The tension between the data protection and AML/CFT frameworks, and the need to align them, have been pointed out by scholars and authorities since the first AMLD, over thirty years ago. Despite the criticism, none of the competent authorities has issued pragmatic guidance aimed at consolidating the two regimes. This lack of regulatory clarity, together with the fragmented implementation and interpretation of the AMLD across the EU, is aggravating the challenges faced by obliged entities. At the same time, the adoption of emerging technologies, such as AI for AML/CFT purposes, further highlights the need to harmonise the various conflicting obligations to avoid duplication and gold-plating practices. Following a doctrinal approach based on primary sources, the present paper aims to contribute to the discussion towards a reconciliation between the data protection and AML/CFT frameworks from the perspective of the obliged entities, considering the recent regulatory developments, namely the AML Package and the AIA Proposal, the relevant case law of the EUCJ, and the current literature.
- Data protection
Without prejudice to the data identified in relation to beneficiary owners in Article 30 AMLD (i.e. date of birth and contact details) and the information contained in central registries by the Member States, pursuant to Article 32a AMLD.
Interestingly, aside from a general reference to complying with data protection requirements, such as data localisation and security, FATF in its AML/CFT Guidance and Methodologies expressly refers only to the confidentiality and data protection obligations of competent authorities [18, p. 111; 19, p. 93].
A similar observation has been made by FATF in its Methodology for Assessing Technical Compliance with FATF Recommendations and the Effectiveness of AML/CFT Systems [18, p. 22].
C-311/18 - Facebook Ireland and Schrems, available at https://curia.europa.eu/juris/liste.jsf?num=C-311/18.
The same conclusion is drawn by the EDPB regarding silent party data. In this regard, note that PSD2 states that data collected should only be used for the purpose of providing the requested services.
See Sect. 3 below.
See among others, Case C-136/17, C.G, CURIA - Documents (europa.eu).
Watchlists as referred to in the Letter of the EDPB [14, p. 5].
See Sect. 4 below.
Similarly, in the AML Proposal (Recital 62 and Article 40(1)).
Article 29 Data Protection Working Party: Opinion 14/2011 on data protection issues related to the prevention on money laundering and terrorist financing, adopted on 13 June 2011 (2011)
Article 29 Data Protection Working Party: Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, adopted on 3 October 2017, as last revised and adopted on 6 February 2018 (2018)
Article 29 Data Protection Working Party: Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, adopted on 4 April 2017, as last revised and adopted on 4 October 2017 (2017)
Bertrand, A., Maxwell, W., Vamparys, X.: Are AI-based anti-money laundering (AML) systems compatible with European fundamental rights? In: Telecom Paris Research Paper Series (2020). https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3647420
Brewczynska, M.: Financial intelligence units: reflections on the applicable data protection legal framework. Comput. Law Secur. Rev. (2021). https://doi.org/10.1016/j.clsr.2021.105612
European Banking Authority: Final Report on EBA Guidelines on Outsourcing Arrangements (2019). https://www.eba.europa.eu/sites/default/documents/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf?retry=1
European Banking Authority: Final Report on Guidelines on the characteristics of a Risk‐based Supervision under Article 48(10) of Directive (EU) 2015/849 (2021). https://www.eba.europa.eu/sites/default/documents/files/document_library/Publications/Guidelines/2021/EBA-GL-2021-16%20GL%20on%20RBA%20to%20AML%20CFT/1025507/EBA%20Final%20Report%20on%20GL%20on%20RBA%20AML%20CFT.pdf
European Commission: Communication from the Commission on an Action Plan for a comprehensive Union policy on preventing money laundering and terrorist financing (2020/C 164/06) (2021)
European Commission: Proposal for a Directive of the European Parliament and of the Council on the mechanisms to be put in place by the Member States for the prevention of the use of the financial system for the purposes of money laundering or terrorist financing COM (2021) 423 (2021)
European Commission: Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts, COM/2021/206 final (2021). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52021PC0206
European Commission: Proposal for a Regulation of the European Parliament and of the Council on European Data Governance (Data Governance Act) COM (2020) 767 final (2020)
European Commission: Proposal for a Regulation of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing COM (2021) 420 final (2021)
European Data Protection Board: Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR, version 2.0, adopted, 15 October 2020 (2020). https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202006_psd2_afterpublicconsultation_en.pdf
Letter of Andrea Jelinek, Chair of the EDPB to Ms. Mairead McGuiness, European Commissioner for Financial services, financial stability and Capital Markets Union and Mr. Didier Reynders, European Commissioner for Justice, on 19 May 2021 (2021). https://edpb.europa.eu/system/files/2021-05/letter_to_ec_on_proposals_on_aml-cft_en.pdf
European Data Protection Board: Statement on the protection of personal data processed in relation with the prevention of money laundering and terrorist financing, adopted on 15 December 2020 (2020)
European Data Protection Supervisor: Opinion 12/2021 on the anti-money laundering and countering the financing of terrorism (AML/CFT) package of legislative proposals, 22 September 2021 (2021)
European Data Protection Supervisor: Opinion 5/2020 on the European Commission’s action plan for a comprehensive Union policy on preventing money laundering and terrorism financing (2020). https://edps.europa.eu/sites/edp/files/publication/20-07-23_edps_aml_opinion_en.pdf
Financial Action Task Force: International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation. (2012–2021). www.fatf-gafi.org/recommendations.html
Financial Action Task Force: Methodology for Assessing Technical Compliance with FATF Recommendations and the Effectiveness of AML/CFT Systems, adopted in February 2013, updated in November 2020 (2013). https://www.fatf-gafi.org/media/fatf/documents/methodology/FATF%20Methodology%2022%20Feb%202013.pdf
Koster, H.: Towards better implementation of the European Union’s anti-money laundering and countering the financing of terrorism framework. J. Money Laundering Control 23(2), 379–386 (2020). https://doi.org/10.1108/JMLC-09-2019-0073
Maglieri, G., Comandé, G.: Why a right to legibility of automated decision-making exists in the general data protection regulation. Int. Data Priv. Law 7(3), 243 (2017). https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3088976
Maxwell, W.: The GDPR and private sector measures to detect criminal activity. Revue des Affaires européennes - Law & European Affairs (2021). https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3964066
Milaj, J., Kaiser, C.: Retention of data in the new anti-money laundering directive—‘need to know’ versus ‘nice to know’. Int. Data Priv. Law 7(2), 115–125 (2017). https://doi.org/10.1093/idpl/ipx002
Quintel, T.: Follow the Money, if you can: possible solutions for enhanced FIU cooperation under improved data protection rules. Law Working Paper Series, Paper number 2019–001 (2019). https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3318299
Wachter, S., Brent M., Floridi, L.: Why a right to explanation of automated decision-making does not exist in the general data protection regulation. Int. Data Priv. Law 7(3), 47 (2017). https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2903469
© 2022 Springer Nature Switzerland AG
About this paper
Cite this paper
Kindylidi, I. (2022). The Data Protection Implications of the EU AML Framework: A Critical Overview & the Case of AI. In: Gryszczyńska, A., Polański, P., Gruschka, N., Rannenberg, K., Adamczyk, M. (eds) Privacy Technologies and Policy. APF 2022. Lecture Notes in Computer Science, vol 13279. Springer, Cham. https://doi.org/10.1007/978-3-031-07315-1_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-07314-4
Online ISBN: 978-3-031-07315-1