European banking industry representatives are calling for more legal guidance on how banks should interpret data protection rules in their anti-money-laundering work.
The agency responsible for the implementation of EU's anti-money-laundering, or AML, directive has said the data protection directive does not fall within its remit and cannot provide such guidance.
The General Data Protection Regulation, or GDPR, which came into force across Europe in May 2018, is creating some uncertainty for banks when implementing efforts to combat financial crime, according to Roger Kaiser, senior policy adviser on fiscal and AML at the European Banking Federation, an industry body representing 3,500 European banks and 32 national banking associations.
"There are situations in which the processing of personal data could be highly beneficial for AML purposes. However, it's unclear how to apply the rules of the GDPR," he said Feb. 18 at a webinar hosted by S&P Global Market Intelligence.
GDPR limits how organizations can use and reuse personal data, while also restricting how long they may retain that data. The processing of personal data, meanwhile, is often crucial in banks' AML activities.
As such there can be "tensions" between the objectives of GDPR and AML, Kaiser said.
The EU's data protection watchdog's decision to ban Europol from hosting FIU.net, a computer network for member states' agencies that fight financial crime, illustrates the tension. The European Data Protection Supervisor, the body charged with enforcing GDPR, said Europol had been in breach of EU rules when handling data gathered on individuals who were not suspects in financial investigations.
Wim Mijs, CEO of the European Banking Federation, said he was "shocked" to read the decision.
"We have the GDPR in Europe and it is a great regulation that protects the privacy of citizens. But when it leads to the protection of criminal networks, something is wrong. In my view, the GDPR gives the opportunity to do good law enforcement and exchange of information, but it's lacking," he said at an event in Brussels on Feb. 19.
Denmark's Money-Laundering Task Force, following a year's work by experts, lawyers and representatives from the largest banks in Denmark, has found that balancing GDPR and AML is one of the "inherent dilemmas" that banks face in their role as gatekeepers against money laundering.
For example, a shared IT system, which is highlighted by the task force as a crucial means to make AML controls more efficient, will come with "regulatory challenges," the task force said.
Implementing EU data protection rules too rigidly could hamper banks' abilities to efficiently combat money laundering, Linda Nielsen, the task force's chair, told Market Intelligence.
The task force was established in 2018 in light of revelations that Danske Bank A/S, Denmark's biggest financial institution, had been involved in a vast dirty money scandal in the Baltics. Banks elsewhere in Europe have also been drawn into what has become known as the "Global Laundromat," including Deutsche Bank AG, HSBC Holdings PLC, Barclays PLC, Lloyds Banking Group PLC, Royal Bank of Scotland Group Plc, ING Groep NV, Crédit Agricole SA, Swedbank AB (publ) and Nordea Bank Abp.
Emmanuel Plasschaert, a Brussels-based lawyer at Crowell & Moring specializing in GDPR and AML, said in an interview that while there "may be some frictions" between the two sets of regulation, generally banks have flexibility under GDPR to process data in their anti-money laundering efforts.
He said GDPR allows for the processing of data when "necessary for compliance with a legal obligation" such as know your customer and other AML-related regulation.
But banks, in their work to detect money laundering, also process data that is "not strictly required by legal obligations," Kaiser said, adding that it is in such situations that it is unclear what is permitted under GDPR.
He called for "inclusive and pragmatic guidance on how to interpret the GDPR in an AML context," which he said should be developed together with the European Banking Authority, the agency responsible for ensuring consistent and effective application of the EU's AML directive.
Nielsen called for more political guidance as to how banks should balance the two considerations.
"This should be a political debate, around where to set the boundary — how much do we want to protect data, for whom and under which terms — so that it is not the individual bank employee who has to make those decisions," she said in an interview.
The EBA confirmed that entities processing data on the basis of the EU's AML directive must be compliant with specific conditions stipulated by GDPR.
However, it said "GDPR itself does not fall into the scope of action of the EBA, which is why we do not interpret the provisions contained in this particular directive."