensitive Personal Data
Knowing whether entities have been involved in regulatory infractions or in activity relating to ML/TF predicate offenses such as corruption, bribery, trafficking, and insider trading is among the RTS data categories that reflect AML requirements.
Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, and sex life or sexual orientation are all covered by GDPR Article 9.
Article 10 requires safeguards for processing information pertaining to criminal offenses and convictions and states that "any comprehensive register of criminal convictions shall be kept only under the control of official authority."
The EDPS wants AMLR Article 55 to allow "strictly necessary" sensitive and criminal data processing for ML/TF purposes, but the letter appears to imply that obligated entities are already processing Article 9 data that is not "necessary relevant" to ML/TF, citing "biometric data for the purpose of uniquely identify a natural person" and "sex life or sexual orientation" as examples.
A record of a PEP's same-sex spouse could easily reveal the PEP's sexual orientation, and biometric data could be extracted from photo identification, such as a passport.
The EDPS previously requested for criminal data "procedures in place that allow the distinction, in the processing of such data, between allegations, investigations, proceedings, and convictions, taking into account the fundamental right to a fair trial, the right of defence, and the presumption of innocence."
This viewpoint is shared by the Wolfsberg Group Secretariat's May 2022 guidance on negative news screening, as well as the European Parliament's draft AMLR amendments.
The EDPS is urging legislators to define or eliminate the term "allegations" due to the ambiguity of claim sources, which is linked to the Supervisor's concerns about data credibility and safeguards required to process Article 10 data.
However, the GDPR does not define what constitutes criminal data (for example, does an official court document count, or media coverage of an investigation or court case?), leaving Member States to make their own interpretations.
Definition clarifications and guidelines on safeguards for data used for AML/CFT in Article 10 would be beneficial.
Legislators could also include an explicit allowance for obligated entities to conduct Negative News screening for ML/TF predicate offenses, which is widely used in compliance processes but is not addressed uniformly in 4AMLD or Member State regulations.
Data Vendors & Data Sources
Finally, the EDPS emphasized the importance of data providers of Negative News and watchlist databases, which are used by both public and private organizations to comply with AML/CFT obligations.
At the same time, the Supervisor highlighted the industry's legal ambiguity, its data standards, and Article 9 and 10 protections.
Although data providers are subject to the GDPR, they are not specifically mentioned in 4AMLD or AMLR, and their legal basis for processing has rested on their clients' Article 6 EU and Member State law obligations, with use cases frequently defined by the client.
The EDPS warned that "national supervisory authorities have the task to enforce data protection law" in Article 9 and 10 cases involving data providers if there is no specific AML/CFT governance.
Nationally focused enforcement would exacerbate Member State differences in data processing for AML purposes, or provoke more challenges from law firms representing EU individuals listed in these databases (individuals who must nonetheless be screened under FATF and EU rules), which could lead vendors to delete information to avoid litigation.
The Supervisor wants vendors to be included in AMLR or a new legislative effort, and he wants the industry to play a key role in defining these regulatory parameters through EU certification Codes of Conduct (CoC).
If legislators follow the EDPS recommendations, industry-led CoC cooperation will allow data providers to demonstrate their unique expertise and set data processing standards that accurately reflect their clientele's regulatory and operational needs, as well as the challenges posed by transnational financial crime and multi-jurisdictional compliance requirements.
Many of the EDPS's recommendations are in line with AML/CFT goals, but there are some nuances to be aware of.
If leaders actively engage in dialogue, the AMLA and AMLR negotiations offer an opportunity to bridge siloed views within the anti-financial crime and data protection communities.
By fLEXI tEAM