
Document 52014XX0204(01)

Executive summary of the Opinion of the European Data Protection Supervisor on a proposal for a Directive of the European Parliament and of the Council on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing, and a proposal for a Regulation of the European Parliament and of the Council on information on the payer accompanying transfers of funds

OJ C 32, 4.2.2014, p. 9–12 (BG, ES, CS, DA, DE, ET, EL, EN, FR, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)



Official Journal of the European Union

C 32/9


(The full text of this Opinion can be found in English, French and German on the EDPS website (

2014/C 32/06

1.   Introduction

1.1.   Consultation of the EDPS


On 5 February 2013, the Commission adopted two proposals: one for a Directive of the European Parliament and of the Council on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing (1) (the proposed Directive), and one for a Regulation of the European Parliament and of the Council on information on the payer accompanying transfers of funds (2) (the proposed Regulation), hereinafter jointly referred to as ‘the Proposals’. The Proposals were sent to the EDPS for consultation on 12 February 2013.


The EDPS welcomes the fact that he is consulted by the Commission and that a reference to the consultation is included in the preambles of the Proposals.


Before the adoption of the Proposals, the EDPS was given the possibility to provide informal comments to the Commission. Some of these comments have been taken into account.

1.2.   Objectives and scope of the Proposals


Money laundering means, broadly speaking, the conversion of the proceeds of criminal activity into apparently clean funds, usually via the financial system (3). This is done by disguising the sources of the money, changing its form, or moving the funds to a place where they are less likely to attract attention. Terrorist financing is the provision or collection of funds, by any means, directly or indirectly, with the intention that they should be used or in the knowledge that they are to be used in order to carry out terrorist offences (4).


At EU level, legislation aimed at preventing money laundering and terrorist financing has been introduced from 1991 onwards. These offences are considered a threat to the integrity and stability of the financial sector and, more generally, a threat to the internal market. The legal basis for the Proposals is Article 114 of the TFEU.


The EU rules designed to prevent money laundering are to a large extent based on standards adopted by the Financial Action Task Force (FATF) (5). The Proposals aim at implementing in the EU the revised anti-money laundering international standards introduced by the FATF in February 2012. The current directive, the so-called Third Anti-Money Laundering (AML) Directive (6), has been in force since 2005. It provides a European framework around the international FATF standards.


The Third AML Directive applies to the financial sector (credit institutions, financial institutions) as well as to professionals such as lawyers, notaries, accountants, real estate agents, casinos and company service providers. Its scope also encompasses all providers of goods, when payments are made in cash in excess of EUR 15 000. All these addressees are considered ‘obliged entities’. The Directive requires these obliged entities to identify and verify the identity of customers (so-called customer due diligence, hereinafter ‘CDD’) and beneficial owners, and to monitor the financial transactions of the customers. It then includes obligations to report suspicions of money laundering or terrorist financing to the relevant Financial Intelligence Units (FIUs), as well as other accompanying obligations. The Directive also introduces additional requirements and safeguards (such as the requirement to conduct enhanced customer due diligence) for situations of higher risk.


The proposed Directive extends the scope of the current framework and aims at strengthening these obligations, for instance by including providers of gambling services and dealers in goods in the obliged entities, with a threshold of EUR 7 500, requires extended beneficial ownership information, tightens the requirements on ‘politically exposed persons’ and introduces requirements for scrutiny of family and close associates of all politically exposed persons. The list of predicate (7) offences for money laundering has been expanded to include tax crimes related to direct taxes and indirect taxes.


The proposed Regulation replaces Regulation (EC) No 1781/2006 on information on the payer accompanying transfers of funds (hereinafter also referred to as the ‘Funds Transfers Regulation’), which aims to improve the traceability of payments. The Funds Transfers Regulation complements the other AML measures by ensuring that basic information on the payer of transfers of funds is immediately available to law enforcement and/or prosecutorial authorities to assist them in detecting, investigating and prosecuting terrorists or other criminals and tracing the assets of terrorists.

4.   Conclusions


The EDPS recognises the importance of anti-money laundering policies for the economic and financial reputation of Member States. However, he underlines that the legitimate aim of achieving transparency of payment sources, fund deposits and transfers for the purpose of countering terrorism and money laundering has to be pursued while ensuring compliance with data protection requirements.


The following issues should be addressed in both Proposals:

an explicit reference to applicable EU data protection law should be inserted in both Proposals in a substantive and dedicated provision, mentioning in particular Directive 95/46/EC and the national laws implementing Directive 95/46/EC, and Regulation (EC) No 45/2001 as concerns the processing of personal data by EU institutions and bodies; this provision should also clearly state that the Proposals are without prejudice to the applicable data protection laws; the reference in recital 33 to Council Framework Decision 2008/977/JHA of 27 November 2008 should be deleted;

a definition of ‘competent authorities’ and ‘FIUs’ should be added in the proposed Directive; this definition should guarantee that ‘competent authorities’ are not to be considered as ‘competent authorities’ within the meaning of Article 2(h) of the Framework Decision 2008/977/JHA;

it should be clarified in recital 32 that the legal ground for the processing would be the necessity to comply with a legal obligation by the obliged entities, competent authorities and FIUs (Article 7(c) of Directive 95/46/EC);

it should be recalled that the sole purpose of the processing must be the prevention of money laundering and terrorist financing, and that data must not be further processed for incompatible purposes;

the specific prohibition to process data for commercial purposes, which is currently mentioned in recital 31 of the proposed Directive and recital 7 of the proposed Regulation, should be laid down in a substantive provision;

a dedicated recital should be added to clarify that the fight against tax evasion is only inserted as predicate offences;

as to international transfers, dedicated substantive provisions on the transfers of personal data should be added, which provide for an appropriate legal basis for the intra-group/PSP to PSP transfers that would respect the text and interpretation of Article 26 of Directive 95/46/EC, as supported by the Article 29 Working Party of European data protection authorities. The EDPS recommends that the proportionality of requiring the mass transfer of personal and sensitive information to foreign countries for the purpose of fighting AML/TF is re-assessed and that a more proportionate approach is favoured;

regarding the publication of sanctions, the EDPS recommends evaluating alternative and less intrusive options to the general publication obligation and, in any case, specifying in the proposed Directive:

the purpose of such a publication if it was to be maintained;

the personal data that should be published;

that data subjects are to be informed before the publication of the decision and are guaranteed rights to appeal this decision before the publication is carried out;

that data subjects have the right to object under Article 14 of Directive 95/46/EC on compelling legitimate grounds;

additional limitations relating to the publication online;

as to data retention, a substantive provision should be added that sets forth a maximum retention period that must be respected by Member States, with additional specifications.


In respect of the proposed Directive, the EDPS further recommends to:

add a specific provision to recall the principle of providing data subjects with information about the processing of their personal data (in accordance with Articles 10 and 11 of Directive 95/46/EC) and to specify who will be responsible for such data subjects' information;

respect the proportionality principle when limiting data subjects' rights and, as a consequence, add a specific provision to specify the conditions under which the data subjects' rights may be limited;

clearly state whether or not risk assessments carried out by the designated authority and by obliged entities may involve the processing of personal data; if so, the proposed Directive should require the introduction of the necessary data protection safeguards;

add a precise list of the information that should and should not be taken into account in carrying out the Customer Due Diligence; clarify whether or not sensitive data within the meaning of Article 8(1) of Directive 95/46/EC should be collected for this purpose; if such a processing were to be necessary, Member States should ensure that it is carried out under the control of an official authority and that suitable specific safeguards are provided under national law;

amend Article 21 to limit more clearly the situations in which the risks are so substantial that they justify enhanced due diligence and to provide for procedural safeguards against abuse;

amend Article 42 to include a reference to confidentiality, which should be respected by all employees involved in the CDD procedures;

list in a substantive provision the types of identification data to be collected on the beneficial owner, also when no trust is involved.


In respect of the proposed Regulation, the EDPS further recommends to:

refrain from using the national identity number as a reference without specific restrictions and/or safeguards, but to use the transaction number instead;

recall the importance of respecting the principle of data accuracy, set forth in Article 6(d) of Directive 95/46/EC, in the context of AML procedures;

add a provision stating that ‘the information should only be accessible to designated persons or classes of persons’;

add a provision regarding the respect of confidentiality and data protection obligations by employees dealing with personal information on the payer and the payee;

clarify in Article 15 that no other external authorities or parties that have no interest in combating money laundering or terrorist financing should access the data stored;

complete Article 21 by specifying to which authority the breaches of the Regulation will be reported and by requiring that appropriate technical and organisational measures are implemented to protect data against accidental or unlawful destruction, accidental loss, alteration, or unlawful disclosure.

Done at Brussels, 4 July 2013.


Assistant European Data Protection Supervisor

(1)  COM(2013) 45 final.

(2)  COM(2013) 44 final.

(3)  See Article 1(2) of the proposed Directive.

(4)  See Article 1(4) of the proposed Directive.

(5)  FATF is the global standard-setter for measures to combat money laundering, terrorist financing, and (most recently) the financing of proliferation. It is an intergovernmental body with 36 members, and with the participation of over 180 countries. The European Commission is one of the founding members of the FATF. Fifteen EU Member States are FATF members in their own right.

(6)  Directive 2005/60/EC of 26 October 2005 on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing.

(7)  A predicate offence is any criminal offence whose proceeds are used to commit another offence: in this context, for instance, criminal activity predicate to money laundering can be fraud, corruption, drug dealing and other serious crimes.