The EBA will start collecting information on natural persons through its AML/CFT database, EuReCA

Starting from May 2024, supervisors across the European Union (EU) will be able to report names of natural persons to EuReCA, the EU central database on anti-money laundering (AML) and countering the financing of terrorism (CFT) of the European Banking Authority (EBA). Through EuReCA, the EBA has been able to contribute to making supervision more informed, targeted and effective. With this step, the EBA will contribute to further strengthening the fight against money laundering (ML) and terrorist financing (TF) in the EU.

EuReCA contains information on serious AML/CFT deficiencies in individual financial institutions that have been identified by EU supervisors. It also contains information on the measures taken by supervisors to address those deficiencies.

If a serious deficiency or a measure is linked to a natural person, for example a customer or a beneficial owner, supervisors will be able to report this information to EuReCA. Supervisors can also report the name of a member of the management body or a key function holder in a financial institution, if necessary, because a lack of honesty or integrity can cause or lead to serious problems in a financial institution’s governance arrangements, business model or activities and ultimately, weaken the institution’s AML/CFT defences.

Since its launch on 31 January 2022, 41 authorities have made more than 1400 reports to EuReCA.

Legal basis and background

EuReCA has been established based on provisions in article 9a (1) and (3) of the EBA Regulation and in Regulation (EU) No 1093/2010 of 9 November 2023. With the publication of the Regulation in the Official Journal on 16 February 2024, EuReCA is enabled to start collecting personal data. The factsheet on EuReCA explains further what is EuReCA, who reports to it and what is in it.

The EBA has updated the Data Protection Impact Assessment (DPIA) it had performed in accordance with Article 39 of Regulation (EU) 2018/1725 (EUDPR). A summary of this updated DPIA is published on the EBA’s website along a notice explaining how the personal data are processed.

The EBA, together with the authorities reporting to EuReCA, as well as ESMA and EIOPA, has also put in place joint controllership arrangements with regard to the processing of personal data in EuReCA in accordance with Article 26 of Regulation (EU) 2016/679 and Article 86 of Regulation (EU) 2018/1725.

Only the data related to significant failures in the compliance with AML/CFT-related requirements can be reported. This ensures that the processing of data remains limited in scope and hence limited to what is necessary and proportionate.