29.12.2021   

EN

Official Journal of the European Union

C 524/10


Summary of the Opinion of the European Data Protection Supervisor on the anti-money laundering and countering the financing of terrorism (AML/CFT) package of legislative proposals

(The full text of this Opinion can be found in English, French and German on the EDPS website: www.edps.europa.eu)

(2021/C 524/03)

The European Commission adopted on 20 July 2021 a package of legislative proposals aiming to strengthen the EU’s anti-money laundering and countering the financing of terrorism (AML/CFT) rules (the ‘AML legislative package’), consisting of: a Proposal for a Regulation of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing; a Proposal for a Directive of the European Parliament and of the Council on the mechanisms for the prevention of the use of the financial system for the purposes of money laundering or terrorist financing and repealing Directive (EU) 2015/849; a Proposal for a Regulation of the European Parliament and of the Council establishing the European Authority for Countering Money Laundering and Financing of Terrorism, amending Regulations (EU) No 1093/2010, (EU) 1094/2010 and (EU) 1095/2010; and a Proposal for a Regulation of the European Parliament and of the Council on information accompanying transfers of funds and certain crypto-assets.

The EDPS welcomes the objectives pursued by the AML legislative package, namely to increase the effectiveness of anti-money laundering and countering the financing of terrorism in particular via greater harmonization of the applicable rules and enhanced supervision at the EU level (including the establishment of the European Authority for Countering Money Laundering and Financing of Terrorism, ‘AMLA’).

The EDPS highlights that the risk-based approach to the monitoring of the use of the financial system for money laundering, which is at the core of the AML legislative package, while welcome, needs further specifications and clarifications.

Against this background, to ensure compliance with the principles of necessity and proportionality, as well as to enhance legal certainty for obliged entities on their duties, the EDPS makes a number of remarks and recommendations, in particular:

The AML legislative package should identify the categories of personal data to be processed by the obliged entities to fulfil the AML/CFT obligations, instead of systematically leaving this specification to regulatory technical standards, as well as better describe conditions and limits for the processing of special categories of personal data and of personal data relating to criminal convictions and offences.

The AML legislative package should specify in particular which types of special categories of personal data should be processed by the obliged entities, taking into account the necessity and proportionality principles, having regard to the different activities and measures to be taken (identification, customer due diligence, reporting to FIUs), and to the specific purpose pursued (namely anti-money laundering or countering the financing of terrorism). In particular, the EDPS considers that the processing of personal data related to sexual orientation or ethnic origin should not be allowed.

Concerning beneficial ownership registers, the EDPS:

welcomes the obligation for Member States to notify the Commission the closed list of competent authorities and self-regulatory bodies and of the categories of obliged entities that are granted access to the beneficial ownership registers. However, the EDPS invites the legislator to specify that access to beneficial ownership registers, by tax authorities as well as by self-regulatory bodies, should be limited to the purpose of the fight against money-laundering and financing of terrorism and thus authorized only for this purpose;

in relation to access by ‘any member of the general public’ to the beneficial ownership registers, the EDPS reiterates his earlier position that the necessity and proportionality of such generalised access for the purposes of prevention of money laundering and terrorism financing has not been clearly established so far. In principle, such access should be limited to competent authorities who are in charge of enforcing the law and to obliged entities when taking customer due diligence measures. The EDPS is of the view that access to beneficial ownership information motivated by other objectives of general interest (such as enhancing transparency) should rather be considered as right to obtain information. Such public access would require a separate necessity and proportionality assessment, and be subject to a separate set of rules laying down the necessary safeguards. Hence, the EDPS recommends the legislator to assess the necessity and proportionality of such a ‘general access’ and, on the basis of this assessment, if considered appropriate, to lay down a specific legal framework in this regard, distinct from the one related to access by competent authorities;

Moreover, the EDPS strongly recommends adding, among the risks to be considered by Member States when establishing the criteria for granting exemptions to access to beneficial ownership information, an express reference to the risks to the protection of the personal data of the individuals concerned.

The EDPS also recommends providing in the AML legislative package for a reporting mechanism on the use of the beneficial ownership registers in the fight against money laundering and the financing of terrorism, in order to gather fact-based evidence as to the effectiveness of the system, as well as support possible future legislative initiatives.

Moreover, the EDPS notes the extensive access powers conferred to FIUs and invites the legislator to reassess the necessity and proportionality of these access rights, in relation in particular to the ‘law enforcement information’ listed under Article 18(1)(c) of the Proposal for a Directive. Having regard to the system for the exchange of information between FIUs, the FIU.net, the EDPS recommends that the Proposal for a Regulation establishing AMLA is amended to clearly define the roles of all involved stakeholders (AMLA, FIUs) from a data protection perspective in relation to this communication channel, as this impacts on the applicable data protection framework and has implications for the supervision model.

Having regard to sources of information for CDD, including ‘watch lists’, the AML legislative package should clarify in particular in which cases obliged entities should have recourse to such lists. In this respect, the EDPS invites the legislator to consider whether such access should only take place in case of high risk of money laundering or financing of terrorism.

Furthermore, in order to foster the adoption of codes of conduct and certifications to be adhered to by providers of databases and watch lists used for AML/CTF purposes, the EDPS invites the legislator to include in the AML legislative package a reference to codes of conduct under Article 40 GDPR and to certifications under Article 42 GDPR, to be developed taking into account the specific needs in this sector.

1.   Background

1. The European Commission adopted on 20 July 2021 a Proposal for a Regulation of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (‘the Proposal for a Regulation’) (1); a Proposal for a Directive of the European Parliament and of the Council on the mechanisms for the prevention of the use of the financial system for the purposes of money laundering or terrorist financing and repealing Directive (EU) 2015/849 (‘the Proposal for a Directive’) (2); a Proposal for a Regulation of the European Parliament and of the Council establishing the European Authority for Countering Money Laundering and Financing of Terrorism, amending Regulations (EU) No 1093/2010, (EU) 1094/2010 and (EU) 1095/2010 (‘the Proposal for a Regulation establishing AMLA’) (3); and a Proposal for a Regulation of the European Parliament and of the Council on information accompanying transfers of funds and certain crypto-assets (‘the Proposal for a Regulation on crypto-assets’) (4). Hereinafter, we also refer to the four draft Proposals as ‘the AML legislative package’.

2. The AML legislative package is proposed pursuant to the Action Plan for a comprehensive Union policy on preventing money laundering and terrorism financing of 7 May 2020 (5). The EDPS has issued the Opinion on the Action Plan on 23 July 2020 (6).

3. The objectives of the Action Plan, as referred to in particular in the Regulation (7), are:

ensuring effective implementation of the existing EU AML/CFT framework;

establishing an EU single rulebook on AML/CFT;

bringing about EU-level AML/CFT supervision;

establishing a support and cooperation mechanism for FIUs;

enforcing EU-level criminal law provisions and information exchange;

strengthening the international dimension of the EU AML/CFT framework.

4. The AML legislative package, including the Proposal for a Regulation incorporating elements (provisions) of Directive (EU) 2018/843 (8), is an ambitious legislative initiative aiming at increasing the effectiveness of the fight against money laundering. It aims to do so in particular through the centralisation of enforcement, including the newly established European Authority for Countering Money Laundering and Financing of Terrorism (‘AMLA’), a standardisation of the obligations for obliged entities, streamlining a supra-national and national risk-based approach, as well as laying down rules on cooperation between competent oversight authorities and on relevant databases and infrastructure for the exchange of information, notably FIU.net, to be hosted and managed by AMLA.

5. On 21 July 2021, the European Commission requested the EDPS to issue an opinion on the Proposal, in accordance with Article 42(1) of Regulation (EU) 2018/1725. These comments are limited to the provisions of the Proposal that are most relevant from a data protection perspective.

4.   Conclusions

In light of the above, the EDPS:

welcomes the AML legislative package’s aims to increase the effectiveness of anti-money laundering and countering the financing of terrorism in particular via greater harmonization of the applicable rules and enhanced supervision at the EU level (including the establishment of the European Authority for Countering Money Laundering and Financing of Terrorism, AMLA);

and welcomes the risk-based approach followed to prevent the use of the financial system for money laundering, which is at the core of the AML legislative package;

However, to ensure compliance with the data protection principles of necessity and proportionality, as well as with applicable Union and Member State data protection law, the EDPS observes and recommends in particular the following:

the AML legislative package (notably, the Proposal for a Regulation) should identify the categories of personal data to be processed by the obliged entities to fulfil the AML/CFT obligations;

in particular, the Proposal for a Regulation should provide clear indications on conditions and limits for the processing of special categories of personal data and of personal data relating to criminal convictions and offences;

concerning special categories of personal data, the AML legislative package should specify in particular which type of data (within the broader category of special categories of personal data under Article 9 of the GDPR) should be processed by the obliged entities, and at what exact stage of the process, for the purpose of anti-money laundering and countering the financing of terrorism. In this regard, the EDPS considers that the processing of personal data related to sexual orientation or ethnic origin should not be allowed;

concerning beneficial ownership registers, the EDPS:

welcomes the specification of beneficial ownership information to be held in the beneficial ownership registers. However, the EDPS recommends specifying that the list of information under Article 44 of the Proposal for a Regulation is an exhaustive list;

welcomes the obligation for Member States to notify the Commission the list of competent authorities and self-regulatory bodies and of the categories of obliged entities that are granted access to the registers. However, the EDPS invites the legislator to specify that access to beneficial ownership registers, by tax authorities as well as by self-regulatory bodies, should be limited to the purpose of the fight against money-laundering and financing of terrorism and thus authorized only for this purpose;

observes that Article 12 of the Proposal for a Directive incorporates provisions, already included in the Directive (EU) 2015/849, as amended by Directive (EU) 2018/843, according to which ‘any member of the general public’ has access to the beneficial ownership registers. The EDPS thus reiterates his position expressed in the EDPS Opinion 1/2017 on such generalised access, namely that beneficial ownership information shall be accessed - for the purpose of identification and prevention of money-laundering and terrorist financing - only by competent authorities who are in charge of enforcing the law and by obliged entities when taking customer due diligence measures (9). The EDPS remarks that the access to beneficial ownership information (for instance, by NGOs) would come into play as a different right, namely the right to obtain and to provide information. Such public access, responding to a different function/purpose, should be subject to a different test of necessity and proportionality, and to a separate, different set of rules. Hence, the EDPS recommends the legislator to assess the necessity and proportionality of such a ‘general access’ and, on the basis of this assessment, if appropriate, to lay down a specific legal framework in this regard, distinct from the one related to access by competent authorities;

moreover, the EDPS strongly recommends adding, among the risks to be considered by Member States when establishing criteria for providing exemptions to access to beneficial ownership information, an express reference to the risks to the protection of the personal data of the individuals concerned. The EDPS also recommends deleting the term ‘exceptional’ in the first and in the second sentence of Article 13;

finally, the EDPS would recommend inserting a provision in the AML legislative package establishing a mechanism for reporting on the effectiveness of the use of the beneficial ownership registers in the fight against money laundering and the financing of terrorism;

having regard to the processing of personal data relating to criminal convictions and offences, the reference to ‘allegations’ (in addition to ‘investigations’, ‘proceedings’ and ‘convictions’) in Article 55(3)(b) of the Proposal for a Regulation is vague and should therefore be deleted or specified;

remarks the extensive access powers conferred to FIUs under Article 18 of the Proposal for a Directive, and hence invites the legislator to reassess the necessity and proportionality of these access rights, in relation in particular to the ‘law enforcement information’ listed under Article 18(1)(c). In the same vein, the EDPS recommends to clearly and exhaustively delineate the categories of personal data to which FIUs may have access pursuant to Article 18(1)(a) (‘financial information’) and Article 18(1)(b) (‘administrative information’);

reiterates that a legal configuration of the powers and activities of FIUs as ‘investigation-based’, rather than ‘intelligence-based’, would be more in line with the data protection principles of proportionality and purpose limitation, and thus recommends deleting wording in recital 51 of the Directive related to the detection of ‘subjects of interest’;

having regard to FIU.net, recommends that the Proposal for a Regulation establishing AMLA, or at least an implementing technical standard to be adopted by the Commission pursuant to Article 24(3) of the Proposal for a Directive, clearly provides for the roles of all involved stakeholders (AMLA, FIUs) from a data protection perspective, as this impacts on the applicable data protection framework and on the supervision model;

having regard to the central AML/CFT database, the EDPS recommends specifying a storage limitation period for the personal data contained therein, in particular due to the collection by FIUs and transmission to the central AML/CFT database of ‘results from supervisory inspections of files concerning Politically Exposed Persons their family members and associates’;

having regard to the sources of information for CDD, including ‘watch lists’, the AML legislative package should clarify in particular in which cases obliged entities should have recourse to such lists. In this respect, the EDPS invites the legislator to consider whether such access should only take place in case of high risk of money laundering or financing of terrorism. Moreover, a recital could specify that obliged entities should duly verify information from watch lists, having regard in particular to their reliability and accuracy.

furthermore, in order to foster the adoption of codes of conduct and certifications to be adhered to by providers of databases and watch lists used for AML/CTF purposes, the EDPS invites the legislator to include in the AML legislative package a reference to codes of conduct under Article 40 GDPR and to certifications under Article 42 GDPR, to be developed taking into account the specific needs in this sector;

Article 32(3) of the Proposal for a Regulation provides that AMLA shall issue guidelines on the criteria for the identification of persons falling under the definition of persons known to be a close associate [of ‘politically exposed person’]. In this regard, the EDPS considers that the category of ‘persons known to be close associate’ should be specified in the Proposal for a Regulation itself, rather than (only) by AMLA’s guidance;

the EDPS recommends specifying the categories of employees falling under the ‘integrity screening’ required under Article 11 of the Proposal for a Regulation;

the EDPS recommends including, in a more explicit way, among the criteria for consideration of the competent authority when publishing administrative sanctions and measures, the risks to the protection of the personal data of the individuals concerned;

finally, the EDPS recommends some changes (additions and deletions) to the wording of articles and recitals of the AML legislative package referring to the GDPR and the EUDPR.

Brussels, 22 September 2021

Wojciech Rafał WIEWIÓROWSKI


(1)  COM(2021) 420 final.

(2)  COM(2021) 423 final.

(3)  COM(2021) 421 final.

(4)  COM(421) 422 final. The EDPS notes in this regard that the Proposal for Regulation expands to crypto-assets traceability requirements for the purpose of AML/CFT; the obligation for the crypto-asset service provider to provide the information under Articles 14-18; the inclusion of crypto-asset service providers under Article 20, Data protection, and 21, Record retention. The EDPS has recently issued his Opinion on crypto-assets, EDPS Opinion on the Proposal for a Regulation on Markets in Crypto-assets, and amending Directive (EU) 2019/1937, on 24 June 2021.

The Opinion is available at: https://edps.europa.eu/data-protection/our-work/publications/opinions/edps-opinion-proposal-regulation-markets-crypto_en

(5)  Communication on an action plan for a comprehensive Union policy on preventing money laundering and terrorism financing (C(2020)2800 final).

(6)  Opinion 5/2020 on the European Commission’s action plan for a comprehensive Union policy on preventing money laundering and terrorism financing, available at: https://edps.europa.eu/sites/default/files/publication/20-07-23_edps_aml_opinion_en.pdf

(7)  See at page 1 of the Explanatory Memorandum.

(8)  Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU (OJ L 156, 19.6.2018, p. 43).

(9)  See paragraphs 61 and 62 of the EDPS Opinion 1/2017: ‘As seen in the introduction to this Opinion, the AML Directive reserves the investigation and enforcement of criminal activities to the public competent authorities. In this respect, private parties active in the financial markets are merely requested to provide information to the competent authorities in charge. Under no circumstance, a private subject or entity is, either formally or informally, directly or indirectly, entrusted with an enforcement role.’ 62. ‘It can be acknowledged that NGOs working on financial crimes and abuses, the press and investigative journalism de facto contribute to drawing attention of the authorities to phenomena that may be relevant for criminal enforcement. If this is the case, however, the legislator should conceive the access to beneficiary information as a component of the right to obtain and to provide information, by citizens and the press respectively. This would assign a new purpose to public access, with the consequence that the proportionality of such rule would be assessed against that right and not against policy purposes (e.g. fight against terrorism or tax evasion) that cannot be associated to private action.’

We also recall, on this point, the jurisprudence of the Court of Justice in the case Österreichischer Rundfunk, where the Court held that it was necessary to examine whether the policy objective served by publicity ‘could not have been attained equally effectively by transmitting the information as to names to the monitoring bodies alone’ [para. 88, emphasis added, Judgment of the Court of 20 May 2003. Rechnungshof (C-465/00) v Österreichischer Rundfunk and Others and Christa Neukomm (C-138/01) and Joseph Lauermann (C-139/01) v Österreichischer Rundfunk, ECLI:EU:C:2003:294]. This question should be carefully considered when assessing the proportionality of measures consisting of public access to personal information.