ABN AMRO would like to thank EBA for the opportunity to react to the Draft Guidelines on the characteristics of a risk‐based approach to anti‐money laundering and terrorist financing supervision, and the steps to be taken when conducting supervision on a risk‐sensitive basis under Article 48(10) of Directive (EU) 2015/849 (amending the Joint Guidelines ESAs 2016 72), hereafter the Risk-Based Supervision Guidelines. ABN AMRO takes this opportunity to give its feedback on the draft revised text in line with your request, by answering some of EBA’s consultation questions. In summary, the main points we make in the questions we have answered concern the following item:
1. Public-private partnerships and cooperation between banks
ABN AMRO looks forward to seeing the final agreed guidelines and hopes that our feedback will lead to further adjustments in the final texts.
Question 3: Do you have any comments on the proposed changes to the Guideline 4.2 ‘Step 1- Identification of risk and mitigating factors’?
Public-private partnerships and cooperation between banks
Even though paragraph 24 itself has not changed, the remainder of Guideline 4.2 is connected to this paragraph and does incorporate changes. ABN AMRO would like to suggest adding to paragraph 24, in a positive sense, that “for this purpose consultation may be sought with other public authorities, private entities and other relevant experts”, so as to further align efforts to fight (financial) crime at a national or European level. With this suggestion we take into account that EBA found that “their [competent authorities] understanding of the risk factors associated with subjects of assessment was often inaccurate and did not appear to represent the current situation within the Member State”.
Furthermore, this suggested addition to paragraph 24 emphasizes the importance of aligning and focusing efforts throughout the chain to effectively combat (financial) crime. This will enhance effectiveness, as the main risks in the field that require action will be identified. It will also give the necessary focus to the efforts of all parties involved by prioritizing risks at a sectoral and institutional level throughout the chain.
Privacy – proportionality and subsidiarity
With respect to paragraphs 22, 23, 34, 47 and 48 of the draft Guidelines we would like to make the following comment. The draft does not seem to take sufficient account of the principles of proportionality and subsidiarity, which are of particular relevance when regulators request information from entities that relates to individuals. Banks may provide information on identified or identifiable individuals to the competent authorities only to the extent that obtaining such information is strictly necessary in the context of an investigation by a competent regulator.
Indiscriminately providing client data (of individuals) or data relating to employees of the bank poses a significant risk to the privacy of those individuals. We suggest that EBA explains to what extent the preamble of the GDPR has been taken into account when drafting these changes, so as to provide a clear basis for the information to be delivered to competent authorities:
“(31) Public authorities to which personal data are disclosed in accordance with a legal obligation for the exercise of their official mission, such as tax and customs authorities, financial investigation units, independent administrative authorities, or financial market authorities responsible for the regulation and supervision of securities markets should not be regarded as recipients if they receive personal data which are necessary to carry out a particular inquiry in the general interest, in accordance with Union or Member State law. The requests for disclosure sent by the public authorities should always be in writing, reasoned and occasional and should not concern the entirety of a filing system or lead to the interconnection of filing systems. The processing of personal data by those public authorities should comply with the applicable data-protection rules according to the purposes of the processing.”
In that light it would also be helpful if EBA indicated whether certain reporting requirements in this guideline are already part of current reporting. Those regulations or standards will probably already contain a justification for reporting that information.
Data protection – more safeguards
ABN AMRO would like to point out that data of the bank must be disclosed with adequate measures in place to protect the data against unauthorised access (data security). Specific rules on how requested data is to be disclosed, and procedures and arrangements for the safety of the data, should be discussed to minimise the risk of data leaks in the process as much as possible.
ABN AMRO, like any other entity under supervision, is a data controller as defined in the GDPR and therefore needs to assess data protection risks, especially high ones, when processing personal data. The disclosure of personal data to the competent regulators constitutes processing of personal data. If the bank has concerns about the need for, and the proportionality and subsidiarity of, the disclosure, as well as about the security measures in place to prevent a data leak, then in the bank’s view this could be seen as a high risk. Disclosing such data could put banks in a difficult position with regard to compliance with the GDPR.
Adding more concrete safeguards, so that client and employee data is requested only when strictly necessary for an investigation, would help to take into account the privacy rights of the data subjects concerned.