Response to consultation on draft RTS on a central database on AML/CFT in the EU

Question 1: Do you have any comments on the definitions proposed in Articles 3 and 4? If so, please explain your reasoning.

No

Question 2: Do you have any comments on the corresponding situations identified and proposed in Article 4 and Annex 1 for each type of competent authority in the scope of the draft RTS? If so, please explain your reasoning.

No

Question 3: Do you have any comments on the definition of the materiality of a weakness proposed in Article 5? If so, please provide your reasoning.

no

Question 4: Do you have any comments on the type of information as specified in Articles 6, 7 and 8 and Annex 3? If so, please provide your reasoning.

Article 8
8 (d) until 8 (f): information on natural persons.
This information is very sensitive and can even qualify as information relating to criminal offences.

8(k): if information relating to individuals is disclosed to other authorities, the risk exists of infringing the principle of purpose limitation. This constitutes a major risk for individuals. They do not know what the consequences for them personally can be if data is shared without the compatibility test from one regulator to another regulator or authority. In Annex 2 there is a reference to the fact that disclosure may be done only if necessary in the context of investigating AML/CFT. The EBA should perform an analysis as per the GDPR on purpose limitation and keep a record of it in order to abide by the principle of accountability. Such sensitive information, which may qualify as data relating to criminal convictions or offences, can only be disclosed to third parties under strict conditions. We doubt whether this guidance is sufficient. Possibly a more robust legislative act is necessary here, given the nature of such data.

Question 5: Do you have any comments on the proposed approach with regard to the EBA’s analysis and dissemination of the information contained in the database, as proposed in Articles 10 and 11 of the draft RTS? If you do, please provide your reasoning.

As the EBA Register and the information registered therein and exchanged with other AML supervisors and the EBA, this RTS primarily concerns that relationship. Taking the above into account, we limit our response to a few topics we identified that may have a more direct effect on banks and other institutions in scope of AMLD.

As a bank we welcome further formalization of the exchange of AML supervisory information between EBA and AML supervisors and vice versa. Such exchange will already occur and a more formal framework to accommodate this will improve legal certainty. However, with respect to the current consultation we see two main points of attention. We discuss these in more detail below.

1. Increased information exchange may trigger less coordinated supervision

Article 11.1 c in conjunction with Article 1 D and 1E
Increased information exchange with respect to AML incidents may trigger less coordinated supervision in situations where multiple supervisors are involved either in one Member State or in multiple Member States.

Without the appropriate safeguards and checks and balances, increased availability and distribution of such AML incident information may trigger uncoordinated supervisory actions by the various regulators involved in a particular case. As a bank we are already confronted by multiple enquiries/information requests relating to identical or largely overlapping information from different regulators on a regular basis, also with respect to AML supervision.

We urge EBA to take this aspect into account and, where possible, to set safeguards to minimise uncoordinated AML supervision in such situations, and to minimise the administrative and operational burden this places on banks. We are all working on achieving the same goal, but we need to do so in an efficient manner. AML colleges could play a more prominent role in such situations and may need to have a more prominent formal role under this RTS (other than the mere reference in Article 11.1 (c)), including clear guidance on how the information should be used in order to avoid inefficient supervision practices.

2. Increased data/privacy issues.

Article 10
Article 10 concerns the analysis of the information. What are the parameters that are going to be used by the authority? Page 47 of the document. How far does an entity need to go for the authority to consider that for example CDD has been conducted effectively? Such expectancy can clash with the GDPR’s proportionality principle.

Article 11 and on Annex 2
Reference is made to “nationality”. Does this mean that nationality becomes a compulsory element that needs to be registered? For other AML purposes nationality does not seem to be necessary. Processing this information entails risks. The question to EBA should be what is the rationale behind asking for the nationality of individuals.

Concerning Article 11 (2) and 11 (3): we miss an explanation as to why anonymised information is not sufficient and why less information would not help the investigation. It would also be useful if the EBA would indicate for how long the data will be kept.

Annex II - Article 4a sub c
Article 4 c is not fully in line with the GDPR. It rightly says that the rationale for asking the requested personal data should be communicated. However the text states: “The rationale (s) for the request: whether the information about that specific person is relevant for the requesting competent authority for its supervisory with regard to the prevention of the use of the financial system for the purpose of money laundering or of terrorist financing and intended use (s) of the information requested”. So it only seems that the authority needs to state that “it is relevant for …” but without explaining why in this case it is necessary. In our view it should be included why the data cannot be anonymised or provided in aggregated form, and why it is not possible to provide less data than what is requested in a given investigation. The current text does not provide much comfort. For the banks, it seems that data is not collected fully in line with the GDPR. Such an addition would help banks make the assessment whether data can be disclosed in line with the GDPR.

Provisions on secure data disclosure from the banks to the EBA are missing, and in our view this should be mentioned (data security). There is a reference to protecting the data if EBA sees the need to disseminate it, but such a provision is not to be found in the document regarding the provision of the data by the banks to the regulator.

P. 47. Effectiveness of CDD measures. When do they consider that customers have been sufficiently identified – effectively in their terms, for example? How far do they think firms need to go? That brings about the dilemma of privacy. What is strictly necessary to abide by this obligation? What can be considered that goes beyond, entailing a privacy breach if the data relates to an individual?

Annex II - Article 4b
See also regarding Annex 2, article 4 b. Data can be disseminated by the EBA to other parties. To the extent that such data could qualify as data related to criminal offences, stricter rules apply. To what extent has the EBA taken into account article 10 of the GDPR? I have doubts as to whether this Annex is sufficient. Maybe this has been taken into account in the DPIA. As we cannot see this, we don’t know this.

Question 6: Do you have any comments on the provisions proposed in articles 9 ‘timelines and obligations to provide updates’ and in article 13 (1) and (2) in relation to the language used? If so, please provide your reasoning.

no

Question 7: Do you have any comments on the provisions proposed in Article 12 on the ‘articulation with other notifications’? If so, please provide your reasoning.

no

Question 8: Do you have any comments on the approach proposed in Article 13 and in particular on the sequential approach described in paragraph 4 of that Article? If so, please provide your reasoning.

no

Question 9: Do you have any comments on the approach proposed in Articles 14 and 15 with regard to confidentiality and data protection, and on Annex 2, which sets out the information in relation to natural persons for the purpose of this draft RTS or more generally on data protection? If so, please provide your reasoning.

The information in the register will include personal data, suitability assessments of individual day-to-day decision takers and related information, and may even contain criminal law data relating to individuals. This raises the question whether the proposed data protection/privacy safeguards are adequate. Although in this specific situation the adequate protection of data and safeguarding compliance with GDPR is primarily a responsibility of EBA and the involved AML regulators, taking into account the interests of our clients, employees, management and other stakeholders we address the below points of attention.

The Consultation refers to the fact that the EBA conducted a DPIA, that a summary of this can be found on the site of EBA, and that it intends to approach the EDPS. It would provide comfort to the banks to receive more information on how the recommendations/advice of the EDPS are taken into account in the RTS. With respect to the following articles: 8, 10, 11 and Annex 2, we provide a number of privacy related concerns, which we hope will be addressed by the EBA.

Question 10: Do you have any comments on the Technical Specifications specified in the Annexes of this draft Consultation Paper? If so, please provide your reasoning.

no

Name of the organization

ABN AMRO Bank N.V.

Type of organisation

firms

If you selected "FIRMS", please specify

credit institutions