[DRAFT] AMLA: Proposal for a happily ever after?       

By Natalia, Magali, Robin & Kristina

Money laundering is one of humanity’s most deceitful crimes. Huge money laundering scandals have occurred in the EU over the past decade. One of the main reasons is the insufficient exchange of suspicious activity/transaction reports (SARs/STRs) between Financial Intelligence Units (FIUs). FIUs form a bridge between the private sector and law enforcement bodies in the information exchange. But their divergent models result in a differentiation of the level of data protection. Therefore, FIUs may be restricted in accessing SARs/STRs in cross-border cases. To coordinate the FIUs, the European Commission (Commission) proposed a new specialized Agency: the Authority on Anti-Money Laundering and the Countering of Financing Terrorism (AMLA). AMLA would be authorized to draft binding Implementing Technical Standards (ITS) on the templates of SARs/STRs. This is important because the SARs/STRs’ content are different in each Member State (MS). AMLA would also be empowered to host the server FIU.net. FIU.net is considered to be a good and safe alternative to bilateral requests for SARs/STRs. In this blogpost we aim to show how the AMLA could improve the exchange of information between the different FIUs whilst upholding the EU data protection safeguards.      

A Scandalous History      

Money laundering (ML) is a crime with a strong international dimension. It  has been a priority of the EU since the 1990s in response to increased drug trafficking. The EU thus recognized that a highly coordinated response from the EU as a whole is required to tackle AML effectively. This coordinated response is accomplished through the FIUs. These receive information from the private sector by means of SARs/STRs. The FIUs must forward the reports to national competent authorities and other FIUs. Although the SARs/STRs differ across the EU, they are crucial to stop ML. Namely because they can lead to a criminal investigation into a criminal activity that was unknown before. The picture below illustrates how the aforementioned exchange of information goes.

However, the Commission identified in 2021 that there was an insufficient detection of suspicious transactions and activities by FIUs. This limits the FIUs’ capacity to suspend transactions and to quickly send relevant information to competent authorities and other FIUs. Consequently, huge ML scandals have happened in the last decade. For example, the Den Danske Bank case in 2018 where almost €200 billion of suspicious transactions took place before the Danish authorities intervened.

As a result, the Commission proposed a Regulation on establishing the Authority for Anti-Money Laundering (AMLA) and the Countering the Financing of Terrorism (proposal). The AMLA would become the EU coordinator of national authorities to ensure that the private applies EU rules effectively. Member States (MSs) requested for EU oversight. However, it is known that the Commission does not always consider  better alternatives for setting up a new agency. Hence, the question arises whether the proposal would be an improvement for the coordination of FIUs. Hereafter we elaborate on the problems in exchange of information between FIUs and how AMLA could be a solution.        

Problems in the exchange of information     

Despite the scandalous history, it is that the private sector does not send SARs/STRs to the FIUs. On the contrary, the German FIU received so many SARs/STRs that it has a huge backlog. Rather, the problem lies with the exchange of the SARs/STRs between the EU FIUs. This might seem odd, considering Article 53 of Directive 2015/849 (AMLD5). FIUs are obliged to forward SARs/STRs to another FIU if they are relevant to that MS.    

Important to note here though is that AMLD5 leaves discretion to the MSs to decide upon the legal status of their FIUs. Consequently, 4 different models of FIUs have been developed: ‘administrative’ ‘law enforcement’, ‘judicial’ and ‘hybrid’. Due to this diversity, MSs doubt what the applicable data protection rules are when FIUs exchange information. This results in different content of or access to the STRs/SARs. It hinders the efficiency of the FIUs’ coordination and reduces the capacity to detect money laundering effectively. The fact that FIUs must cooperate with one another regardless of their legal status unfortunately did not prevent the current problems (Article 52 AMLD5).        

ITS time

As previously mentioned, the AMLA is to become a central actor to support the cooperation among the FIUs and facilitate their coordination for better detecting the illicit financial flows of a cross-border nature. Considering this focus, the Commission wants AMLA to coordinate the FIUs by drafting binding Implementing Technical Standards (ITS) on the template of SARs/STRs (Article 42 proposal). The AMLA shall submit its draft ITS to the Commission for adoption. At the same time, the AMLA shall send them to the European Parliament and the Council of the European Union for information purposes.          

In any event, the Commission may not alter the content and adopt the ITS before discussing them with the AMLA. Hence, the AMLA would essentially be able to oblige all the EU reporting entities to forward the same type of SARs/STRs to the FIUs. Currently, each FIU uses a different type of SAR/STR. For example, the Dutch FIU receive reports on all ‘unusual transactions’. In comparison, the Swiss FIU only receives reports based on a ‘grounded suspicion’. If AMLA were to impose one  template, then it would become easier for FIUs to coordinate their operations. This would also be in line with recommendations of various scholars. Therefore, we are convinced that ITS would improve the coordination of FIUs.

The FIU.net’s revival

Source: Vimeo.com

Under Article 37 of the proposal, AMLA would also be responsible for hosting and managing the FIU.net. This is a secure communication network between FIUs. AMLA would, for instance, ensure the required level of security of the system to address and reduce data protection risks. This is much needed, since FIU.net faces many technical difficulties.     

This provision could definitely solve the confusion about the applicable data protection rules between FIUs. Since FIU.net is a ‘centralised decentralized system’, the 27 FIUs would have to connect their own database to the in-house server of FIU.net. It implies that FIUs cannot access each other’s data without consent. The server ensures a certain level of flexibility to exchange SARs/STRs via a hit/no-hit system. Namely because, the analyses tool ‘Match Three’ matches the SARs/STRs without revealing personal data. Thus before revealing the personal data, the SARs/STRs will first be compared to see whether there is a ‘match’. Because of this safeguard, we believe that FIUs will exchange more data with one another. Especially, since they there is a function that can automatically grant access to the FIUs’ databases. Although it is true that few FIUs currently send SARs/STRs via FIU.net, we believe they will do so if another proposal of the Commission is adopted. That proposal would oblige FIUs to communicate via FIU.net, which is not compulsory today. We thus believe that this proposal is one for a happily ever after. For it would balance the enhanced coordination between FIUs and the data protection rules.           

Author: Student posts

This blog post is written by Master students at Utrecht University.

Leave a Reply

Your email address will not be published.