The Fourth AML Directive and the EU’s Approach to Data Protection: A Precautionary Warning

Let us get one thing straight: The Fourth Anti-Money Laundering (AML) Directive is a directive whereas the General Data Protection Regulation (Data Regulation) is a regulation. The difference between these two is crucial. The Fourth AML Directive allows member states to implement the Fourth AML Directive requirements into national laws. This means that, at a minimum, the requirements of the Fourth AML Directive must be kept, but it does not stop nation states from introducing more stringent requirements. For example, the Dutch Central Bank’s approach for the Third AML Directive was often seen as going over and above EU requirements, whereas the Irish Central Bank’s approach was seen to meet the requirements of the Third AML Directive.

On the other hand, Data Regulation does not allow member states to transpose the requirements into national law, instead it applies within the EU on a unified basis. This means no alternations, however slight, can be made by member states and the law must be directly implemented into the national law of a member state. As a result, the law in Ireland will be similar to the law in the Netherlands, Luxembourg, France, etc.

The Fourth AML Directive must be transposed into member states' national law by June 2017 and the Data Regulation will likely come into force in early 2018. Therefore, the timeline for both must be taken into account when preparing your organization for compliance with the Fourth AML Directive. If both are not considered, you will risk wasting efforts and commercial resources, which may bring forth criticism from both your organization and regulators alike.

You do not want to place your organization in a position where it may face penalties/sanctions as a result of failing to comply with the Fourth AML Directive and in a separate instance to the Data Regulation. In addition, by following the security requirements and data protection principles of the forthcoming Data Regulation you should ideally be able to prevent a data leak at least to the size and scope of what occurred in the recent Panama Papers leak. This is simply because at the heart of AML is handling personal and oftentimes sensitive data. As AML and compliance professionals, we must stop focusing simply on a singular facet of AML, and instead see it as multifaceted. This will assist us in thinking outside the box and help us come up with creative solutions to common problems.

EU—The Right to Remain Silent on AML and Data Protection

The European Data Protection Supervisor (EDPS) provided its opinion regarding the drafting stages of the Fourth AML Directive. Within the EDPS opinion it was clear that the Fourth AML Directive was welcomed; however, warnings were provided. For example, two of the warnings were that the changes in the AML Directive would result in increased amounts of data being collected for AML and that anti-terrorist purposes would increase the possible negative consequences for data subjects. These warnings and commentary by the EDPS highlight the many ways AML and data protection have a symbiotic relationship.

One particular point raised by the EDPS is the fact that the Financial Action Task Force (FATF) is an international body and not actually an EU body.1 In this regard, much of FATF's recommendations did not take into account the high standards of data protection that is in place within the EU. Thus, if you are working within an international organization that has some sort of base within the EU, your approach to AML should take into account the EU data protection requirements at least for AML matters relating to EU data subjects. Furthermore, EU citizens' right to the protection of his/her personal data is safeguarded in Article 16 of the Treaty on the Functioning of the EU and in Article 8 of the Charter of Fundamental Rights of the EU. This is in addition to the current EU directive on Data Protection and the forthcoming Data Regulation.

The EDPS further highlighted that the Fourth AML Directive did not provide clarity in terms of how EU Data Protection rules apply to the collection and processing of personal data for AML purposes.

As it stands, when EU formally adopted the Fourth AML Directive it did not add much clarity and subsequently left nation states with the difficult task of determining how best to transpose the AML Directive into national law while bearing in mind the general data protection principles of the EU and the forthcoming Data Protection Regulation. The best way for organizations to prepare for compliance with the Fourth AML Directive is to look at the requirements of the Data Regulation, since it will apply on a unified basis with the EU.

Policies and Procedures—Data Protection

One way the AML Directive aims to strike a balance between these two correlated principles is by introducing the requirement that organizations must ensure and facilitate robust AML controls in line with the rules of European data protection law.

One way to approach this issue, is to ensure that organizations that are part of a group implement group-wide policies and procedures, which should include the rules surrounding EU's approach to data protection and highlight the details required for sharing information within the group for AML and counter-terrorist financing (CTF) purposes. These policies shall be implemented effectively at the level of branches and majority-owned subsidiaries in member states and third countries.

As a point of clarity, this is only required when your organization is considered a regulated business under the AML Directive. A regulated business may refer to a number of factors, but one of the crucial points of determining whether you fall within the definition emerges from the fact that you are provided a license and must attest to either or both a governmental department or a regulatory agency such as the Central Bank of Ireland, if located in Ireland.

This approach also ensures that regulated businesses that have branches or majority-owned subsidiaries located in third countries where AML and CTF requirements are less onerous than those of the member state make certain that their branches and subsidiaries comply with the AML Directive, and while doing so, take into account the EU's approach to data protection. This must be done to the extent that it can be permitted by the third country's laws.

Record Keeping

The Fourth AML Directive requires that personal data be deleted after the expiry of a minimum retention period of five years—this is still in line with the existing requirements of the Third AML Directive. This time limit is based on the EU Data Protection Directive, which provides that any information that relates to an "identified or identifiable natural person" must be deleted (this includes any backed up information) unless national law allows for such retention. Even in instances where national law allows for the retention of such information, the retention is not indefinite. Under the Fourth AML Directive, further retention may only be granted, if necessary, for prevention, detection or investigation of money laundering or terrorist financing. Personal data can be retained for a longer period (which is an additional period of five years) if provided for under local legislation. After this time, the personal data must be deleted.

There are arguments that the data retention period does not help in the fight against terrorism since 10 years is not a significant amount of time in itself as many terrorist cells and groups remain dormant until a certain time in the future before they act. As a result, member states of the EU should be permitted to expand the data retention period limit to more than 10 years. However, this is easier said than done. As a member state of the EU, states must abide by its various laws and regulations, since one of the core aims of the EU is to unify Europe. Allowing divergences in some instances to suit member states' individual interests may result in disparity in the laws within the EU and this may affect the free movement of goods and services within the EU negatively. In addition, the data retention period cannot be extended as EU member states have signed up to the Charter of Fundamental Rights of the EU which provides the right to privacy of EU citizens. However, this is an extensive debate and is outside the scope of the present article.

While the U.K.'s referendum has determined that the U.K. would like to leave the EU, it is important to note that the referendum is not legally binding on the U.K. government and following the results to leave the EU, the U.K. government will need to decide the course of action the U.K. needs to take. The Prime Minister has announced his resignation, the leader of the opposition is facing a motion of no confidence and there is speculation of a snap election later in the year. The Prime Minister has not invoked Article 50 of the Treaty of Lisbon, which is the official method of starting the exit process, and has instead left this to his successor. In addition, no country has ever left the EU before so while in theory the process is supposed to be completed in two years if/when it starts nobody knows for sure.

Uncertainty and risk around doing business in the U.K. has undeniable increased and will not be resolved in the foreseeable future; however, for now it is business as normal. In any event, leading analysts have highlighted that in order for the U.K. to keep its competitive advantage and access the free movement of goods and services within the EU it will need to comply with key EU laws and this is the position regarding the AML Directive and the Data Regulation.

Coming back to the current issue, the secure deletion of personal data after the expiration of the retention period is something that is often overlooked by many AML/CTF professionals and with the onset of the Data Regulation, failure to comply with the general data protection requirement of retaining data only for as long as required for a particular purpose, will be considered a breach. The purpose here is for AML/CTF reasons. Thus, if the Fourth AML Directive requires a maximum of 10 years as the retention period you should ensure that the maximum retention period is not breached as you will be in clear violation of both laws and expose your organization to criticism and in some instances penalties.

UBO Central Registers

One key change introduced by the Fourth AML Directive is the creation of central registers of ultimate beneficial owners (UBOs). This is one of the most anticipated provisions of the Fourth AML Directive as it is likely to reduce the time spent in complying information regarding the UBO. In order to meet this requirement, organizations will have to "disclose the full legal name, month and year of birth, nationality, country of residence, as well as nature and extent of interests of their beneficial owners to a central database in the [m]ember [s]tates. The initial ownership threshold for reporting is 25 [percent]."2

As mentioned earlier, it appears the EU has decided again to take the right to remain silent on the fine print of how organizations must alter its practices in order to comply with this requirement while bearing in mind the EU data protection requirements. What is required from organizations and member states is to ensure that data "'can be accessed in a timely manner,' meaning that investigators will probably be spared from sifting through badly scanned copies of company records."3

Another point of contention regarding the registers and data protection is the fact that the registers will be public. Therefore, personal information will be freely available for all to see. Critics cited data protection and privacy concerns as arguments against open registers. In order to reach a compromise regarding this point, the Fourth AML Directive—in an attempt to prevent misuse—has restricted access to UBO information to public parties that can show they have "a 'legitimate interest' in the matter and may be subjected to online registration and administrative fees."4 It remains to be seen how this will be enforced into practice.

"The EU press release lists 'investigative journalists and other concerned citizens' as [an] example of parties with legitimate interest, indicating a rather broad understanding of the term" and in the same instances the information can be restricted where a data subject raises legitimate claims "if this would expose the beneficial owner to the risk of fraud, kidnapping, blackmail, violence or intimidation" and this in and of itself is also quite broad. Thus, "it remains to be seen how open this data will be. [U]ltimately, 'legitimate interest' but also 'legitimate claims' for data privacy and security concerns will be defined by individual member states—and not [the EU]."5

It is important to stress here that if your organization operates or is part of a trust, then you are not required to provide information on UBOs as part of a public register. While this may be true, as a trust provider you must still obtain information regarding the settlor, "the trustee, the protector (if any), the beneficiaries and any other natural person exercising effective control over the trust" as this "may be accessed by competent authorities and financial intelligence units."6

Simplified Due Diligence

As a short background to the simplified customer due diligence (CDD), currently designated persons are permitted to apply simplified CDD where the client/customer falls within certain categories (e.g., where the customer is a credit or financial institution or a company listed on a regulated market as defined in the Act). Many criticized that it appeared that many designated persons simply sought to rely on this automatically without sufficiently examining the appropriateness of applying the exemption in order to quickly onboard the client/customer and reduce both time and costs associated with compliance.

Under the Fourth AML Directive, there has been a removal of specific aspects of the simplified CDD process. For example, under the Fourth AML Directive, before a client/customer can be considered to fall within the simplified CDD, they will be required to carry out a risk assessment which should highlight the reason for determination.

This will now require further inspection which can include the examination of an individual's passport and financial details in order to complete the risk report. In addition, this may very likely result in disproportionate data processing/checking by financial institutions. Another point regarding the alternation of the existing simplified CDD process could also result in an increase in red tape and compliance activity required. This is only going to further increase the cost of ensuring your organization is compliant to the Fourth AML Directive.

This simplified CDD will also raise a number of data protection issues. For example, one of the general principles of the current EU Data Protection Directive and the forthcoming Data Regulation requires personal data to only be obtained for a particular purpose and must not be excessive. Therefore, if you are of the view that simplified CDD does apply in a particular circumstance, you must make sure that the personal data you do obtain is not excessive and is only obtained in order to meet the requirements of simplified CDD per the requirements of the Fourth AML Directive. This is something you should highlight within your risk assessment relating to the particular entity/person. This is an area which should be addressed in your organization's AML policies and procedures.

A delicate balance based on an educated judgment must be found between addressing the risks of AML and CTF with the protection of an individual's personal data and right to privacy. A recent example of this debate within the U.S. can be seen in the FBI vs Apple debate, where Apple refused on a number of grounds (including the privacy argument) that they could not assist the FBI with unlocking the phone of a terrorist. Apple raised the argument that if it developed a master security unlock key which would unlock the iPhone of a terrorist in question it could essentially mean that the FBI will have a key to unlock all Apple devices given that Apple would not have developed a restriction mechanism for the master security unlock key. However, the debate around privacy and AML/ CTF matters arising within this case quickly died down as FBI managed to get access to the phone in then end and both parties entered into private discussions.7

Conclusion

The Fourth AML Directive takes into account FATF requirements, yet its success will depend on the consistent interpretation and implementation across EU member states. Furthermore, if the ruling of the European Court of Justice, regarding the invalidity of the Safe Harbour, has shown anything it is that the judicial system of the EU is not afraid to dismiss an international legal and regulatory tool as a result of data protection breaches or the potential for data protection breaches.

Public lists of shareholder information, including beneficial owners, will certainly assist in detecting suspicious financial activity and therefore prevent terrorist financing and other crimes emerging from money laundering activities. While there is the exception of withholding certain information from the public lists on the basis of "legitimate interest" no adequate indication has been provided as to how this will actually apply in practice.

As Mother Teresa once said: "Yesterday is gone. Tomorrow has not yet come. We have only today. Let us begin."

Thus, let us begin to look closely at these two related and conflicting principles. Only then can we ensure proper governance of both AML and data protection requirements.

Sana Khan, barrister-at-law, Arista Networks Inc., County Clare, Ireland, sanakhanbl@gmail.com

  1. Opinion of the European Data Protection Supervisor, on a proposal for a Directive of the European Parliament and of the Council on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing, and a proposal for a Regulation of the European Parliament and of the Council on information on the payer accompanying transfers of funds, Brussels, 4 July, 2013 at 3.
  2. "EU Regulatory Update: The 12 Things You Need to Know About the Fourth Anti-Money Laundering Directive," Arachnys, February 12, 2015, http://blog.arachnys.com/2015-02-12-eu-regulatory-update
  3. Ibid.
  4. Ibid.
  5. Ibid.
  6. "Client Update: Fourth Anti-Money Laundering Directive Comes into Force," Debevoise & Plimpton, August 3, 2015, http://www.debevoise.com/~/media/files/insights/publications/2015/08/updated_fourth_anti_money_laundering.pdf
  7. Arjun Kharpal, "Apple vs FBI: All you need to know," CNBC, , March 29, 2016, http://www.cnbc.com/2016/03/29/apple-vs-fbi-all-you-need-to-know.html

Leave a Reply