Since data privacy and protection (DPP) first appeared in drafts of the Fourth Anti-Money Laundering (4AMLD) over ten years ago, the recent EUCJ decision invalidating the Fifth Anti-Money Laundering's (5AMLD) access rights for beneficial ownership registries provides an opportunity for some historical context research with an eye toward the future.
As the EU's anti-financial crime legislation has developed, data privacy authorities (DPAs) have promoted their mandates on data governance.
The EUCJ expanded GDPR rights for gender and name identification in August 2022 after determining that these two typical pieces of KYC data were an indirect way to determine sexual orientation; The European Data Protection Supervisor (EDPS) provided recommendations (and some warnings) regarding special categories of personal data, outsourcing relationships, data providers, access rights, and data quality for beneficial ownership registries in its comments on the drafts of the AMLA and AMLR in May 2021, September 2021, and May 2022. The EDPS ordered Europol to erase information unrelated to investigations in 2021, and in 2022 it sued the European Commission to stop a mandate for Europol to analyze data.
Although the AML/DPP overlap has been acknowledged by financial crime compliance (FCC) leaders on a strategic level, most notably in the FATF's 2017 Information Sharing and 2021 Data Pooling Guidance, these most recent developments should prompt both groups to think about these intersections in more tactical detail.
There will undoubtedly be more after the EU AMLA and AMLR are introduced.
Let us start by thinking about the consequences of the EUCJ ruling.
The 5AMLD mandated that Member States create "a clear rule of public access" to "any member of the general public," but different Member States had differing ideas of what those clear rules entailed.
Unrestricted public access is currently prohibited by the judgement, however it has no effect on the EU's authorities' or obliged parties' access rights, and other access rights may still be granted based on genuine interest.
In order to obtain a copy of their personal information and any connected data that may be in the registry, individuals can exercise their right under GDPR Article 15 if they are worried about fraudulent registrations.
The use of open access accounts by foreign governments or businesses may have the biggest influence, but if they have the money they can use data providers or pursue legitimate interests.
Journalists, NGOs, and civil society organizations are not specifically addressed in AMLD 4 or 5.
The EDPS AMLR opinion concurs with the EUCJ in saying that civil society NGOs, the media, and investigative journalism should be included since their work "draws attention to the general public to phenomena that might be relevant for AML/CFT enforcement."
The right to "processing for journalistic purposes and the purposes of academic, artistic or literary expression" is covered by GDPR in a similar manner in Article 85, which may provide legal justification for their inclusion in AMLR. As a result, it appears that the DPP and FCC are strongly in favor of ensuring that the press and civil action organizations have access.
Operationally, it is less clear if the public blackouts have affected data flows to obligated entities and authorities that use data vendors, who due to the independence and interoperability challenges between national registries, provide an essential service in aggregating, standardizing, and linking global registry data in products for use in compliance workstreams. Some registries have gone offline to review how to comply with the judgment.
Although it has limited capabilities, the EU's Beneficial ownership registers interconnection system (BORIS) is intended to address the interoperability and linkage issues. However, it might play a bigger part in the future.
Beneficial ownership registries are crucial tools to identify ownership and influence for US OFAC, UK, and EU listed entities, and they are helpful in uncovering complex corporate structures and possible Sanctions evasion. However, data flow disruptions pose an immediate risk to Sanctions compliance.
Putting aside worries about access limitations, issues with registration data quality hint at more serious difficulties in areas where the FCC and DPP communities have common interests.
Currently, obligated entities—rather than the member states' registries—are in charge of data verification. Although the 4/5AMLD and the AMLR draft call for current, accurate, and pertinent data, there is minimal enforcement of this requirement and little punishment for submitting inaccurate information or failing to update data.
For the FCC, poor data costs resources, generates false positives and false negatives that are challenging to identify and correct, distorts AI and ML systems, and eventually necessitates that customers supply original documents in order to properly satisfy BO requirements. The EDPS demanded data specifications and legal duties to ensure adequateness, correctness, and timeliness in its 2022 letter on AMLR.
If implemented, a requirement to deliver accurate and timely information might aid FCC initiatives.
Although the EUCJ has limited public access rights, compliance and transparency in the battle against financial crime are still possible.
It is necessary for FCC leaders to look beyond systemic frameworks and into the tactical and operational specifics where DPP and FCC will finally cohabit due to the EU's AML regime's rapid expansion, court decisions upholding DPP principles, and DPP leaders demanding enforcement and legal rights.
By fLEXI tEAM