Striking the right balance between the obligations imposed by anti-money laundering (AML) rules and those imposed by data protection rules is not an easy task. Though natural and legal persons are often aware of what their obligations are under both sets of rules, the fine line between the two is often perceived as a grey area, giving rise to a lack of harmonisation in Europe and a possible exposure to penalties.

Anti-money laundering rules require subject persons to both identify and verify their client as well as to conduct ongoing monitoring in order to ensure that the transactions being conducted by any client are not the result of money laundering or the financing of terrorism. This entails the subject person requesting and retaining a substantial amount of personal information about clients, which in turn could give rise to personal data protection concerns.

In terms of data protection law, any information relating to an identified or identifiable natural living person, including names, dates of birth, e-mail addresses and telephone numbers, is to be considered as personal data. Any processing of such data must therefore be done in accordance with data protection law. The latter stipulates that any such data must be retained for the least time possible.

The European Data Protection Supervisor (EDPS), which is the EU’s data protection watchdog, has taken the bull by the horns. The European Commission has very recently published an action plan for a comprehensive EU policy on preventing money laundering and terrorism financing, setting a route map for the achievement of its objectives in this area. The EDPS, while acknowledging the importance of ensuring harmonisation in this field, issued its own Opinion assessing the data protection implications of the initiatives laid out in the Commission’s Action Plan.

The EDPS is emphasising that any further legislative measures in the field of anti-money laundering must seek to safeguard the balance between the interference with the fundamental rights of privacy and personal data protection and the measures that are necessary to effectively achieve the general interest goals on AML/CFT. The lack of legal certainty in this area must be clearly addressed. According to the EDPS, proportionality is the name of the game.

Appropriate safeguards must be put in place to guarantee compliance with the principles of data minimisation, purpose limitation and data protection-by-design, as well as the right of individuals to be informed when their data is collected and the purpose for which the data will be processed.

The EDPS’s main concern relates to AML/CFT rules relating to the interconnection of central bank account mechanisms and beneficial ownership registers. Such initiatives, while clearly essential in ensuring that no illegal transaction escapes the net, undoubtedly give rise to data protection concerns.

Any supervision being done at EU level in so far as compliance with AML/CFT rules is concerned must also be in full compliance with data protection law, the EDPS insists. This is so, particularly in so far as information sharing and international transfer of data are concerned. The EDPS also recommends that the proposal establishing the mechanism for the support and coordination of FIUs clarifies the conditions for access to and sharing of information on financial transactions by FIUs.

Furthermore, processing operations concerning information on possible offences arising from financial transactions should remain within the boundaries of competent authorities and not be shared with private entities.

The aspects tackled in this opinion may serve as pointers for the European Commission in so far as the adoption of future legislation in the field of AML/CFT is concerned. The Commission also remains obliged to consult the EDPS on any legislative proposals that may be put forward within the framework of the action plan where there is an impact on the right to the protection of personal data.

Subject persons faced with the obligation to comply with both AML/CFT and data protection rules are often left in a quandary as to how to go about it. Legal certainty in this area would ensure a level playing field across Europe while giving subject persons the necessary peace of mind that they are acting in full compliance with both sets of rules, without the risk of being exposed to substantial penalties.

Mariosa Vella Cardona, M’Jur, LL.D., is a freelance legal consultant.
