The European Commission's Anti-Money Laundering (AML) package is in the final stages of the legislative process and this has implications for the Dutch money laundering approach. The package responds to the concerns of the Council of State and the Personal Data Authority, the latter previously calling the Dutch money laundering approach a "banking dragnet."
The Dutch framework for tackling money laundering and terrorist financing differs from its European counterpart in the power to exchange data between banks. But where is the discrepancy and to what extent does it serve the privacy of Dutch citizens and legal protection in general? PONT | Data & Privacy went into conversation with Wwft experts Birgit Snijder-Kuipers and Jurjan Geertsma.
The AML package places restrictions on the Netherlands' progressive money laundering approach. Under the watchful eye of the government, the Money Laundering and Terrorist Financing Prevention Act has led to the initiative of establishing Transaction Monitoring Netherlands (TMNL), a partnership between the Netherlands' largest banks and short lines of communication with the government. Other countries, as well as the European Union, are watching TMNL with great interest because the Dutch banks are leading the world in data sharing between banks with this initiative.
Birgit Snijder-Kuipers, professor of Corporate Compliance and Anti-Money Laundering and candidate notary at de Brauw, emphasizes the nuance of the proposed package. "It sets requirements for the 'diligence' with which data is exchanged, but it is not the case that any kind of cooperation is no longer possible." Specifically, the European regulation differs from the Dutch Wwft in the following aspects:
First, it limits the scope of transaction data that may be shared to specific groups of clients (1). The regulation places stricter conditions on joint monitoring by permitting it only when there is a "high-risk client. This contrasts with the Wwft which uses a different criterion, much to the annoyance of the Personal Data Authority and the Council of State (2)(3).
A second difference with the Dutch money laundering approach is that the AML package makes it mandatory for banks setting up joint facilities to be inspected in advance by the relevant supervisors. These must ensure that the joint facility meets the conditions set out in the AML Regulation and the AVG (4).
According to Jurjan Geertsma, law partner at JahaeRaymakers, TMNL will have to evaluate at this time whether and to what extent the current form of data exchange still fits within the framework of the AML regulation. "I think they will be very cautious about it," he said. But TMNL will have to make adjustments, according to Jurjan Geertsma . "You do take certain risks, of course, if you don't make adjustments and continue with that data sharing without looking into it. That you then end up with unlawful processing, which can lead not only to violation of privacy but also business-wise to unwanted stigmatization and exclusion."
Birgit Snijder-Kuipers goes on to say that the issue is a political choice between effective signaling through the sharing of data by banks among themselves, or less effective signaling that better safeguards the privacy of citizens. "We also have to be realistic. You can signal more effectively if you can share data with each other."
However, privacy experts are clear: A higher threshold for data sharing is not only politically justified, but also legally desirable given the scale of monitoring and the nature of banking personal data (5).
Geertsma sees a corollary of what he calls "fear-based regulation": because of this legislation and the government's attitude, you never know if you're doing well enough, which can reflexively cause you to set yourself up as a field guard instead of a gatekeeper. You are practically detecting instead of signaling. It is important to think more carefully about the demarcation between the government task and the private task. All in all, the AML regulation appears to be a step in this direction and privacy concerns no longer seem to fall on deaf ears.
The five major Dutch banks ABN AMRO, ING, Rabobank, Triodos Bank and Volksbank have joined forces Transaction Monitoring Netherlands. TMNL was at its inception of interest to international banking community because of its progressive cooperation and exchange of client data.
Under this partnership, large-scale joint monitoring of transactions is currently underway. Furthermore, TMNL shares data among itself for the purpose of client research.
Both practices could lead to unlawful processing when the AML regulation comes into effect. Although TMNL says it uses pseudonymization and, for now, only corporate clients are monitored, the potential impact on the privacy of Dutch citizens is significant.
https://data.consilium.europa.eu/doc/document/ST-6220-2024-REV-1/en/pdf, p. 278.
https://autoriteitpersoonsgegevens.nl/actueel/nieuwe-wet-opent-deur-naar-ongekende-massasurveillance-door-banken
https://www.raadvanstate.nl/adviezen/@122774/w06-20-0354-iii
https://open.overheid.nl/documenten/8a49594f-34fa-4966-9426-bf545d478ca0/file
Banking dragnet is not a good idea
