11.7.2019   

EN

Official Journal of the European Union

L 186/122


DIRECTIVE (EU) 2019/1153 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

of 20 June 2019

laying down rules facilitating the use of financial and other information for the prevention, detection, investigation or prosecution of certain criminal offences, and repealing Council Decision 2000/642/JHA

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 87(2) thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee (1),

After consulting the Committee of the Regions,

Acting in accordance with the ordinary legislative procedure (2),

Whereas:

(1)

Facilitating the use of financial information is necessary to prevent, detect, investigate or prosecute serious crime.

(2)

In order to enhance security, improve prosecution of financial crimes, combat money laundering and prevent tax crimes in the Member States and across the Union, it is necessary to improve access to information by Financial Intelligence Units (‘FIUs’) and public authorities responsible for the prevention, detection, investigation or prosecution of serious crime, to enhance their ability to conduct financial investigations and to improve cooperation between them.

(3)

Pursuant to Article 4(3) of the Treaty on European Union (TEU), the Union and the Member States are to assist each other. They should also commit to cooperate in a loyal and expeditious manner.

(4)

In its communication of 2 February 2016 on an ‘Action Plan to strengthen the fight against terrorist financing’, the Commission committed to explore the possibility of a distinct self-standing legal instrument to broaden the access to centralised bank and payment account registers by Member States’ authorities, including by authorities competent for the prevention, detection, investigation or prosecution of criminal offences, by Asset Recovery Offices, by tax authorities and by anti-corruption authorities. Moreover, that Action Plan also called for a mapping of obstacles to the access to, exchange and use of information as well as to operational cooperation between FIUs.

(5)

Combating serious crime, including financial fraud and money laundering, remains a priority for the Union.

(6)

Directive (EU) 2015/849 of the European Parliament and of the Council (3) requires Member States to put in place centralised bank account registries or data retrieval systems allowing the timely identification of the persons holding bank and payment accounts and safe-deposit boxes.

(7)

Pursuant to Directive (EU) 2015/849, the information held in such centralised bank account registries is to be directly accessible to FIUs and also accessible to national authorities competent for the prevention of money laundering, the associated predicate offences and terrorist financing.

(8)

Immediate and direct access to the information held in centralised bank account registries is often indispensable for the success of a criminal investigation or for the timely identification, tracing and freezing of related assets in view of their confiscation. Direct access is the most immediate type of access to the information held in centralised bank account registries. This Directive should therefore lay down rules granting direct access to information held in centralised bank account registries to designated Member States’ authorities competent for the prevention, detection, investigation or prosecution of criminal offences. Where a Member State provides access to bank account information through a central electronic data retrieval system, that Member State should ensure that the authority operating the retrieval system reports search results in an immediate and unfiltered way to the designated competent authorities. This Directive should not affect channels for exchanging information between competent authorities or their powers to obtain information from obliged entities, under Union or national law. Any access to information held in centralised registries by the national authorities for purposes other than those of this Directive or with respect to criminal offences other than those covered by this Directive falls outside the scope thereof.

(9)

Given that in each Member State there are numerous authorities or bodies which are competent for the prevention, detection, investigation or prosecution of criminal offences, and in order to ensure proportionate access to financial and other information under this Directive, Member States should be required to designate which authorities or bodies are empowered to have access to the centralised bank account registries and which are able to request information from FIUs for the purposes of this Directive. When implementing this Directive, Member States should take into account the nature, organisational status, tasks and prerogatives of such authorities and bodies as established by their national law, including existing mechanisms for the protection of financial systems against money laundering and terrorist financing.

(10)

Asset Recovery Offices should be designated from amongst the competent authorities and have direct access to the information held in centralised bank account registries when preventing, detecting or investigating a specific serious criminal offence or supporting a specific criminal investigation, including the identification, tracing and freezing of assets.

(11)

To the extent that tax authorities and anti-corruption agencies are competent for the prevention, detection, investigation or prosecution of criminal offences under national law, they should also be considered authorities that can be designated for the purposes of this Directive. Administrative investigations other than those conducted by the FIUs in the context of preventing, detecting and effectively combatting money laundering and terrorist financing should not be covered by this Directive.

(12)

The perpetrators of criminal offences, in particular criminal groups and terrorists, often operate across different Member States and their assets, including bank accounts, are often located in other Member States. Given the cross-border dimension of serious crimes, including terrorism, and of the related financial activities, it is often necessary for competent authorities carrying out criminal investigations in one Member State to access information on bank accounts held in other Member States.

(13)

The information acquired by competent authorities from national centralised bank account registries can be exchanged with competent authorities located in another Member State, in accordance with Council Framework Decision 2006/960/JHA (4), Directive 2014/41/EU of the European Parliament and the Council (5) and with applicable data protection rules.

(14)

Directive (EU) 2015/849 has substantially enhanced the Union legal framework that governs the activity and cooperation of FIUs, including the assessment by the Commission of the possibility of establishing a coordination and support mechanism. The legal status of FIUs varies across Member States from an administrative or a law enforcement status to hybrid ones. The powers of FIUs include the right to access the financial, administrative and law enforcement information that they require to prevent, detect and combat money laundering, the associated predicate offences and terrorist financing. Nevertheless, Union law does not lay down all specific tools and mechanisms that FIUs should have at their disposal in order to access such information and accomplish their tasks. Since Member States are entirely responsible for setting up and deciding on the organisational nature of FIUs, different FIUs have varying degrees of access to regulatory databases, which leads to an insufficient exchange of information between law enforcement or prosecution services and FIUs.

(15)

In order to enhance legal certainty and operational effectiveness, this Directive should lay down rules to strengthen the FIUs’ ability to share financial information and financial analysis with the designated competent authorities in their Member State for all serious criminal offences. More precisely, FIUs should be required to cooperate with the designated competent authorities of their Member States and be able to reply, in a timely manner, to reasoned requests for financial information or financial analysis by those designated competent authorities, where that financial information or financial analysis is necessary, on a case-by-case basis and when such requests are motivated by concerns relating to the prevention, detection, investigation or prosecution of serious criminal offences, subject to the exemptions provided for in Article 32(5) of Directive (EU) 2015/849. That requirement should not preclude the autonomy of the FIUs under Directive (EU) 2015/849. In particular, in cases where the information requested originates from the FIU of another Member State, any restrictions and conditions imposed by that FIU for the use of that information should be complied with. Any use for purposes beyond those originally approved should be made subject to the prior consent of that FIU. FIUs should appropriately explain any refusal to reply to a request for information or analysis. This Directive should not affect the operational independence and autonomy of the FIUs under Directive (EU) 2015/849, including the autonomy of the FIUs to spontaneously disseminate information on their own initiative for the purposes of this Directive.

(16)

This Directive should also set out a clearly defined legal framework to enable FIUs to request relevant data stored by designated competent authorities in their Member State in order to enable them to prevent, detect and combat money laundering, the associated predicate offences and terrorist financing effectively.

(17)

FIUs should endeavour to exchange financial information or financial analysis promptly in exceptional and urgent cases, where such information or analysis is related to terrorism or organised crime associated with terrorism.

(18)

Such exchange should not hamper a FIU’s active role under Directive (EU) 2015/849 in disseminating its analysis to other FIUs where that analysis reveals facts, conduct or suspicion of money laundering and terrorist financing of direct interest to those other FIUs. Financial analysis covers operational analysis which focuses on individual cases and specific targets or on appropriate selected information, depending on the type and volume of the disclosures received and the expected use of the information after dissemination, as well as strategic analysis addressing money laundering and terrorist financing trends and patterns. However, this Directive should be without prejudice to the organisational status and role conferred to FIUs under the national law of Member States.

(19)

Given the sensitivity of financial data that should be analysed by FIUs and the necessary data protection safeguards, this Directive should specifically set out the type and scope of information that can be exchanged between FIUs, between FIUs and designated competent authorities and between designated competent authorities of different Member States. This Directive should not change currently agreed methods of data collection. However, Member States should be able to decide to broaden the scope of financial information and bank account information that can be exchanged between the FIUs and designated competent authorities. Member States should also be able to facilitate access by designated competent authorities to financial information and bank account information for the prevention, detection, investigation or prosecution of criminal offences other than serious criminal offences. This Directive should not derogate from the applicable data protection rules.

(20)

Under the specific competences and tasks of the Agency for Law Enforcement Cooperation (‘Europol’) established by Regulation (EU) 2016/794 of the European Parliament and of the Council (6), as laid down in that Regulation, Europol provides support to cross-border investigations by Member States into the money laundering activities of transnational criminal organisations. In that context, Europol should notify the Member States of any information and connections between criminal offences concerning those Member States. According to that Regulation, the Europol national units are the liaison bodies between Europol and the Member States’ authorities that are competent to investigate criminal offences. To provide Europol with the information necessary to carry out its tasks, each Member State should allow its FIU to reply to requests for financial information and financial analysis made by Europol through the Europol national unit of that Member State or, where appropriate, by direct contacts. Member States should also provide that their Europol national unit and, where appropriate, their designated competent authorities, are entitled to reply to requests for information on bank accounts by Europol. Requests made by Europol should be duly justified. They should be made on a case-by-case basis, within the limits of Europol’s responsibilities and for the performance of its tasks. The operational independence and autonomy of FIUs should not be jeopardised and the decision whether to provide the requested information or analysis should remain with the FIUs. In order to ensure quick and effective cooperation, FIUs should reply to requests by Europol in a timely manner. In accordance with Regulation (EU) 2016/794, Europol should continue its current practice of providing feedback to the Member States about the use made of the information or analysis provided under this Directive.

(21)

This Directive should also take into consideration the fact that, where applicable, in accordance with Article 43 of Council Regulation (EU) 2017/1939 (7), the European Delegated Prosecutors of the European Public Prosecution Office (EPPO) are empowered to obtain any relevant information stored in national criminal investigation and law enforcement databases, as well as other relevant registers of public authorities, including centralised bank account registries and data retrieval systems, under the same conditions as those that apply under national law in similar cases.

(22)

To strengthen the cooperation between FIUs, the Commission should carry out an impact assessment in the near future to evaluate the possibility and appropriateness of establishing a coordination and support mechanism, such as an ‘EU FIU’.

(23)

To achieve the appropriate balance between efficiency and a high level of data protection, Member States should be required to ensure that the processing of sensitive financial information that could reveal sensitive data concerning a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or of data concerning a natural person’s health, sex life or sexual orientation should be allowed only by specifically authorised persons and in accordance with the applicable data protection rules.

(24)

This Directive respects fundamental rights and observes the principles recognised by Article 6 TEU and by the Charter of Fundamental Rights of the European Union, in particular the right to respect for one’s private and family life, the right to the protection of personal data, the prohibition of discrimination, the freedom to conduct a business, the right to an effective remedy and to a fair trial, the presumption of innocence and the right of defence and the principles of the legality and proportionality of criminal offences and penalties, as well as the fundamental rights and principles provided for in international law and international agreements to which the Union or all the Member States are party, including the European Convention for the Protection of Human Rights and Fundamental Freedoms, and in Member States’ constitutions, in their respective fields of application.

(25)

It is essential to ensure that processing of personal data under this Directive fully respects the right to protection of personal data. Any such processing is subject to Regulation (EU) 2016/679 (8) and to Directive (EU) 2016/680 (9) of the European Parliament and of the Council, in their respective scope of application. As far as the access of Asset Recovery Offices to centralised bank account registries and data retrieval systems is concerned, Directive (EU) 2016/680 applies while Article 5(2) of Council Decision 2007/845/JHA (10) does not apply. As far as Europol is concerned, Regulation (EU) 2016/794 applies. Specific and additional safeguards and conditions for ensuring the protection of personal data should be laid down in this Directive in respect of mechanisms to ensure the processing of sensitive data and records of information requests.

(26)

Any personal data obtained under this Directive should only be processed in accordance with the applicable data protection rules by competent authorities where it is necessary and proportionate for the purposes of the prevention, detection, investigation or prosecution of serious crime.

(27)

Furthermore, in order to respect the right to the protection of personal data and the right to privacy, and to limit the impact of access to the information contained in centralised bank account registries and data retrieval systems, it is essential to provide for conditions limiting such access. In particular, Member States should ensure that appropriate data protection policies and measures apply to access to personal data by competent authorities for the purposes of this Directive. Only authorised staff should have access to information containing personal data which can be obtained from the centralised bank account registries or through authentication processes. Staff granted access to such sensitive data should receive training on security practices with regard to the exchange and handling of the data.

(28)

The transfer of financial data to third countries and international partners for the purposes of this Directive should only be allowed under the conditions laid down in Chapter V of Regulation (EU) 2016/679 or Chapter V of Directive (EU) 2016/680.

(29)

The Commission should report on the implementation of this Directive three years after its date of transposition, and every three years thereafter. In accordance with the Interinstitutional Agreement of 13 April 2016 on Better Law-Making (11) the Commission should also carry out an evaluation of this Directive on the basis of information collected through specific monitoring arrangements in order to assess the actual effects of the Directive and the need for any further action.

(30)

This Directive aims to ensure that rules are adopted to provide Union citizens with a higher level of security by preventing and combating crime, pursuant to Article 67 of the Treaty on the Functioning of the European Union (TFEU). Due to their transnational nature, terrorist and criminal threats affect the Union as a whole and require a Union-wide response. Criminals could exploit, and would benefit from, the lack of an efficient use of bank account information and financial information in a Member State, which could in turn have consequences in another Member State.

(31)

Since the objective of this Directive, namely to improve access to information by FIUs and public authorities responsible for the prevention, detection, investigation or prosecution of serious crime, to enhance their ability to conduct financial investigations and to improve cooperation between them, cannot be sufficiently achieved by the Member States, but can rather, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures in accordance with the principle of subsidiarity as set out in Article 5 TEU. In accordance with the principle of proportionality as set out in that Article, this Directive does not go beyond what is necessary in order to achieve this objective.

(32)

In order to ensure uniform conditions for the implementation of this Directive regarding the authorisation of Member States to provisionally apply or to conclude agreements with third countries that are contracting parties of the European Economic Area, on matters falling within the scope of Chapter II of this Directive, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (12).

(33)

Council Decision 2000/642/JHA should be repealed since its subject matter is regulated by other Union acts and it is no longer needed.

(34)

In accordance with Article 3 of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the TEU and to the TFEU, the United Kingdom and Ireland have notified their wish to take part in the adoption and application of this Directive.

(35)

In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark annexed to the TEU and to the TFEU, Denmark is not taking part in the adoption of this Directive and is not bound by it or subject to its application.

(36)

The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 of the European Parliament and of the Council (13) and delivered an opinion on 10 September 2018,

HAVE ADOPTED THIS DIRECTIVE:

CHAPTER I

GENERAL PROVISIONS

Article 1

Subject matter

1.   This Directive lays down measures to facilitate access to and the use of financial information and bank account information by competent authorities for the prevention, detection, investigation or prosecution of serious criminal offences. It also lays down measures to facilitate access to law enforcement information by Financial Intelligence Units (‘FIUs’) for the prevention and combating of money laundering, associate predicate offences and terrorist financing and measures to facilitate cooperation between FIUs.

2.   This Directive is without prejudice to:

(a)

Directive (EU) 2015/849 and the related provisions of national law, including the organisational status conferred on FIUs under national law as well as their operational independence and autonomy;

(b)

channels for the exchange of information between competent authorities or the powers of competent authorities under Union or national law to obtain information from obliged entities;

(c)

Regulation (EU) 2016/794;

(d)

the obligations resulting from Union instruments on mutual legal assistance or on mutual recognition of decisions regarding criminal matters and from Framework Decision 2006/960/JHA.

Article 2

Definitions

For the purposes of this Directive, the following definitions apply:

(1)

‘centralised bank account registries’ means the centralised automated mechanisms, such as central registries or central electronic data retrieval systems, put in place in accordance with Article 32a(1) of Directive (EU) 2015/849;

(2)

‘Asset Recovery Offices’ means the national offices set up or designated by each Member State pursuant to Decision 2007/845/JHA;

(3)

‘Financial Intelligence Unit (“FIU”)’ means an FIU as established pursuant to Article 32 of Directive (EU) 2015/849;

(4)

‘obliged entities’ means the entities set out in Article 2(1) of Directive (EU) 2015/849;

(5)

‘financial information’ means any type of information or data, such as data on financial assets, movements of funds or financial business relationships, which is already held by FIUs to prevent, detect and effectively combat money laundering and terrorist financing;

(6)

‘law enforcement information’ means:

(i)

any type of information or data which is already held by competent authorities in the context of preventing, detecting, investigating or prosecuting criminal offences;

(ii)

any type of information or data which is held by public authorities or by private entities in the context of preventing, detecting, investigating or prosecuting criminal offences and which is available to competent authorities without the taking of coercive measures under national law;

such information can be, inter alia, criminal records, information on investigations, information on the freezing or seizure of assets or on other investigative or provisional measures and information on convictions and on confiscations;

(7)

‘bank account information’ means the following information on bank and payment accounts and safe-deposit boxes contained in the centralised bank account registries:

(i)

as regards the customer-account holder and any person purporting to act on behalf of the customer: the name, complemented by either the other identification data required under the national provisions transposing point (a) of Article 13(1) of Directive (EU) 2015/849 or a unique identification number;

(ii)

as regards the beneficial owner of the customer-account holder: the name, complemented by either the other identification data required under the national provisions transposing point (b) of Article 13(1) of Directive (EU) 2015/849 or a unique identification number;

(iii)

as regards the bank or payment account: the IBAN number and the date of account opening and closing;

(iv)

as regards the safe-deposit box: the name of the lessee, complemented by the other identification data required under the national provisions transposing Article 13(1) of Directive (EU) 2015/849 or a unique identification number, and the duration of the lease period;

(8)

‘money laundering’ means the conduct defined in Article 3 of Directive (EU) 2018/1673 of the European Parliament and of the Council (14);

(9)

‘associated predicate offences’ means the offences referred to in point (1) of Article 2 of Directive (EU) 2018/1673;

(10)

‘terrorist financing’ means the conduct defined in Article 11 of Directive (EU) 2017/541 of the European Parliament and of the Council (15);

(11)

‘financial analysis’ means the results of operational and strategic analysis that has already been carried out by the FIUs in the performance of their tasks, pursuant to Directive (EU) 2015/849;

(12)

‘serious criminal offences’ means the forms of crime listed in Annex I to Regulation (EU) 2016/794.

Article 3

Designation of competent authorities

1.   Each Member State shall designate, among its authorities competent for the prevention, detection, investigation or prosecution of criminal offences, the competent authorities empowered to access and search its national centralised bank account registry. Those competent authorities shall include at least the Asset Recovery Offices.

2.   Each Member State shall designate, among its authorities competent for the prevention, detection, investigation or prosecution of criminal offences, the competent authorities that can request and receive financial information or financial analysis from the FIU.

3.   Each Member State shall notify the Commission of its competent authorities designated pursuant to paragraphs 1 and 2 by 2 December 2021, and shall notify the Commission of any amendment thereto. The Commission shall publish the notifications in the Official Journal of the European Union.

CHAPTER II

ACCESS BY COMPETENT AUTHORITIES TO BANK ACCOUNT INFORMATION

Article 4

Access to and searches of bank account information by competent authorities

1.   Member States shall ensure that the competent national authorities designated pursuant to Article 3(1) have the power to access and search, directly and immediately, bank account information when necessary for the performance of their tasks for the purposes of preventing, detecting, investigating or prosecuting a serious criminal offence or supporting a criminal investigation concerning a serious criminal offence, including the identification, tracing and freezing of the assets related to such investigation. Access and searches shall be considered to be direct and immediate, inter alia, where the national authorities operating the central bank account registries transmit the bank account information expeditiously by an automated mechanism to competent authorities, provided that no intermediary institution is able to interfere with the requested data or the information to be provided.

2.   The additional information that Member States consider essential and include in the centralised bank account registries pursuant to Article 32a(4) of Directive (EU) 2015/849 shall not be accessible and searchable by competent authorities pursuant to this Directive.

Article 5

Conditions for access and for searches by competent authorities

1.   Access to and searches of bank account information in accordance with Article 4 shall be performed only on a case-by-case basis by the staff of each competent authority that have been specifically designated and authorised to perform those tasks.

2.   Member States shall ensure that staff of the designated competent authorities maintain high professional standards of confidentiality and data protection, that they are of high integrity and are appropriately skilled.

3.   Member States shall ensure that technical and organisational measures are in place to ensure the security of the data to high technological standards for the purposes of the exercise by competent authorities of the power to access and search bank account information in accordance with Article 4.

Article 6

Monitoring access and searches by competent authorities

1.   Member States shall provide that the authorities operating the centralised bank account registries ensure that logs are kept each time designated competent authorities access and search bank account information. The logs shall include, in particular, the following:

(a)

the national file reference;

(b)

the date and time of the query or search;

(c)

the type of data used to launch the query or search;

(d)

the unique identifier of the results;

(e)

the name of the designated competent authority consulting the registry;

(f)

the unique user identifier of the official who made the query or performed the search and, where applicable, of the official who ordered the query or search and, as far as possible, the unique user identifier of the recipient of the results of the query or search.

2.   The data protection officers for the centralised bank account registries shall check the logs regularly. The logs shall be made available, on request, to the competent supervisory authority established in accordance with Article 41 of Directive (EU) 2016/680.

3.   The logs shall be used only for data protection monitoring, including checking the admissibility of a request and the lawfulness of data processing, and for ensuring data security. They shall be protected by appropriate measures against unauthorised access and shall be erased five years after their creation, unless they are required for monitoring procedures that are ongoing.

4.   Member States shall ensure that authorities operating centralised bank account registries take appropriate measures so that staff are aware of applicable Union and national law, including the applicable data protection rules. Such measures shall include specialised training programmes.

CHAPTER III

EXCHANGE OF INFORMATION BETWEEN COMPETENT AUTHORITIES AND FIUS, AND BETWEEN FIUS

Article 7

Requests for information by competent authorities to an FIU

1.   Subject to national procedural safeguards, each Member State shall ensure that its national FIU is required to cooperate with its designated competent authorities referred to in Article 3(2) and to be able to reply, in a timely manner, to reasoned requests for financial information or financial analysis by those designated competent authorities in their respective Member State, where that financial information or financial analysis is necessary on a case-by-case basis and where the request is motivated by concerns relating to the prevention, detection, investigation or prosecution of serious criminal offences.

2.   Where there are objective grounds for assuming that the provision of such information would have a negative impact on ongoing investigations or analyses, or, in exceptional circumstances, where disclosure of the information would be clearly disproportionate to the legitimate interests of a natural or legal person or irrelevant with regard to the purposes for which it has been requested, the FIU shall be under no obligation to comply with the request for information.

3.   Any use for purposes beyond those originally approved shall be made subject to the prior consent of that FIU. FIUs shall appropriately explain any refusal to reply to a request made under paragraph 1.

4.   The decision on conducting the dissemination of information shall remain with the FIU.

5.   The designated competent authorities may process the financial information and financial analysis received from the FIU for the specific purposes of preventing, detecting, investigating or prosecuting serious criminal offences other than the purposes for which personal data are collected in accordance with Article 4(2) of Directive (EU) 2016/680.

Article 8

Requests of information by an FIU to competent authorities

Subject to national procedural safeguards and in addition to the access to information by FIUs as provided for in Article 32(4) of Directive (EU) 2015/849, each Member State shall ensure that its designated competent authorities are required to reply in a timely manner to requests for law enforcement information made by the national FIU on a case-by-case basis, where the information is necessary for the prevention, detection and combating of money laundering, associate predicate offences and terrorist financing.

Article 9

Exchange of information between FIUs of different Member States

1.   Member States shall ensure that in exceptional and urgent cases, their FIUs are entitled to exchange financial information or financial analysis that may be relevant for the processing or analysis of information related to terrorism or organised crime associated with terrorism.

2.   Member States shall ensure that in the cases referred to in paragraph 1 and subject to their operational limitations, FIUs endeavour to exchange such information promptly.

Article 10

Exchange of information between competent authorities of different Member States

1.   Subject to national procedural safeguards, each Member State shall ensure that its competent authorities designated pursuant to Article 3(2) are able to exchange financial information or financial analysis obtained from the FIU of their Member State, upon request and on a case-by-case basis, with a designated competent authority in another Member State, where that financial information or financial analysis is necessary for the prevention, detection and combating of money laundering, associate predicate offences and terrorist financing.

Each Member State shall ensure that its designated competent authorities use the financial information or financial analysis exchanged pursuant to this Article only for the purpose for which it was sought or provided.

Each Member State shall ensure that any dissemination of financial information or financial analysis obtained by its designated competent authorities from the FIU of that Member State to any other authority, agency or department or any use of that information for purposes other than those originally approved is made subject to the prior consent of the FIU providing the information.

2.   Member States shall ensure that a request made pursuant to this Article and its response are transmitted using dedicated secure electronic communications ensuring a high level of data security.

CHAPTER IV

EXCHANGE OF INFORMATION WITH EUROPOL

Article 11

Provision of bank account information to Europol

Each Member State shall ensure that its competent authorities are entitled to reply, through the Europol national unit or, if allowed by that Member State, by direct contacts with Europol, to duly justified requests related to bank account information made by Europol on a case-by-case basis within the limits of its responsibilities and for the performance of its tasks. Article 7(6) and (7) of Regulation (EU) 2016/794 apply.

Article 12

Exchange of information between Europol and FIUs

1.   Each Member State shall ensure that its FIU is entitled to reply to duly justified requests made by Europol through the Europol national unit or, if allowed by that Member State, by direct contacts between the FIU and Europol. Such requests shall be related to financial information and financial analysis and made on a case-by-case basis within the limits of the responsibilities of Europol and for the performance of its tasks.

2.   Article 32(5) of Directive (EU) 2015/849 and Article 7(6) and (7) of Regulation (EU) 2016/794 apply to the exchanges made pursuant to this Article.

3.   Member States shall ensure that any failure to comply with a request is appropriately explained.

Article 13

Detailed arrangements for the exchange of information

1.   Member States shall ensure that the exchanges of information pursuant to Articles 11 and 12 of this Directive take place in accordance with Regulation (EU) 2016/794 electronically through:

(a) SIENA or its successor, in the language applicable to SIENA; or

(b) where applicable, FIU.Net or its successor.

2.   Member States shall ensure that the exchange of information under Article 12 is carried out in a timely manner and that in that regard the requests for information made by Europol are treated as if they originate from another FIU.

Article 14

Data protection requirements

1.   The processing of personal data related to bank account information, financial information and financial analysis referred to in Articles 11 and 12 of this Directive shall be performed in accordance with Article 18 of Regulation (EU) 2016/794 and only by the staff of Europol who have been specifically designated and authorised to perform those tasks.

2.   Europol shall inform the data protection officer appointed in accordance with Article 41 of Regulation (EU) 2016/794 of each exchange of information pursuant to Articles 11, 12 and 13 of this Directive.

CHAPTER V

ADDITIONAL PROVISIONS RELATED TO THE PROCESSING OF PERSONAL DATA

Article 15

Scope

This Chapter applies only to designated competent authorities and FIUs in respect of the exchange of information pursuant to Chapter III and in respect of the exchange of financial information and financial analysis involving the Europol national units pursuant to Chapter IV.

Article 16

Processing of sensitive personal data

1.   The processing of personal data revealing a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership or of data concerning a natural person’s health, sex life or sexual orientation shall only be allowed subject to appropriate safeguards for the rights and freedoms of the data subject, in accordance with the applicable data protection rules.

2.   Only staff who have been specifically trained and who have been specifically authorised by the controller may access and process the data referred to in paragraph 1 under the guidance of the data protection officer.

Article 17

Records of information requests

Member States shall ensure that records are kept relating to requests for information pursuant to this Directive. Those records shall contain at least the following information:

(a) the name and contact details of the organisation and of the staff member requesting the information and, as far as possible, of the recipient of the results of the query or search;

(b) the reference to the national case in relation to which the information is requested;

(c) the subject matter of the requests; and

(d) any executing measures of such requests.

The records shall be kept for a period of five years after their creation and shall be used solely for the purpose of checking the lawfulness of the processing of personal data. The authorities concerned shall make all records available to the national supervisory authority upon its request.

Article 18

Restrictions to data subjects’ rights

Member States may adopt legislative measures restricting, in whole or in part, data subjects’ right of access to personal data relating to them processed under this Directive, in accordance with Article 23(1) of Regulation (EU) 2016/679 or with Article 15(1) of Directive (EU) 2016/680, as applicable.

CHAPTER VI

FINAL PROVISIONS

Article 19

Monitoring

1.   Member States shall review the effectiveness of their systems to combat serious criminal offences by maintaining comprehensive statistics.

2.   By 1 February 2020, the Commission shall establish a detailed programme for monitoring the outputs, results and impact of this Directive.

That programme shall set out the means by which, and the intervals at which, the data and other necessary evidence will be collected. It shall specify the action to be taken by the Commission and by the Member States in collecting and analysing the data and other evidence.

Member States shall provide the Commission with the data and other evidence necessary for the monitoring.

3.   In any event, the statistics referred to in paragraph 1 shall include the following information:

(a) the number of searches carried out by designated competent authorities in accordance with Article 4;

(b) data measuring the volume of requests issued by each authority under this Directive, the follow-up given to those requests, the number of cases investigated, the number of persons prosecuted and the number of persons convicted for serious criminal offences, where such information is available;

(c) data measuring the time it takes an authority to respond to a request after the receipt of the request;

(d) if available, data measuring the cost of human or IT resources that are dedicated to domestic and cross-border requests falling under this Directive.

4.   Member States shall organise the production and gathering of the statistics and shall transmit the statistics referred to in paragraph 3 to the Commission on an annual basis.

Article 20

Relationship to other instruments

1.   This Directive shall not preclude Member States from maintaining or concluding bilateral or multilateral agreements or arrangements between themselves on the exchange of information between competent authorities, insofar as such agreements or arrangements are compatible with Union law, in particular with this Directive.

2.   This Directive is without prejudice to any obligations and commitments of Member States or of the Union under existing bilateral or multilateral agreements with third countries.

3.   Without prejudice to the division of competences between the Union and the Member States, in accordance with Union law, Member States shall notify the Commission of their intention to enter into negotiations on, and to conclude, agreements between Member States and third countries that are contracting parties of the European Economic Area on matters falling within the scope of Chapter II of this Directive.

If, within two months of receipt of notification of a Member State’s intention to enter into the negotiations referred to in the first subparagraph, the Commission concludes that the negotiations are likely to undermine relevant Union policies or to lead to an agreement which is incompatible with Union law, it shall inform the Member State accordingly.

Member States shall keep the Commission regularly informed of any such negotiations and, where appropriate, invite the Commission to participate as an observer.

Member States shall be authorised to apply provisionally or to conclude agreements referred to in the first subparagraph, provided that they are compatible with Union law and do not harm the object and purpose of the relevant policies of the Union. The Commission shall adopt such authorisation decisions by implementing acts. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 22.

Article 21

Evaluation

1.   By 2 August 2024, and every three years thereafter, the Commission shall draw up a report on the implementation of this Directive and submit it to the European Parliament and to the Council. The report shall be made public.

2.   In accordance with Article 65(2) of Directive (EU) 2015/849, the Commission shall assess the obstacles to and opportunities for enhancing cooperation between FIUs in the Union, including the possibility and appropriateness of establishing a coordination and support mechanism.

3.   By 2 August 2024, the Commission shall issue a report to the European Parliament and to the Council to assess the need for, and proportionality of, extending the definition of financial information to any type of information or data which are held by public authorities or by obliged entities and which are available to FIUs without the taking of coercive measures under national law, and shall present a legislative proposal, if appropriate.

4.   By 2 August 2024, the Commission shall carry out an assessment of the opportunities and challenges regarding an extension of the exchange of financial information or financial analysis between FIUs within the Union to cover exchanges relating to serious criminal offences other than terrorism or organised crime associated with terrorism.

5.   No sooner than 2 August 2027, the Commission shall carry out an evaluation of this Directive and present a report on the main findings to the European Parliament and the Council. The report shall also include an evaluation of how fundamental rights and principles recognised by the Charter of Fundamental Rights of the European Union have been respected.

6.   For the purposes of paragraphs 1 to 4 of this Article, Member States shall provide the Commission with necessary information. The Commission shall take into account the statistics submitted by Member States under Article 19 and may request additional information from Member States and supervisory authorities.

Article 22

Committee procedure

1.   The Commission shall be assisted by a committee. This committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2.   Where reference is made to this paragraph, Article 4 of Regulation (EU) No 182/2011 shall apply.

Article 23

Transposition

Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive by 1 August 2021. They shall immediately inform the Commission thereof.

When Member States adopt those provisions, they shall contain a reference to this Directive or shall be accompanied by such a reference on the occasion of their official publication. The methods of making such reference shall be laid down by Member States.

Member States shall communicate to the Commission the text of the main provisions of national law which they adopt in the field covered by this Directive.

Article 24

Repeal of Decision 2000/642/JHA

Decision 2000/642/JHA is repealed with effect from 1 August 2021.

Article 25

Entry into force

This Directive shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

Article 26

Addressees

This Directive is addressed to the Member States in accordance with the Treaties.

Done at Brussels, 20 June 2019.

For the European Parliament

The President

A. TAJANI

For the Council

The President

G. CIAMBA


(1)   OJ C 367, 10.10.2018, p. 84.

(2)  Position of the European Parliament of 17 April 2019 (not yet published in the Official Journal) and decision of the Council of 14 June 2019.

(3)  Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ L 141, 5.6.2015, p. 73).

(4)  Council Framework Decision 2006/960/JHA of 18 December 2006 on simplifying the exchange of information and intelligence between law enforcement authorities of the Member States of the European Union (OJ L 386, 29.12.2006, p. 89).

(5)  Directive 2014/41/EU of the European Parliament and the Council of 3 April 2014 regarding the European Investigation Order in criminal matters (OJ L 130, 1.5.2014, p. 1).

(6)  Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, p. 53).

(7)  Council Regulation (EU) 2017/1939 of 12 October 2017, implementing enhanced cooperation on the establishment of the European Public Prosecution Office (‘the EPPO’) (OJ L 283, 31.10.2017, p. 1).

(8)  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

(9)  Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).

(10)  Council Decision 2007/845/JHA of 6 December 2007 concerning cooperation between Asset Recovery Offices of the Member States in the field of tracing and identification of proceeds from, or other property related to, crime (OJ L 332, 18.12.2007, p. 103).

(11)  Interinstitutional Agreement between the European Parliament, the Council of the European Union and the European Commission of 13 April 2016 on Better Law-Making (OJ L 123, 12.5.2016, p. 1).

(12)  Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).

(13)  Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies on the free movement of such data (OJ L 8, 12.1.2001, p. 1).

(14)  Directive (EU) 2018/1673 of the European Parliament and of the Council of 23 October 2018 on combating money laundering by criminal law (OJ L 284, 12.11.2018, p. 22).

(15)  Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).