EDPS's AML package: Opportunity to "bridge siloed views" between AFC and data protection communities

The current effort to convert the 4th anti-money laundering Directive into a Regulation and create an EU Anti-Money Laundering Authority is finally addressing the long-overlooked issue of how to comply with data privacy and protection (DPP).

The European Data Protection Supervisor (EDPS) has been an active participant in the legislative process, making recommendations in May 2021 and September 2021, some of which have been incorporated into recent drafts.

The Supervisor pushed three foundational topics to the forefront in May 2022, representing attainable shared interests across AML/CFT and DPP: formalized consultations for regulatory technical standards, more safeguards for special categories of personal data, and data provider regulation.

Regulatory Technical Standards (RTS)

Within two years of adoption, the EU Authority is tasked with establishing RTS, including identifying information to be used in SDD, CDD, EDD, UBO, and transaction monitoring processes, with updates as needed.

Designated categories help identify suspicious activities more accurately, trigger reporting and data sharing in private-public and public-private partnerships, reduce false positives and negatives, reduce costs and workloads, tune risk patterns across lines of business, avoid regulatory infractions, and (hopefully) increase the detection and prosecution of illicit activities.

Because good RTS data categories produce robust methodologies to ensure that innocent individuals are not impacted unfairly by financial institution or authority decisioning, data protection authorities (DPAs) and data protection law support those goals with tools for data governance and management.

To this end, the Supervisor pointed out that the AMLA was not required to work with the EDPS in the development of RTS (only guidelines and requirements) and requested that specific data provisions be included directly in AMLA legislation rather than through RTS or guidance.

While formalized consultations would break down educational and policy-making silos, enshrining data standards in legislation could limit participation from other stakeholders and limit the EU's ability to quickly adapt to new financial products and markets, as well as non-EU regulatory changes that affect risk perceptions.

To ensure flexibility and a clearer understanding of end-to-end impacts, common data categories should be a living document that evolves in consultation with all groups, including industry associations, national FIUs, and authorities.

Criminal Convictions and Offenses & Sensitive Personal Data

Knowing if entities have been involved in regulatory infractions or activity relating to ML/TF predicate offenses such as corruption, bribery, trafficking, and insider trading are among the RTS data categories that reflect AML requirements.

Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, and sex life or sexual orientation are all covered by GDPR Article 9.

Article 10 requires safeguards for processing information pertaining to criminal offenses and convictions and states that "any comprehensive register of criminal convictions shall be kept only under the control of official authority."

The EDPS wants AMLR Article 55 to allow "strictly necessary" sensitive and criminal data processing for ML/TF purposes, but the letter appears to imply that obligated entities are already processing Article 9 data that is not "necessary relevant" to ML/TF, citing "biometric data for the purpose of uniquely identify a natural person" and "sex life or sexual orientation" as examples.

A same-sex spouse could easily determine a PEP's sexual orientation. Biometric data could also be extracted from photo identification, such as a passport.

The EDPS previously requested for criminal data "procedures in place that allow the distinction, in the processing of such data, between allegations, investigations, proceedings, and convictions, taking into account the fundamental right to a fair trial, the right of defence, and the presumption of innocence." 

This viewpoint is shared by the Wolfsberg Group Secretariat's May 2022 guidance on negative news screening, as well as the European Parliament's draft AMLR amendments.

The EDPS is urging legislators to define or eliminate the term "allegations" due to the ambiguity of claim sources, which is linked to the Supervisor's concerns about data credibility and safeguards required to process Article 10 data.

However, the GDPR does not define what constitutes criminal data (for example, an official court document or media coverage of an investigation or court case? ), leaving Member States to make their own interpretations.

Definition clarifications and guidelines on safeguards for data used for AML/CFT in Article 10 would be beneficial.

Legislators could also include an explicit allowance for obligated entities to conduct Negative News screening for ML/TF predicate offenses, which is widely used in compliance processes but is not addressed uniformly in 4AMLD or Member State regulations.