By Natalia, Magali, Robin & Kristina
Money laundering is one of humanity’s most deceitful crimes. Huge money laundering scandals have occurred in the EU over the past decade. One of the main reasons is the insufficient exchange of suspicious activity/transaction reports (SARs/STRs) between Financial Intelligence Units (FIUs). FIUs form a bridge between the private sector and law enforcement bodies in the information exchange. But depending on their legal status, they may be subject to different rules of data protection regimes. Therefore, FIUs may be restricted in accessing SARs/STRs in cross-border cases. To coordinate the FIUs, the European Commission (Commission) proposed a new specialized Agency: the Authority on Anti-Money Laundering and the Countering of Financing Terrorism (AMLA). AMLA would be authorized to draft binding Implementing Technical Standards (ITS) on the templates of SARs/STRs. This is important because SARs/STRs’ content vary between Member States (MSs). For example, regarding the activities that are considered to be ‘suspicious’ and the extensiveness of the SARs/STRs. A cause for these differences lie in the fact that the MS uphold diverging thresholds for submitting a SAR/STR. AMLA would also be empowered to host the server FIU.net. FIU.net is considered to be a good and safe alternative to bilateral requests for SARs/STRs. In this blogpost we aim to show how the AMLA could improve the exchange of information between the different FIUs whilst upholding the EU data protection safeguards.
A Scandalous History
Money laundering (ML) is a crime with a strong international dimension. It has been a priority of the EU since the 1990s in response to increased drug trafficking. The EU thus recognized that a highly coordinated response from the EU as a whole is required to tackle AML effectively. This coordinated response is, among others, accomplished through the FIUs. These receive information from the private sector by means of SARs/STRs. The FIUs must forward the reports to national competent authorities and foreign FIUs. Although the SARs/STRs differ across the EU, they are crucial to stop ML. Namely because they can serve as intelligence for the initiation of a criminal investigation. The picture below illustrates how the aforementioned exchange of information goes.
However, the Commission identified in 2021 that there was an insufficient detection of suspicious transactions and activities by FIUs. A main reason, according to the Commission, is insufficient oversight of how entities subject to AML rules apply them. The insufficient detection limits the FIUs’ capacity to suspend transactions and to quickly send relevant information to competent authorities and other FIUs. Consequently, huge ML scandals have happened in the last decade. For example, the Danske Bank case in 2018 where almost €200 billion of suspicious transactions took place before the Danish authorities intervened.
Partly in light of the foregoing, the Commission proposed a Regulation on establishing the Authority for Anti-Money Laundering (AMLA) and the Countering the Financing of Terrorism (proposal). The AMLA would become the EU coordinator of national authorities to ensure that the private sector applies EU rules effectively. Given that a considerable amount of the MSs requested for EU oversight, establishing another agency seems to be an adequate measure. However, it is also known that the Commission does not always consider better alternatives for setting up a new agency . Hence, the question arises whether the proposal would be an improvement for the coordination of FIUs. Hereafter we elaborate on the problems in exchange of information between FIUs and how AMLA could be a solution.
Problems in the exchange of information
Despite the scandalous history, it is not that the private sector does not send SARs/STRs to the FIUs. On the contrary, the German FIU received so many SARs/STRs that it has a huge backlog. Rather, the problem lies with the exchange of the SARs/STRs between the EU FIUs. This might seem odd, considering Article 53 of Directive 2015/849 (AMLD5). FIUs are obliged to forward SARs/STRs to another FIU if they are relevant to that MS.
Important to note here though is that AMLD5 leaves discretion to the MSs to decide upon the legal status of their FIUs. Consequently, 4 different models of FIUs have been developed: ‘administrative’ ‘law enforcement’, ‘judicial’ and ‘hybrid’. Due to this diversity, MSs doubt what the applicable data protection rules are when FIUs exchange information. This results in different content of or access to the STRs/SARs. It hinders the efficiency of the FIUs’ coordination and reduces the capacity to detect money laundering effectively. The fact that FIUs must cooperate with one another regardless of their legal status unfortunately did not prevent the current problems (Article 52 AMLD5).
As previously mentioned, the AMLA is to become a central actor to support the cooperation among the FIUs and facilitate their coordination for better detecting the illicit financial flows of a cross-border nature. Considering this focus, the Commission wants AMLA to coordinate the FIUs by drafting binding Implementing Technical Standards (ITS) on the template of SARs/STRs (Article 42 proposal). The AMLA shall submit its draft ITS to the Commission for adoption. At the same time, the AMLA shall send them to the European Parliament and the Council of the European Union for information purposes.
In any event, the Commission may not alter the content and adopt the ITS before discussing them with the AMLA. Hence, the AMLA would essentially be able to oblige all the EU reporting entities to forward the same type of SARs/STRs to the FIUs. Currently, each FIU uses a different type of SAR/STR. For example, the Dutch FIU receive reports on all ‘unusual transactions’. In comparison, the Sonly receives reports based on a ‘grounded suspicion’. If AMLA were to impose one template, then it would become easier for FIUs to coordinate their operations. This would also be in line with recommendations of various scholars. Therefore, we are convinced that ITS would improve the coordination of FIUs.
The FIU.net’s revival
Under Article 37 of the proposal, AMLA would also be responsible for hosting and managing the FIU.net. This is a secure communication network between FIUs. AMLA would, for instance, ensure the required level of security of the system to address and reduce data protection risks. This is much needed, since FIU.net faces many technical difficulties.
This provision could definitely solve the confusion about the applicable data protection rules between FIUs. Since FIU.net is a ‘centralised decentralized system’, the 27 FIUs would have to connect their own database to the in-house server of FIU.net. It implies that FIUs cannot access each other’s data without consent. The server ensures a certain level of flexibility to exchange SARs/STRs via a hit/no-hit system. Namely because, the analyses tool ‘Match Three’ matches the SARs/STRs without revealing personal data. Thus before revealing the personal data, the SARs/STRs will first be compared to see whether there is a ‘match’. Because of this safeguard, we believe that FIUs will exchange more data with one another. Especially, since they there is a function that can automatically grant access to the FIUs’ databases.
Notwithstanding this, one could argue that the Commission clarifies which data protection regime applies in order to improve the communication between FIUs: the General Data Protection Regulation (GDPR) or the Law Enforcement Directive (LED). That is easier said than done though. For the Commission already stated in 2018 that the GDPR applies to FIUs. Yet, not all of the MSs agree with this because they have law enforcement FIUs. They are hence more inclined to apply the LED, which also happens in practice. Besides this, scholars have provided arguments in favour of both the GDPR and for the LED. Therefore, the answer as to which legal instrument applies, is far from easy. Since the discussion has existed for many years, we do not see a determination of the applicable data protection of rules as the quickest nor most adequate solution. Under these circumstances, we think that the revival of FIU.net would be more preferable in the near future.
Although it is true that few FIUs currently send SARs/STRs via FIU.net, we believe they will do so if another proposal of the Commission is adopted. The other proposal would oblige FIUs to communicate via FIU.net, which is not compulsory today. We thus believe that this proposal is one for a happily ever after. For it would balance the enhanced coordination between FIUs and the data protection rules.