New European legislative proposals that require financial institutions to carry out far-reaching checks on customers need major changes. So say the Autoriteit Persoonsgegevens (AP) and the rest of Europe's privacy regulators, united in the European Data Protection Board (EDPB). The proposals are intended to expand anti-money laundering controls of banks, among others. But could lead to people being unfairly prevented from opening bank accounts. And that sensitive data about religion and health, for example, is used without necessity.
Banks must conduct checks to detect people or companies that may be laundering money or financing terrorism. If they suspect this, they must conduct in-depth investigations and report them to authorities. These investigations are very invasive for many people and can cause people to be labeled in advance as potential criminals. It can also lead to the blocking of their bank accounts, for example.
This is already happening, but with the new legislative proposals, the European Commission wants to expand it. Those expansions go so far that the EDPB expresses concerns about them in a letter to the European Parliament and the Council of the European Union.
'Everyone needs financial services to live normally,' says AP board member Katja Mur. 'Without a bank account, you can't receive your salary or pay your bills. If you are unfairly labeled a 'money launderer,' you will be excluded from society.
So banks should handle your personal data very carefully and prevent you from getting such a stamp unfairly. Good legislation should guarantee people's legal protection. However, that is not the case with the current proposals.'
Banks use "information service providers" for their customer checks. These are data traders who, among other things, supply lists of people who, by default, require additional checking. These include so-called "politically exposed persons" and people in their immediate circle.
The privacy regulators recommend that strict rules be put in place for the use of these data traders. This will prevent people from being unfairly labeled as criminals and unable to defend themselves against it.
The privacy regulators want the bills to state very clearly what highly sensitive personal data banks are allowed to use in audits. In addition, the proposals should require extremely strong safeguards from companies for the use of that personal data. Such as security, data minimization (collecting only the most necessary data) and short retention periods. This is not the case now.
Mur: "Your payment records show that you paid for a drink in a gay bar or that you paid a therapist's bill. Very normal things, which unfortunately still sometimes lead to unpleasant reactions. That is an intrusive look into your life and has nothing to do with money laundering or terrorist financing. That should only be allowed if it is really necessary. And everything must be done to prevent that data ending up on the street.
Four laws are involved. The European Parliament and the Council of the European Union will continue to negotiate the content of the laws and see if any changes are needed. Upon agreement between these parties, the laws can enter into force. The EDPB has previously raised concerns about this issue in 2020 and 2021.
