The Cabinet has sent the bill "Money Laundering Plan" to the House of Representatives. The aim is to tackle money laundering and counter terrorist financing. However, the Personal Data Authority fears that the privacy of all Dutch citizens is at stake and warns of a "banking dragnet" if the cabinet follows through on the plans.
The regulator (1) announces this in a press release.
On Friday, Finance Minister Sigrid Kaag sent the bill (2) "Money Laundering Action Plan" to the House of Representatives. The proposal contains a package of measures to combat money laundering. For example, there will be a ban on cash payments of three thousand euros or higher. To improve cooperation between (financial) institutions, they will be obliged to exchange risks with each other. "This way, criminals cannot shop around institutions and institutions do not have to do double work," Minister Kaag said.
The most controversial measure in the bill is to allow banks to monitor financial transactions of all Dutch citizens. The idea is to collect and analyze all payments centrally. "Criminals often deposit sums of money with different banks in order to stay under the radar. With joint transaction monitoring, banks can better identify unusual transaction patterns. The expectation is that this will lead to better 'hits' and thus contribute to a more effective approach to money laundering," the cabinet believes.
On an annual basis, 10 billion transactions of 35 million customers are monitored in the Netherlands.
The Personal Data Authority is deeply concerned about the latter measure. According to the regulator, the bill opens the door to "unprecedented mass surveillance of Dutch citizens." Katja Mur, board member of the Personal Data Authority, says the bill poses risks to the privacy (3) of all Dutch citizens. "Your payment data show your whole business. For example, whether you spend money on a political party, religious institution or psychologist," she said.
Furthermore, the regulator believes that the bill's risks are disproportionate to its purpose. The proposal threatens to create a situation where all people who have an account with a specific bank will have an asterisk after their name. For them, it will be made virtually impossible to open a bank account elsewhere.
Centralized monitoring using algorithms goes too far for the Personal Data Authority. "The proposed system essentially amounts to a banking dragnet," Mur said. "Moreover, it risks discrimination and exclusion. We have seen before that algorithms can stigmatize people and push them into boxes. The question is whether banks will soon be guided mainly by what a computer tells them."
The board member explains that good legislation ensures that money laundering is addressed without restricting the fundamental rights of Dutch citizens. "That is certainly not the case with this proposal. People are innocent until proven guilty. By keeping everyone under surveillance by default, this fundamental principle of the rule of law is being eroded," Mur said.
The regulator is not the only party critical of the Cabinet bill. In January 2021, the Council of State (4) was cautious about the mandatory banking cooperation. "The massive scale on which banking transactions will be jointly monitored is unprecedented and represents a far-reaching breach of the confidentiality of data of citizens and businesses. This does not only concern the right to privacy. This monitoring can also lead to exclusion and discrimination," the advisory body concluded.
The Privacy First foundation also sees nothing in the cabinet's bill. "Privacy First is resolutely opposed to a dragnet by the joint banks on the complete financial transaction data of Dutch people, companies and organizations and calls on everyone to agitate against this cabinet plan," the foundation states in a statement (5).
The Dutch Banking Association (NVB) is pleased with the bill. A spokeswoman told NU.nl (6) that the privacy of Dutch citizens is not at stake. "TMNL will not get to see any customer data. These are pseudonymized when examined." "TMNL" stands for Transaction Monitoring Netherlands. This is a partnership set up by ING, ABN AMRO, Rabobank, de Volksbank and Triodos Bank to implement the joint monitoring obligation.
Medy van der Laan, chairman of the NVB, called the response (7) from the Personal Data Authority "disappointing. "We understand the AP's role of keenly monitoring privacy interests. However, with its stance, the AP does not seem to consider the importance of preventing criminal use of the financial system by individuals and companies. While our job - mandated by law - is to do everything we can to keep criminal use out of the banking system. This is what criminals do in networks using different banks. That's why joint transaction monitoring by banks is really necessary. Otherwise, criminal networks cannot be stopped."
Van der Laan said the Cabinet bill is necessary to prevent abuse of the financial system and financing of terrorism. "Currently, unusual customer transactions can only be mapped within the records of one bank. However, transactions that are not assessed as unusual at an individual bank, when combined with transactions of the customer concerned at other banks, may well indicate money laundering or terrorist financing. The only way to discover such transaction patterns and criminal networks is through joint monitoring in which data on criminals can be exchanged," said the chairman of the NVB.
https://autoriteitpersoonsgegevens.nl/nl/nieuws/nieuwe-wet-opent-deur-naar-ongekende-massasurveillance-door-banken
https://www.rijksoverheid.nl/actueel/nieuws/2022/10/21/wetsvoorstel-plan-van-aanpak-witwassen
https://www.vpngids.nl/privacy/
https://www.raadvanstate.nl/adviezen/@122774/w06-20-0354-iii/
https://www.privacyfirst.nl/aandachtsvelden/financiele-privacy/item/1258-bancair-sleepnet-is-geen-goed-idee.html
https://www.nu.nl/tech/6231325/autoriteit-persoonsgegevens-banktransacties-centraal-monitoren-is-slecht-idee.html
https://www.nvb.nl/nieuws/met-wetswijziging-witwassen-effectiever-te-voorkomen/